Business Email Compromise (BEC) is one of the fastest-growing cybercrime threats in Australia, affecting businesses of all sizes and industries. These sophisticated scams involve cybercriminals impersonating trusted individuals or organisations to manipulate financial transactions or steal sensitive information.
The financial and reputational consequences of BEC are severe, and the legal responsibilities of businesses under Australian law are becoming increasingly important.
This guide, written by our experienced data and privacy lawyers, explains what BEC is, the legal responsibilities of businesses under Australian law, when a business may be liable for losses and practical risk mitigation strategies to protect your organisation.
Key Takeaways
- Businesses have a duty of care to prevent foreseeable cyber threats, including BEC.
- Under negligence laws, failure to adopt reasonable cybersecurity measures can make businesses liable for customer losses.
- The Privacy Act 1988 (Cth) requires businesses to safeguard personal information from misuse and unauthorised access.
- BEC scams often involve invoice manipulation, phishing, spoofing, or hacking.
- Mitigation strategies include multi-factor authentication, employee training, cyber insurance, and compliance with Australian privacy laws.
What is Business Email Compromise (BEC)?
Business Email Compromise is a form of fraud where cybercriminals exploit email systems to deceive businesses and redirect funds.
Common BEC methods include:
- Spoofing: Using a disguised email address so that a message appears to come from a legitimate sender.
- Hacking: Gaining unauthorised access to a business's email or IT systems.
- Phishing: Sending fraudulent emails that trick staff into revealing information or approving transactions.
How Does Business Email Compromise Work?
A typical BEC scam involves intercepting or manipulating legitimate business communications, such as invoices, to redirect payments to fraudulent accounts. By the time the fraud is discovered, the funds are often irretrievable.
Legal Responsibilities of Businesses in Australia
Duty of Care and Negligence
Under Australian negligence law, businesses owe a duty of care to clients, suppliers, and stakeholders. This includes taking reasonable steps to protect against foreseeable cyber risks, such as BEC scams.
Key elements of negligence in BEC cases include:
- Duty of Care: Businesses must adopt reasonable cybersecurity measures to protect sensitive information.
- Breach of Duty: A breach occurs if a business fails to meet the expected standard of care, such as neglecting to implement adequate email security protocols.
- Causation: The plaintiff must prove that the business’s breach directly caused the loss.
- Damages: If negligence is established, the business may be liable for financial losses and reputational damage.
Statutory Obligations
Obligations for businesses also arise under the:
Privacy Act 1988 (Cth)
The Privacy Act requires businesses to take reasonable steps to protect personal information from misuse, loss, and unauthorised access. Failure to comply can result in regulatory penalties from the Office of the Australian Information Commissioner (OAIC).
Corporations Act 2001 (Cth)
Under this Act, companies must maintain proper financial records and prevent fraud, which includes implementing adequate cybersecurity measures.

Who is Liable for Business Email Compromise Incidents?
Spoofed Emails
If cybercriminals spoof a business’s email address (without hacking systems), the business is usually not liable. Customers remain responsible for paying valid invoices.
Hacked Emails
If hackers gain access to a business’s systems and alter invoices, the business may be liable for customer losses. Liability arises when the business fails to implement reasonable cybersecurity safeguards, breaching its duty of care.
To better understand your legal obligations in the event of a data breach, read our article on Data Breaches and Information Security.
Case Law and Precedents in Australia
Although Australian courts have limited direct BEC case law, they apply general negligence principles.
Courts assess whether businesses:
- Met industry standards for cybersecurity.
- Took reasonable steps to prevent foreseeable risks.
- Had internal controls to verify financial transactions.
To learn from recent incidents and sharpen your cyber-resilience, check out our article Data Breach Risks: Recent Lessons.
How to Prevent Business Email Compromise
To prevent BEC, businesses should:
Implement Robust Cybersecurity Measures
- Use Multi-Factor Authentication (MFA) for email accounts
- Conduct regular cybersecurity audits
- Install advanced email security systems
Train Employees
- Educate staff on recognising phishing attempts
- Establish protocols for verifying financial transactions
Strengthen Internal Controls
- Implement strict verification processes for payments
- Regularly review and update financial authorisation procedures
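The sender checks and payment-verification controls listed above can be made concrete in code. The Python script below is an added example written for this guide, not code from its authors or from any email security product; the vendor master record, sender addresses and invoice texts are constructed placeholders. It holds any invoice whose sender domain resembles a known vendor's domain, whose Return-Path domain differs from the From domain, or whose BSB and account number differ from the details verified when the vendor was onboarded, so that payment waits for confirmation through a phone number already on file rather than one quoted in the email. The third sample invoice shows why the bank-detail comparison matters: a message sent from a genuine but compromised mailbox (the "hacked email" case discussed earlier) passes every sender check and is caught only by the master-record comparison.

```python
"""Invoice payment-change verification control (added example, not the
guide authors' code). Vendor record, addresses and invoice texts below are
constructed placeholders."""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Constructed vendor master record keyed by the vendor's genuine sending
# domain; the bank details are the ones verified at onboarding.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "acme-supplies.example": {"bsb": "062-000", "account": "12345678"},
}

# Labelled BSB and account patterns, so invoice numbers and dates in the
# body are not mistaken for payment details.
BSB_RE = re.compile(r"\bBSB\s*[:#]?\s*(\d{3})[- ]?(\d{3})\b", re.IGNORECASE)
ACCOUNT_RE = re.compile(
    r"\bAccount(?:\s*(?:No\.?|Number))?\s*[:#]?\s*(\d{6,10})\b", re.IGNORECASE
)


def domain_of(header_value: str) -> str:
    """Lower-cased domain of an RFC 5322 address header, '' if absent."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def lookalike_domain(domain: str) -> Optional[str]:
    """Known vendor domain that `domain` closely resembles, or None.
    A genuine vendor domain returns None; a near-identical string (one
    swapped letter, an extra character) returns the domain it imitates."""
    if domain in VENDOR_MASTER:
        return None
    for known in VENDOR_MASTER:
        if SequenceMatcher(None, domain, known).ratio() >= 0.85:
            return known
    return None


def extract_bank_details(body: str) -> Optional[Tuple[str, str]]:
    """(BSB, account) quoted in the invoice text, or None if either is missing."""
    bsb = BSB_RE.search(body)
    acct = ACCOUNT_RE.search(body)
    if not bsb or not acct:
        return None
    return f"{bsb.group(1)}-{bsb.group(2)}", acct.group(1)


def assess_invoice(msg: Dict[str, str]) -> Dict[str, object]:
    """Decide whether an invoice email ('from', 'return_path', 'body') may
    be paid or must be held; every finding is recorded for the accounts team."""
    flags: List[str] = []
    sender = domain_of(msg["from"])
    imitated = lookalike_domain(sender)
    if imitated:
        flags.append(f"sender domain {sender!r} resembles vendor domain {imitated!r}")
    # Compare against the record of the vendor the email claims to come from.
    vendor = VENDOR_MASTER.get(imitated or sender)
    if vendor is None:
        flags.append(f"sender domain {sender!r} is not in the vendor master record")

    return_path = domain_of(msg.get("return_path", ""))
    if return_path and return_path != sender:
        flags.append(f"Return-Path domain {return_path!r} differs from From domain")

    details = extract_bank_details(msg["body"])
    if details is None:
        flags.append("no labelled BSB/account number found in invoice text")
    elif vendor and details != (vendor["bsb"], vendor["account"]):
        flags.append(f"bank details {details} differ from verified record "
                     f"({vendor['bsb']}, {vendor['account']})")

    decision = ("HOLD: confirm with the vendor using the phone number on file"
                if flags else "OK: sender and bank details match the vendor master record")
    return {"decision": decision, "flags": flags}


# Constructed samples: genuine invoice; lookalike domain with new bank details;
# genuine but compromised mailbox quoting new bank details.
SAMPLE_INVOICES = [
    {"from": "Accounts <ap@acme-supplies.example>", "return_path": "<ap@acme-supplies.example>",
     "body": "Invoice INV-1042. Pay to BSB 062-000 Account 12345678 within 30 days."},
    {"from": "Accounts <ap@acme-suppiies.example>", "return_path": "<bounce@mail-relay.example>",
     "body": "Invoice INV-1043. Please use our NEW details: BSB 033-999 Account 99887766."},
    {"from": "Accounts <ap@acme-supplies.example>", "return_path": "<ap@acme-supplies.example>",
     "body": "Invoice INV-1044. Our banking has changed, remit to BSB 033-999 Account 99887766."},
]


def run_samples() -> List[Dict[str, object]]:
    """Assess every constructed sample invoice, in order."""
    return [assess_invoice(m) for m in SAMPLE_INVOICES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_INVOICES, run_samples()):
        print(msg["from"], "->", result["decision"])
        for flag in result["flags"]:
            print("   -", flag)
```

In practice the vendor master record lives in the finance system and the script runs on invoices as they arrive; the point of the design is that a changed BSB or account number never becomes payable on the strength of the email alone, whatever the sender checks say.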
Invest in Cyber Insurance
Cyber insurance policies can cover financial losses from BEC scams and provide additional support for incident response.
Collaborate with Authorities
Report BEC incidents to the:
- Australian Cyber Security Centre (ACSC); and
- law enforcement agencies like the Australian Federal Police (AFP).
For guidance on embedding privacy into your operations from the ground up, see our article on Privacy by Design for SMEs.
Frequently Asked Questions (FAQs)
What is Business Email Compromise (BEC)?
BEC is a type of cybercrime where attackers manipulate email communications to defraud businesses or individuals, often by redirecting payments to fraudulent accounts.
Can a business be held liable for BEC losses?
Yes, if a business fails to implement reasonable cybersecurity measures and this failure leads to a BEC incident, it may be held liable under negligence laws in Australia.
What are the legal obligations of businesses under the Privacy Act 1988?
The Privacy Act requires businesses to take reasonable steps to protect personal information from misuse, loss, and unauthorised access.
How can businesses prevent BEC incidents?
Businesses can prevent BEC by implementing robust email security systems, training employees on cybersecurity practices, and strengthening internal financial controls.
Prepare your business for cyber incidents by following our Data Breach Response Plan Checklist.
What should I do if my business falls victim to a BEC scam?
Conduct a forensic examination of email systems, report the incident to authorities, and consider engaging legal and cybersecurity experts to recover losses and prevent future attacks.
By understanding the legal implications of BEC and adopting proactive measures, Australian businesses can protect themselves and their customers from this growing cyber threat.
For experienced legal advice on cybersecurity and negligence matters, contact our team today.