Invoice Fraud Prevention Checklist for Australian Small Businesses
Payment redirection (invoice fraud) is one of the most financially damaging scams hitting Australian small businesses. The pattern is simple: a criminal sends an invoice or 'updated bank details' message that looks like it comes from a real supplier — or from you. The fix is mostly process, not technology.
Verify every payment detail change
- Call the supplier on a number you already have on file — never a number from the email requesting the change
- Make verbal verification compulsory for every bank detail change, no exceptions for 'urgent' requests
- Record who verified, when, and on what number
- Treat urgency, secrecy, or pressure as a red flag in itself
Protect your own invoices from being faked
- Set up SPF, DKIM, and DMARC on your email domain so criminals cannot easily send mail as you
- Tell clients in writing how you will notify them of any bank detail change (and that you will never do it by email alone)
- Add a note to invoices: 'We will never change our bank details by email. Call us to verify.'
- Monitor for lookalike domains of your business name
Harden the accounts that move money
- Turn on multi-factor authentication for email and accounting software
- Use unique passwords (a password manager makes this practical)
- Limit who can approve payments and changes to payee details
- Review mailbox forwarding rules — criminals add hidden rules after compromising an inbox
If you've been hit
- Call your bank immediately — speed matters for recalling funds
- Report to ReportCyber (cyber.gov.au) and Scamwatch
- Preserve the scam emails (do not delete them)
- Warn the impersonated supplier and any other affected party
- Review how the email arrived and close that gap
General guidance only, drawn from practical experience and aligned with public Australian guidance from the ASD's Australian Cyber Security Centre (cyber.gov.au) and ACCC Scamwatch (scamwatch.gov.au). Check those sources for current official advice. This guide is not legal advice.