Industry Insight 20 May 2026 · Gumshoe Team

The Hidden Cost of Supplier Fraud in Australia

Australian businesses lose an estimated $3.1 billion annually to payment fraud. Most of it starts with a supplier that was never properly verified. Here is what the numbers actually look like — and where the exposure sits.

The Scale of the Problem

  • $3.1B: Annual AU business losses to invoice and payment fraud
  • 68%: Of reported losses affect small and medium businesses
  • 80 hrs: Typical internal investigation time per fraud incident
  • $50k+: Median total incident cost including indirect losses

The Australian Competition and Consumer Commission's most recent Scamwatch data puts business losses from payment redirection and invoice fraud at over $3.1 billion annually. That figure has grown every year for the past decade. What makes it particularly alarming is that most of these losses are not the result of sophisticated cyberattacks. They are the result of someone paying an invoice they should not have paid — to an entity they should have checked but did not.

Supplier fraud sits at the intersection of two well-understood problems: identity fraud and process failure. The fraud itself is usually simple. What enables it is the absence of a systematic check at the point of onboarding a new supplier or when banking details change.

Where the Losses Actually Occur

SUPPLIER FRAUD RISK MATRIX

Risk Type            Risk Level    Annual Loss (AUD)
Payment Scams        High          $1.8 billion
Identity Theft       Medium        $600 million
Invoice Tampering    Low           $200 million
Procurement Fraud    High          $400 million
Contractor Scams     Medium        $100 million

A common misconception is that supplier fraud is mostly a large-enterprise problem. In fact, the ACCC's data consistently shows that small and medium businesses — those with 2 to 50 employees — account for the majority of reported losses. This is not because they are more frequently targeted. It is because large organisations typically have purchase-order systems, multi-approver payment workflows, and dedicated fraud teams. Small businesses rely on trust, familiarity, and the judgement of one or two people in accounts.

The three most common supplier fraud vectors in Australia are:

  • Business email compromise (BEC): A fraudster either compromises a supplier's email account or creates a convincing lookalike domain and requests updated banking details. The invoice that follows looks legitimate because it references real purchase orders and uses the supplier's branding.
  • Fictitious supplier creation: A new supplier is created in the vendor master — sometimes with insider assistance — and invoices are submitted for services or goods never delivered. The ABN is real but the business is a shell.
  • Existing supplier impersonation: A fraudster registers a domain extremely similar to a legitimate supplier's domain (e.g., smithplumbing-au.com instead of smithplumbing.com.au) and begins submitting invoices or requesting payment-detail changes.
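
The lookalike-domain pattern in the last bullet can be checked mechanically when an invoice or change request arrives. The following is an added example, not Gumshoe's code: it compares the sender's domain with the domain held in the vendor master, and the suffix list, confusable-character set, threshold and sample addresses are all constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed, deliberately short suffix list (assumption); production code
# should use the full Public Suffix List.
SUFFIXES = ("com.au", "net.au", "org.au", "com", "net", "org")
# Character swaps often seen in lookalike registrations (assumed set).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def split_domain(domain):
    """Return (label, suffix) for the registrable part of a domain."""
    d = domain.strip().lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if d.endswith("." + suffix):
            return d[: -len(suffix) - 1].split(".")[-1], suffix
    parts = d.split(".")
    return (parts[-2], parts[-1]) if len(parts) > 1 else (d, "")


def skeleton(label):
    """Strip hyphens and fold confusable characters before comparing."""
    s = label.replace("-", "")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def classify_sender(sender_email, domain_on_file, threshold=0.85):
    """Compare an invoice sender's domain with the vendor-master domain."""
    sender = split_domain(sender_email.rsplit("@", 1)[-1])
    on_file = split_domain(domain_on_file)
    if sender == on_file:
        return "match"
    score = SequenceMatcher(None, skeleton(sender[0]), skeleton(on_file[0])).ratio()
    return "lookalike" if score >= threshold else "unrelated"


if __name__ == "__main__":
    # Constructed sender addresses checked against one vendor record.
    for addr in ("accounts@smithplumbing.com.au", "accounts@smithplumbing-au.com",
                 "accounts@smithplurnbing.com.au", "billing@acmefreight.com.au"):
        print(addr, "->", classify_sender(addr, "smithplumbing.com.au"))
```

A "lookalike" result is the case that should hold the payment: the sender is close to a known supplier but is not that supplier's domain on file.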

The Cost That Does Not Appear in Loss Statistics

The direct financial loss is only part of the story. Supplier fraud generates significant indirect costs that rarely appear in reported figures:

  • Investigation time: A typical fraud incident requires 40 to 80 hours of internal investigation before it is resolved or written off. At professional services billing rates, this alone can exceed the original fraud amount.
  • Remediation and legal costs: Banks in Australia are under no obligation to recover payments made to fraudulent accounts where the payer authorised the transaction. Legal recovery is expensive and rarely successful.
  • Audit and compliance costs: Following a fraud event, most businesses are required by their insurers or directors to commission an external audit of their AP processes. This typically costs $15,000 to $50,000.
  • Reputational damage: If the fraud involves a compromise of the business's own systems — meaning the fraudster accessed your email or accounting software — suppliers and customers may need to be notified under the Notifiable Data Breaches scheme.
  • Insurance premium increases: A successful fraud claim will typically trigger a 20–40% increase in cyber and crime insurance premiums at renewal.

Why Existing Controls Fail

Most small businesses do some form of supplier checking. They look up the ABN on the ABR website. They check that the ABN is active. They may even call the supplier to confirm banking details. These controls are not useless — but they are incomplete, and increasingly insufficient against modern fraud techniques.

An ABN lookup tells you that a number is registered and active. It does not tell you that the entity behind the number has an operating web presence, that the email domain the invoices arrive from is legitimately controlled by that entity, that the domain has not been registered in the past six months, or that the banking details you are about to pay have been confirmed by an authorised person.

The gap between what a basic ABN check tells you and what you need to know to safely pay an invoice is exactly where supplier fraud lives.
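
One of the signals an ABN lookup cannot give, whether the sending domain was registered in the past six months, can be read from the domain's RDAP record. The following is an added example, not Gumshoe's code: the RDAP response is constructed in the RFC 9083 shape, and the 183-day cut-off and the mapping to PASS/WARN/FAIL are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response, trimmed to the fields used here.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "smithplumbing-au.com",
    "events": [
        {"eventAction": "registration", "eventDate": "2026-03-02T04:11:09Z"},
        {"eventAction": "expiration", "eventDate": "2027-03-02T04:11:09Z"},
    ],
})


def registration_date(rdap_json):
    """Return the registration timestamp from an RDAP response, or None."""
    doc = json.loads(rdap_json)
    for event in doc.get("events", []):
        if event.get("eventAction") == "registration":
            stamp = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
            # Treat a timestamp without an offset as UTC so it can be compared.
            return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)
    return None


def domain_age_check(rdap_json, as_of, min_age_days=183):
    """Return (status, age_in_days); a missing date is WARN, never PASS."""
    registered = registration_date(rdap_json)
    if registered is None:
        return "WARN", None  # registry did not publish a registration event
    age = (as_of - registered).days
    return ("FAIL" if age < min_age_days else "PASS"), age


if __name__ == "__main__":
    today = datetime(2026, 5, 20, tzinfo=timezone.utc)
    print(domain_age_check(SAMPLE_RDAP, today))
```

Returning WARN when no registration event is present keeps a record with missing data from being read as a clean result.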

A Different Way to Think About Verification

The most effective supplier verification programmes treat every new vendor relationship — and every change to an existing vendor's banking details — as a risk event requiring a structured response. This means checking not just whether the ABN is valid, but whether the entity's web presence, email infrastructure, domain age, and reputation signals are consistent with a legitimate, operating business.

For a compliance officer or senior accountant, this used to mean opening four or five different browser tabs and spending 40 minutes manually checking each signal. Gumshoe runs all of those checks automatically in under 60 seconds, stores a timestamped verification record, and produces a report your auditors can actually use.

The cost of verifying a supplier properly is measured in seconds. The cost of getting it wrong is measured in tens of thousands of dollars — and sometimes more.

What Good Practice Looks Like

The Australian Payments Network, ASIC, and the ACCC have all published guidance on supplier verification best practice. Common recommendations include:

  • Verify all new suppliers before creating a vendor record in your accounting system
  • Re-verify any supplier requesting a change to banking or payment details, by calling a number you already hold — not one provided in the request
  • Maintain a timestamped audit trail of verification checks for each supplier
  • Apply enhanced due diligence to suppliers you have not previously dealt with or that have been referred through an unusual channel
  • Review and re-verify suppliers that have been inactive for more than 12 months

None of these requirements are onerous. What has historically made them difficult is the time they take when done manually. Automated verification removes that barrier — making best practice the path of least resistance rather than an additional burden on an already stretched team.

The Bottom Line

Supplier fraud is not a technology problem. It is a process problem with a technology solution. The businesses that get defrauded are not naive or careless — they are busy, under-resourced, and operating with processes designed for a world where fraud was less sophisticated than it is today.

The answer is not more vigilance. It is better tooling. A systematic verification check that takes 60 seconds and produces an audit-ready report is something any business can build into their AP process — and that most fraudsters cannot overcome.

Uncommon Insights

One of the lesser-known risks associated with supplier fraud is the potential for Australian businesses to inadvertently breach the Corporations Act 2001 (Cth), specifically sections 180-184, which deal with director duties and responsibilities. In cases where a company has failed to properly verify a supplier, resulting in a significant financial loss, directors may be found to have breached their duty of care and diligence. This could lead to personal liability and reputational damage.

ASIC's Regulatory Guide 252 (RG 252) highlights the importance of robust identity verification processes in preventing identity fraud, which is a key component of supplier fraud. However, many Australian businesses are still not meeting these standards, leaving them exposed to potential regulatory action. Furthermore, the ATO's guidelines on GST and ABN verification (GSTB 2000/17) emphasize the need for businesses to verify the identity of their suppliers, but these guidelines are often overlooked or misunderstood.

Counterintuitively, the use of electronic invoicing and payment systems can actually increase the risk of supplier fraud if not properly implemented. The ATO's Electronic Commerce Guide (NAT 75000) outlines the requirements for secure electronic transactions, but many businesses are not meeting these standards, leaving them vulnerable to invoice tampering and other forms of supplier fraud. In fact, the ACCC's Scamwatch data shows that businesses using electronic invoicing systems are more likely to fall victim to supplier fraud.

Enforcement patterns suggest that ASIC and the ATO are increasingly taking a more proactive approach to addressing supplier fraud, with a focus on prevention and education. However, this also means that businesses can expect greater scrutiny and potential penalties for non-compliance. For example, ASIC's recent enforcement action against a number of businesses for failing to comply with RG 252 has resulted in significant fines and reputational damage. Australian businesses would do well to take heed of these warnings and review their supplier verification processes to ensure they are meeting the required standards.

VERIFY A SUPPLIER NOW

Run a Free Entity Check in 60 Seconds

Gumshoe cross-references ABR, ASIC, PPSR, domain registrars, DNS, and threat intelligence for any Australian business — returning a weighted assurance score across eight checks. Free for most checks, no account required.


Contains data sourced from the Australian Business Register and ASIC, © Commonwealth of Australia, licensed under CC BY 3.0 AU.