Payment redirection fraud cost Australian businesses AU$152.6 million in 2024, according to the ACCC’s National Anti-Scam Centre. That figure covers detected, reported losses. The actual number is higher, because businesses that discover fraud months after the fact and quietly recover payment don’t always report it.
The relevant question isn’t whether AP fraud happens. It clearly does, at scale, across industries, to businesses with experienced finance teams. The relevant question is when in your accounts payable cycle it’s most likely to happen. The answer isn’t random. Three specific moments carry most of the risk. Understanding where those windows are is the precondition for closing them.
The First Window: New Supplier Onboarding
When a new supplier is added to the vendor master, the business has no payment history against which to compare a fraudulent invoice. There’s no established account number to cross-reference. There’s no prior relationship with a contact person at the supplier. Everything is new, and every piece of new information needs to be verified rather than assumed.
Most Australian businesses don’t have a formal supplier onboarding process. A new supplier gets set up in Xero or MYOB when the first invoice arrives: supplier name entered, bank details from the invoice saved, ABN noted. That’s it. No verification of the ABN against the ATO’s ABR. No callback to the supplier’s main phone number to confirm they actually sent the invoice. No separate approval for the onboarding step itself.
Ghost vendor fraud exploits this gap directly. A fraudulent supplier entity is created in the vendor master using a plausible name and ABN, invoices are submitted for services never rendered, and because the vendor is in the system, the invoices look legitimate to the AP process. If the same person who created the vendor can also approve and pay invoices, there’s no second check at any point.
ABN validation is the baseline control. Every new supplier’s ABN should be verified against the ATO’s ABN Lookup before they’re added to the vendor master. This catches cancelled ABNs, suspended registrations, and ABNs that don’t match the supplier name on the invoice. It won’t catch a fraudster who’s registered a genuine ABN, but it removes the easiest frauds from the table immediately.
Pulsify’s validation and exception review layer handles ABN checking automatically at invoice intake, flagging new suppliers for a separate onboarding step before their invoices enter the approval queue.
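As an added illustration of the onboarding check described above (written for this article; it is not Pulsify's code and not an ATO tool), here is the rule as a system would run it. The checksum is the ATO's published ABN algorithm; the registry dictionary stands in for an ABN Lookup query, and every entry in it, including the supplier names, is constructed for the example.

```python
import re

# ABN check-digit weights published by the ATO (positions 1 .. 11).
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)

# Stand-in for an ABN Lookup result set. Every entry is constructed for the
# example; none of it is ABR data. Values: (registered entity name, ABN status).
REGISTRY = {
    "51827753596": ("Harbour Office Supplies Pty Ltd", "Active"),
    "51824752552": ("Northside Plumbing Pty Ltd", "Cancelled"),
    "51824753556": ("Example Holdings Pty Ltd", "Active"),
}


def abn_checksum_ok(abn: str) -> bool:
    """Format check only: subtract 1 from the first digit, weight the digits,
    and require the weighted sum to be divisible by 89 (the ATO algorithm).
    A fraudster who has registered a genuine ABN passes this trivially."""
    digits = re.sub(r"\D", "", abn)
    if len(digits) != 11:
        return False
    nums = [int(c) for c in digits]
    nums[0] -= 1
    return sum(n * w for n, w in zip(nums, ABN_WEIGHTS)) % 89 == 0


def _normalise_name(name: str) -> str:
    # Case, punctuation and spacing vary between invoices and the register.
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def onboarding_findings(abn: str, invoice_name: str, registry=REGISTRY) -> list[str]:
    """Return the reasons a new supplier must NOT be added to the vendor master
    yet. An empty list means the ABN checks passed; the supplier still goes to
    a separate onboarding approval and callback, never straight to the queue."""
    if not abn_checksum_ok(abn):
        return ["checksum_failed"]               # mistyped or made-up ABN
    record = registry.get(re.sub(r"\D", "", abn))
    if record is None:
        return ["abn_not_found"]                 # no such registration
    registered_name, status = record
    findings = []
    if status != "Active":
        findings.append("abn_" + status.lower())  # e.g. abn_cancelled
    if _normalise_name(registered_name) != _normalise_name(invoice_name):
        findings.append("name_mismatch")         # ABN belongs to a different entity
    return findings


if __name__ == "__main__":
    for abn, name in [("51 827 753 596", "HARBOUR OFFICE SUPPLIES PTY. LTD."),
                      ("51 824 752 552", "Northside Plumbing Pty Ltd"),
                      ("51 824 753 556", "Totally Different Co"),
                      ("51 824 753 557", "Anything Pty Ltd")]:
        print(abn, name, "->", onboarding_findings(abn, name) or "ok")
```

The checksum alone only removes typos and invented numbers; the lookup result is what catches cancelled registrations and an ABN that belongs to a different entity than the one named on the invoice. Neither step replaces the callback to the supplier's own phone number.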
The Second Window: Invoice Arrives With Changed Bank Details
This is the highest-value fraud vector for Australian businesses, and it’s what most of the ACCC’s AU$152.6 million figure reflects. An existing supplier submits an invoice with changed bank details. The change might come via email from an address that looks like the supplier’s, or it might be embedded in the invoice PDF itself. Either way, the business has a legitimate relationship with the supplier, which means the first instinct is to accept the change.
The fraud works because bank detail changes are sometimes legitimate. Suppliers do change banks. They do restructure their business entities and update payment details. A process that verifies every bank detail change through an independent callback is the right approach, but it requires the AP officer to recognise that a change has occurred in the first place. That recognition requires a comparison against the stored account details.
That comparison is the control. When an invoice arrives, the bank account number on the invoice should be automatically compared against the account stored for that supplier. If they don’t match, the invoice should be held and flagged before it reaches the approval queue. The flag should explain what changed and prompt the reviewer to verify through a channel independent of the invoice: a phone call to the existing contact, not a reply to the same email that contained the changed bank details.
The reason this control fails in manual processes is simple. The comparison depends on someone checking. Under invoice volume pressure, at end of month, during busy periods, the check gets skipped. Not out of negligence but because nothing in the process makes it mandatory.
For how this control interacts with the broader invoice approval workflow, see the invoice approval workflow page, which covers where validation sits relative to approval routing.
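The comparison rule as code, added here as an illustration and not taken from Pulsify or any AP product. Supplier IDs, bank details, the contact phone number and the email addresses are all constructed; the point is that a mismatch holds the invoice with an explanation and names the independent channel to verify through.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BankDetails:
    bsb: str
    account: str

    def normalised(self) -> "BankDetails":
        # "062-000" and "062000" are the same BSB: keep digits only, and keep
        # leading zeros because account numbers are identifiers, not numbers.
        digits = lambda s: "".join(ch for ch in s if ch.isdigit())
        return BankDetails(digits(self.bsb), digits(self.account))


@dataclass
class SupplierRecord:
    name: str
    bank: BankDetails
    contact_phone: str      # captured at onboarding, never taken from an invoice


@dataclass
class Invoice:
    supplier_id: str
    number: str
    bank: BankDetails       # details as extracted from the invoice PDF or email
    sender_email: str


@dataclass
class IntakeDecision:
    status: str             # "queued", "held" or "onboarding"
    reason: str = ""
    verify_via: str = ""


# Channels that count as independent of the invoice that carried the change.
INDEPENDENT_CHANNELS = {"phone_to_stored_contact", "in_person"}


def intake(invoice: Invoice, vendor_master: dict) -> IntakeDecision:
    """Compare the invoice's bank details with the vendor master before the
    invoice can reach the approval queue. A mismatch is held, not rejected,
    because the change may be legitimate; the point is that someone verifies."""
    supplier = vendor_master.get(invoice.supplier_id)
    if supplier is None:
        return IntakeDecision("onboarding", "unknown supplier: onboarding step required first")
    stored, seen = supplier.bank.normalised(), invoice.bank.normalised()
    if stored == seen:
        return IntakeDecision("queued")
    changes = []
    if stored.bsb != seen.bsb:
        changes.append(f"BSB {stored.bsb} -> {seen.bsb}")
    if stored.account != seen.account:
        changes.append(f"account {stored.account} -> {seen.account}")
    return IntakeDecision(
        "held",
        f"invoice {invoice.number}: bank details differ from vendor master ({'; '.join(changes)})",
        verify_via=f"phone {supplier.contact_phone} (stored contact); do not reply to {invoice.sender_email}",
    )


def release_hold(decision: IntakeDecision, channel: str) -> bool:
    """A held invoice is released only when verification came through an
    independent channel; replying to the email that carried the change is not
    verification."""
    return decision.status == "held" and channel in INDEPENDENT_CHANNELS


# Constructed sample data: a fictional supplier and two invoices.
VENDOR_MASTER = {
    "SUP-0042": SupplierRecord("Harbour Office Supplies Pty Ltd",
                               BankDetails("062-000", "1234 5678"),
                               contact_phone="(02) 0000 0000"),   # placeholder number
}
INVOICE_UNCHANGED = Invoice("SUP-0042", "INV-1001", BankDetails("062000", "12345678"),
                            "accounts@harbour-office.example")
INVOICE_CHANGED = Invoice("SUP-0042", "INV-1002", BankDetails("062-000", "8765 4321"),
                          "accounts@harbour-offce.example")   # sender differs from the stored one

if __name__ == "__main__":
    for inv in (INVOICE_UNCHANGED, INVOICE_CHANGED):
        d = intake(inv, VENDOR_MASTER)
        print(inv.number, d.status, d.reason, d.verify_via)
```

Normalising before comparing matters in practice: a BSB written with a hyphen on one invoice and without on the next is not a change, and a rule that flags it trains reviewers to wave flags through. The hold is released only by recording a channel from the independent set, so the procedure document's "always verify" becomes something the invoice cannot skip.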
The Third Window: Single-Person Payment Authorisation
Segregation of duties is the principle that no single person should be able to complete a fraudulent transaction alone. In AP, this means the person who approves an invoice for payment shouldn’t be the same person who executes the payment run. Split these two functions and any fraud requires the cooperation of two people, which is substantially harder to arrange and maintain than one person acting unilaterally.
In a 10-to-30-person Australian business, segregation of duties is often ignored in practice, sometimes out of practical necessity. The bookkeeper approves invoices and processes payments. The financial controller approves and executes simultaneously. These aren’t malicious setups. They’re the result of one or two people being responsible for the entire AP function.
The risk is real, and it runs in both directions. An internal bad actor with unsegregated access can approve a payment to a fraudulent or ghost supplier without anyone else in the loop. An external attacker who has social-engineered the approver, by impersonating a supplier or creating payment urgency, can get a single authorisation rather than needing to compromise two people.
The practical control for small finance teams isn’t always a second full-time AP person. It can be a rule that payments above a certain threshold require a second review step, even if that’s the business owner reviewing a payment summary rather than individually approving each invoice. Or a second signatory requirement on the banking platform itself, separate from the AP approval. The goal is ensuring that no single person can complete the full cycle from invoice receipt to payment without another person seeing it.
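A release rule combining the two controls just described, added as an illustration and not taken from the page's vendor or any banking platform. The threshold amount, the role names and the signatory count are assumptions; the rule simply refuses to release a payment that one person could have completed alone.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PaymentPolicy:
    second_review_threshold: float   # AUD; payments at or above this need a second review
    bank_signatories: int = 1        # signatories the banking platform requires on a batch


@dataclass
class Payment:
    invoice_number: str
    amount: float
    approved_by: str                 # who approved the invoice in AP
    released_by: str                 # who is about to execute the payment run
    second_review_by: Optional[str] = None   # e.g. the owner reviewing the payment summary
    bank_signatories: set = field(default_factory=set)  # who has signed on the bank side


def release_check(p: Payment, policy: PaymentPolicy) -> list[str]:
    """Return the reasons this payment must not be released; empty means no
    single person completed the cycle from invoice to payment alone."""
    blockers = []
    # Segregation of duties: approval and execution are two people.
    if p.approved_by == p.released_by:
        blockers.append("approver and releaser are the same person")
    # Threshold rule: larger payments get a third, independent pair of eyes.
    if p.amount >= policy.second_review_threshold:
        if p.second_review_by is None:
            blockers.append(f"amount {p.amount:.2f} needs second review "
                            f"(threshold {policy.second_review_threshold:.2f})")
        elif p.second_review_by in (p.approved_by, p.released_by):
            blockers.append("second reviewer must be independent of approver and releaser")
    # Banking-platform signatories are a separate layer from AP approval.
    if len(p.bank_signatories) < policy.bank_signatories:
        blockers.append(f"banking platform needs {policy.bank_signatories} signatories, "
                        f"got {len(p.bank_signatories)}")
    return blockers


# Constructed policy and sample payments (threshold and names are assumptions).
POLICY = PaymentPolicy(second_review_threshold=5000.0, bank_signatories=2)

SMALL_OK = Payment("INV-2001", 1200.0, approved_by="bookkeeper", released_by="controller",
                   bank_signatories={"controller", "owner"})
LARGE_NO_REVIEW = Payment("INV-2002", 12000.0, approved_by="bookkeeper", released_by="controller",
                          bank_signatories={"controller", "owner"})
LARGE_REVIEWED = Payment("INV-2003", 12000.0, approved_by="bookkeeper", released_by="controller",
                         second_review_by="owner", bank_signatories={"controller", "owner"})
ONE_PERSON = Payment("INV-2004", 800.0, approved_by="bookkeeper", released_by="bookkeeper",
                     bank_signatories={"bookkeeper"})

if __name__ == "__main__":
    for pay in (SMALL_OK, LARGE_NO_REVIEW, LARGE_REVIEWED, ONE_PERSON):
        print(pay.invoice_number, release_check(pay, POLICY) or "release allowed")
```

Note that the second reviewer is checked against both the approver and the releaser, not just one of them; otherwise the threshold rule can be satisfied by the same two people who already touched the payment, which is no additional oversight at all.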
Why These Three Windows Often Coexist
The three windows tend to be present in the same business at the same time. A growing Australian SMB adds new suppliers without a formal onboarding process, accepts bank detail changes at face value because the process doesn’t require a comparison check, and has one person managing both approvals and payments because that’s how it’s always worked.
None of this looks like an obvious failure from the inside. It looks like a lean, efficient process. It becomes an obvious failure when a fraud occurs and the business tries to identify where the control should have caught it.
The ACCC’s guidance on business email compromise is direct: most payment redirection fraud is preventable with controls that most businesses haven’t implemented. The controls map directly onto the three windows: verify new suppliers properly, confirm bank detail changes through an independent channel, and ensure no single person can approve and execute a payment without oversight.
For a practical look at how these controls apply during the approval stage specifically, the accounts payable invoice automation fraud gap article covers the pre-approval window where most fraud exposure concentrates.
Closing the Windows Before Something Goes Wrong
BECS payments in Australia are processed quickly and reversal isn’t guaranteed once funds have been sent. Recovery is possible but depends on both banks cooperating and the fraudster not having moved the funds. “We’ll follow up with the bank” is not a recovery strategy. The ACCC’s 2024 data makes clear that a large proportion of payment redirection losses are never recovered.
What makes these three windows particularly frustrating is that the controls aren’t complicated. ABN verification at onboarding takes seconds and costs nothing. Bank detail comparison on every invoice is a five-line system rule, not a manual step. A second checkpoint between approval and payment release is often just a configuration change in the banking platform. None of this requires a dedicated fraud team or a large finance operation.
The gap is that most AP tools don’t enforce these checks automatically. Xero records what it’s given. MYOB records what it’s given. The responsibility for the checks falls to whoever is processing invoices that day, under whatever volume and time pressure they’re under. A procedure document that says “always verify bank detail changes” is not the same as a system that holds the invoice until the verification happens.
For businesses that have outgrown manual checks and want the controls to run without depending on individual discipline, the AP automation page covers how Pulsify structures these checks into the workflow before any invoice reaches an approver.
Sources: ACCC National Anti-Scam Centre - Targeting Scams Report 2024 · ATO - ABN Lookup · ACCC - Business Email Compromise
Further reading: How to Build an Audit-Ready Approval Matrix · Why Delegation of Authority Matters More Than Automation Speed · Best AP Automation Software Australia 2026