
Invoice Fraud Is Exploding in Australia — Here Is How to Spot It

March 10, 2026

Invoice fraud has become the single biggest cybercrime category targeting Australian small businesses, with the ACCC's Scamwatch recording hundreds of millions in losses annually — and those are only the reported cases. The actual figure is estimated to be three to five times higher because businesses are often too embarrassed to report, or do not realise they are victims of fraud until much later.

How Modern Invoice Fraud Works

Business Email Compromise (BEC): Attackers gain access to a legitimate email account and monitor communications. They learn the payment schedule, the amounts, the names involved, and the writing style. At a strategic moment, they send a convincing email from the legitimate address claiming that bank account details have changed. The email is grammatically perfect, uses correct names, and references real invoice numbers.

Domain Spoofing: Attackers register a domain that looks almost identical to your supplier's — replacing an 'l' with a '1', or using '.com' instead of '.com.au'. They send invoices that appear genuine in every respect except for that one character difference in the email address.

AI-Generated Invoices: The latest technique uses AI to generate pixel-perfect replicas of your actual supplier's invoices, including logos, fonts, and formatting — with only the bank account details changed.

Who Is Most at Risk?

Any business that processes invoices by email is at risk. However, businesses in the construction, legal, real estate, and professional services sectors are particularly targeted due to high transaction volumes and the regularity of large payments. Businesses that deal with many suppliers — meaning invoice verification is difficult to prioritise — are especially vulnerable. And businesses where the finance function is handled by a single person with little oversight are frequent targets.

The One Rule That Prevents Most Invoice Fraud

Implement a simple policy: any request to change a bank account or payment destination must be verified by phone before processing. Call the supplier on a number you have used before or sourced independently, not one provided in the suspicious email or invoice, which may itself have been modified by the attacker. This single policy prevents the vast majority of invoice fraud attacks.

Technical Controls That Help

Enable multi-factor authentication on all email accounts — this is the most effective way to prevent criminals from accessing your email to monitor payment communications. Configure DMARC on your business domain to prevent criminals from spoofing your email address when attacking your clients and suppliers. Implement email security filtering that flags emails from lookalike domains. And consider using a dedicated accounts payable email address that has stricter access controls and monitoring.
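As an added example (not part of the original article or any IntrusionX tooling), here is one way a mail filter could flag the lookalike domains described under Domain Spoofing: the '1' for 'l' swap and the '.com' for '.com.au' swap. The supplier list, suffix list, and sample senders are constructed for illustration.

```python
# Added example: flag sender domains that imitate a known supplier domain.
# Supplier list, suffix list and sample senders are constructed for illustration.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"steelsupplies.com.au", "melbournelegal.com.au"}
MULTI_SUFFIXES = ("com.au", "net.au", "org.au")  # assumed subset, not a full list
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})  # digit -> letter it imitates

def sender_domain(from_header):
    """Domain part of a From header, lower-cased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")

def name_label(domain):
    """Label left of the suffix: 'acme' for acme.com.au and for mail.acme.com."""
    for suffix in MULTI_SUFFIXES:
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].rpartition(".")[2]
    return domain.rpartition(".")[0].rpartition(".")[2]

def edit_distance(a, b):
    """Levenshtein distance, kept one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(from_header, trusted=TRUSTED_DOMAINS):
    """Return (verdict, domain); for a lookalike, domain is the one imitated."""
    domain = sender_domain(from_header)
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return ("trusted", domain)
    label = name_label(domain)
    for good in sorted(trusted):
        good_label = name_label(good)
        if label == good_label:
            return ("lookalike-tld", good)        # .com in place of .com.au
        if label.translate(HOMOGLYPHS) == good_label.translate(HOMOGLYPHS):
            return ("lookalike-homoglyph", good)  # '1' in place of 'l'
        if len(good_label) >= 6 and edit_distance(label, good_label) <= 1:
            return ("lookalike-typo", good)       # one character added/dropped/changed
    return ("unknown", domain)

if __name__ == "__main__":
    for sender in ("Accounts <accounts@steelsupplies.com.au>",
                   "Accounts <accounts@steelsupp1ies.com.au>",
                   "accounts@steelsupplies.com",
                   "billing@melbournelega.com.au"):
        print(sender, "->", classify(sender))
```

A lookalike verdict is a reason to hold the payment and make the verification call, not proof of fraud. A "trusted" verdict only means the domain string matches; it says nothing about a compromised mailbox, which is the BEC case.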

Recovering From Invoice Fraud

If your business has already been a victim of invoice fraud, act immediately. Contact your bank within minutes if possible — domestic transfers can sometimes be reversed if reported quickly enough. Contact the receiving bank's fraud team directly. Report to the ACCC via Scamwatch and to the Australian Federal Police for amounts over $5,000. Document everything for your insurance claim if you have business crime or cyber insurance. Many policies cover business email compromise losses if the right controls were in place.

IntrusionX helps Melbourne small businesses implement the technical and procedural controls that prevent invoice fraud. Contact us for a free assessment of your current email security and payment processes.

Building a Fraud-Resistant Payment Culture

Beyond technical controls, the most durable protection against invoice fraud is a payment culture where verification is normalised — not treated as a sign of distrust. When your team understands that the phone call to verify a new bank account is a standard procedure (not a personal affront to the supplier), it becomes easy to enforce consistently. Communicate this policy to your suppliers proactively: "Our policy requires us to verify any bank account changes by phone — please expect a call from us if you ever update your details." This communication is professional, creates no friction with genuine suppliers, and specifically deters attackers who rely on the assumption that your team will not call. IntrusionX helps Melbourne small businesses implement these combined technical and procedural fraud prevention controls — contact us for a free assessment.
