A plain-English deep dive into business email compromise (BEC) and multi-factor authentication (MFA) for small and mid-sized businesses. Explains how BEC scams redirect payments, why email is the number-one attack vector, how MFA stops most account takeovers, why MFA is not bulletproof on its own, and the additional layers (email security, conditional access, and verifying payment changes by phone) that close the gaps. Construction and trades businesses are a common target.
MFA and business email compromise
Most serious attacks on small businesses start in the inbox, and the most expensive ones end with a payment going to the wrong bank account. Here is how business email compromise works, and why multi-factor authentication is the first thing to fix.
The short version
Business email compromise is a scam that uses a real or faked email account to redirect a payment, usually by asking you to change a supplier's bank details. It is one of the costliest attacks facing Australian businesses.
Multi-factor authentication is the single highest-value defence, because it stops the account takeovers most of these scams rely on. Turn it on everywhere before anything else.
MFA alone is not the whole answer. Pair it with email security, conditional access, and one simple rule: verify any change of bank details by phone, never by email.
What business email compromise actually looks like
It rarely looks like a hack. It looks like a normal email. A supplier writes to say their bank details have changed, could you update them for the next invoice. The email is polite, on-brand, and often comes from a real account the attacker has quietly broken into, so it passes every sniff test. You update the details, pay the invoice, and the money is gone.
Other versions impersonate the boss asking for an urgent transfer, or a staff member asking to change where their pay goes. The common thread is trust: the attacker does not break down the door, they get you to open it by looking like someone you already deal with.
Why email is the number-one way in
Email is where your business runs and where your trust lives, which is exactly why attackers target it. Get into one mailbox and they can read months of conversations, learn how you talk, see who pays whom, and wait for the right moment to strike. That is far more valuable than a smash-and-grab.
Most break-ins start with a stolen password, from a reused login, a phishing page, or a leak from some unrelated website. Which is why the first fix is the one that makes a stolen password useless on its own.
How MFA stops most of it
Multi-factor authentication means a password alone is not enough to sign in. You also need a second thing: a prompt on your phone, a code, or a security key. So when an attacker turns up with a stolen password, they hit a wall, because they do not have the second factor.
It is unglamorous and it is the highest-value control you can turn on. On its own, MFA blocks the overwhelming majority of account takeovers, which is why it is one of the ACSC Essential Eight strategies and why insurers increasingly require it. If you do one thing after reading this, make it turning MFA on everywhere.
MFA is not bulletproof, so add the layers that catch the rest
Attackers have adapted with fatigue prompts and phishing kits that capture codes, and some BEC does not need to break into an account at all. These layers close the gaps MFA leaves.
Multi-factor authentication
The single highest-value control. Even if a password is stolen or guessed, MFA stops the attacker getting in. It blocks the vast majority of account takeovers on its own.
Email security
Filtering that flags impersonation, lookalike domains, and known-bad senders before they reach the inbox, so fewer convincing fakes ever land.
Payment verification
A simple rule that any change to bank details is confirmed by a phone call to a known number, never by email alone. This one process stops most redirected payments.
Conditional access
Rules that challenge or block risky sign-ins, for example from an unusual country or an unmanaged device, so a stolen password plus a stolen code still is not enough.
The takeaway
Business email compromise works because it targets trust, not technology, and the losses are real. The good news is that the defences are well understood and mostly straightforward. Turn on MFA everywhere, put proper email security in front of your inboxes, and make it a firm rule that any change to payment details is verified by a phone call to a known number.
Those few controls stop the large majority of these scams. Getting them set up properly, and monitored so a compromise is caught early, is what our managed security service does day to day. Construction and trades businesses in particular, where big payments move between many parties, are worth a closer look at our construction IT support page.
Common questions
What is business email compromise?
Business email compromise (BEC) is a scam where an attacker either breaks into a real email account or convincingly impersonates someone, then uses that trust to redirect a payment or extract information. The classic version is a fake request to change a supplier's bank details, so your next payment goes to the attacker.
Does MFA stop business email compromise?
MFA stops the most common route in: account takeover from a stolen password. It is the highest-value single control you can turn on. But it is not a complete answer on its own, because some BEC relies on impersonation rather than breaking into an account, so you also need email security and a payment-verification process.
Is MFA enough on its own?
No. MFA blocks most account takeovers, but attackers have adapted with MFA-fatigue prompts and phishing kits that capture codes. Phishing-resistant MFA, conditional access, email filtering, and a simple rule to verify payment changes by phone close the remaining gaps.
How do construction and trades businesses get targeted?
Construction is one of the most targeted industries for payment redirection, because large progress payments move between many parties. A compromised or spoofed email asking to update bank details can divert a payment worth hundreds of thousands. The same controls apply: MFA, email security, and verifying any change of details by phone.