
Payment redirection scams cost Australians $166.8 million in 2025, up 9.3 per cent from $152.6 million the year before. Total combined scam losses rose 7.8 per cent to $2.18 billion in 2025, so overall losses are not falling. False billing is one of only a handful of top-five categories to record a year-on-year increase, even as reported losses sit 29.7 per cent below the 2022 peak. For small businesses, false billing was the most frequently reported scam type of all. The mechanics are unglamorous: no hacking of bank vaults, just an email that looks right, a bank account number that is wrong, and a payment that leaves on time to the wrong destination. This playbook covers how the fraud actually runs, the eight controls that stop it, and the first-hour response if money has already moved.
Published: July 2026
A payment redirection scam, often called business email compromise or BEC, is fraud that intercepts or imitates legitimate business communication to send a real payment to a criminal’s account. The invoice is usually genuine. The amount is usually genuine. Only the bank details have changed.
It arrives in three main forms.
The common thread: the payment system worked perfectly. The verification system did not exist. For day-to-day accounts payable discipline that makes verification stick, see accounts payable management and outsourced accounts payable Australia. Scale Suite builds verification gates into finance services delivery because payment control and bookkeeping are the same discipline. National scam data is published by the National Anti-Scam Centre; report incidents via ReportCyber and Scamwatch.
A typical incident runs like this. A staff member enters their email password on a convincing fake login page. The criminal logs in quietly, adds a mailbox rule that forwards supplier correspondence and deletes the evidence, and waits. Weeks pass. A progress claim, stock order or professional fee of meaningful size appears in the thread. The criminal sends the “our bank details have changed” email at the perfect moment, from the perfect address, sometimes attaching a modified copy of the genuine invoice.
Accounts payable updates the record, the payment run goes out, and the funds land in a mule account. From there the money is layered through further accounts or converted within hours. Recovery odds fall steeply with every hour that passes, which is why this playbook treats response speed as a control in its own right.
Consider the dollar reality with a hypothetical that mirrors hundreds of real reports: a building business pays an $84,600 progress claim to redirected details on a Thursday afternoon. The real supplier chases payment the following Wednesday. Six days have passed. By the time the bank recall request is lodged, the receiving account has been emptied. The business still owes the supplier the full $84,600, because paying a fraudster does not discharge the debt. The loss is not the payment. The loss is the payment twice: $169,200 of economic damage before legal fees, cashflow stress and management distraction.
A second common pattern hits outbound invoices. A design firm issues a $22,000 invoice. A criminal with mailbox access changes the BSB and account on the PDF the customer receives. The customer pays on time to the wrong account. The firm chases a debt that was already paid once to a criminal, while the customer believes they are clear. Trust damage can exceed the cash loss.
None of these require enterprise software. All of them require the discipline to apply them without exception.
There is a ninth control hiding in plain sight: reconciliation cadence. A ledger reconciled weekly surfaces a redirected payment in days; a ledger reconciled quarterly surfaces it after the recovery window has closed. This is one of the quiet arguments for treating bookkeeping as an operating function rather than a compliance chore. At Scale Suite, accounts payable runs with verification gates and weekly reconciliation precisely because payment control and bookkeeping are the same discipline wearing different clothes. See internal controls for small business and paying suppliers on time for process design that does not trade speed for blindness.
If you implement nothing else this month, implement call-back verification and dual authorisation. Those two stop most redirection losses.
If you have 30 minutes next, lock MFA on email and audit for silent forwarding rules.
If you have a half day, clean the vendor master, write the outbound invoice warning line, and train the three people who touch payments.
Budget is rarely the blocker. Exception culture is: “we know this supplier” is exactly the sentence criminals engineer.
Speed is the whole game. Work the list in order.
If you still owe the real supplier $84,600 after funding a fraud, the immediate finance job is liquidity. Model the hit in a cash flow forecast calculator and the 1-month cash forecast calculator. Pause non-critical spend, speak to the bank about a temporary facility if needed, and do not “save cash” by delaying super or BAS: those create a second crisis on top of the first.
What is a payment redirection scam in simple terms?
A criminal convinces your business to pay a real invoice into the wrong bank account, usually by emailing “updated bank details” from a compromised or imitated email address. The payment is real, the invoice is real, the account is the fraud.
