Estimated reading time is 5 minutes.

The threat of email scams for businesses is very real, and it’s growing. According to the FBI, in the United States the amount of money stolen by cyber criminals who target business email addresses has increased over 300% in just two years. Globally, $5.3 billion has been targeted in the last three years by criminals using a type of scam called Business Email Compromise (BEC).

Australian businesses are far from safe - we’re the second most targeted country for these attacks, behind the US.

The good news is you can take some simple steps to keep your money and your business safe.

Types of email-based scams

Business Email Compromise (BEC)

Also known as ‘CEO phishing’, BEC is when an email appears to come from a senior person in a business such as a Chief Executive Officer (CEO) or Chief Financial Officer (CFO), requesting an urgent transfer of funds.

By making the email appear to come from a very senior person, the criminals are hoping the recipient will action it quickly without verifying the request.

Find out more about protecting your business from CEO phishing

Invoice scams

In another scenario, a business receives an emailed invoice from a supplier whose email account has been compromised by a criminal. The invoice looks legitimate so the business doesn’t question the payment details, and sends the payment to the criminal’s account.

Another variation of an invoice scam is when a business receives a request from a supplier to cancel a recent payment, and ask to make the payment to a new account.

Find out more about protecting your business against Invoice scams

How do email scams work?

First, cyber criminals look for information on organisations. They find employee names and job titles, company structures and job descriptions on company websites and social networking sites like LinkedIn.

They then use this information to craft convincing emails requesting payments.

These fraudulent emails are normally sent to a small number of targeted recipients. This means the emails are often missed by email spam filters, which look for large volumes of identical messages.

These emails can be sent from:

  • a simple email address such as ‘’
  • an email address very similar to the senior business person the criminal is impersonating, but with a slight variation which is easy to miss. For example instead of
  • what appears to be the correct email address, but when the victim replies, the email is sent to a different reply-to address
  • the impersonated sender’s real email address. This can happen if the criminal has stolen the email credentials from a previous phishing email or by malicious software.

In this last example, the criminal can set up a rule in your mailbox so all emails are forwarded to them without your knowledge. This allows the criminal to keep tabs on your business activity and spend time learning how you communicate. They can then work out the type of requests you might make or respond to. By studying your behaviour, criminals are able to mimic real requests, meaning their fake request won’t seem out of the ordinary.

Take these 8 simple steps to protect your business

1. Empower your team

Your employees are the first line of defence against cyber attacks. Teach them to recognise and know what to do with suspicious emails, text messages and phone calls. Criminals try to convey authority by impersonating someone senior in your business, or create panic by insisting a matter is urgent.

Empower your employees to trust their instincts and question emails, even if it does appear to have come from someone senior. If an email request doesn't sound right, is unexpected, presses for urgent action, or has an unusual tone, staff should be encouraged to question it. No one knows their colleagues, clients and suppliers better than your team.

2. Raise awareness

Help your people understand more about the tricks and scams of fraudsters. If your business gets a CEO phishing email or fake invoice, share it around so your employees know what to look out for in the future. For handy tips and tools, check out raising employee awareness.

3. Create safe payment processes

It’s important that your business verifies payment requests or changes to payment details. Create a process that requires the receiver to check the requester’s email address carefully, and to call them to confirm the request using the contact details you have on file. This is especially important if payment details have changed or if a request seems out of the ordinary. Once confirmed, you can safely action payments or changes to account details.

4. Check your email settings

Check your email account settings for any auto-forward rules that you didn’t set up.

5. Keep your software up-to-date

Cyber criminals always try new ways to outsmart anti-virus software. It’s vital you have the most up-to-date version. Set your anti-virus software to auto-update, so it is always up to date. Keep your Apps on your computers and devices up to date too.

To find out more about protecting your hardware and software, see the basics of computer security.

6. Use strong passwords and 2FA

Using strong passwords and two-factor authentication (2FA) will protect the security of your email account. Two-factor authentication means adding an extra layer of security by using an extra authentication method, such as a code sent to your mobile phone via SMS. This means that even if someone steals or guesses your password, they will not be able to get into your account because they will not have the 2FA code.

Check out our 6 simple ways to protect your passwords.

7. Review your business' online profile

Do an audit and limit the amount of publicly available information on your organisation’s websites and social media pages, such as LinkedIn. Focus on minimising the display of your employees’ contact details.

8. Talk to your NAB Connect banker

If you’re a NAB Connect business customer, ask your banker how to add extra layers of security to protect your funds. Having a secondary authoriser in place for payments on NAB Connect, and setting up 2FA are examples of additional security layers.

Helpful resources

Safely storing your data

Your stored business data travels in and out of your network. What key controls can you put in place to ensure it’s safe?

Building employee awareness of cyber safety

Empower your employees to help manage your online security risks

Understanding the value of your business data

Protecting valuable business data from cyber crime is everyone’s business.

How to protect your website from being compromised

Learn how to protect your website against online attacks.

Cyber safety

Stay informed

Report a suspicious NAB message
Report a suspicious text

047 NAB 0003