Finance
Human Resources
Technology
Australian business

Invoice Fraud and Payment Redirection Scams: The SME Playbook

A business owner comparing two near-identical invoices on screen, one genuine and one fraudulent with altered bank account details highlighted.
Scale Suite manages finance and HR for growing Australian businesses. Drop the team a message here →

Payment redirection scams cost Australians $166.8 million in 2025, up 9.3 per cent from $152.6 million the year before. Total combined scam losses rose 7.8 per cent to $2.18 billion in 2025, so overall losses are not falling. False billing is one of only a handful of top-five categories to record a year-on-year increase, even as reported losses sit 29.7 per cent below the 2022 peak. For small businesses, false billing was the most frequently reported scam type of all. The mechanics are unglamorous: no hacking of bank vaults, just an email that looks right, a bank account number that is wrong, and a payment that leaves on time to the wrong destination. This playbook covers how the fraud actually runs, the eight controls that stop it, and the first-hour response if money has already moved.

Published: July 2026


What Is a Payment Redirection Scam?

A payment redirection scam, often called business email compromise or BEC, is fraud that intercepts or imitates legitimate business communication to send a real payment to a criminal’s account. The invoice is usually genuine. The amount is usually genuine. Only the bank details have changed.

It arrives in three main forms.

  • The compromised supplier. A criminal gains access to a supplier’s mailbox, watches the invoice cycle, then emails you “updated bank details” from the supplier’s real address, sometimes as a doctored version of a real invoice. Everything checks out because everything except the account number is authentic.
  • The lookalike sender. No mailbox is compromised at all. The criminal registers a domain one character away from a supplier’s, or spoofs a director’s display name, and requests an urgent transfer or a change of payment details. These lean on urgency and authority: end of day, boss travelling, do not discuss.
  • The compromised you. Your own mailbox is breached, commonly through a phishing email that harvested a password. The criminal sets silent forwarding rules, edits your outgoing invoices so your customers pay the wrong account, or intercepts inbound supplier correspondence. Phishing remains the most common entry point, which is why the 65,361 phishing reports made in 2025 matter to businesses even when each individual phish looks trivial.

The common thread: the payment system worked perfectly. The verification system did not exist. For day-to-day accounts payable discipline that makes verification stick, see accounts payable management and outsourced accounts payable Australia. Scale Suite builds verification gates into finance services delivery because payment control and bookkeeping are the same discipline. National scam data is published by the National Anti-Scam Centre; report incidents via ReportCyber and Scamwatch.


Anatomy of an Attack

A typical incident runs like this. A staff member enters their email password on a convincing fake login page. The criminal logs in quietly, adds a mailbox rule that forwards supplier correspondence and deletes the evidence, and waits. Weeks pass. A progress claim, stock order or professional fee of meaningful size appears in the thread. The criminal sends the “our bank details have changed” email at the perfect moment, from the perfect address, sometimes attaching a modified copy of the genuine invoice.

Accounts payable updates the record, the payment run goes out, and the funds land in a mule account. From there the money is layered through further accounts or converted within hours. Recovery odds fall steeply with every hour that passes, which is why this playbook treats response speed as a control in its own right.

Consider the dollar reality with a hypothetical that mirrors hundreds of real reports: a building business pays an $84,600 progress claim to redirected details on a Thursday afternoon. The real supplier chases payment the following Wednesday. Six days have passed. By the time the bank recall request is lodged, the receiving account has been emptied. The business still owes the supplier the full $84,600, because paying a fraudster does not discharge the debt. The loss is not the payment. The loss is the payment twice: $169,200 of economic damage before legal fees, cashflow stress and management distraction.

A second common pattern hits outbound invoices. A design firm issues a $22,000 invoice. A criminal with mailbox access changes the BSB and account on the PDF the customer receives. The customer pays on time to the wrong account. The firm chases a debt that was already paid once to a criminal, while the customer believes they are clear. Trust damage can exceed the cash loss.


The Eight Controls That Stop It

None of these require enterprise software. All of them require the discipline to apply them without exception.

