
66% surge in payment scams targeting CFOs, ACCC warns

Catherine Chipeta

Australians lost over $2 billion to scams in 2024 — and if you think that’s just consumers clicking dodgy links, think again. Increasingly, businesses are footing the bill, as scammers target the one department that holds the keys to the vault: finance.

From fake invoices to payment redirection scams and investment cons, finance teams are now prime targets for sophisticated fraudsters. And while many CFOs may see cybercrime as an IT problem, when scammers come for your payments, it’s your problem too.

In this article, we’ll break down what the National Anti-Scam Centre’s 2024 report means for finance leaders — and what you can do to stay out of this year’s headlines.

Scams are getting smarter — and they’re targeting finance

Scammers are running businesses too — albeit illegal ones. And like any business, they know where the money flows.

Here’s what the latest data tells us:

  • $2.03 billion in total scam losses — a quarter of which hit businesses.
  • Payment redirection scams (aka business email compromise or BEC), where scammers impersonate suppliers or executives to trick businesses into sending funds to fraudulent accounts, surged 66.6%, totaling $152.6 million in losses.
  • False billing scams (fake invoices that slip through busy accounts payable teams) caused $27.8 million in losses in 2024, making them a top threat to businesses.
  • Small businesses alone reported $13.1 million in direct losses, proving that no organization is too small to be targeted.

Bottom line: if you manage payments, your business is firmly on scammers’ radar.

3 scams every CFO and finance leader should worry about

1. Payment redirection scams

Payment redirection scams (or business email compromise) — often disguised as legitimate requests to update bank details — remain one of the most costly and sophisticated threats facing finance teams today.

How it works:

  • Scammers hack a supplier’s email or set up a fake one that looks nearly identical.
  • They send a convincing request to update bank account details.
  • Finance teams under pressure to process payments may comply without realizing the request is fraudulent — and by the time it’s discovered, the money is gone.

Why you should care: these scams bypass IT defenses and rely on human trust — making finance teams the last line of defense.

2. False billing scams (Fake invoices — and highly convincing)

False billing scams — also known as invoice fraud — remain a major threat to Australian businesses. These scams involve sending fraudulent invoices that appear to come from legitimate suppliers, often crafted with remarkable attention to detail. They can be timed to coincide with actual projects or payment cycles, making them difficult to detect without robust verification processes.

This isn’t a new problem. False billing scams cost Australian businesses $16.2 million in 2022. While that figure had declined from previous years, it highlights a persistent and evolving threat — and the latest 2024 data confirms that false billing remains one of the top scams affecting businesses.

How it works:

  • A fake invoice is submitted, often using a legitimate supplier’s name, branding, and context.
  • It may reference real projects or known contacts to seem authentic.
  • The invoice gets processed and paid — especially when teams are under pressure to meet payment deadlines.

Why you should care: even the best-run AP teams can be vulnerable when scammers invest time into impersonating trusted vendors. Without independent verification of bank details, businesses are exposed to serious financial losses.

3. Investment scams (Now targeting businesses, not just individuals)

While often associated with individuals, investment scams are increasingly targeting businesses and their executives. Scammers pitch “exclusive” high-return opportunities — especially in cryptocurrency or emerging markets — that turn out to be fraudulent.

How it works:

  • Scammers approach executives and business owners with what looks like a strategic investment or partnership opportunity.
  • Funds are transferred to what appears to be a legitimate investment.
  • And that’s the last you see of it.

How scammers get in (hint: it’s not just emails)

Scammers use a range of tactics to infiltrate payment processes — often combining multiple methods to make their fraud more convincing. Here’s what the latest ACCC data tells us about how they get in, and how much these attacks cost businesses:

  • Email: The number one way scammers target finance teams — especially for fake bank detail updates and fraudulent invoices. In 2024, there were 90,819 reports of email-based scams, highlighting how heavily scammers rely on email to impersonate suppliers and executives.
  • Phone: Scammers use phone calls to “confirm” fake invoices or impersonate senior executives demanding urgent payments. In 2024, $107.2 million was lost to phone-based scams, with these cases showing the highest median loss per victim ($3,900).
  • Fake websites and portals: Scammers create fake supplier portals, investment platforms, and impersonation sites that are almost indistinguishable from the real thing. In 2024, businesses and individuals lost $27.2 million through scams linked to fake websites and platforms.

These tactics often work in combination — for example, a fraudulent email request to change bank details followed by a phone call impersonating the supplier to “confirm” the request. Without independent verification processes in place, these scams can slip through even experienced teams.

Why most payment controls aren’t enough

Training and firewalls are important, but on their own, they won’t stop a scammer impersonating your supplier.

Why businesses are still falling victim:

  • AP teams are under pressure to process payments quickly and meet deadlines.
  • Manual vendor checks fail when people are overwhelmed.
  • Scammers impersonate trusted people and brands.
  • Once money is sent, it’s usually gone.

Even though banks are stepping up scam prevention, the responsibility to catch scams before payment still falls on finance teams.

What finance leaders should do — starting now

Three things you can do today:

  1. Independently verify bank details — every time. Call suppliers directly on a trusted number.
  2. Strengthen your approval workflows. Add dual authorization and second-level checks.
  3. Educate finance and AP teams on how scams work. Share real tactics and red flags to watch for.
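One way to encode the first two controls as a payment-release gate, shown as an added example (not Eftsure's code and not from the ACCC report; the class names, field names and sample data are hypothetical). A call-back counts only if it was made to the number already on file, so an inbound call that "confirms" an emailed change does not release the payment.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Vendor:
    name: str
    account_on_file: str   # bank details already in the vendor master
    phone_on_file: str     # trusted number recorded before any change request

@dataclass
class CallBack:
    number_dialled: str    # must come from the vendor master, not the request
    confirmed_account: str
    verified_by: str

@dataclass
class Payment:
    vendor: Vendor
    pay_to_account: str
    approvers: set[str] = field(default_factory=set)
    call_back: Optional[CallBack] = None

def release_decision(p: Payment) -> tuple[bool, list[str]]:
    """Return (release?, reasons to hold)."""
    holds = []
    if p.pay_to_account != p.vendor.account_on_file:   # details changed
        cb = p.call_back
        if cb is None:
            holds.append("changed bank details, no call-back recorded")
        else:
            if cb.number_dialled != p.vendor.phone_on_file:
                holds.append("call-back number is not the one on file")
            if cb.confirmed_account != p.pay_to_account:
                holds.append("call-back confirmed a different account")
            if cb.verified_by in p.approvers:  # assumption: separation of duties
                holds.append("verifier is also an approver")
    if len(p.approvers) < 2:                            # dual authorization
        holds.append("fewer than two distinct approvers")
    return (not holds, holds)

# Constructed sample data (fictional vendor, account and phone numbers).
ACME = Vendor("Acme Supplies", "062-000 1111 2222", "+61 2 5550 0100")

if __name__ == "__main__":
    # Emailed change request, then "confirmed" on a number that is not on file.
    spoofed = Payment(ACME, "083-000 9999 8888", {"ana", "raj"},
                      CallBack("+61 2 5550 0199", "083-000 9999 8888", "lee"))
    print(release_decision(spoofed))
```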

Want practical steps to protect your finance team?

If you’re thinking about how to defend your business from payment redirection, false billing, and other scams targeting finance teams, our Cybersecurity Guide for CFOs is a good place to start.
It covers:

  • The real tactics scammers are using to target finance teams and payments.
  • How to build stronger, scam-proof payment processes.
  • The controls CFOs should have in place today to reduce risk.
