Contents
As a business, it’s crucial to keep your systems safe and secure – especially if you operate online. With cyber threats evolving rapidly in 2025, every online business needs robust protection measures in place. Whether you’re a start‐up or an established enterprise, ensuring your digital environment is secure is key to maintaining trust and protecting your bottom line, as discussed in our legal requirements for online business guide.
You should be aware of cyber attacks and understand how to defend against them. So, what types of cyber attacks are out there in 2025?
A business email compromise (BEC) is a sophisticated cyber attack that targets a company’s email system, allowing fraudsters to exploit insider knowledge and misdirect payments or sensitive information. This scam remains one of the most financially damaging threats to businesses.
Keep reading to learn more about BEC, discover updated prevention strategies, and find out what you can do to safeguard your business.
What Is Business Email Compromise (BEC)?
BEC scams are specifically targeted at businesses. Cyber criminals impersonate trusted parties – such as clients, associates, or even fellow employees – to deceive you into redirecting funds or sharing confidential data.
This type of fraud is a serious breach under the Cybercrime Act 2001. Recent data from the Australian Federal Police indicates that in the past two years, BEC scams have cost Australian businesses over $100 million in losses. It’s a staggering figure that underscores the need for constant vigilance and updated defenses.
Is BEC A Type Of Phishing?
Yes, BEC is a form of phishing. Phishing is a tactic where scammers use emails to trick individuals or organisations into revealing personal or sensitive information.
BEC scams predominantly use emails because they allow fraudsters to remain anonymous and impersonate someone within your trusted network.
What Are Email Scams?
As mentioned earlier, phishing scams use deceitful emails to obtain your personal information. However, email scams can also inflict damage in other ways.
Some scams are designed not only to extract sensitive data but also to gain unauthorized access to your systems, ultimately leading to hacking. These sophisticated schemes combine elements of both phishing and direct cyber intrusion.
Hacking occurs when cyber criminals breach your IT infrastructure-often through a malicious link or an unsecured backdoor-to cause extensive damage and disrupt your business operations.
What To Do If You’ve Been Targeted
If you suspect that you’ve fallen victim to a BEC scam or notice any suspicious emails, act immediately. Here are the critical steps you should take:
- Report the incident promptly to ReportCyber and notify the relevant authorities.
- Secure all compromised accounts right away, and review other accounts that might be at risk by updating passwords and enabling multi-factor authentication.
- Inform your service providers and, if necessary, contact legal counsel for further guidance – our online lawyer services may help.
- Communicate with your clients, employees, and stakeholders to alert them of the incident and minimise further risk.
- Consider conducting a comprehensive cyber security audit to identify and address vulnerabilities.
It’s not uncommon for businesses to be targeted. In fact, the Australian Cyber Security Centre has classified BEC as a threat with a medium alert level. Make sure you have a robust plan in place to respond to these risks.
Business Email Compromise Cases Around the World
One of the most notorious examples of BEC involved the scam targeting tech giants Facebook and Google, which collectively suffered losses exceeding $100 million over a prolonged period. Fraudsters posed as legitimate suppliers, duping these companies out of vast sums before being apprehended.
Other organisations, from multinational corporations such as Toyota to local charities, have also fallen prey to these scams. The lesson is clear: whether you run a small business or a large enterprise, no one is immune to BEC.
The prevalence of BEC globally highlights the importance of staying informed and prepared for emerging cyber threats.
What Happens If There Is A Data Breach?
As a business, you store sensitive personal information of clients, customers, employees, and associates – often detailed in our guide on Sensitive Personal Information. When a breach occurs, this data is at risk.
Under the Privacy Act 1988, organisations must notify the Office of the Australian Information Commissioner (OAIC) about any notifiable data breaches. It’s essential to have a pre-established Data Breach Response Plan.
A comprehensive Data Breach Response Plan outlines who to inform, how to contain the breach, and steps to mitigate further risks – ensuring you comply with legal obligations and safeguard your business reputation.
How To Avoid BEC
Implementing robust measures to prevent BEC is essential. In 2025, consider incorporating these strategies into your cyber security plan:
- Maintain a strong cyber security system and have it regularly updated by qualified IT professionals.
- Conduct regular training sessions with your employees to stay vigilant against phishing and other email scams.
- Stay informed about the latest BEC trends and tactics by following reputable sources like the ACSC and our own Online Business Privacy Guide.
- Use customised business email accounts instead of generic web-based ones.
- Utilise scam-detecting software to help identify and block fraudulent emails.
- Minimise your use of public Wi‑Fi networks for sensitive communications, or use a secure VPN when necessary.
It may be worth investing in professional cyber security advice to protect your business, as recommended in our cyber security legal issues resource.
Who Is Liable In A Business Email Compromise?
Currently, there is no specific legislation or case law that distinctly allocates liability for BEC incidents. Liability may depend on whether the responsibility lies with the sender, the recipient, or if inadequate security measures were in place.
This means that while clients need to verify the source of any unusual email requests, businesses must also take all reasonable steps to secure their systems, as elaborated in our legal requirements for online business guide.
Ultimately, if a breach occurs, your liability might be influenced by the preventive measures you’ve implemented.
Who Is Liable For Hacked Emails In Australia?
As with BEC, there isn’t a one-size-fits-all answer when it comes to liability for hacked emails. The circumstances – whether the email was spoofed or directly hacked – are taken into account when assessing responsibility.
While you may not be held accountable if an email is spoofed, failing to secure your systems against hackers could leave you liable for any subsequent damage.
How To Build A Strong Cyber Security System
Cybercrimes can be daunting, but the best defence is a proactive one. In 2025, ensure your business is protected by establishing and maintaining a robust cyber security system. Here are some strategies:
- Restrict and monitor access to your sensitive data and systems.
- Consider investing in comprehensive cyber security insurance.
- Implement strong password protection protocols and encourage regular password updates.
- Ensure your software and systems receive regular updates and patches.
- Consult an IT professional to conduct routine security audits.
- Develop clear internal policies with cyber security best practices at their core.
- Regularly train your employees on the latest cyber security threats and response strategies.
In addition, scheduling periodic cyber security audits and updating your IT policies in line with emerging threats are vital practices. For more in-depth strategies on managing your data protection, our Online Business Privacy Guide offers comprehensive advice.
Key Takeaways
BEC scams continue to pose a significant threat to businesses in 2025. By staying informed and prepared, you can protect your organisation from the financial and reputational damage these scams inflict. To summarise:
- BEC scams manipulate email communications to commit fraud, often resulting in substantial financial losses.
- If targeted, act swiftly by notifying the appropriate authorities, safeguarding your accounts, and informing affected parties.
- Both major corporations and small businesses are vulnerable to BEC scams.
- Robust cyber security systems and regular employee training are essential to avoid falling victim to these scams.
- Liability for a BEC incident is determined on a case-by-case basis, making it crucial to take every reasonable precaution.
If you would like a consultation on business email compromises or need help bolstering your cyber security measures, feel free to reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.
Meet some of our Data & Privacy Lawyers
Get in touch now!
We'll get back to you within 1 business day.
Top 3 Legal Mistakes
Book in a free consultation with us to discuss your legal needs.