Training on Business Email Compromise for Payment Handling
Staff learn about email scams that change payment details and how to report them.
Plain language
This control is about training staff who handle payments to recognise email scams that change payment details. It's crucial because if scammers trick your staff into sending money to a fraudulent account, your business could lose a significant amount of money, damaging both your finances and reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
Personnel dealing with banking details and payment requests are advised of what business email compromise is, how to manage such situations and how to report it.
Why it matters
Failure to train staff on business email compromise can lead to misdirected payments, financial loss and reputational damage.
Operational notes
Provide regular BEC-focused training for staff handling banking details, and require immediate reporting of suspicious payment-change emails.
Implementation tips
- Management should organise regular training for employees who deal with accounts and payments. The training should cover how to identify suspicious emails and what changes to look out for, like altered payment details. Use real-world examples to highlight common scam tactics.
- The finance manager should ensure there is a procedure in place to verify any requested changes to payment details. This can be done by setting up a dual verification process, where a phone call is made to an established contact number before any changes are made.
- IT support staff should configure email systems to flag suspicious emails. This can involve setting up filters that detect common red flags, such as mismatched email addresses and changes in language style.
- Managers should encourage a 'reporting culture' where any suspected scam emails are quickly reported to IT or a chosen internal team. This can be facilitated by outlining a simple process in an internal memo or guide, ensuring all employees know who to contact.
- HR should integrate cybersecurity awareness into the onboarding process for new hires. Include a section on recognising and reporting scams, and ensure this is reinforced with refresher courses throughout the year.
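Added example, not from this page or Control Stack: a small Python triage check that implements two of the red flags named above (a Reply-To domain that differs from the visible sender, and a mailbox name that matches a verified supplier but sits at another domain) plus a body check for payment-change wording, so that matching messages can be held for the phone-based dual verification step rather than acted on. The supplier allow-list and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed allow-list of verified supplier mailboxes (hypothetical addresses).
KNOWN_SUPPLIERS = {"accounts@acme-supplies.example"}
# Body wording that signals a request to change banking details.
BANK_WORDS = re.compile(r"\b(bank|bsb|iban|account)\b", re.I)
CHANGE_WORDS = re.compile(r"\b(chang\w*|updat\w*|new)\b", re.I)

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def bec_red_flags(raw_message: str) -> List[str]:
    """Return the BEC indicators found in one message; an empty list means none."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    flags = []
    # 1. Replies silently routed to a different domain than the visible sender.
    if reply_to and _domain(reply_to) != _domain(sender):
        flags.append(f"Reply-To domain {_domain(reply_to)} differs from sender domain {_domain(sender)}")
    # 2. Mailbox name matches a verified supplier but the domain does not (lookalike).
    if sender.lower() not in KNOWN_SUPPLIERS:
        for known in KNOWN_SUPPLIERS:
            if known.split("@")[0] == sender.split("@")[0].lower():
                flags.append(f"sender {sender} resembles verified contact {known}")
    # 3. Body asks for banking details to be changed: hold for phone verification.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if BANK_WORDS.search(body) and CHANGE_WORDS.search(body):
        flags.append("requests a change to payment details; verify by phone on the established number")
    return flags

# Constructed sample messages for demonstration (not real mail).
SUSPICIOUS = """From: "Acme Supplies Accounts" <accounts@acme-supplies-billing.example>
Reply-To: finance.desk@webmail.example
To: payments@yourorg.example
Subject: Updated bank details for invoice 4471

Please note our bank account has changed. Use the new details below for all future payments.
"""
LEGITIMATE = """From: "Acme Supplies Accounts" <accounts@acme-supplies.example>
To: payments@yourorg.example
Subject: Invoice 4471

Invoice 4471 is attached. Payment is due in 30 days as usual.
"""
print(bec_red_flags(SUSPICIOUS), bec_red_flags(LEGITIMATE))
```

The check is a routing aid for the verification procedure, not a replacement for it: a message with no flags still goes through the normal process for any payment-detail change.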
Audit / evidence tips
- Ask: training records. Request records of staff training sessions related to email scams and payment handling.
  Good: shows that all relevant staff have been trained within the last year.
- Ask: the procedure document. Request the documented process for verifying changes to payment details.
  Good: a well-defined, simple procedure that has been communicated to staff.
- Ask: a demonstration of email filters. Request IT to show proof of configured email filters for scam detection.
  Good: includes recently updated filters with logs showing blocked or flagged emails.
- Ask: incident records. Request a report of any reported incidents of suspected email scams.
  Good: includes detailed incident notes showing timely reporting and resolution actions.
- Ask: onboarding records. Request evidence of cybersecurity awareness components in the onboarding process.
  Good: includes consistent use of materials and ongoing education plans.
Cross-framework mappings
How ISM-1740 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 6.8 | ISM-1740 requires personnel handling payment details to know what BEC is and how to report it through the organisation's processes | |
| Related (1) | | |
| Annex A 6.3 | Annex A 6.3 requires an organisation-wide, role-appropriate security awareness and training programme with regular updates to relevant po... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.