reported lost to payment redirection — Australia's term for BEC and invoice fraud — up 9.3% in a year when most major scam categories fell
National Anti-Scam Centre, Targeting Scams report · Calendar 2025
Australia measures scams better than almost anyone: one national dataset combining Scamwatch, ReportCyber, banks, and ASIC. It shows total losses rising again — with payment redirection, the local name for invoice and supplier fraud, one of the few categories still growing.
Last reviewed July 2026 · Every statistic card links to its source
in combined reported scam losses across Australia's five national reporting systems in 2025 — up 7.8% after a fall the year before
National Anti-Scam Centre, Targeting Scams report · Calendar 2025
reported lost to payment redirection — Australia's term for BEC and invoice fraud — up 9.3% in a year when most major scam categories fell
National Anti-Scam Centre, Targeting Scams report · Calendar 2025
of cybercrime reports by Australian businesses were email compromise with no financial loss (19%) or BEC fraud with financial loss (15%) — the two most-reported business cybercrimes
ASD Annual Cyber Threat Report 2024–25 · Fiscal year July 2024 – June 2025
average self-reported cost of cybercrime per report for a small business, up 14% year on year (medium businesses: A$97,200, up 55%)
ASD Annual Cyber Threat Report 2024–25 · Fiscal year July 2024 – June 2025
in self-reported BEC losses in a single year, averaging over A$55,000 per incident that involved financial loss
ASD Annual Cyber Threat Report 2023–24 · Fiscal year July 2023 – June 2024
of scam losses were borne by the customers of Australia's four major banks; banks reimbursed or compensated just 2–5% of losses
ASIC Report 761, scam prevention in the major banks · Fiscal year 2021–22 (published April 2023)
false billing was the most-reported scam type by Australian small businesses, with A$2.0 million reported lost to it — of 2,228 small-business Scamwatch reports and A$9.5 million in reported losses overall
National Anti-Scam Centre — Scamwatch · Calendar 2025
reported lost via bank transfer in Scamwatch reports — still the payment method scammers request most
National Anti-Scam Centre — Scamwatch · Calendar 2025
Confirmation of Payee checks ran in the scheme's first year — payee-name checking only arrived in Australia in July 2025, and it warns rather than blocks; one participating bank alone saw 570,000+ payments abandoned after a no-match
Australian Banking Association / Australian Payments Plus · July 2025 – July 2026
maximum penalty per breach under the Scams Prevention Framework Act 2025 for banks, telcos, and platforms — a framework that does not mandate reimbursing victims
Scams Prevention Framework Act 2025 · In force from 21 February 2025
Australia's National Anti-Scam Centre combines data from Scamwatch, ReportCyber, the Australian Financial Crimes Exchange, IDCARE, and ASIC into one annual picture. For 2025 it shows A$2.18 billion in reported scam losses across 481,523 reports — and after a big drop in 2024, losses turned upward again.
For businesses, the standout category is payment redirection: a criminal intercepts or impersonates legitimate business email and redirects an invoice payment to an account they control. It cost A$166.8 million in 2025 — the second-largest scam category by losses — and grew 9.3% in a year when romance, investment, and remote-access scams all shrank. In Scamwatch data, false billing was the most-reported scam type by small businesses.
The cybercrime picture says the same thing: in the year to June 2025, email compromise and BEC fraud were the two most-reported cybercrimes by Australian businesses, together roughly a third of all business reports. Average self-reported costs jumped for every business size band.
Recovery is the weakest link. ASIC's review of the four major banks found customers bore 96% of scam losses, with banks reimbursing or compensating only 2–5%. Australia's answer has been prevention infrastructure — Confirmation of Payee and the Scams Prevention Framework — rather than UK-style mandatory reimbursement. Once a fraudulent invoice is paid, the money is overwhelmingly gone.
Until July 2025, a standard Australian transfer (BSB + account number) performed no check that the account name matched — money went wherever the number pointed. Confirmation of Payee, a A$100 million bank-funded system, changed that: by 2026 it was live across more than 100 institutions, returning match, close match, or no match on first-time payments.
CoP is a warning service, not a block. The payer can proceed past a no-match, and it protects the keystroke moment — not the upstream problem of a supplier's bank details being swapped inside a compromised email thread, where the fraudster supplies a name and account that match each other.
The Scams Prevention Framework Act 2025 puts prevent, detect, disrupt, and report obligations on banks, telcos, and digital platforms, with penalties up to A$50 million per breach. Unlike the UK's regime, it does not mandate reimbursement — redress runs case by case through dispute resolution, and ASIC found the major banks reimbursed or compensated only 2–5% of scam losses. No regulator or bank guarantees an Australian business gets back money paid against a fraudulent invoice.
The National Anti-Scam Centre's data is blunt: false billing — which it describes as generally relating to payment redirection, also known as business email compromise — was the most-reported scam type by small businesses in 2025, and small businesses reported more scams and higher aggregate losses than medium and large businesses combined.
The per-incident economics are brutal for smaller firms: the average self-reported cost of cybercrime was A$56,600 for a small business in the year to June 2025 — up 14% in a year — and with major banks covering 2–5% of scam losses, an Australian SMB that pays a fraudulent supplier invoice should assume the money is unrecoverable.
Confirmation of Payee helps when someone keys a new payee. It cannot catch the classic scenario — a long-standing supplier's mailbox is compromised and a plausible "we've changed banks" note arrives mid-invoice-run. That is the control gap PayHQ closes: every incoming invoice is compared against the supplier record you verified, and a changed account is flagged for review before payment.
Australia's term for BEC-driven invoice fraud: a criminal intercepts or impersonates legitimate business email and redirects a genuine invoice payment to an account they control. It cost Australians a reported A$166.8 million in 2025, second only to investment scams.
A$2.18 billion in combined reported losses across Scamwatch, ReportCyber, the AFCX, IDCARE, and ASIC — up 7.8% on 2024. The National Anti-Scam Centre notes many victims never report, so this is a floor.
It helps at the moment of payment entry: since July 2025 Australian banks check whether the account name matches the number, and warn on a mismatch. But it doesn't block payments, and it can't detect a supplier bank-detail change made through a compromised email thread, where name and account match each other.
Rarely. ASIC found the four major banks reimbursed or compensated only 2–5% of scam losses, with customers bearing 96%. The Scams Prevention Framework Act imposes prevention duties and large penalties, but no mandatory reimbursement — business victims generally carry the loss.
Every statistic on this page was checked against the named source in July 2026, and the figures quoted in the narrative come from the same verified set as the stat cards. Figures describe what each source measures — reported losses are not the same as total losses, and most fraud goes unreported. When a figure cannot be verified against a primary source, we remove it rather than keep it.
PayHQ checks every incoming invoice against your verified supplier records and flags changed bank details before the payment goes out.