Small Business Scam Protection in Australia 2025
Small businesses lost $152.6 million to Business Email Compromise scams in 2024, a 66% increase from 2023. Learn to protect your business from invoice fraud, ransomware, and vendor impersonation.
If you run a small business in Australia, you're in the crosshairs.
The numbers from 2024 tell a stark story: $152.6 million stolen through Business Email Compromise scams alone, with the average loss per business sitting at $55,000, up from $39,000 the year before. To make matters worse, nearly four in ten Australian small and medium businesses experienced ransomware attempts last year, with each incident costing an average of $97,000 to resolve.
According to the ACSC's Annual Cyber Threat Report, cybercriminals are deliberately targeting small businesses because you've got the resources worth stealing but typically fewer defences than the big players. It's a calculated strategy, and it's working. Cyber incidents targeting SMBs jumped 15% in the 2024-25 financial year, and here's the kicker: 39% of ransomware incidents were detected by the ACSC itself, not by the businesses being attacked.
How Business Email Compromise Really Works
The most common attack vector starts with something deceptively simple: someone in your office clicks a dodgy link or opens what looks like a legitimate attachment. That's all it takes. The malware gets in, captures login credentials for your email and banking systems, and then the real work begins.
Scammers don't rush. The Australian Federal Police reports they'll monitor your email conversations for weeks, sometimes months, learning your payment patterns and figuring out who pays who and when. They set up hidden email rules that automatically forward or delete messages containing words like "invoice," "purchase," or "payment." You won't notice because everything still seems to work normally on your end.
When the time's right (usually when they see a legitimate invoice about to be sent) they intercept it, change the bank account details, and send it on its way. The invoice looks completely legitimate because it basically is, just with different banking details. By the time you realise what's happened, the money's gone.
The construction sector has been hit particularly hard. The AFP warns that organised cybercrime groups, both domestic and offshore, are systematically targeting construction companies because of the high-value transactions and complex subcontracting chains involved. We're talking about invoices for hundreds of thousands of dollars being redirected into criminal accounts. Real estate, legal services, accounting firms, car dealerships, and travel companies are also prime targets, basically any industry that regularly handles large transfers of money.
The Invoice Fraud Epidemic
Parallel to email system hacking, there's been an explosion in vendor impersonation scams. Scamwatch reports that payment redirection scams surged 66.6% in 2024, with losses exceeding $30 million. False billing scams alone cost businesses $3.6 million across 422 reported incidents.
Sometimes scammers fully compromise a supplier's email system and send invoices from the real address with altered banking details. Other times they create near-identical email addresses, changing supplier@company.com to suppIier@company.com (notice the capital i instead of the lowercase L), or using company.com.au instead of company.com. Your eye skims right past the difference, especially when you're busy and the invoice looks otherwise legitimate.
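One way to catch the lookalike addresses described above is to compare every invoice sender against the verified supplier list before a payment is processed. This is an added example written for this page, not code from the original article or any vendor; the confusables table, the supplier addresses and the "first domain label" comparison are simplifying assumptions.

```python
# Characters that scammers swap for ones that look alike in common fonts
# (assumption: an illustrative table, not a complete confusables list).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s"})
PAIRS = [("rn", "m"), ("vv", "w")]

def skeleton(text):
    """Canonical form in which lookalikes collide: skeleton('suppIier') == 'supplier'."""
    s = text.translate(CONFUSABLES).lower()   # translate before lowercasing: 'I' -> 'l'
    for pair, single in PAIRS:
        s = s.replace(pair, single)
    return s

def split_address(addr):
    """('supplier', 'company.com.au') for 'supplier@company.com.au'."""
    local, _, domain = addr.strip().rpartition("@")
    return local, domain

def check_sender(sender, verified):
    """Classify a sender address against the verified supplier list.

    Returns (verdict, matched_supplier):
      'verified'   the exact address is on file
      'lookalike'  matches a verified address only after collapsing confusable
                   characters or ignoring the top-level domain (.com.au vs .com)
      'unknown'    no resemblance to any verified supplier
    """
    for good in verified:
        if sender.strip().lower() == good.strip().lower():
            return "verified", good
    s_local, s_domain = split_address(sender)
    for good in verified:
        g_local, g_domain = split_address(good)
        same_local = skeleton(s_local) == skeleton(g_local)
        # compare only the organisation label, so company.com.au ~ company.com
        same_org = skeleton(s_domain.split(".")[0]) == skeleton(g_domain.split(".")[0])
        if same_local and same_org:
            return "lookalike", good
    return "unknown", None

# Constructed verified-supplier directory (the "database" the page recommends keeping).
VERIFIED_SUPPLIERS = ["supplier@company.com", "accounts@acme-build.com.au"]
```

Anything that comes back as "lookalike" or "unknown" is exactly the invoice that gets the phone call to the number already on file.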
Ransomware: The Other Threat You Can't Ignore
The ACSC dealt with 138 ransomware incidents in 2024-25, but here's what should worry you: they detected 39% of those incidents themselves before the affected businesses even knew they'd been hit. Think about that. Your systems could be compromised right now, with ransomware quietly encrypting your files or exfiltrating your data, and you might not find out until it's too late.
The landscape has shifted dramatically with the rise of Ransomware-as-a-Service (RaaS). About 70% of attacks now come from these organised networks that sell ransomware tools to affiliates. It's become an industry, complete with encryption tools, payment infrastructure, negotiation support, and customer service. This means even low-skill criminals can execute sophisticated attacks on Australian businesses.
When people hear "$97,000 average ransomware cost," they often think that's just the ransom payment. It's not. That figure includes business downtime and lost revenue while your systems are offline, IT recovery and forensic investigation costs, legal fees and regulatory compliance requirements, reputation damage and lost customers, and increased insurance premiums going forward. Many businesses never fully recover.
What You Actually Need to Do
The Australian Cyber Security Centre recommends what they call the Essential Eight, a set of baseline security controls that make it significantly harder for attackers to compromise your systems. This isn't optional anymore. Many cyber insurance providers now require proof you've implemented Essential Eight Maturity Level 2 before they'll honour claims.
The Essential Eight (ACSC's baseline security controls):
1. Application control: Stops unapproved or malicious programs from running.
2. Patching applications and OS: Fix security holes within 48 hours of updates being available.
3. Configure Microsoft Office macros: Block macros from the internet.
4. User application hardening: Block ads and untrusted content in web browsers.
5. Restrict administrative privileges: Not everyone needs admin rights.
6. Multi-factor authentication: Required for all users. Learn more about MFA implementation.
7. Regular backups: Daily backups of critical data, stored offline, tested quarterly.
8. Application whitelisting: Only approved applications can run on your systems.
The Payment Verification Protocol That Actually Works
The single most effective thing you can do:
Verify every payment change by phone. Not email, not text message. Phone. Call the supplier using a number you already have on file, not one provided in the email. If someone sends you an invoice with new banking details, pick up the phone before you process that payment.
Establish a verbal confirmation policy for all invoices over $5,000.
Require two people to approve payments above certain thresholds.
Send a confirmation email to the original contact after you've made a payment.
Maintain a database of verified supplier contact details and bank accounts.
Test payment trick:
Make a small test payment to any new bank account before you send the big transfer. If it's a scam, you'll find out when someone calls asking where their money is, and you'll only be out fifty bucks instead of fifty thousand.
What to Look For
Train your team to spot the red flags. Emails requesting urgent payment or account changes, especially ones that pressure you to act immediately. Slight variations in email addresses, even one character different. Invoices with new bank details that arrive without any heads-up phone call. Unusual language or formatting from suppliers you've worked with for years. Requests to bypass normal approval processes or keep payment changes confidential. Emails sent at odd hours, outside normal business times.
Enable multi-factor authentication on all business email accounts (it blocks 99.9% of automated attacks). Implement email filtering and anti-phishing tools. Set up alerts for login attempts from unusual locations. Regularly audit email forwarding rules and auto-delete rules to catch anything suspicious. Use email authentication protocols like SPF, DKIM, and DMARC. Mark external emails with warning banners so staff know when something's coming from outside your organisation.
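The forwarding-rule audit above can be scripted rather than done by eye. This added example (not from the original article) runs in Python over a rules export shaped like Exchange Online's Get-InboxRule | ConvertTo-Json output and flags the patterns the article describes: forwarding outside the business, deleting messages, hiding them in rarely-read folders, and keying on payment words. The business domain, folder list and rules are constructed assumptions.

```python
import json
import re

OUR_DOMAIN = "example.com.au"   # assumption: the business's own mail domain
MONEY_WORDS = {"invoice", "payment", "purchase", "remittance"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}

# Constructed sample shaped like Exchange Online's  Get-InboxRule | ConvertTo-Json  (values made up).
INBOX_RULES_JSON = """[
 {"Name": "Newsletters", "Enabled": true, "SubjectContainsWords": ["newsletter"],
  "MoveToFolder": "Newsletters", "ForwardTo": [], "DeleteMessage": false},
 {"Name": ".", "Enabled": true, "SubjectOrBodyContainsWords": ["invoice", "payment"],
  "ForwardTo": ["[SMTP:accounts.backup@mail-relay.example]"],
  "MoveToFolder": "RSS Feeds", "DeleteMessage": false},
 {"Name": "Cleanup", "Enabled": true, "SubjectContainsWords": ["remittance"],
  "ForwardTo": [], "DeleteMessage": true}
]"""

def external_targets(rule):
    """Forward/redirect addresses that leave our own domain."""
    found = []
    for t in (rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or []):
        m = re.search(r"SMTP:([^\]\s]+)", t, re.I)   # strip the "[SMTP:addr]" wrapper
        addr = (m.group(1) if m else t).lower()
        if not addr.endswith("@" + OUR_DOMAIN):
            found.append(addr)
    return found

def audit_rule(rule):
    """Reasons this rule looks like BEC tradecraft; an empty list means clean."""
    if not rule.get("Enabled", True):
        return []
    reasons = []
    ext = external_targets(rule)
    if ext:
        reasons.append("forwards outside the organisation: " + ", ".join(ext))
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    if (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
        reasons.append("hides messages in a rarely-read folder: " + rule["MoveToFolder"])
    words = {w.lower() for k in ("SubjectContainsWords", "BodyContainsWords",
             "SubjectOrBodyContainsWords") for w in rule.get(k) or []}
    if reasons and words & MONEY_WORDS:   # payment vocabulary makes the above worse
        reasons.append("keyed on payment words: " + ", ".join(sorted(words & MONEY_WORDS)))
    return reasons

def audit_rules(rules_json):
    """Map each suspicious rule's name to its reasons; clean rules are omitted."""
    audited = ((r["Name"], audit_rule(r)) for r in json.loads(rules_json))
    return {name: reasons for name, reasons in audited if reasons}
```

Run it against every mailbox on a schedule and treat any new finding as an incident to investigate, since a rule like the one named "." is what the scammers in the attack described above rely on staying unnoticed.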
If You Get Hit
Contact your bank immediately, within 24 hours if possible. The faster you report a fraudulent transfer, the better your chances of recovery. Report to ReportCyber, which connects you directly to AFP and ACSC assistance. Report to Scamwatch to help track trends and warn other businesses.
Engage cybersecurity forensics to figure out how they got in and close that hole. Change all compromised credentials (email, banking, everything). Audit your email rules and forwards to remove anything malicious the scammers set up. Notify affected suppliers, clients, and partners about the breach. Contact your cyber insurance provider, assuming you've got Essential Eight documentation in place. And document everything, every communication, transaction, and recovery action. You'll need it for insurance claims and possibly legal proceedings.
For more detailed recovery steps, check out our guide on what to do if you've been scammed.
The Bottom Line
ASIC has issued high-alert warnings specifically for small businesses, noting that these scams are getting more sophisticated by the day. Verification protocols and staff training aren't optional extras anymore—they're standard operating procedure. The threat isn't going away. If anything, it's accelerating. But with the right systems in place and a team that knows what to watch for, you can make your business a much harder target than the one down the road.