When a business pays a fake invoice — who is liable and what can be recovered?

Business email compromise attacks that redirect invoice payments are increasing. When a business pays a fraudulent invoice, the legal position on liability and recovery is complex.


Business email compromise (BEC) fraud involving fake or intercepted invoices has become one of the most significant sources of financial loss for Australian businesses. The typical scenario: a fraudster intercepts an email between a supplier and customer, substitutes the supplier's bank account details with their own, and the customer makes payment to the fraudster's account believing they are paying the genuine supplier. The supplier then follows up with the real invoice. The result is that the customer has paid twice — once to a fraudster, once (potentially) to the real supplier — or is being pursued for a debt they believe they have already paid.

Who is liable for the payment to the fraudster

This question is legally complex and fact-specific. The general starting point is that a payment made to the wrong account due to fraud by a third party does not discharge the underlying debt — the customer still owes the supplier. The customer's recourse is against the fraudster, not the supplier. From the supplier's perspective, they have not been paid and can pursue the customer for the outstanding invoice.

However, if the fraud was facilitated by the supplier — for example, if the supplier's email system was the one compromised, if the supplier sent an email with incorrect bank details, or if the supplier's invoice template was copied — there may be an argument that the supplier's negligence contributed to the loss. Australian courts have considered these scenarios, and the outcome depends heavily on the facts.

The banks' position

The customer may have a claim against their own bank if the bank failed to verify the payee account details in circumstances where they should have identified the fraud — but banks have limited obligations to verify account ownership under current Australian payment system rules. The AFCA process is available if the customer believes their bank failed in its obligations, but success is not guaranteed.

ASIC and AFCA have been consulting on whether banks should bear greater responsibility for "authorised push payment" fraud (where the customer authorised the payment, not knowing it was fraudulent). Similar reforms in the UK in 2024 shifted significant liability to banks. Australian reform may follow, but is not yet in place as of 2026.

Recovery from the fraudster

In most cases, the fraudster's account is quickly emptied and closed. The chance of civil recovery from the fraudster is low. Reporting to the Australian Federal Police and ACSC (Australian Cyber Security Centre) is appropriate but rarely results in recovery.

Practical steps when fraud is discovered

  • Contact your bank immediately to request a recall of the payment — the sooner the better, as funds can be recalled if they have not yet been moved from the receiving account.
  • Contact the receiving bank directly to request a freeze on the account.
  • Report to ReportCyber (Australian Federal Police / ACSC) and to ACCC's Scamwatch.
  • Notify your insurer — cyber insurance policies often cover BEC losses.

Contact Merion if you are a supplier whose invoice was intercepted and you are now dealing with a customer who disputes the debt on the basis of fraudulent payment.
