Scam Watch

How can you recognize BEC against Australian SMB — vendor BSB swap?

TLDR

BEC is the number one loss category for Australian businesses (ACSC, A$84M+ in 2024). The attacker takes over a supplier's Microsoft 365 mailbox and emails your accounts-payable team a 'new BSB / account'...

How it works

The Australian Cyber Security Centre (ACSC) reports that BEC is the number one loss category for Australian businesses, at A$84M+ in 2024. The attacker compromises the supplier's Microsoft 365 mailbox via OAuth consent phishing (the mailbox owner is tricked into granting a malicious application access to their mail), then emails accounts payable (AP) a 'new BSB / account'...

Red flags

  • Urgent pressure to click, pay, or share codes immediately.
  • A link or sender that does not match the official organization.
  • Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.

What to do

  1. Enforce phone callback verification (to a number already on file, not one taken from the email) before acting on any change of BSB or account details; monitor Microsoft 365 for malicious inbox rules, following the ACSC Essential Eight guidance at cyber.gov.au; check the BSB with the lookup at apca.com.au.
  2. If you are already a victim: notify both banks within 24 hours so they can attempt a trace, file a ReportCyber at cyber.gov.au, and audit Microsoft 365 for OAuth grants, revoking any you do not recognise.
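The "monitor Microsoft 365 for malicious inbox rules" step, as an added example that is not from Scam Watch or from any Microsoft tool: a small Python triage over constructed inbox-rule records that flags the patterns a compromised supplier mailbox typically carries (forwarding to an outside address, deleting invoice/BSB mail, or hiding it in folders nobody reads). The field names mirror Exchange Online's Get-InboxRule properties, but the records, domains and addresses are invented.

```python
import re

# Constructed sample records shaped like an Exchange Online inbox-rule export
# (field names follow Get-InboxRule properties; all values are invented).
SAMPLE_RULES = [
    {"Name": "Team digest", "Enabled": True, "ForwardTo": [], "DeleteMessage": False,
     "MarkAsRead": False, "MoveToFolder": "Digests", "SubjectContainsWords": ["digest"]},
    {"Name": ".", "Enabled": True, "ForwardTo": ["collector@external.invalid"], "DeleteMessage": False,
     "MarkAsRead": False, "MoveToFolder": None, "SubjectContainsWords": []},
    {"Name": "Cleanup", "Enabled": True, "ForwardTo": [], "DeleteMessage": True,
     "MarkAsRead": True, "MoveToFolder": "RSS Subscriptions",
     "SubjectContainsWords": ["invoice", "bsb", "remittance"]},
]
INTERNAL_DOMAINS = {"supplier.example"}          # the supplier's own mail domains (assumed)
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "deleted items", "conversation history"}
PAYMENT_WORDS = re.compile(r"invoice|remit|bank|bsb|account|payment|wire", re.I)


def is_external(address: str, internal_domains: set[str]) -> bool:
    """True when the address's domain is not one of the organisation's own."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def assess_rule(rule: dict, internal_domains: set[str]) -> list[str]:
    """Return reasons a rule looks like BEC tradecraft; an empty list means benign."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons
    for addr in rule.get("ForwardTo", []):
        if is_external(addr, internal_domains):
            reasons.append(f"forwards mail to external address {addr}")
    on_payments = bool(PAYMENT_WORDS.search(" ".join(rule.get("SubjectContainsWords", []))))
    folder = (rule.get("MoveToFolder") or "").lower()
    if rule.get("DeleteMessage") and on_payments:
        reasons.append("deletes messages matching payment keywords")
    if folder in HIDING_FOLDERS and (on_payments or rule.get("MarkAsRead")):
        reasons.append(f"hides matching mail in '{rule['MoveToFolder']}'")
    return reasons


def triage(rules: list[dict], internal_domains: set[str]) -> dict[str, list[str]]:
    """Map each suspicious rule name to its reasons; benign rules are omitted."""
    return {r["Name"]: why for r in rules if (why := assess_rule(r, internal_domains))}


if __name__ == "__main__":
    for name, why in triage(SAMPLE_RULES, INTERNAL_DOMAINS).items():
        print(f"{name!r}: {'; '.join(why)}")
```

A flagged rule is a lead, not proof: confirm who created it and when from the mailbox audit log before revoking OAuth grants and resetting the account.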

FAQ

Is BEC against Australian SMB — vendor BSB swap a real scam pattern?

Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.

What are the first warning signs?

Urgent pressure to click, pay, or share codes immediately; a link or sender that does not match the official organization; and requests for card data, passwords, OTPs, wallet signatures, or bank transfers.

What should I do first?

BEC is the number one loss category for Australian businesses (ACSC, A$84M+ in 2024), so treat every change of bank details as a potential attack. Enforce phone callback verification before paying, monitor Microsoft 365 for malicious inbox rules following the ACSC Essential Eight guidance at cyber.gov.au, and check the BSB with the lookup at apca.com.au. If you have already paid, notify both banks within 24 hours so they can attempt a trace, file a ReportCyber at cyber.gov.au, and audit Microsoft 365 for OAuth grants, revoking any you do not recognise.

Can LegalAudit check my case?

Yes. Start a free chat and paste the message, link, sender, or payment details for triage.