  • 1. Call-back verification on any new or changed bank details. This is the single highest-value control in payments. Any request to change an account number, from any party, for any reason, is verified by phoning a number you source independently: from your existing records, a prior contract or the supplier’s official website. Never the number on the email or the new invoice, because the fraudster wrote those. Make it policy, apply it to every change including ones apparently from the owner, and accept that it adds five minutes to a process that protects five-figure sums.
  • 2. Dual authorisation on payments. In your banking platform, separate the person who creates a payment from the person who releases it, with a second approver mandatory above a set threshold. A second set of eyes on the payee name and account is a last line of defence that costs nothing.
  • 3. Vendor master discipline. Bank details live in one controlled record, not in whichever email arrived last. Changes to that record follow the call-back process, are logged with who verified what and when, and batch payment files are reviewed against the master before release.
  • 4. Name checking at the point of payment. Australian banks have been progressively rolling out account name checking, known as Confirmation of Payee, which compares the account name you enter against the name on the receiving account. Where your bank offers it, use it, and treat any mismatch or partial match as a hard stop until verified by phone. It is a strong extra layer for new payees; it does not replace call-back verification, because criminals adapt account names too.
  • 5. Email hardening. Multi-factor authentication on every mailbox without exception, alerts on new forwarding or deletion rules, and modern authentication only. On the outbound side, set up SPF, DKIM and DMARC on your own domain so criminals cannot easily impersonate you to your customers. Your customers paying a fake version of your invoice is your problem commercially, whatever the legal position.
  • 6. Segregation of duties, even in a small team. The person who reconciles the bank should not be the only person who can pay from it. In a five-person business this can be as simple as the owner releasing payments a bookkeeper prepares. The structure matters more than the headcount.
  • 7. Outbound invoice hygiene. Print a standing line on every invoice: our bank details will never change by email; verify any change by phone on the number below. It costs one sentence and inoculates your customers against the most common attack on you. Use a clean template from an invoice generator and keep wording consistent.
  • 8. Pattern training for anyone who touches payments. The tells repeat: urgency, secrecy, a change of bank details, a new remittance email address, a domain one character off, pressure to skip process. Fifteen minutes of training twice a year, with real examples, turns your team into a detection layer. The goal is a culture where pausing a payment to verify is praised, never punished.

There is a ninth control hiding in plain sight: reconciliation cadence. A ledger reconciled weekly surfaces a redirected payment in days; a ledger reconciled quarterly surfaces it after the recovery window has closed. This is one of the quiet arguments for treating bookkeeping as an operating function rather than a compliance chore. At Scale Suite, accounts payable runs with verification gates and weekly reconciliation precisely because payment control and bookkeeping are the same discipline wearing different clothes. See internal controls for small business and paying suppliers on time for process design that does not trade speed for blindness.


Decision framework: which controls first

If you implement nothing else this month, implement call-back verification and dual authorisation. Those two stop most redirection losses.

If you have 30 minutes next, lock MFA on email and audit for silent forwarding rules.

If you have a half day, clean the vendor master, write the outbound invoice warning line, and train the three people who touch payments.

Budget is rarely the blocker. Exception culture is: “we know this supplier” is exactly the sentence criminals engineer.


If Money Has Already Moved: The First Hour

Speed is the whole game. Work the list in order.

  1. Call your bank immediately and ask for an urgent recall and trace on the payment. Banks cooperate with each other and with the Australian Financial Crimes Exchange to freeze funds, but only funds that are still there.
  2. Report to ReportCyber, the Australian Cyber Security Centre’s online reporting service, which routes the incident to law enforcement. Also report to Scamwatch so the pattern is visible to the National Anti-Scam Centre.
  3. Notify the real counterparty by phone. If their mailbox was the compromised one, every one of their customers is exposed right now.
  4. Preserve the evidence. Keep the emails including full headers, the fraudulent invoice, and the payment records. Do not delete anything.
  5. Assume compromise until proven otherwise. Reset passwords across the business, enforce MFA, and audit every mailbox for forwarding rules and unfamiliar sign-ins. If your systems were the entry point, the next payment is already being watched.
  6. Assess your privacy obligations. If personal information was accessed, the Notifiable Data Breaches scheme may require assessment and notification.
  7. Notify your insurer if you hold cyber or crime cover, and check the policy’s conditions on timeframes.
  8. Support the humans. The staff member who processed the payment followed an email that was designed by professionals to be followed. Fix the process, not the person, and point anyone whose identity details were exposed to IDCARE.


Cashflow after a double payment

If you still owe the real supplier $84,600 after funding a fraud, the immediate finance job is liquidity. Model the hit in a cash flow forecast calculator and the 1-month cash forecast calculator. Pause non-critical spend, speak to the bank about a temporary facility if needed, and do not “save cash” by delaying super or BAS: those create a second crisis on top of the first.


Related resources and next reading


FAQ

What is a payment redirection scam in simple terms?
A criminal convinces your business to pay a real invoice into the wrong bank account, usually by emailing “updated bank details” from a compromised or imitated email address. The payment is real, the invoice is real, the account is the fraud.

How do scammers change the bank details on an invoice?
Most commonly by compromising a mailbox on either side of the transaction through phishing, then either editing invoice PDFs in transit or sending a change-of-details email at the moment a large payment falls due. Lookalike domains that differ by one character do the same job without any hacking at all.

Can the bank recover money sent to a scammer?
Sometimes, and the odds are almost entirely a function of speed. Funds are typically moved through mule accounts within hours, so a recall requested the same day has a real chance and a recall requested the next week rarely does. Call the bank before you do anything else.

