- business-email-compromise
- sme-fraud-prevention
- supplier-payment-scams
Small businesses face sophisticated email compromise scams targeting supplier payments. CommBank expert reveals prevention strategies for invoice fraud and banking detail manipulation attacks.
Small Business Email Compromise Crisis
Small to medium enterprises face unprecedented targeting by business email compromise scams in 2025, with criminals exploiting vulnerabilities in supplier payment processes. James Roberts, CommBank's general manager of fraud strategy, identifies this as one of the most damaging scams affecting SMEs, typically beginning with compromised email accounts and ending with funds transferred to criminals.
Unlike large organisations with dedicated IT departments and risk officers, SMEs focus primarily on growth and cashflow while lacking comprehensive cybersecurity infrastructure. Criminals systematically exploit this resource disparity, targeting businesses that prioritise operational efficiency over security protocols.
Critical Vulnerability Points
Two scenarios present maximum risk: the first invoice from a new supplier, and a change of banking details from an existing supplier. These payment moments require heightened verification, because criminals specifically target them knowing that a business expects a legitimate payment request at exactly that point.
The scam is sophisticated: criminals obtain genuine invoices through compromised supplier accounts, then alter the banking details while keeping the sender, tone and timing of the correspondence authentic. Victims process the payment as normal and discover the fraud only when the supplier follows up about the missing payment, often weeks later.
Criminal Methodology
A typical attack sequence begins with compromise of a supplier's email account through phishing or malware. The criminals then monitor its correspondence to learn when invoices are sent, modify a legitimate invoice to carry their own banking details, and insert their own contact number so that any verification call reaches them.
Roberts highlights cases where a business did attempt phone verification, but the number it rang belonged to the criminals, who confirmed the fraudulent account details. This shows that criminals understand standard verification procedures and pre-empt them.
Essential Protection Framework
Prevention requires three critical business practices. First, always verify banking details by phoning a trusted number held in existing records, never a number taken from the invoice. Second, train finance and administrative staff to recognise scam indicators and to follow a fixed verification protocol. Third, treat urgent or unexpected payment requests with suspicion, no matter how legitimate the sender appears.
Verification must rely on contact information stored independently of the invoice, so that criminals cannot intercept the check. A brief payment delay for verification is far cheaper than the financial and reputational damage that threatens an SME's survival and its stakeholders' trust.
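The two high-risk moments from the "Critical Vulnerability Points" section and the three practices above can be turned into a simple payment-release check in accounts payable. The following Python is an added example written for this page; it is not code from the article, from CommBank or from any vendor product. The vendor master record, the invoice fields, the flag names and the callback "source" labels are all constructed for illustration. The rule it enforces is the one the article describes: a first invoice from a new supplier, or a change of bank details from an existing one, is held until a callback has been made to a number held on file (or, for a new supplier, obtained independently), and a callback to the number printed on the invoice never counts as verification.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed vendor master file standing in for the accounts-payable records a
# business already holds. phone_on_file is the trusted callback number.
VENDOR_MASTER = {
    "V-1001": {
        "name": "Acme Stationery Pty Ltd",
        "bsb": "062-000",
        "account": "12345678",
        "phone_on_file": "+61 2 9999 0001",
    },
}


@dataclass
class Invoice:
    vendor_id: Optional[str]     # None when the supplier is not in the master file yet
    vendor_name: str
    bsb: str
    account: str
    contact_phone: str           # number printed on the invoice: untrusted by definition
    amount: float
    urgent: bool = False


@dataclass
class Callback:
    number_called: str
    number_source: str           # hypothetical labels: "vendor_master", "independent_lookup", "invoice"
    confirmed: bool              # supplier confirmed the bank details by voice


@dataclass
class Decision:
    release: bool
    flags: list = field(default_factory=list)
    callback_number: Optional[str] = None   # number staff should ring, if one is on file


def assess_payment(inv: Invoice, callback: Optional[Callback] = None,
                   master: dict = VENDOR_MASTER) -> Decision:
    """Decide whether an invoice may be paid now or must be held for verification."""
    flags = []
    record = master.get(inv.vendor_id) if inv.vendor_id else None

    # The two moments of maximum risk: first invoice, or changed bank details.
    if record is None:
        flags.append("NEW_SUPPLIER_FIRST_INVOICE")
    elif (record["bsb"], record["account"]) != (inv.bsb, inv.account):
        flags.append("BANK_DETAILS_CHANGED")

    # Secondary indicators: pressure to pay, and a contact number that differs from records.
    if inv.urgent:
        flags.append("URGENT_REQUEST")
    if record is not None and inv.contact_phone != record["phone_on_file"]:
        flags.append("INVOICE_CONTACT_DIFFERS_FROM_RECORD")

    if not flags:
        return Decision(release=True)

    trusted_number = record["phone_on_file"] if record else None
    if callback is None:
        # Hold the payment and tell staff which number to ring.
        return Decision(False, flags, trusted_number)

    if trusted_number is not None:
        # Existing supplier: only the number already on file counts.
        if callback.number_called != trusted_number:
            flags.append("CALLBACK_NOT_NUMBER_ON_FILE")
            return Decision(False, flags, trusted_number)
    else:
        # New supplier: nothing on file, so the number must come from an independent
        # source (company website, registry, prior relationship), never the invoice.
        if (callback.number_source != "independent_lookup"
                or callback.number_called == inv.contact_phone):
            flags.append("CALLBACK_USED_INVOICE_CONTACT")
            return Decision(False, flags, trusted_number)

    if not callback.confirmed:
        flags.append("SUPPLIER_DID_NOT_CONFIRM")
        return Decision(False, flags, trusted_number)

    return Decision(True, flags, trusted_number)


if __name__ == "__main__":
    # Constructed scenario: an existing supplier's invoice arrives with a new account
    # number, a new contact phone and an urgent tone.
    changed = Invoice("V-1001", "Acme Stationery Pty Ltd", "062-000", "87654321",
                      "+61 2 9999 0002", 4800.00, urgent=True)
    print(assess_payment(changed))
    print(assess_payment(changed, Callback("+61 2 9999 0002", "invoice", True)))
    print(assess_payment(changed, Callback("+61 2 9999 0001", "vendor_master", True)))
```

The second call in the demo is the case Roberts describes: staff did ring someone, but the number came off the altered invoice, so the check still refuses to release the payment even though the "supplier" confirmed. Only the third call, to the number already on file, clears the hold.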
Comments from our readers
Email security awareness
Great insights! It's crucial for SMEs to prioritise cybersecurity. Staying vigilant and verifying details can save businesses from potential financial losses. Let's keep supporting each other!
Critical views on security
While the advice is sound, it's disappointing to see the lack of emphasis on economy-wide solutions. SMEs need more than individual strategies; they require stronger regulations and support from financial institutions to combat this growing threat effectively.