Skip to main content Skip to main navigation
Skip to access and inclusion page Skip to search input

What is a Business Email Compromise scam?

A business email compromise scam, commonly known as a BEC or a payment redirection scam, is when a recipient receives a legitimate-looking email requesting a payment to new or updated account details.

This type of scam can impact everyone, not just businesses.

Emails could be from a supplier, someone known to you from within a business, a request for an urgent payment, payment of an invoice, including deposits to real estate agents or conveyancers, or even requests made to your HR department to redirect your salary.

Scammers will usually contact you via email, which has been compromised. The compromised email account could belong to the sender or even your own. It could appear to come from a similar-looking address or one that’s made to look like your email. A conversation may even be initiated by SMS.

Examples of scams*

Priya in human resources received an email from Simon, saying he was having technical difficulties with the HR system and could she change his bank account details.

After the next pay day, Simon called HR and complained about not being paid. HR advised Simon his pay had gone to his new account, per his recent email request. Simon advised he had not changed accounts and had not sent an email to do so.

Further investigations determined HR had received an email from an email address that appeared the same as Simon's and they had processed the change without verbally confirming the request.

ScamSpot: a series of 2-minute bites to help spot the latest scams

Signs this may be a scam

An email/invoice requesting you pay to a new account number.

Even if such requests came from someone associated with you, do not make any changes until you've verbally verified the request, using a number you sourced yourself.

A CEO, executive or senior manager requests an urgent payment, or payment to a specific account.

Pause and verify. Always verbally confirm any requests for urgent payments or account changes, received via email, regardless of who the sender is.

A supplier or employee advises you they have not received payment.

Do not make any more payments until you investigate the payment history and emails, to check if there were any requests made to amend account details.

Tips to minimise the risk of being scammed

  • Always verbally confirm any requests for urgent or redirected payments.
  • Register your business for PayID by using your ABN and request this is how your account is credited.
  • Request to pay your suppliers using a PayID, PayID displays the registered payee name, so if it's not your intended recipient you will know something is possibly suspicious.
  • Use multifactor authentication and dual payment approvals where available.
  • Train your employees regularly on how to spot scams. Empower them to question any payment related requests and verbally verify account details are correct, by setting this as a process to follow.

What you can do if you
come across a scam

Let us know

Get support and stay in the know

  • IDCARE provides free, confidential support and guidance to those impacted by fraud, scams, identity theft or compromise. Call them toll-free on 1800 595 160 or visit
  • Keep up to date on scams by subscribing to the government's scam email alerts from
  • Check out our latest scams, for copies of recently reported scams at

Set up PayID to prevent Business Email Compromise Scams

Watch our helpful step-by-step video

As a business you need to constantly be on the lookout for scams. 

Business Email Compromise scam is one of the most common types.

It’s when criminals impersonate you or someone from your business or one of your suppliers using similar names, domains, or fake invoices. 

The scammer might: 

Pretend  to  be  you,  invoice  a  customer  or  a  supplier, and  have  a  payment  made  to  their  account details, rather than yours or, 

Pretend to be a CEO or employee from another company to get a payment from you or, 

Pretend to be an employee and have a salary payment redirected. 

There’s  a quick and easy way to make payments safer: Register for a PayID using your ABN. So, if a  customer  or  supplier uses  your  PayID  they’ll  be  able  to  verify  it’s  your  business.  PayID  doesn’t replace your BSB and account number, it’s just a safer way to pay because your customers will be sure they are paying you and only you. 

To set up PayID head to the Westpac app  

Search for PayID 

More information about how to create a PayID will appear on screen. Make sure you’re registered for Westpac Protect™ SMS Code or SecureID token and have an eligible account.  

Your ABN and name will appear based on what we have on record.  

You can select your ABN as your PayID type. This will mean that your PayID display name (or what will be returned to the customer) will be the legal name of your business, rather than its trading name. 

Select the account you wish to add PayID to. As a sole trader you can register up to two different PayIDs if you two different business accounts and want one for each.  

Then check the details and confirm you want to create a PayID.  

PayID is now set up for your business! 

Ask your existing customers or suppliers to use your PayID wherever possible.  

And when paying someone new, protect yourself by asking them for their PayID (or BPay billing code).  

For other ways to stay smart, safe, and secure from scammers visit the Westpac Security Hub. 

Website link appears on screen -

Latest Scams

To stay in the loop, and stay protected, check out our list of the latest phishing scams impersonating Westpac.

Report a scam

If you receive any suspicious calls, emails or SMS messages, or notice unusual activity on your account, it’s important that you let us know.

Security Wellbeing Check

To help keep you up to date with the latest security features, we’ve introduced the Security Wellbeing Check in the Westpac App.

Things you should know

* Examples are based on one or more real scam reports received by Westpac. For privacy purposes real names have not been used.