Cybercriminals are now targeting the property and real estate sector with a series of business email compromise scams designed to steal money from unsuspecting people and companies.

Due to the large amounts of money involved in these scams, it's important to stay vigilant to any potential scams. As such, we're going to take a look at what a business email compromise scam is, the types of business email compromise scams and what to do in response.

Just remember that if you need support or someone to talk to, our Sonder support team is available 24/7 to chat whenever you need it.


What is a business email compromise scam?

A business email compromise scam is when cybercriminals use email to abuse trust in business processes in order to scam organisations and companies out of money or goods.

These scams are very similar to the usual slew of texting and email scams. Cybercriminals impersonate business representatives or legitimate organisations using similar names, domains and fraudulent logos, and try to gain unsuspecting people's trust. In some cases, cybercriminals use compromised email accounts and pretend to be trusted co-workers. We'll dive into these in more depth in the next section.

Types of business email compromise scams

There are three main types of business email compromise scams:

  • Invoice fraud: Criminals compromise a vendor’s email account and are able to gain access to legitimate invoices. The criminals then edit contact and bank details on those invoices and send them to customers with compromised email accounts. The customer pays the invoice, thinking they are paying the vendor, but instead sends that money to criminals’ bank accounts.

  • Employee impersonation: Criminals compromise a work email account and impersonate that employee. They can then use this identity to commit fraud in a number of ways. One common method is to impersonate a person in power (such as a Chief Executive Officer or Chief Financial Officer) and have a false invoice raised. Another method is to request a change to a worker’s banking details so that funds from the aforementioned false invoice or the worker's salary are then sent to criminals’ bank accounts.

  • Company impersonation: Criminals register a domain with a name very similar to a large, known, and trusted organisation. Criminals then impersonate the organisation in an email to a vendor and request a quote for a number of expensive goods. Criminals negotiate for the goods to be delivered to them prior to payment. While the goods are delivered to a specified location, the invoice is sent to a legitimate organisation, which never ordered or received the goods.

What to do

There are a number of things you can do to prevent getting scammed or compromised:

  • Be vigilant against phishing - These are scams that are made to appear as if they were sent from individuals or organisations you think you know.

  • Strong passphrases and multi-factor authentication - These are among the most effective security controls you can implement to prevent unauthorised access to computers, applications and online services.

  • Have protective business processes in place - This helps establish a clear and consistent business process for workers to verify and validate requests for payment and sensitive information.

If you've sent money, personal details or banking details to a scammer, you will need to:

  • Contact your bank immediately.

  • Report the incident to the Australian Cyber Security Centre (ACSC) here.

  • Change your password for your email account and any other affected accounts, notify anyone affected, and protect your stakeholders or anyone involved with a warning notice informing everyone of the scam.

Related reading:


If you have any questions or need extra support, we're here to help you anytime in any language. Simply start a chat with us via the home screen of the Sonder app.

Information sourced from: Australian Cyber Security Centre #1, Australian Cyber Security Centre #2, and Scamwatch

Image credit: Torsten Dettlaff at Pexels

All content is created and published for informational purposes only. It is not intended to be a substitute for professional advice.

Did this answer your question?