Business Email Compromise: The Fraud That Looks Exactly Like a Normal Email

BEC is one of the most financially damaging forms of cybercrime — and your antivirus won’t catch it. Here’s how it works, how to spot it, and what every NZ business owner should do about it.

There’s a type of fraud that doesn’t involve malware, doesn’t trigger your antivirus, and doesn’t require an attacker to “hack” anything in the traditional sense. It just requires a convincing email — and someone in your team trusting it.

It’s called Business Email Compromise, or BEC. In 2022, BEC accounted for over US$2.7 billion in reported losses, according to the FBI’s Internet Crime Complaint Center, and its report for 2023 put the figure above US$2.9 billion. Those figures almost certainly underrepresent the real total, because many businesses never report it — either out of embarrassment or because they don’t realise what happened until it’s too late to recover the funds.

BEC is also one of the attacks we see most often when NZ businesses come to us after something has gone wrong. It’s worth understanding how it works — because once you do, it’s significantly easier to prevent.

How it actually works

BEC doesn’t look like a cyber attack. That’s the whole point. There are three common variations, and all of them rely on your team doing exactly what they’d normally do — just with one critical detail changed.

Invoice fraud. An attacker impersonates one of your regular suppliers and sends an email that looks entirely legitimate — same formatting, same tone, same contact name — but with updated bank account details. Your accounts team pays the next invoice to the attacker’s account. By the time anyone notices, the money has been withdrawn and the trail is cold.

CEO fraud. An email arrives that appears to come from your CEO, director, or a senior manager. It requests an urgent payment, a wire transfer, or even the purchase of gift cards. The request almost always includes a reason to bypass your normal approval process — “I’m in a meeting,” “this needs to happen today,” “I’ll explain later.” The person on the receiving end wants to be helpful. So they act.

Account takeover. This is the most sophisticated version. An attacker gains access to a real email account — usually through a phished password, or a session token captured by a phishing page that relays the victim’s login to the real service — and then sits quietly, reading emails for days or weeks. They learn your processes, your relationships, your payment cycles, and often add inbox rules that forward or hide the threads they care about so the account’s real owner never sees the exchange. Then they insert themselves into an ongoing conversation at exactly the right moment, with a request that makes perfect sense in context.

Why it works so well

Most cybersecurity advice focuses on spotting things that look suspicious. BEC works because nothing looks suspicious.

The emails come from addresses that are either genuine (in the case of account takeover, the message passes every authentication check because it really did come from that mailbox) or close enough that you’d need to look very carefully to notice the difference: a swapped letter, a transposed pair, “rn” in place of “m”, or the right name on a different top-level domain (.co instead of .co.nz). Often the address isn’t disguised at all; the display name simply shows the supplier’s or director’s name, and on a phone the underlying address is never visible. They reference real people, real projects, and real invoices. They use the same language your actual suppliers and colleagues use.
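The lookalike and display-name tricks above can be checked mechanically before a human ever has to squint at an address. The script below is an added example written for this article, not code from the original page or from KIS; it classifies From: headers against a small allowlist of supplier domains. The trusted domains, the sample headers and the confusable-character table are all constructed for illustration, and the “brand” helper simply takes the first label of a domain, which is adequate for a short allowlist you control but is not a public-suffix parser.

```python
"""Flag lookalike sender domains and display-name spoofing in From: headers.

Added example. The trusted domains and the sample headers are constructed for
illustration; swap in the domains your own accounts team actually deals with.
"""
from email.utils import parseaddr

# Assumed allowlist: domains you genuinely exchange invoices with.
TRUSTED_DOMAINS = ("acmesupplies.co.nz", "northlandbuild.nz")

# Character pairs that look alike in most fonts. Folding them before comparing
# makes "acrnesupplies" collapse onto "acmesupplies".
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Constructed sample From: headers, as a gateway log or mailbox export would show them.
SAMPLE_HEADERS = [
    '"Acme Supplies Accounts" <accounts@acmesupplies.co.nz>',          # genuine
    '"Acme Supplies Accounts" <accounts@acrnesupplies.co.nz>',         # rn -> m swap
    '"Acme Supplies" <accounts@acmesupplies.co>',                      # wrong TLD
    '"Northland Build Accounts" <northlandbuild.accounts@gmail.com>',  # display name only
    '"Peter Hall" <peter.hall@mail.northlandbuild.nz>',                # genuine subdomain
    '"Payroll" <payroll@example.org>',                                 # unrelated
]


def fold(domain: str) -> str:
    """Lower-case a domain and replace confusable character pairs."""
    d = domain.lower().strip().rstrip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand(domain: str) -> str:
    """First label of a trusted domain (acmesupplies.co.nz -> acmesupplies).
    Assumption: adequate for a short allowlist you control; not a public-suffix parser."""
    return domain.split(".")[0]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> dict:
    """Classify one From: header against the allowlist.

    verdict: 'trusted' (exact domain or its subdomain), 'lookalike' (domain equals a
    trusted one after confusable folding, is within max_dist edits of it, or embeds
    its brand), 'display-spoof' (display name carries a trusted name but the address
    domain does not), or 'unknown'.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return {"verdict": "trusted", "domain": domain, "matches": t}
    folded = fold(domain)
    for t in trusted:
        ft = fold(t)
        if folded == ft or levenshtein(folded, ft) <= max_dist or brand(ft) in folded:
            return {"verdict": "lookalike", "domain": domain, "matches": t}
    squashed = name.lower().replace(" ", "")
    for t in trusted:
        if brand(t) in squashed or t in name.lower():
            return {"verdict": "display-spoof", "domain": domain, "matches": t}
    return {"verdict": "unknown", "domain": domain, "matches": None}


def scan(headers=SAMPLE_HEADERS) -> list:
    """Classify every header; anything other than 'trusted' deserves a phone call."""
    return [classify_sender(h) for h in headers]


if __name__ == "__main__":
    for h, r in zip(SAMPLE_HEADERS, scan()):
        print(f"{r['verdict']:<14} {r['domain']:<28} matches={r['matches']}  <- {h}")
```

Run it as-is and the four non-genuine headers are flagged while the genuine address and its subdomain pass. The point of the confusable fold is that a plain edit-distance check would still catch “acrnesupplies” (two edits), but folding makes the match exact and keeps the distance budget for genuinely different typos; the display-name pass is what catches the common free-webmail case where the address is not disguised at all.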

And they almost always introduce urgency. Urgency is a manipulation tactic. It short-circuits the part of your brain that would normally pause and think, “I should check this before I act.”

This is why security training matters so much. Technology alone won’t catch these attacks. Your team needs to know what BEC looks like — not in theory, but through realistic simulations that build the habit of pausing before acting on financial requests.

What to do about it

The good news is that BEC is preventable. The controls aren’t complicated, and most of them cost nothing to implement. Here’s where to start.

Verify bank account changes by phone — every time. This is the single most effective control against invoice fraud. Any time a supplier, contractor, or partner sends updated payment details, call them on a number you already have on file — not a number from the email — and confirm the change verbally. Make this a non-negotiable part of your accounts process. No exceptions, regardless of who the request appears to come from.

Treat urgency as a warning sign, not a reason to hurry. Any request that pressures you to bypass normal authorisation processes should be treated with more scepticism, not less. This applies whether the email appears to come from your CEO, your biggest client, or your bank. A legitimate request can always wait ten minutes for verification. A fraudulent one can’t.

Enable multi-factor authentication on every email account. Account takeover BEC starts with a compromised inbox — and the most common way inboxes get compromised is through stolen passwords. MFA stops the vast majority of these attacks before they begin. It isn’t a complete answer on its own: a phishing page that relays the victim’s login to the real service can capture an SMS or app code along with the resulting session token, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys for finance and admin accounts, and make sure legacy authentication protocols that bypass MFA are switched off. If you’re running Microsoft 365, our M365 security assessment checks whether MFA is properly configured across your entire tenant — along with dozens of other settings that are often left at insecure defaults.

Configure DMARC, SPF, and DKIM on your email domain. These are technical email authentication controls that make it significantly harder for attackers to send emails that appear to come from your exact domain. SPF lists which servers may send mail for the domain, DKIM signs outgoing mail so receivers can check it wasn’t altered in transit, and DMARC tells receivers what to do with mail that fails both checks and gives them an address to send reports to, so you can see who is spoofing you. Without them, an attacker can send an email to your clients or staff that genuinely looks like it came from your address. If that sentence makes you uncomfortable, it should — and it’s fixable. Two caveats: a DMARC record with p=none only reports and blocks nothing, so the goal is p=quarantine and then p=reject once all your legitimate senders pass; and these controls stop other people being spoofed with your domain, not lookalike domains the attacker registered or mail from a compromised genuine account, so enforce DMARC on incoming mail as well and keep the phone verification step regardless. DMARC configuration is included in our Microsoft 365 assessment.
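What “properly configured” means in practice comes down to a handful of values in two DNS TXT records. The script below is an added example for this article, not code from the original page or from KIS; it parses an SPF record and a DMARC record and reports the settings that leave exact-domain spoofing open, with a weak pair beside a corrected pair. The records are constructed strings standing in for what you would fetch from DNS (the domain itself for SPF, _dmarc.<domain> for DMARC) with a resolver such as dnspython; the Microsoft 365 include hostname is the one Microsoft publishes for its tenants, and the reporting address and domain are placeholders. DKIM is not checked because its public keys sit under selector names that are not discoverable from outside.

```python
"""Check SPF and DMARC records for the settings that leave exact-domain spoofing open.

Added example. The records below are constructed strings standing in for the TXT
records you would fetch from DNS (the domain itself for SPF, _dmarc.<domain> for
DMARC) with a resolver such as dnspython. DKIM is not checked here because its
public keys live under selector names that are not discoverable from the outside.
"""
import re

# SPF terms that each consume one of the 10 DNS lookups a receiver will perform
# (RFC 7208 section 4.6.4). The limit applies across nested includes, so the
# count below is a lower bound for the record as a whole.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed 'before' and 'after' records for a Microsoft 365 tenant.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
WEAK_DMARC = "v=DMARC1; p=none"
FIXED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
FIXED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.co.nz"


def parse_spf(record: str) -> dict:
    """Return the qualifier on the 'all' term ('+', '-', '~', '?' or None when absent)
    and the number of lookup-costing terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False}
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        t = term.lower()
        if re.fullmatch(r"[+\-~?]?all", t):
            all_qualifier = t[0] if t[0] in "+-~?" else "+"
            continue
        mechanism = re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0]
        if mechanism in LOOKUP_TERMS:
            lookups += 1
    return {"valid": True, "all": all_qualifier, "lookups": lookups}


def parse_dmarc(record: str) -> dict:
    """Parse the tag=value pairs of a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False}
    return {
        "valid": True,
        "p": tags.get("p", "").lower(),
        "sp": tags.get("sp", "").lower(),
        "pct": int(tags.get("pct", "100")),
        "rua": tags.get("rua", ""),
    }


def evaluate(spf_record, dmarc_record) -> list:
    """Return findings for the pair of records; an empty list means mail spoofing the
    exact domain will be rejected by receivers that honour DMARC."""
    findings = []
    spf = parse_spf(spf_record) if spf_record else {"valid": False}
    if not spf["valid"]:
        findings.append("SPF: no record, so any host may send as this domain")
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append("SPF: missing or permissive 'all' term; end the record with -all")
        elif spf["all"] == "~":
            findings.append("SPF (note): ~all softfail is acceptable once DMARC is at reject, weak on its own")
        if spf["lookups"] > 10:
            findings.append(f"SPF: {spf['lookups']} lookup-costing terms exceed the limit of 10; "
                            "receivers will treat the record as a permanent error")
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else {"valid": False}
    if not dmarc["valid"]:
        findings.append("DMARC: no record, so SPF and DKIM results are never enforced against the From: domain")
    else:
        if dmarc["p"] == "none":
            findings.append("DMARC: p=none only reports; move to p=quarantine, then p=reject")
        elif dmarc["p"] not in ("quarantine", "reject"):
            findings.append(f"DMARC: unrecognised or missing policy {dmarc['p']!r}")
        if dmarc["pct"] < 100:
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only that share of failing mail")
        if dmarc["sp"] == "none":
            findings.append("DMARC: sp=none leaves subdomains open to spoofing")
        if not dmarc["rua"]:
            findings.append("DMARC: no rua= address, so you never see reports of who is spoofing the domain")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("fixed", FIXED_SPF, FIXED_DMARC)):
        print(f"[{label}]")
        for finding in evaluate(spf, dmarc) or ["no findings"]:
            print("  -", finding)
```

The weak pair produces three findings (a neutral `?all`, `p=none`, and no reporting address) and the corrected pair none. The lookup count is worth keeping in the check: a record that grows past ten lookups as SaaS senders are added stops working entirely, and the symptom is legitimate mail being rejected rather than anything an attacker did.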

Run realistic phishing simulations with your team. Reading about BEC is one thing. Experiencing a realistic simulation — and learning from it in the moment — is something else entirely. Our security training service includes baseline phishing simulations followed by monthly ongoing campaigns, so your team builds genuine awareness over time rather than sitting through a single annual presentation and forgetting it by Friday.

A word on cyber insurance

If you have cyber insurance — or you’re considering it — review your policy carefully. Many cyber insurance products in New Zealand either exclude BEC losses entirely or require specific controls to be in place before a claim will be accepted.

Common requirements include MFA on all accounts, DMARC properly configured, and documented verification procedures for payment changes. If those controls aren’t in place when an incident occurs, your claim may be declined — even if you’ve been paying premiums for years.

Don’t assume you’re covered. Find out for certain, and make sure the controls your insurer requires are actually implemented. If you’re not sure what your insurer expects, a risk assessment will map your current controls against the requirements and flag any gaps before they become a problem.

What to do if it’s already happened

If you suspect a BEC attack is underway or has already occurred, act immediately. Contact your bank and request a recall of the funds — the sooner you act, the better the chance of recovery. Do not delete the emails or turn off any devices, as these contain evidence that may be needed for investigation. If a mailbox may have been taken over, reset its password, sign out all active sessions, remove any inbox rules or forwarding the attacker added, and keep the mailbox audit logs, because they show when the attacker read or sent mail. Notify the NZ Police and report the incident to CERT NZ.

Then talk to us. Our incident response service can help you contain the breach, investigate how it happened, preserve evidence, and — if a privacy breach has occurred — guide you through your notification obligations under the NZ Privacy Act 2020.

The bottom line

BEC doesn’t require technical sophistication from the attacker. It requires trust and routine from the target. That’s what makes it so effective — and so preventable once you know what to look for.

The controls are straightforward: verify payment changes by phone, slow down when you feel pressured, enable MFA, configure your email authentication, and train your team with realistic simulations.

If you’re not sure whether your business is exposed — or whether the basics are actually in place — a free 30-minute conversation is a good place to start. We’ll tell you honestly what your business needs and what it doesn’t.

Book a free conversation →


KIS helps New Zealand and Australian businesses get their cybersecurity right — in plain English, with clear pricing, and without the overselling. If you found this useful, try our free Essential Eight assessment to see where your business stands on the security basics.