A BEC is an email that appears to come from someone senior in your business and urgently asks you to do something like make a payment or transfer funds. Also known as ‘CEO phishing’, a BEC email may appear to come from your managing director, chief executive officer or chief financial officer. Criminals hope the urgent tone and the apparent seniority of the sender will make you act without checking that the request is real.

A BEC email could be sent from:

  • a simple email address such as ‘iamceo1@gmail.com’
  • an email address very similar to a senior business person’s real address, for example john@s1ight.com.au instead of john@slight.com.au
  • what appears to be a correct email address, but if you reply the email goes to a different address
  • the impersonated sender’s real email address, which happens if a criminal has stolen the email credentials from a previous phishing email, or with malicious software.

For example:

How to help protect your business from BEC emails

Read the 4 tips below, and then check your understanding with our questions.

  1. Create a safe payment process. Create a process where people responsible for making payments must carefully check a requester’s email address, and call to confirm the request is real using the contact details they have on file.
  2. Use multi-factor authentication (MFA). This means adding an extra authentication method in order to access a system, such as a code sent to your mobile phone via SMS. Even if someone steals or guesses your password, they will not be able to get into your account because they will not have the extra authentication code.
  3. Create a confirmation process. Create a process to confirm any unexpected requests for payments from senior managers.
  4. Raise awareness. Help your employees understand more about the tricks and scams of fraudsters. If your business gets a BEC phishing email or a fake invoice, safely share it around so your employees know what to look out for.

Carl is a financial assistant in a small business. He receives an unexpected email from the owner of the business. It reads:

How should Carl respond?

He should reply and ask the sender for more information.

Incorrect. He shouldn’t reply, because if the email is fraudulent, he will be replying to the criminal. He should phone Martin to check the email is real, using the contact details he has on file.

Phone to verify the email is real using a contact number for Martin that he has on file.

Correct. Always phone to check an email like this is legitimate, and make sure you use the contact details you have on file, not the ones in the email itself, which will most likely be fake.