There is a reasonable chance that right now, today, someone could send an email to your most important client, your Board Chair, or your bank — and that email would display your name, your domain, and your brand. It would look identical to a genuine communication from your organisation. And there is nothing in place to stop it.
No malware required. No system breach. No sophisticated nation-state capability. Just an unprotected domain, a motivated attacker, and a target who has every reason to trust what they are reading.
This is domain spoofing. It is not a theoretical risk. It is the mechanism behind the single most financially damaging category of cybercrime affecting Australian businesses today — and the overwhelming majority of organisations have left the door wide open.
The Reality of Your Current Exposure
- Without email authentication records, any server on the internet can send email as your domain — right now, without accessing your systems
- Business email compromise cost Australian organisations over $84 million in reported losses in a single year — and most incidents go unreported
- The average BEC payment redirected in Australia exceeds $50,000 — many are significantly higher
- Attackers do not need to be technically sophisticated — spoofing tools are freely available and require no specialist knowledge to operate
- Your clients, suppliers, and staff have no way to detect a spoofed email without specialist knowledge — they will trust it
How Your Domain Becomes a Weapon Against You
Email was built on trust. When the protocols that underpin modern email were designed, the internet was a small, collaborative network of academic institutions. Authentication was not a consideration — the assumption was that everyone on the network could be trusted.
That assumption has not been true for decades. But the infrastructure remains. And it means that any mail server, anywhere in the world, can claim to be sending on behalf of your domain. Unless you have specifically published authentication records that tell receiving servers what to verify, they have no mechanism to challenge that claim.
Most Australian organisations have not published those records. When a passive assessment of your domain is conducted — the kind BlackFlag Advisory performs without touching a single system — the absence of proper authentication configuration is immediately visible. It takes seconds to determine whether your domain can be spoofed. Attackers run the same checks before they act. An unprotected domain is a green light.
What Happens When It Goes Wrong
Business email compromise attacks do not announce themselves. They are designed to be invisible — to exploit trust so completely that the victim does not realise what has happened until the money has moved, the credentials have been captured, or the sensitive document has been delivered to the wrong hands.
The following scenarios are composites of real attack patterns documented by the ACSC and the Australian Federal Police. They happen to organisations of every size, across every industry — including professional services firms whose entire value proposition rests on client trust.
An attacker identifies your organisation as a regular payer to a known supplier — information gathered entirely from your public web presence, LinkedIn, and industry directories. They send an email to your accounts payable contact from what appears to be your CEO’s address, advising that the supplier has changed their banking details and requesting that the next payment be redirected.
The email is professionally written. It references the supplier by name. It comes from ceo@yourcompany.com.au. Your accounts payable officer has received dozens of emails from that address. There is nothing visually or contextually suspicious about this one.
The payment is processed. The funds are transferred to an account controlled by the attacker and immediately moved offshore. The real supplier follows up on the overdue invoice three weeks later.
You are not always the target. Sometimes your domain is the weapon used against your clients. An attacker impersonates your firm in communications with people who trust you — sending engagement letters, fee invoices, or requests for sensitive documents that appear to originate from your organisation.
Your client receives an invoice from accounts@yourfirm.com.au for work you have legitimately performed. The banking details on the invoice have been quietly changed. They pay. You follow up on the outstanding balance. The conversation that follows — with a client who has just discovered they paid to an account you have never heard of — is one of the most damaging a professional services firm can have.
You did not send the email. But it came from your domain. The reputational damage is yours regardless.
An attacker sends a password reset notification to a senior staff member, appearing to come from a platform your organisation uses daily. The email is convincing because it is sent from a spoofed version of a domain your staff member recognises. The link leads to a convincing replica of a login page. The credentials entered are captured immediately.
With valid credentials to your systems, the attacker does not need to spoof anything else. They are inside. They read emails for weeks — learning payment cycles, client relationships, pending transactions, Board deliberations — before acting. The spoofed email that started the chain was detected by no security tool, flagged by no spam filter, and questioned by nobody.
The average dwell time — the period between initial access and detection — is over 200 days. Everything that happens in that window is invisible to you.
The Numbers That Should Concern Your Board
These figures represent only the losses that are reported. The ACSC consistently notes that business email compromise is significantly under-reported — particularly in professional services, where organisations are reluctant to disclose that a client’s funds were misdirected through their impersonated domain. The true scale of losses is materially higher than any published figure suggests.
The reputational arithmetic is straightforward. A single successful attack that results in a client losing money through your impersonated domain does not stay private. It becomes a reference point in every future client conversation, every due diligence inquiry, every regulatory interaction. For a firm whose value is built on trust and competence, that conversation dwarfs the direct financial loss in its consequences.
Why Most Organisations Remain Exposed
The authentication gap persists not because the fix is difficult, but because the exposure is invisible. There is no error message. No warning. No system alert indicating that your domain is unprotected. The absence of authentication is silent — until an attacker exploits it.
Many organisations believe they are protected because they have implemented some authentication configuration. This is frequently more dangerous than having nothing at all. Partial configurations — records that exist but are not enforced at a level that actually stops spoofed email reaching inboxes — create a false sense of security that prevents organisations from recognising they remain exposed.
A common configuration seen in passive assessments is a monitoring-only policy that generates reports nobody reads and stops nothing. An organisation that has implemented this believes it has addressed the risk. It has not. Spoofed emails are still reaching inboxes. The only difference is that the attacker’s activity is theoretically logged — in a report that nobody is reviewing.
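The passive check described earlier and the monitoring-only configuration just described both come down to a handful of public DNS records. The following is an added example written for this article, not BlackFlag Advisory's assessment tooling. It assumes that the "authentication records" the article refers to are the standard SPF record (a TXT record at the domain itself) and DMARC record (a TXT record at _dmarc.<domain>), and it classifies constructed sample records into the postures the article contrasts: nothing published, monitoring only, and enforced.

```python
# Added example: classify a domain's published email-authentication posture.
# Illustrative code written for this article, not BlackFlag Advisory's tooling.
# Assumes the records in question are SPF (TXT at <domain>) and DMARC
# (TXT at _dmarc.<domain>), and that receivers honour the DMARC "p=" policy.
import re
from dataclasses import dataclass, field

UNPROTECTED = "unprotected"          # no enforceable policy is published
MONITORING_ONLY = "monitoring_only"  # p=none: failures are reported, nothing is stopped
PARTIAL = "partial"                  # a policy exists but leaves a gap
ENFORCED = "enforced"                # p=reject applied to 100% of failing mail


@dataclass
class Posture:
    verdict: str
    reasons: list = field(default_factory=list)


def parse_spf(txt_records):
    """Return the SPF record string, or None if the domain publishes none."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            return rec
    return None


def spf_all_qualifier(spf):
    """Qualifier on the trailing 'all' mechanism: '-' hard fail, '~' soft fail,
    '?' neutral, '+' (or a bare 'all') pass. None if the record has no 'all'."""
    m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", spf)
    if not m:
        return None
    return m.group(1) or "+"


def parse_dmarc(txt_records):
    """Return the DMARC tags as a dict with lower-cased keys, or None if absent."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess(domain_txt, dmarc_txt):
    """Classify the posture from the TXT strings found at <domain> and at
    _dmarc.<domain>. Each argument is a list of TXT record strings."""
    reasons = []
    spf = parse_spf(domain_txt)
    dmarc = parse_dmarc(dmarc_txt)

    if spf is None:
        reasons.append("no SPF record: any server can claim to send for the domain")
    else:
        q = spf_all_qualifier(spf)
        if q in (None, "+", "?"):
            reasons.append("SPF does not fail unlisted senders ('%sall')" % (q or ""))
        elif q == "~":
            reasons.append("SPF soft-fails unlisted senders (~all); DMARC decides the outcome")

    if dmarc is None:
        reasons.append("no DMARC record: the visible From: address is never checked")
        return Posture(UNPROTECTED, reasons)

    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        reasons.append("DMARC p=none: failures are only reported, spoofed mail still lands in inboxes")
        return Posture(MONITORING_ONLY, reasons)

    verdict = ENFORCED
    if policy == "quarantine":
        reasons.append("DMARC p=quarantine: spoofed mail is diverted to spam, not rejected")
        verdict = PARTIAL
    try:
        pct = int(dmarc.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        reasons.append("DMARC pct=%d: policy applied to only %d%% of failing mail" % (pct, pct))
        verdict = PARTIAL
    if dmarc.get("sp", policy).lower() == "none":  # sp defaults to p when omitted
        reasons.append("DMARC sp=none: subdomains remain spoofable")
        verdict = PARTIAL
    if "rua" not in dmarc:
        reasons.append("no rua= address: nobody receives the aggregate reports")
    return Posture(verdict, reasons)


def lookup_txt(name):
    """Live DNS lookup helper; needs the third-party dnspython package."""
    import dns.resolver  # imported lazily so the offline demo below needs no extras
    answers = dns.resolver.resolve(name, "TXT")
    return ["".join(s.decode() for s in r.strings) for r in answers]


# Constructed sample records (not real domains) for the postures the article describes.
SAMPLES = {
    "unprotected": ([], []),
    "monitoring_only": (["v=spf1 include:_spf.example.net ~all"],
                        ["v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"]),
    "enforced": (["v=spf1 include:_spf.example.net -all"],
                 ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au"]),
}

if __name__ == "__main__":
    for label, (domain_txt, dmarc_txt) in SAMPLES.items():
        posture = assess(domain_txt, dmarc_txt)
        print(f"{label}: {posture.verdict}")
        for reason in posture.reasons:
            print("   -", reason)
```

To run this against a real domain, pass `lookup_txt(domain)` and `lookup_txt("_dmarc." + domain)` to `assess`. The distinction the article draws is visible in the second sample: the records exist and a report address is set, but because the policy tag is `p=none` the verdict is monitoring only, which is exactly the configuration that logs the attacker's activity without keeping the message out of the inbox.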
The Question Your Board Should Be Asking
The right question is not “have we done something about email security?” The right question is: if someone sent an email impersonating our organisation to our most important client today, would anything stop it reaching their inbox?
For most Australian businesses, the honest answer is no. And that answer has consequences — financial, regulatory, and reputational — that compound the longer the exposure remains unaddressed.
The attack does not announce its arrival. It arrives as a trusted email from a familiar domain, processed by a staff member who has no reason to question it, on an ordinary Tuesday afternoon. The first indication that something has gone wrong is a phone call from a client asking why their payment bounced, or a supplier chasing an invoice you have already paid, or a Board member asking why their login credentials stopped working.
The organisations that discover their exposure through a structured assessment control the narrative and the remediation timeline. The organisations that discover it through an incident do not. If you cannot answer with certainty whether your domain is fully protected — not just whether some records exist, but whether they are enforced at a level that actually stops spoofed email — that uncertainty is itself the answer.
A BlackFlag Advisory assessment will tell you exactly where you stand, what the specific risk is for your organisation, and what a Board-level response looks like — before anyone else makes that determination for you.