Do we still owe the supplier if we paid a fraudster?
Generally yes. Paying a criminal does not discharge the debt to the genuine supplier, which is why a redirected payment is effectively a double loss. Who bears it can depend on whose systems were compromised and what each party did, which is a commercial and legal negotiation you do not want to have.

Should we verify every change of bank details by phone?
Yes, every one, using a phone number sourced independently of the request. It is the single control with the best return in all of payments. The moment you allow exceptions for trusted suppliers or urgent requests, you have described exactly the transactions criminals target.

What is Confirmation of Payee?
An account name checking service Australian banks have been rolling out that compares the payee name you enter against the actual name on the destination account before you pay. Treat a mismatch as a stop sign. Use it as a layer on top of call-back verification, not instead of it.

Who do I report invoice fraud to in Australia?
Your bank first, then ReportCyber for law enforcement routing, and Scamwatch so the National Anti-Scam Centre sees the pattern. If identity information was exposed, IDCARE provides free support.

Are small businesses really targeted more than big ones?
Small businesses combine meaningful payment values with thin controls, which is the exact profile criminals prefer, and false billing was the most frequently reported scam type for small businesses in the latest national data. Reported losses also understate the truth, because many incidents are absorbed quietly and never reported.

Does cyber insurance cover payment redirection losses?
Some policies do under social engineering or funds transfer fraud extensions, often with sub-limits and strict conditions such as mandatory verification procedures. Read the conditions before the incident: a policy that requires call-back verification will not pay if the control was skipped.

What is the minimum control set for a five-person business?
Call-back verification for every bank detail change, dual authorisation on payments above a low threshold, MFA on all email, weekly bank reconciliation, and a standing line on invoices that bank details never change by email.


About Scale Suite

Scale Suite is a Sydney-based provider of outsourced finance teams and fractional CFO services for Australian SMEs. We deliver weekly bookkeeping, payroll, BAS/IAS lodgement, cashflow reporting, management accounts, and strategic fractional CFO oversight, all as a fully embedded team that works inside your business.

CA-qualified, Xero Certified, and registered BAS Agents, we replace fragmented bookkeepers and once-a-year accountants with one responsive finance function at a fraction of the cost of full-time hires. We serve growing businesses across Sydney, Melbourne, Brisbane, and Perth, with packages starting from $1,500 per month and no lock-in contracts.

Visit Scale Suite | View Our Finance Services | View Our HR Services | Get Your Free Proposal


Disclaimer

We review and check this guide periodically. At the time of writing (July 2026), all information was current. Scale Suite is a registered BAS Agent, not a licensed tax advisor or financial advisor. This content is general information only and does not constitute professional tax, financial, or legal advice. Some details may change over time.


Sources

  • National Anti-Scam Centre, Targeting Scams Report 2025 (total combined losses $2.18 billion, up 7.8%; payment redirection losses of $166.8 million, up 9.3%; small business false billing findings) (https://www.nasc.gov.au)
  • Scamwatch guidance on payment redirection and false billing scams (https://www.scamwatch.gov.au)
  • ReportCyber (https://www.cyber.gov.au/report-and-recover/report)
  • Australian Financial Crimes Exchange and IDCARE recovery pathway guidance
  • Australian Cyber Security Centre, ReportCyber and business email compromise guidance
  • Australian Financial Crimes Exchange
  • Office of the Australian Information Commissioner, Notifiable Data Breaches scheme guidance

About Scale Suite

Scale Suite is a Sydney-based provider of outsourced finance and HR services for Australian SMEs. We deliver bookkeeping, financial reporting, payroll processing, fractional CFO support, recruitment, employee onboarding, people and culture support, and fractional HR oversight, all as a fully embedded team that works inside your business.

Employment Hero Gold Partner, CA-qualified, and Xero Certified, we replace fragmented finance and HR processes with one responsive, senior-level function at a fraction of the cost of full-time hires. We serve growing businesses across Sydney, Melbourne, Brisbane, and Perth, with packages starting from $1,500 per month and no lock-in contracts.

Contact us

Book Your Free Assessment

30 minutes with our team.

We'll review your current finance setup, compare the full cost of an internal hire against our embedded team, and show you exactly what your finance function should cost at your stage of growth.

You'll leave with a clear view of what's working, what's missing, and where you'd save.

No lock-in contracts. 30-day money-back guarantee.

Prefer to book directly?
Grab a time here.

Thanks, you're in. Grab a time below.
Pick a 30-min slot that works and we'll see you there.

Prefer us to call you? We'll reach out with the details you've provided.
Oops! Something went wrong while submitting the form.
"A collage of five people in circular frames: a woman smiling by a blue door, a young man in an apron, a man in a shirt near shelves, a woman with long hair in an office, and a man in profile view."

Book your free 30-minute strategy call now

Schedule My Call