The Hidden Risk in "Approved" Spend: Why Supplier and Invoice Fraud Still Breaks Through in Australia
Your procurement controls are mature. Your approval workflows are clean. And yet, fraud is finding its way through.
Finance leaders across Australia have invested heavily in procurement controls. Approved supplier lists. Three-way matching. Segregation of duties. ERP-driven workflows.
On paper, these environments are robust.
In reality, they are increasingly being bypassed.
Not because the controls are weak, but because they were never designed for how fraud actually occurs today.
Fraud does not break controls. It works around assumptions. And those assumptions are deeply embedded in how finance, procurement, and accounts payable teams operate.
The Uncomfortable Truth: Fraud Now Lives Inside Compliant Processes
Supplier and invoice fraud is no longer about fake vendors or obvious anomalies. It is happening within approved suppliers, through legitimate-looking invoices, inside fully compliant workflows.
The scale of the problem in Australia is significant. According to the Australian Competition and Consumer Commission's National Anti-Scam Centre, Australians reported $2.03 billion in combined scam losses in 2024, with payment redirection scams ranking among the top five loss categories nationally.¹ In the business context, payment redirection scams, also known as business email compromise, saw a 66.6% increase in reported incidents in 2024, with losses exceeding $30 million across Australian organisations.²
These figures represent only what is reported. Fraud researchers consistently note that actual losses are materially higher, as many incidents are never disclosed, particularly in larger organisations where reputational considerations shape reporting decisions.
This is not fringe risk. It is operational reality.
You can pass audit and still be exposed. The question is not whether your controls exist. It is whether they were ever designed to catch this.
Why Even the Best Procurement Environments Are Exposed
1. Supplier onboarding does not equal supplier integrity
Due diligence is front-loaded. ABN checks, contracts, credit reviews. These are legitimate and necessary steps. But fraud does not need a fake supplier.
It exploits real suppliers with compromised communications. A single intercepted email can redirect payments without triggering any onboarding control, because the supplier in your system is entirely genuine. Only the bank account has changed.
2. Three-way matching confirms invoices, not bank accounts
Three-way matching is widely regarded as a foundational control. And it is, for what it was designed to do. It validates:
- That the price matches the purchase order
- That the quantity matches the goods receipt
- That the invoice aligns with what was ordered and delivered
What it does not validate is who you are actually paying. A perfectly matched invoice can still direct funds to a fraudster's account. The control works exactly as designed. The problem is that the design does not reach far enough.
3. Bank detail changes remain the single biggest vulnerability
The most common fraud scenario is also the simplest. A supplier requests updated bank details. The request arrives by email. It looks legitimate. The timing feels routine. The process is followed.
And the payment is lost.
Even organisations with callback verification procedures are exposed. Time pressure in accounts payable, reliance on email as a trusted channel, and the human tendency to extend good faith to familiar suppliers all create conditions where verification fails in practice, even when it exists in policy.
Australian case law has reinforced this exposure. In Factory Direct Fencing Pty Ltd v Kong AH International Company Limited [2013] QDC 239, the Queensland District Court held that where a supplier's payment details change, the payer bears the responsibility to verify them independently.³ A more recent case involving Inoteq resulted in the court ordering the paying company to make good the unrecovered funds after finding its verification procedures inadequate, even though the fraud originated from a compromised supplier email account.⁴
The direction of travel in Australian courts is clear: following a process is not the same as discharging a duty. Where verification was available and not taken, the payer may bear the loss.
The Governance Problem: Control Does Not Equal Assurance
For CFOs, Controllers, and Audit Committees, this creates a structural problem that sits directly within their accountability.
Controls are tested for compliance, not for adversarial scenarios. Responsibility for supplier risk is typically fragmented across procurement, accounts payable, IT, and risk functions, with no single owner accountable for the full payment journey. And the systems that underpin these workflows assume data integrity rather than data manipulation.
Fraud operates precisely across these gaps.
An organisation can achieve 100% purchase order compliance, pass its internal audit, satisfy its external reviewers, and still be systematically exposed to payment fraud, because the question these frameworks ask is whether the process was followed, not whether the outcome was verified.
This is the same structural blind spot identified in procurement leakage research: governance validates the form of the transaction, not its substance.
The question is no longer whether you have controls. It is whether your controls were built for the threat that actually exists.
Regulatory Pressure in Australia Is Increasing
Australian regulators are moving decisively in this space, and the direction of travel has significant implications for finance leaders.
The Scams Prevention Framework Act 2025, which passed Federal Parliament in February 2025, establishes the first legislative framework of its kind globally. While its initial scope covers banks, telecommunications companies, and digital platforms, it creates binding obligations to prevent, detect, disrupt, respond to, and report scams, with penalties of up to $50 million per offence for regulated entities that fail to take reasonable steps.⁵ The framework is explicitly designed to expand to additional sectors over time.
For APRA-regulated entities, CPS 220 (Risk Management) and CPS 230 (Operational Risk Management, effective 1 July 2025), together with the guidance in SPG 223, require ongoing monitoring of operational risks, fraud included. APRA's expectation is not that controls exist in policy, but that they demonstrably work in practice.⁶
ASIC has separately warned businesses about rising exposure to invoice and payment scams, particularly through email compromise, noting that digital communication channels can no longer be treated as inherently trustworthy for payment instructions.⁷
Taken together, the regulatory message to Australian CFOs is unambiguous: fraud prevention has moved from an operational matter to a governance responsibility. And the accountability sits at the top of the organisation.
Supplier Risk Has Fundamentally Changed
For most of the past two decades, supplier governance focused on three questions: Is this supplier financially viable? Can they deliver? Are they performing to contract?
Those questions remain relevant. But they are no longer sufficient.
Today, supplier governance must also address whether the identity of the supplier in your systems is actually intact, whether the communication channels you use to receive payment instructions are secure, and whether the bank account you are paying today is the same one that was verified at onboarding.
This is not exclusively a procurement risk, a cyber risk, or an operational risk. It is all three simultaneously, and it falls directly in the CFO's line of sight because the financial consequence lands on the balance sheet.
As the Australian Cyber Security Centre has noted, business email compromise is not primarily a technology failure. It is a process and governance failure, exploiting the gap between who organisations believe they are paying and who they are actually paying.⁸
What Leading Organisations Are Doing Differently
The organisations that are reducing their exposure have made one critical shift in how they think about payment governance. They have moved from asking 'did we follow the process?' to asking 'did we verify the outcome?'
In practice, that means:
- Independent validation of bank account ownership before payment, using tools that confirm the account belongs to the intended recipient rather than relying on email-based instructions
- Eliminating email as a trusted channel for payment instruction changes, treating any bank detail update received by email as unverified until confirmed through a separate, independently sourced contact
- Continuous supplier monitoring rather than point-in-time onboarding checks, recognising that a supplier verified two years ago may have compromised systems today
- Adoption of structured eInvoicing frameworks such as Peppol, which deliver invoices machine-to-machine between accredited access points and take email out of invoice submission; this removes the channel through which most invoices are tampered with, but it does not by itself prove that the bank details carried on an invoice belong to the supplier, so it complements payee verification rather than replacing it
- Cross-functional ownership of supplier payment risk, with clear accountability that sits above procurement, accounts payable, and IT individually
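The gap described in sections 2 and 3 above, and the first two practices in the list, as an added example that is not part of the original article: a small Python model of a payment run in which a diverted invoice passes three-way matching exactly, is stopped only by a payee check against the verified supplier master, and a bank-detail change received by email takes effect only after a callback to the number captured at onboarding. The supplier, purchase order, goods receipt, invoices and phone numbers are constructed for illustration; the field names and finding codes are assumptions, not any ERP's schema.

```python
"""Payment-run checks that reach past three-way matching to the payee.
Constructed example: all records below are invented; field names and
finding codes are assumptions, not any ERP's schema. Money is in cents."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Supplier:
    supplier_id: str
    verified_bsb: str        # six-digit Australian BSB confirmed at onboarding
    verified_account: str
    callback_phone: str      # obtained independently at onboarding, never from an email
    verified_on: date        # last out-of-band confirmation of the bank details

@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    supplier_id: str
    unit_price_cents: int
    quantity: int

@dataclass(frozen=True)
class GoodsReceipt:
    po_number: str
    quantity_received: int

@dataclass(frozen=True)
class Invoice:
    supplier_id: str
    po_number: str
    unit_price_cents: int
    quantity: int
    bsb: str                 # payee details printed on the invoice
    account: str

@dataclass(frozen=True)
class BankChangeRequest:
    supplier_id: str
    new_bsb: str
    new_account: str
    channel: str                         # "email", "portal", "letter", ...
    callback_number_used: Optional[str]  # number actually dialled to confirm, if any

def three_way_match(inv, po, grn):
    """Price to PO, quantity to receipt, invoice to order. Never looks at inv.bsb or inv.account."""
    return (inv.supplier_id == po.supplier_id
            and inv.po_number == po.po_number == grn.po_number
            and inv.unit_price_cents == po.unit_price_cents
            and inv.quantity == po.quantity == grn.quantity_received)

def payee_checks(inv, supplier, today, max_age_days=365):
    """Checks on who is being paid, which three-way matching does not perform."""
    findings = []
    if not (inv.bsb.isdigit() and len(inv.bsb) == 6):
        findings.append("BSB_FORMAT_INVALID")
    if (inv.bsb, inv.account) != (supplier.verified_bsb, supplier.verified_account):
        findings.append("BANK_DETAILS_DIFFER_FROM_VERIFIED_MASTER")
    if (today - supplier.verified_on).days > max_age_days:
        findings.append("VERIFICATION_STALE")
    return findings

def release_decision(inv, po, grn, supplier, today):
    """Returns (release_payment, findings); any finding blocks the run."""
    findings = [] if three_way_match(inv, po, grn) else ["THREE_WAY_MATCH_FAILED"]
    findings += payee_checks(inv, supplier, today)
    return (not findings, findings)

def apply_bank_change(supplier, req, today):
    """Returns (accepted, reason, supplier_after). An emailed request stays unverified
    until confirmed by calling the number on the master record; a number quoted in
    the request itself is never used, because the attacker controls that."""
    if req.supplier_id != supplier.supplier_id:
        return False, "REQUEST_SUPPLIER_MISMATCH", supplier
    if req.callback_number_used is None:
        return False, f"{req.channel.upper()}_REQUEST_NOT_CONFIRMED", supplier
    if req.callback_number_used != supplier.callback_phone:
        return False, "CALLBACK_NOT_TO_NUMBER_ON_FILE", supplier
    updated = replace(supplier, verified_bsb=req.new_bsb,
                      verified_account=req.new_account, verified_on=today)
    return True, "CONFIRMED_BY_CALLBACK_TO_NUMBER_ON_FILE", updated

# Constructed sample data: not real suppliers, accounts or phone numbers.
TODAY = date(2025, 1, 15)
SUPPLIER = Supplier("S-1001", "062000", "12345678", "+61 7 5550 0100", date(2024, 3, 1))
PO = PurchaseOrder("PO-7781", "S-1001", unit_price_cents=12500, quantity=40)
GRN = GoodsReceipt("PO-7781", quantity_received=40)
GENUINE_INVOICE = Invoice("S-1001", "PO-7781", 12500, 40, "062000", "12345678")
# Identical in every field the matching control inspects; only the payee differs.
DIVERTED_INVOICE = Invoice("S-1001", "PO-7781", 12500, 40, "033000", "99887766")
EMAIL_REQUEST = BankChangeRequest("S-1001", "033000", "99887766", "email", None)
# "Confirmed" by ringing the number in the email signature, i.e. the attacker's phone.
EMAIL_REQUEST_WRONG_NUMBER = replace(EMAIL_REQUEST, callback_number_used="+61 2 5550 0199")
CONFIRMED_REQUEST = replace(EMAIL_REQUEST, callback_number_used="+61 7 5550 0100")

if __name__ == "__main__":
    print("diverted invoice passes three-way match:", three_way_match(DIVERTED_INVOICE, PO, GRN))
    print("release diverted invoice:", release_decision(DIVERTED_INVOICE, PO, GRN, SUPPLIER, TODAY))
    for req in (EMAIL_REQUEST, EMAIL_REQUEST_WRONG_NUMBER, CONFIRMED_REQUEST):
        print(req.channel, "->", apply_bank_change(SUPPLIER, req, TODAY)[:2])
```

The point of the model is the order of checks: the diverted invoice is a perfect three-way match and is caught only because the payment run compares the invoice's BSB and account with the last out-of-band verified record, and that record can only change through a callback to the number the organisation sourced itself. A number supplied in the change request, however plausible, is rejected by design.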
None of these steps require wholesale system transformation. They require a deliberate decision to treat payment verification as a control objective in its own right, not as an assumption embedded in a process that was built for a different threat environment.
References
1. Australian Competition and Consumer Commission (ACCC), National Anti-Scam Centre. (2025). Targeting Scams Report 2024. Retrieved from https://www.accc.gov.au/system/files/targeting-scams-report-2024.pdf
2. Eftsure. (2025). Australian Businesses Targeted: 5 BEC Scams That Exposed Costly Weaknesses. Retrieved from https://www.eftsure.com/blog/cyber-crime/bec-scams-that-exposed-costly-weaknesses/
3. Factory Direct Fencing Pty Ltd v Kong AH International Company Limited [2013] QDC 239. As discussed in Greenhalgh Pickard Lawyers. (2024). Business Email Compromise Scams: Who is Responsible? Retrieved from https://www.greenhalghpickard.com.au/business-email-compromise-bec-scam-who-is-responsible/
4. Inoteq v Mobius [case summary]. As discussed in Eftsure. (2025). Australian Businesses Targeted: 5 BEC Scams That Exposed Costly Weaknesses. Retrieved from https://www.eftsure.com/blog/cyber-crime/bec-scams-that-exposed-costly-weaknesses/
5. Scams Prevention Framework Act 2025 (Cth). Parliament of Australia, 13 February 2025. As analysed in Jones Day. (2025). Australia Passes Landmark Scam Prevention Legislation. Retrieved from https://www.jonesday.com/en/insights/2025/03/australia-passes-landmark-scam-prevention-legislation
6. Australian Prudential Regulation Authority (APRA). (2023). Prudential Standard CPS 230: Operational Risk Management. Effective 1 July 2025. Retrieved from https://handbook.apra.gov.au/standard/cps-230
7. Australian Securities and Investments Commission (ASIC). (2024). Invoice and Payment Scam Warnings for Business. Retrieved from https://asic.gov.au/about-asic/news-centre/find-a-media-release/
8. Australian Cyber Security Centre (ACSC). (2024). Business Email Compromise. Australian Signals Directorate. Retrieved from https://www.cyber.gov.au/threats/types-of-threats/business-email-compromise
9. Bird & Bird. (2025). Explainer: Australia's New Scam Prevention Framework. Retrieved from https://www.twobirds.com/en/insights/2025/australia/explainer-australias-new-scam-prevention-framework
10. Commonwealth Fraud Prevention Centre. (2024). Commonwealth Fraud and Corruption Control Framework. Attorney-General's Department. Retrieved from https://www.ag.gov.au/integrity/fraud-prevention
This article is intended as a thought leadership piece for finance, procurement, and risk professionals. Statistics and figures cited are sourced from publicly available third-party research and regulatory publications.