
What is a Business Email Compromise scam?

A business email compromise scam, commonly known as a BEC, is when a business receives a legitimate-looking email from a supplier or someone in their business requesting an urgent payment, payment of an invoice to a new account, or an update of account details.


How they contact you

Scammers make contact via a compromised email account, which could belong to a customer, a supplier or even you. The email could also appear to come from a similar-looking address. A conversation may even be initiated by SMS.


What they're after

Scammers are waiting for the opportunity to initiate or redirect large payments.


Signs this may be a business email compromise scam

You receive an email/invoice from someone associated with your business requesting you update their account number.

Do not make any changes until you have verbally verified the request, using a number you have sourced yourself.

A CEO, executive or senior manager requests an urgent payment, or payment to a specific account.

Pause and verify. Always verbally confirm any requests for urgent payments or account changes received via email, regardless of who the sender is.

A supplier or employee advises you they have not received payment.

Do not make any more payments until you investigate the payment history and emails, to check if there were any requests made to amend account details.

Tips

  • Always verbally confirm any requests for urgent or redirected payments.
  • Register your business for PayID by using your ABN and request that this is how your account is credited.
  • Request to pay your suppliers using a PayID. PayID displays the registered payee name, so if it's not your intended recipient you will know something is possibly suspicious.
  • Use multifactor authentication and dual payment approvals where available.
  • Train your employees regularly on how to spot scams. Empower them to question any payment-related requests and to verbally verify that account details are correct, by setting this as a process to follow.

Who should I contact and examples of business email compromise scams

 

  • Please report scams or suspicious activity immediately to Westpac at 132 032 or 61 2 9155 7700 (if calling from overseas).
  • Forward suspicious emails to hoax@westpac.com.au or SMS/text messages to 0497 132 032, then delete the email or message.
  • Report all suspicious activity to the Australian Cyber Security Centre at cyber.gov.au/report.
  • Contact IDCARE toll-free on 1800 595 160 or visit their website idcare.org. They provide free, confidential support and guidance to people who have been targeted by fraud, scams, identity theft or compromise.
  • Keep up to date on scams by subscribing to the government's scam email alerts from scamwatch.gov.au/subscribe.
  • Check out our latest scams for copies of recently reported scams at westpac.com.au/scams.

Watch our helpful step-by-step video

As a business you need to constantly be on the lookout for scams. 

The Business Email Compromise scam is one of the most common types.

It’s when criminals impersonate you or someone from your business or one of your suppliers using similar names, domains, or fake invoices. 

The scammer might: 

  • Pretend to be you, invoice a customer or a supplier, and have a payment made to their account details, rather than yours, or
  • Pretend to be a CEO or employee from another company to get a payment from you, or
  • Pretend to be an employee and have a salary payment redirected.

There’s a quick and easy way to make payments safer: Register for a PayID using your ABN. So, if a customer or supplier uses your PayID they’ll be able to verify it’s your business. PayID doesn’t replace your BSB and account number, it’s just a safer way to pay because your customers will be sure they are paying you and only you.

To set up PayID head to the Westpac app  

Search for PayID 

More information about how to create a PayID will appear on screen. Make sure you’re registered for Westpac Protect™ SMS Code or SecureID token and have an eligible account.  

Your ABN and name will appear based on what we have on record.  

You can select your ABN as your PayID type. This will mean that your PayID display name (or what will be returned to the customer) will be the legal name of your business, rather than its trading name. 

Select the account you wish to add PayID to. As a sole trader you can register up to two different PayIDs if you have two different business accounts and want one for each.

Then check the details and confirm you want to create a PayID.  

PayID is now set up for your business! 

Ask your existing customers or suppliers to use your PayID wherever possible.  

And when paying someone new, protect yourself by asking them for their PayID (or BPay billing code).  

For other ways to stay smart, safe, and secure from scammers visit the Westpac Security Hub. 

Website link appears on screen - www.westpac.com.au/security

Latest Scams

To stay in the loop, and stay protected, check out our list of the latest phishing scams impersonating Westpac.
 

Report a scam

If you receive any suspicious calls, emails or SMS messages, or notice unusual activity on your account, it’s important that you let us know.
 

Security Wellbeing Check

To help keep you up to date with the latest security features, we’ve introduced the Security Wellbeing Check. Found in the Westpac App, it checks your Westpac settings and suggests how you can improve the security of your banking facilities.

Things you should know

* Examples are based on one or more real scam reports received by Westpac. For privacy purposes real names have not been used.