How do scammers change the bank details on an invoice?
Most commonly by compromising a mailbox on either side of the transaction through phishing, then either editing invoice PDFs in transit or sending a change-of-details email at the moment a large payment falls due. Lookalike domains that differ by one character do the same job without any hacking at all.
Can the bank recover money sent to a scammer?
Sometimes, and the odds are almost entirely a function of speed. Funds are typically moved through mule accounts within hours, so a recall requested the same day has a real chance and a recall requested the next week rarely does. Call the bank before you do anything else.
Do we still owe the supplier if we paid a fraudster?
Generally yes. Paying a criminal does not discharge the debt to the genuine supplier, which is why a redirected payment is effectively a double loss. Who bears it can depend on whose systems were compromised and what each party did, which is a commercial and legal negotiation you do not want to have.
Should we verify every change of bank details by phone?
Yes, every one, using a phone number sourced independently of the request. It is the single control with the best return in all of payments. The moment you allow exceptions for trusted suppliers or urgent requests, you have described exactly the transactions criminals target.
What is Confirmation of Payee?
An account name checking service Australian banks have been rolling out that compares the payee name you enter against the actual name on the destination account before you pay. Treat a mismatch as a stop sign. Use it as a layer on top of call-back verification, not instead of it.
Who do I report invoice fraud to in Australia?
Your bank first, then ReportCyber for law enforcement routing, and Scamwatch so the National Anti-Scam Centre sees the pattern. If identity information was exposed, IDCARE provides free support.
Are small businesses really targeted more than big ones?
Small businesses combine meaningful payment values with thin controls, which is the exact profile criminals prefer, and false billing was the most frequently reported scam type for small businesses in the latest national data. Reported losses also understate the truth, because many incidents are absorbed quietly and never reported.
Does cyber insurance cover payment redirection losses?
Some policies do under social engineering or funds transfer fraud extensions, often with sub-limits and strict conditions such as mandatory verification procedures. Read the conditions before the incident: a policy that requires call-back verification will not pay if the control was skipped.
What is the minimum control set for a five-person business?
Call-back verification for every bank detail change, dual authorisation on payments above a low threshold, MFA on all email, weekly bank reconciliation, and a standing line on invoices that bank details never change by email.
Scale Suite is a Sydney-based provider of outsourced finance teams and fractional CFO services for Australian SMEs. We deliver weekly bookkeeping, payroll, BAS/IAS lodgement, cashflow reporting, management accounts, and strategic fractional CFO oversight, all as a fully embedded team that works inside your business.
CA-qualified, Xero Certified, and registered BAS Agents, we replace fragmented bookkeepers and once-a-year accountants with one responsive finance function at a fraction of the cost of full-time hires. We serve growing businesses across Sydney, Melbourne, Brisbane, and Perth, with packages starting from $1,500 per month and no lock-in contracts.
Visit Scale Suite | View Our Finance Services | View Our HR Services | Get Your Free Proposal
We review and check this guide periodically. At the time of writing (July 2026), all information was current. Scale Suite is a registered BAS Agent, not a licensed tax advisor or financial advisor. This content is general information only and does not constitute professional tax, financial, or legal advice. Some details may change over time.
Scale Suite is a Sydney-based provider of outsourced finance and HR services for Australian SMEs. We deliver bookkeeping, financial reporting, payroll processing, fractional CFO support, recruitment, employee onboarding, people and culture support, and fractional HR oversight, all as a fully embedded team that works inside your business.
Employment Hero Gold Partner, CA-qualified, and Xero Certified, we replace fragmented finance and HR processes with one responsive, senior-level function at a fraction of the cost of full-time hires. We serve growing businesses across Sydney, Melbourne, Brisbane, and Perth, with packages starting from $1,500 per month and no lock-in contracts.
30 minutes with our team.
We'll review your current finance setup, compare the full cost of an internal hire against our embedded team, and show you exactly what your finance function should cost at your stage of growth.
You'll leave with a clear view of what's working, what's missing, and where you'd save.
No lock-in contracts. 30-day money-back guarantee.
Prefer to book directly? Grab a time here.

