Beyond the ABN: Why a Valid ABN Is Not Enough
A valid, active ABN is the minimum threshold for supplier legitimacy — not the maximum. Here is why accountants who stop at the ABN check are leaving serious risk on the table.
The ABN Is a Starting Point, Not a Finish Line
The Australian Business Number was introduced in 2000 to simplify business dealings with government. In the years since, it has also become the de facto first check in supplier onboarding: look up the ABN, confirm it is active, move on. For many organisations, this is where supplier verification ends.
The problem is that an active, legitimate ABN tells you almost nothing about whether the entity presenting it is the entity you think you are dealing with. It confirms that someone registered a business at some point. It does not confirm that the invoice you received came from that business, that the banking details on the invoice are controlled by that business, or that the business has any meaningful operational presence at all.
What an ABN Actually Tells You
| Risk Type | Risk Description | Risk Level |
|---|---|---|
| Identity Theft | Supplier impersonation | High |
| Financial Fraud | Unpaid invoices | Medium |
| Regulatory Non-Compliance | Unregistered business | Low |
| Reputation Damage | Association with illegitimate supplier | High |
| Operational Disruption | Delayed or lost goods | Medium |
When you look up an ABN through the Australian Business Register, you get the following information:
- Whether the ABN is currently active or cancelled
- The entity name registered to the ABN
- The entity type (company, sole trader, partnership, trust, etc.)
- The state and postcode of the principal business address
- Whether the entity is registered for GST
- The date the ABN became active
That is a useful set of data. But notice what is not on that list: any information about the entity's web presence, email infrastructure, domain registration, reputation, or operational legitimacy. The ABR is a registration database, not a fraud-detection system.
The Five Things an ABN Check Cannot Tell You
1. Whether the Entity Operates a Legitimate Website
A supplier that has traded for ten years should have an established web presence. A domain registered last month — or no domain at all — is a red flag that a basic ABN lookup will never surface. Domain age is one of the most reliable early indicators of potential fraud: most fraudulent supplier setups involve domains registered days or weeks before the fraudulent invoices arrive.
2. Whether the Email Domain Is Legitimately Controlled
The email address on a fraudulent invoice frequently comes from a domain that looks similar to, but is not, the legitimate supplier's domain: "smithplumbing-invoices.com" instead of "smithplumbing.com.au", for example. Or it comes from a legitimate-looking domain with no Sender Policy Framework (SPF) record, no DMARC policy, and no verifiable connection to the entity. An ABN check tells you nothing about any of this.
3. Whether the Entity's Domain Has a Clean Reputation
Threat intelligence databases — Spamhaus, SURBL, URIBL, OpenPhish — maintain real-time lists of domains associated with spam, phishing, and malware. These lists are updated continuously and are among the fastest signals that a domain is being misused. Checking an ABN on the ABR will never surface a Spamhaus listing.
4. Whether the ASIC Record Matches
For companies (as opposed to sole traders or trusts), ASIC maintains a separate register of company registrations. A company can be deregistered by ASIC — for failure to lodge returns, for winding up, or for application by the company itself — while the ABN remains active in the ABR for a period. Paying an invoice from a deregistered company is both a legal risk and a strong indicator of fraud.
5. Whether the State and Postcode Are Consistent
This sounds trivial, but it is a surprisingly effective signal. An ABN registered in a Queensland postcode range with a Victorian state code indicates either a data error or an attempt to fabricate legitimacy using a real ABN. The ABR data is sufficient to detect this, but most manual ABN lookups do not check it.
The Risk of False Confidence
There is a particular risk that comes from doing an ABN check: it creates a sense of having done due diligence when in fact very little has been done. An invoice from a fraudulent entity with a legitimate-looking ABN will pass a basic ABN check. The accounts payable officer who performs that check and then approves the payment is not negligent; they followed their process. But the process was insufficient.
This matters for more than just fraud prevention. In the event of an audit or insurance claim following a fraud event, "we checked the ABN" is not a compelling demonstration of reasonable due diligence. "We checked the ABN, verified the entity's web presence, confirmed the domain age, checked the email infrastructure, and ran the domain against threat intelligence databases — and here is the timestamped report" is.
"An active, legitimate ABN tells you almost nothing about whether the entity presenting it is the entity you think you are dealing with. It confirms someone registered a business. It does not confirm the invoice came from that business."
What a Complete Check Looks Like
A comprehensive supplier verification covers at minimum:
- ABN status and age — Is it active? How long has it been registered?
- GST registration — Is it consistent with the entity type and claimed turnover?
- ASIC company status — Is the entity deregistered? Does the ASIC record match the ABR record?
- Web presence — Does a live website exist? Is it HTTPS? Does it look like an operating business?
- Domain age — When was the domain registered? A domain under six months old warrants heightened scrutiny.
- Email infrastructure — Are MX records, SPF, and DMARC present? Is the domain spam-listed?
- Reputation — Has the domain appeared in phishing or spam databases?
- Address consistency — Does the postcode match the stated state?
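The checks in this list that need no live lookup (address consistency, domain age, SPF and DMARC presence), together with the lookalike sender domain described earlier, as an added example that is not Gumshoe's code or scoring. The field names, the 0.8 similarity cut-off and the sample record are assumptions, and DNS and registration data are passed in rather than fetched.

```python
from datetime import date
from difflib import SequenceMatcher

# Commonly published postcode allocations (inclusive). A few border postcodes
# straddle states, so a mismatch is a prompt for review, not proof of fraud.
RANGES = {
    "NSW": [(1000, 2599), (2619, 2899), (2921, 2999)],
    "ACT": [(200, 299), (2600, 2618), (2900, 2920)],
    "VIC": [(3000, 3999), (8000, 8999)], "QLD": [(4000, 4999), (9000, 9999)],
    "SA": [(5000, 5999)], "WA": [(6000, 6999)], "TAS": [(7000, 7999)], "NT": [(800, 999)],
}

def postcode_matches_state(state, postcode):  # int("0800") == 800
    return any(lo <= int(postcode) <= hi for lo, hi in RANGES.get(state.upper(), []))

def is_lookalike(sender, known):
    # Different domain that reuses or closely imitates the known brand label.
    sender, known = sender.lower(), known.lower()
    if sender == known or sender.endswith("." + known):
        return False
    brand, label = known.split(".")[0], sender.split(".")[0]
    return brand in sender or SequenceMatcher(None, brand, label).ratio() >= 0.8

def dmarc_policy(records):
    # p= value of the first DMARC TXT record, or None when no record exists.
    for rec in records:
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return tags.get("p", "").strip().lower() or None
    return None

def review_supplier(s, today):
    # s holds facts already collected; the field names are hypothetical.
    policy = dmarc_policy(s["dmarc_txt"])
    checks = [
        ("postcode_state_mismatch", not postcode_matches_state(s["state"], s["postcode"])),
        ("lookalike_sender_domain", is_lookalike(s["sender_domain"], s["known_domain"])),
        ("domain_under_six_months", (today - s["registered"]).days < 183),
        ("no_spf", not any(r.lower().startswith("v=spf1") for r in s["txt"])),
        ("no_dmarc", policy is None),
        ("dmarc_monitor_only", policy == "none"),  # p=none reports but never blocks
    ]
    return [name for name, hit in checks if hit]

# Constructed sample record; every value is invented for illustration.
SAMPLE = {"state": "VIC", "postcode": "4000", "registered": date(2024, 5, 20),
          "known_domain": "smithplumbing.com.au", "txt": ["v=constructed"],
          "sender_domain": "smithplumbing-invoices.com", "dmarc_txt": []}
print(review_supplier(SAMPLE, date(2024, 6, 10)))
```

Each flag is a reason to look closer before paying, and an empty list is not a clearance: ASIC status, live web presence and blocklist checks still need their own lookups.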
Gumshoe runs all eight of these checks simultaneously in under 60 seconds and produces a weighted assurance score with a timestamped, auditable report. For a team that currently stops at the ABN, this is not more work — it is the same work, done properly, in a fraction of the time.
Uncommon Insights
One of the lesser-known risks of relying solely on ABN checks is the potential for ASIC record mismatches. Under section 601AD of the Corporations Act 2001, ASIC is required to maintain a register of Australian companies. However, if the ASIC record does not match the ABN details, it may indicate that the entity is not what it claims to be. A study by ASIC found that in 2020, 1 in 5 companies had inconsistent or missing information on their ASIC record, highlighting the need for additional verification checks beyond the ABN.
Another critical oversight is the failure to verify the supplier's email domain. A legitimate supplier should have a controllable email domain, but a simple ABN check will not reveal this information. Under the ATO's guidelines for electronic invoicing, suppliers are required to have a legitimate email address (PS LA 2011/22). However, without verifying the email domain, businesses may be exposing themselves to phishing scams or fraudulent invoices. A 2020 report by the Australian Cyber Security Centre found that phishing attacks were the most common type of cybercrime in Australia, highlighting the need for robust email domain verification.
The Australian Taxation Office (ATO) has specific guidelines for verifying the identity of suppliers, particularly in relation to GST registration (GST Ruling GSTR 2000/17). However, an ABN check alone does not confirm whether the supplier is registered for GST or if their GST registration is legitimate. Failure to verify GST registration can result in unpaid GST liabilities, which can be a significant financial risk for businesses. In 2019, the ATO reported that it had recovered over $1 billion in unpaid GST liabilities, highlighting the importance of robust GST verification processes.
Finally, an ABN check does not provide any information about the supplier's operational legitimacy or reputation. Under section 18 of the Australian Consumer Law, businesses have an obligation to ensure that their suppliers are not engaging in misleading or deceptive conduct. However, without conducting additional checks, businesses may be unknowingly associating themselves with illegitimate suppliers, which can damage their reputation and lead to financial losses. A 2020 survey by the Australian Competition and Consumer Commission found that 1 in 5 businesses had experienced financial losses due to supplier misconduct, highlighting the need for robust supplier verification processes that go beyond the ABN check.
Run a Free Entity Check in 60 Seconds
Gumshoe cross-references ABR, ASIC, PPSR, domain registrars, DNS, and threat intelligence for any Australian business — returning a weighted assurance score across eight checks. Free for most checks, no account required.