$3.05 billion in reported losses to business email compromise in 2025 (FBI IC3).See the numbers by country →
A$2.18B

in combined reported scam losses across Australia's five national reporting systems in 2025 — up 7.8% after a fall the year before

National Anti-Scam Centre, Targeting Scams report · Calendar 2025

34%

of cybercrime reports by Australian businesses were email compromise with no financial loss (19%) or BEC fraud with financial loss (15%) — the two most-reported business cybercrimes

ASD Annual Cyber Threat Report 2024–25 · Fiscal year July 2024 – June 2025

A$56,600

average self-reported cost of cybercrime per report for a small business, up 14% year on year (medium businesses: A$97,200, up 55%)

ASD Annual Cyber Threat Report 2024–25 · Fiscal year July 2024 – June 2025

The numbers

What Australia loses to payment fraud.

#1

false billing was the most-reported scam type by Australian small businesses, with A$2.0 million reported lost to it — of 2,228 small-business Scamwatch reports and A$9.5 million in reported losses overall

National Anti-Scam Centre — Scamwatch · Calendar 2025

150M+

Confirmation of Payee checks ran in the scheme's first year — payee-name checking only arrived in Australia in July 2025, and it warns rather than blocks; one participating bank alone saw 570,000+ payments abandoned after a no-match

Australian Banking Association / Australian Payments Plus · July 2025 – July 2026

A$50M

maximum penalty per breach under the Scams Prevention Framework Act 2025 for banks, telcos, and platforms — a framework that does not mandate reimbursing victims

Scams Prevention Framework Act 2025 · In force from 21 February 2025

Behind the numbers

How these losses actually happen.

Australia's National Anti-Scam Centre combines data from Scamwatch, ReportCyber, the Australian Financial Crimes Exchange, IDCARE, and ASIC into one annual picture. For 2025 it shows A$2.18 billion in reported scam losses across 481,523 reports — and after a big drop in 2024, losses turned upward again.

For businesses, the standout category is payment redirection: a criminal intercepts or impersonates legitimate business email and redirects an invoice payment to an account they control. It cost A$166.8 million in 2025 — the second-largest scam category by losses — and grew 9.3% in a year when romance, investment, and remote-access scams all shrank. In Scamwatch data, false billing was the most-reported scam type by small businesses.

The cybercrime picture says the same thing: in the year to June 2025, email compromise and BEC fraud were the two most-reported cybercrimes by Australian businesses, together roughly a third of all business reports. Average self-reported costs jumped for every business size band.

Recovery is the weakest link. ASIC's review of the four major banks found customers bore 96% of scam losses, with banks reimbursing or compensating only 2–5%. Australia's answer has been prevention infrastructure — Confirmation of Payee and the Scams Prevention Framework — rather than UK-style mandatory reimbursement. Once a fraudulent invoice is paid, the money is overwhelmingly gone.

What the system covers

Confirmation of Payee arrived in 2025. Reimbursement didn't.

Until July 2025, a standard Australian transfer (BSB + account number) performed no check that the account name matched — money went wherever the number pointed. Confirmation of Payee, a A$100 million bank-funded system, changed that: by 2026 it was live across more than 100 institutions, returning match, close match, or no match on first-time payments.

CoP is a warning service, not a block. The payer can proceed past a no-match, and it protects the keystroke moment — not the upstream problem of a supplier's bank details being swapped inside a compromised email thread, where the fraudster supplies a name and account that match each other.

The Scams Prevention Framework Act 2025 puts prevent, detect, disrupt, and report obligations on banks, telcos, and digital platforms, with penalties up to A$50 million per breach. Unlike the UK's regime, it does not mandate reimbursement — redress runs case by case through dispute resolution, and ASIC found the major banks reimbursed or compensated only 2–5% of scam losses. No regulator or bank guarantees an Australian business gets back money paid against a fraudulent invoice.

What this means for you

Australian small businesses are payment redirection's primary target.

The National Anti-Scam Centre's data is blunt: false billing — which it describes as generally relating to payment redirection, also known as business email compromise — was the most-reported scam type by small businesses in 2025, and small businesses reported more scams and higher aggregate losses than medium and large businesses combined.

The per-incident economics are brutal for smaller firms: the average self-reported cost of cybercrime was A$56,600 for a small business in the year to June 2025 — up 14% in a year — and with major banks covering 2–5% of scam losses, an Australian SMB that pays a fraudulent supplier invoice should assume the money is unrecoverable.

Confirmation of Payee helps when someone keys a new payee. It cannot catch the classic scenario — a long-standing supplier's mailbox is compromised and a plausible "we've changed banks" note arrives mid-invoice-run. That is the control gap PayHQ closes: every incoming invoice is compared against the supplier record you verified, and a changed account is flagged for review before payment.

FAQ

Common questions about fraud in Australia.

How much did Australians lose to scams in 2025?

A$2.18 billion in combined reported losses across Scamwatch, ReportCyber, the AFCX, IDCARE, and ASIC — up 7.8% on 2024. The National Anti-Scam Centre notes many victims never report, so this is a floor.

Does Confirmation of Payee stop invoice fraud?

It helps at the moment of payment entry: since July 2025 Australian banks check whether the account name matches the number, and warn on a mismatch. But it doesn't block payments, and it can't detect a supplier bank-detail change made through a compromised email thread, where name and account match each other.

Will an Australian bank reimburse a scammed business?

Rarely. ASIC found the four major banks reimbursed or compensated only 2–5% of scam losses, with customers bearing 96%. The Scams Prevention Framework Act imposes prevention duties and large penalties, but no mandatory reimbursement — business victims generally carry the loss.

Sources & methodology

Where these numbers come from.

Every statistic on this page was checked against the named source in July 2026, and the figures quoted in the narrative come from the same verified set as the stat cards. Figures describe what each source measures — reported losses are not the same as total losses, and most fraud goes unreported. When a figure cannot be verified against a primary source, we remove it rather than keep it.

Other regions

Compare with other markets.

Protect your supplier payments in Australia.

PayHQ checks every incoming invoice against your verified supplier records and flags changed bank details before the payment goes out.