The Three-Second Check That Prevents a Five-Figure Mistake
Most invoice fraud isn't a heist. It's a typo you were meant to trust. Three habits defuse most of it — and the third one is the whole game.
Most invoice fraud isn't a heist. It's a typo you were meant to trust. An email arrives from a supplier you've paid a dozen times, asking you to update their bank details. The logo is right. The invoice number follows the sequence. Only the BSB and account number are new. In a busy accounts-payable week, that payment goes out — and the money is gone before anyone notices the real supplier never sent the email.
It works because it doesn't look like fraud. It looks like admin.
Why the Classic Controls Keep Failing
The accounts payable team at most Australian businesses has some version of the same controls: check the ABN, look up the business online, maybe call the supplier if something feels off. These controls are not useless. But they are incomplete — and increasingly insufficient against the way payment fraud actually operates in 2026.
An ABN lookup confirms a number is registered. It does not tell you that the email requesting the banking change was sent from a domain registered three weeks ago. It does not tell you the sender's domain has no DMARC policy, meaning anyone can impersonate it. It does not tell you the invoice attached to the email came from a server in Eastern Europe. The gap between what a basic ABN check reveals and what you need to know to safely authorise a payment is exactly where business email compromise lives.
The ACCC's Scamwatch data is consistent: payment redirection is now the highest-value fraud category targeting Australian businesses, and the median loss is climbing every year. The attacks are not getting more sophisticated — they are getting more targeted. Fraudsters research their victims. They know the supplier's name, the invoice cadence, the contact person. The email reads like it was written by someone who knows how your business works, because it was.
The First Habit: Treat Banking Changes as Verification Events
| Risk Type | Description | Risk Level |
|---|---|---|
| Typo Error | Incorrect invoicing details | High |
| Insufficient Verification | Lack of invoice scrutiny | Medium |
| Delayed Payment | Slow payment processing | Low |
| Phishing Scams | Malicious invoicing emails | High |
| Internal Control | Weak internal processes | Medium |
Legitimate bank-detail changes almost never arrive by email alone. A supplier who has been paid reliably for two years does not typically update their BSB and account via an email with no prior phone conversation. When that email arrives — however legitimate it looks — the response should be a phone call. Not to a number on the email. Not to a number on the new invoice. To the number already in your accounting system, or to a number found independently.
This single control defeats the vast majority of payment-redirection attacks. It costs one phone call. It requires no technology. It has no downside if the request is genuine — the supplier will confirm it took two seconds. If the request is fraudulent, that phone call is the moment the fraud fails.
"The supplier rang us two days later asking where their payment was. That was the first time we realised the email had never come from them. The money was already gone."
The call-back control sounds obvious. It is. It is also skipped routinely — because the email looks right, because the week is busy, because it feels unnecessarily suspicious to call a supplier you have paid for years. The fraudster is counting on exactly that calculation.
The Second Habit: Check the Sender, Not the Display Name
Most email clients display the sender's name, not the underlying address. "Accounts — Smith Plumbing" looks identical whether it arrived from accounts@smithplumbing.com.au or from accounts-smithplumbing@outlook.com. Clicking on or hovering over the sender name to reveal the actual address takes two seconds. It is almost never done.
For a supplier whose invoices have always arrived from @smithplumbing.com.au, a banking-change request from any other domain is an immediate red flag. But the check goes further than the domain itself. A domain registered last month — even one that looks legitimate — is a near-certain indicator of a fraudulent setup. Legitimate suppliers have domains with history. Fraudulent setups use domains registered days or weeks before the attack, because they only need the domain to survive long enough to collect one payment.
Checking domain age via WHOIS or certificate transparency takes ten seconds. A structured verification tool surfaces it automatically alongside email infrastructure checks: whether the domain has SPF and DMARC configured, whether it appears in spam and phishing databases, and whether the web presence matches what you would expect from a real operating business. The combination of a young domain, missing DMARC, and no established web presence is a signature. It shows up in almost every payment-redirection fraud investigated after the fact.
The Third Habit: Make Verification a Step, Not a Scramble
The reason these checks get skipped is not negligence. It is friction. If verifying a supplier requires opening four browser tabs, knowing how to read a WHOIS record, and spending thirty minutes cross-referencing government registers — it will not happen consistently. It will happen when someone has time, which in a busy AP function means it will happen rarely.
The fix is not training people to be more careful. The fix is making the careful thing the easy thing. A verification that takes 60 seconds, runs automatically against ABR, ASIC, domain registrars, DNS records, and threat intelligence databases, and produces a timestamped report — is a verification that actually happens. Every time. For every supplier. As part of the standard workflow.
What a Complete Supplier Check Covers
A verification that is actually fit for purpose covers more than the ABN. The eight checks that matter are:
- ABN status and age — is it active, and how long has it been registered?
- GST registration — is it consistent with the entity type and claimed invoicing?
- ASIC company status — has the underlying company been deregistered while the ABN stays active?
- Web presence — does a real website exist, on HTTPS, with an established history?
- Domain age — when was the domain first registered? Under six months is a WARN.
- Email infrastructure — are SPF and DMARC present? Is the domain mail-capable at all?
- Reputation — has the domain appeared in phishing or spam threat databases?
- Address consistency — does the registered postcode match the stated state?
None of these checks is slow. Individually, each takes seconds. Run simultaneously and reported as a single assurance score, they take a minute. The result is a PASS, WARN, or FAIL on each dimension — and a number that tells you whether this supplier warrants more scrutiny before money moves.
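The second habit (read the real sender address, not the display name, and weigh domain age, SPF and DMARC) and the PASS/WARN/FAIL scoring described above can be put in a small script. The following is an added example written for this page; it is not Gumshoe's code and does not describe Gumshoe's scoring. The WHOIS creation dates, DNS TXT records, phishing-feed entries, supplier domains and the 183-day threshold are all constructed stand-ins so the script runs offline; a real tool would replace the dictionaries with live WHOIS, DNS and threat-feed lookups, and would add the ABR/ASIC checks this example leaves out.

```python
# Added example (not Gumshoe's code): score a banking-change email the way the
# PASS/WARN/FAIL model on the page does, using constructed WHOIS, DNS and
# reputation data so it runs offline. Every lookup value below is hypothetical.
from dataclasses import dataclass
from datetime import date
from email.utils import parseaddr

TODAY = date(2026, 3, 1)     # constructed verification date
SIX_MONTHS_DAYS = 183        # page's rule: a domain under six months old is a WARN

# Constructed stand-ins for live WHOIS / DNS TXT / threat-feed lookups.
WHOIS_CREATED = {
    "smithplumbing.com.au": date(2014, 3, 2),         # long-standing supplier domain
    "smithplumbing-accounts.com": date(2026, 1, 20),  # look-alike registered weeks ago
}
DNS_TXT = {
    "smithplumbing.com.au": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.smithplumbing.com.au": ["v=DMARC1; p=reject; rua=mailto:dmarc@smithplumbing.com.au"],
    "smithplumbing-accounts.com": ["v=spf1 +all"],    # SPF exists but authorises any sender
}
PHISHING_FEED = {"smithplumbing-accounts.com"}

# Constructed From: headers; the display names are identical on purpose.
LEGIT_FROM = '"Accounts - Smith Plumbing" <accounts@smithplumbing.com.au>'
FRAUD_FROM = '"Accounts - Smith Plumbing" <accounts@smithplumbing-accounts.com>'


@dataclass
class Check:
    name: str
    result: str   # PASS, WARN or FAIL
    detail: str


def sender_domain(from_header: str) -> str:
    """Domain of the real address behind the display name (empty if malformed)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(domain: str, on_file: str) -> Check:
    if domain == on_file:
        return Check("sender_domain", "PASS", f"{domain} matches supplier record")
    return Check("sender_domain", "FAIL", f"{domain or '(none)'} differs from {on_file}")


def check_domain_age(domain: str, today: date = TODAY) -> Check:
    created = WHOIS_CREATED.get(domain)
    if created is None:
        return Check("domain_age", "WARN", "no registration record found")
    age = (today - created).days
    return Check("domain_age", "WARN" if age < SIX_MONTHS_DAYS else "PASS",
                 f"registered {age} days ago")


def check_spf(domain: str) -> Check:
    spf = [t for t in DNS_TXT.get(domain, []) if t.startswith("v=spf1")]
    if not spf:
        return Check("spf", "FAIL", "no SPF record")
    if "+all" in spf[0]:
        return Check("spf", "WARN", "SPF present but +all authorises any sender")
    return Check("spf", "PASS", spf[0])


def check_dmarc(domain: str) -> Check:
    recs = [t for t in DNS_TXT.get(f"_dmarc.{domain}", []) if t.startswith("v=DMARC1")]
    if not recs:
        return Check("dmarc", "FAIL", "no DMARC policy; the domain can be impersonated")
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    if tags.get("p", "none") == "none":
        return Check("dmarc", "WARN", "DMARC present but p=none (monitor only)")
    return Check("dmarc", "PASS", f"DMARC p={tags['p']}")


def check_reputation(domain: str) -> Check:
    if domain in PHISHING_FEED:
        return Check("reputation", "FAIL", "listed in phishing feed")
    return Check("reputation", "PASS", "no threat-feed hits")


WEIGHT = {"PASS": 1.0, "WARN": 0.5, "FAIL": 0.0}


def verify_banking_change(from_header: str, supplier_domain_on_file: str,
                          today: date = TODAY) -> dict:
    """Run the email-side checks and fold them into one score and verdict."""
    domain = sender_domain(from_header)
    checks = [check_sender(domain, supplier_domain_on_file), check_domain_age(domain, today),
              check_spf(domain), check_dmarc(domain), check_reputation(domain)]
    results = {c.name: c.result for c in checks}
    score = round(100 * sum(WEIGHT[c.result] for c in checks) / len(checks))
    verdict = "FAIL" if "FAIL" in results.values() else (
        "WARN" if "WARN" in results.values() else "PASS")
    return {"domain": domain, "checks": results, "score": score, "verdict": verdict,
            "details": [f"{c.name}: {c.result} ({c.detail})" for c in checks]}


if __name__ == "__main__":
    for header in (LEGIT_FROM, FRAUD_FROM):
        report = verify_banking_change(header, "smithplumbing.com.au")
        print(f"{report['domain']}: {report['verdict']} score={report['score']}")
        for line in report["details"]:
            print("  " + line)
```

The two constructed headers render identically in a mail client, which is the point of the second habit: only the parsed address separates them. Any single FAIL drives the verdict to FAIL regardless of the score, so a look-alike domain cannot be rescued by passing the other checks; the numeric score is there to rank suppliers for follow-up, not to override a hard failure.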
The Audit Trail That Saves You Twice
There is a second benefit to systematic verification that rarely gets discussed: it protects you even when fraud succeeds. A timestamped report showing that you verified this supplier on this date, across these eight checks, with these results, is evidence of reasonable due diligence. That evidence matters when you are talking to your insurer, your auditor, or your board about what went wrong.
"We checked the ABN" is not a demonstrable control. A saved verification report with a timestamp and a methodology is. The difference between these two positions — in an insurance claim or an audit — can be the difference between a covered loss and a personal liability.
The money you don't lose is the best kind. But the paper trail that protects you when loss happens anyway is the second-best kind.
Verify Before You Pay
Gumshoe runs eight simultaneous checks across ABR, ASIC, domain registrars, DNS records, and reputation databases in under 60 seconds. Free for most checks. No account required to start.