
Australian Businesses Targeted: 5 BEC Scams That Exposed Costly Weaknesses

Catherine Chipeta

An email. A routine phone call. A familiar invoice. That’s all it takes for cybercriminals to siphon millions from Australian businesses.

These scams do not rely on malware or brute-force hacking. They rely on trust.

Fraudsters hijack real email threads, impersonate suppliers, and send invoices that look exactly like the real thing.

Some spend weeks studying internal processes before making their move, and by the time finance teams realise what has happened, the money has vanished and been funnelled into overseas accounts.

No business is too small, and no organisation is too secure.

In fact, payment redirection scams, also known as business email compromise (BEC), have surged by 66.6% in 2024, with losses exceeding $30 million.

These five real-world case studies reveal how easy it is to fall for a BEC scam and how costly the consequences can be.

1. Pure Glass WA

It was just one phone call—but it cost Western Australian company Pure Glass WA $50,000.

A scammer claiming to be from Telstra contacted the small business, saying they were calling about modem issues.

Since there had been connectivity issues the day before, the employee believed the ruse and reportedly downloaded software that gave the scammer control of the company’s computer.

From there, it is believed the scammer was able to enter the company’s accounts with a token code sent to a mobile phone number.

Two separate payments of $25,000 each were later sent to an AMP account called “Pure Glassess (sic)”. The description for each transaction in the company’s bank statement was also linked to a fake invoice.

Fact

Many BEC scams start with phone calls, not emails. Cybercriminals know that people are more likely to trust a voice than a message—especially if the caller uses the correct terminology and sounds credible.

2. Upwey-Tecoma Bowls Club

For this Victorian community bowls club, one cyberattack caused a loss of $120,000 at a time when it was most vulnerable.

After suffering extensive damage from floods in 2022, the club hired a contractor to rebuild its facilities and paid a $50,000 deposit. But after the contractor contacted the club two weeks later and asked where the money was, the club realised they’d been scammed.

Forensic specialists discovered that hackers had infiltrated the club’s email system and monitored communications for some time. They had also deleted the invoice sent by the contractor and replaced it with a near-identical version with only the BSB and account number altered.

Fact

Cybercriminals may monitor email exchanges for weeks or months to learn communication patterns, key contacts, and writing styles. This allows them to craft emails that mimic real senders and make fraudulent requests nearly impossible to spot.

3. Inoteq

Inoteq became mired in a classic invoice fraud scheme—but this time, it ended up in court.

The somewhat complex scam started when electrical contractor Mobius Group undertook work for Rio Tinto on behalf of Inoteq. Over March and April 2022, Mobius invoiced Inoteq for just over $235,000, but a nefarious third party had secretly sent fraudulent emails from Mobius.

One suspicious email listed new bank details (with a fraudulent invoice attached) and called on Inoteq to “kindly pay attention and update your records.” However, the company could not confirm whether the request was authentic because of a poor phone connection.

Instead, another email was sent to the Mobius AP department asking them to substantiate the change of bank details. However, that email was intercepted by the scammer who then provided a fraudulent letter that confirmed the new bank account.

Inoteq sent the full amount of $235,400 to the fraudster, and in the short time it took to uncover the scam, more than $190,000 was moved overseas. While just over $43,000 was recovered, Inoteq and Mobius went to court over who was responsible for the remainder.

Ultimately, the court ruled that Inoteq failed to adequately protect itself from fraud and ordered it to repay the unrecovered amount plus interest.

Fact

This type of scam is sometimes called vendor email compromise (VEC)—a targeted form of BEC where hackers take over real vendor accounts to manipulate invoices.
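The Upwey-Tecoma and Inoteq cases share one gap: the invoice's bank details differed from those previously used, and any confirmation travelled over the same compromised email channel. The sketch below is an added example, not code from the article or from Eftsure, showing a pre-payment check that holds such invoices; the vendor ID, BSB, account, phone number, channel names and function names are all constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class BankDetails:
    bsb: str      # Australian Bank-State-Branch code, 6 digits
    account: str  # digits only

def normalise(bsb: str, account: str) -> BankDetails:
    """Strip spaces and hyphens so '123-456' and '123456' compare equal."""
    return BankDetails(re.sub(r"\D", "", bsb), re.sub(r"\D", "", account))

# Constructed vendor master file: details verified when the vendor was onboarded.
VENDOR_MASTER = {
    "V-1001": {"bank": normalise("123-456", "1234 5678"),
               "callback_phone": "+61 8 5550 0100"},
}

# Channels the requester does not control. Email is deliberately excluded:
# whoever controls the mailbox can also answer the verification request.
OUT_OF_BAND = {"phone_callback_master_number", "in_person"}

def review_payment(vendor_id, invoice_bsb, invoice_account, verification=None):
    """Return (decision, reason). `verification` is None or a dict with
    'channel' and 'contact_used' describing how a change was confirmed."""
    record = VENDOR_MASTER.get(vendor_id)
    if record is None:
        return "HOLD", "vendor not in master file"
    invoice_bank = normalise(invoice_bsb, invoice_account)
    if len(invoice_bank.bsb) != 6:
        return "HOLD", "malformed BSB"
    if invoice_bank == record["bank"]:
        return "RELEASE", "bank details match master file"
    # Details differ from the master file: treat as a change request.
    if verification is None:
        return "HOLD", "bank details changed, no verification recorded"
    if verification["channel"] not in OUT_OF_BAND:
        return "HOLD", "verification used the same channel as the request"
    if (verification["channel"] == "phone_callback_master_number"
            and verification["contact_used"] != record["callback_phone"]):
        return "HOLD", "call-back number did not come from master file"
    return "RELEASE_AFTER_MASTER_UPDATE", "change confirmed out of band"
```

A confirmation letter received by email, as in the Inoteq case, would be recorded with an email channel and the payment would stay on hold.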

4. Unnamed Sydney hospital

A private Sydney hospital fell victim to a business email compromise scam with losses in the millions of dollars.

The lone perpetrator created multiple fake email accounts and impersonated actual businesses before convincing hospital clerks to transfer funds to him. More than $3 million was defrauded in the scam, with $2 million distributed to overseas entities and bank accounts.

Following an investigation by NSW Police’s Cybercrime Squad under Strike Force Millbon, a 49-year-old Western Sydney man was arrested at his residence where multiple electronic devices were seized.

Tip

BEC scams cost Australian companies almost $84 million over the 2023-24 financial year. These scams account for 13% of reported cybercrimes with a financial loss and an additional 20% of crimes where no money was lost.

5. NSW Government

Government departments sometimes handle massive payments, which makes them attractive to cybercriminals.

The NSW Government learned this the hard way when it sent over $2 million to what it believed was a legitimate financial institution. A 24-year-old man was arrested in late 2024 for his part in moving the money offshore. However, it was reported that he was just one part of a broader overseas crime syndicate.

With cooperation between NSW Police and the Joint Policing Cybercrime Coordination Centre (JPC3), all of the $2.1 million was recovered.

Fact

In a BEC scam, time is critical. Once a wire transfer is executed, the window to identify the fraud and recover the funds before they are moved out of reach is extremely short.

Australian businesses need stronger payment controls

The five recent case studies above prove one thing: BEC fraud is not slowing down. Cybercriminals are finding new ways to infiltrate financial processes, deceive individuals, and reroute payments.

With losses ranging from tens of thousands to millions of dollars, no organisation is immune. From small sports clubs to government departments, BEC scams thrive on weak verification processes. And once the money is gone, recovering it can be extremely difficult.

CFOs and finance teams must take action to prevent their organisation from becoming the next cautionary tale. Robust cybersecurity and payment controls are essential to protecting your bottom line, reputation, and operations.

Eftsure’s Cybersecurity Guide for CFOs 2025 breaks down the latest fraud tactics and the steps you need to take to stay ahead. Download it today and equip your team to prevent business email compromise scams before they cause serious harm.
