Invoice fraud is one of the most common forms of business fraud in Australia, and it takes multiple forms: externally generated fake invoices submitted by third parties, business email compromise (BEC) attacks that intercept legitimate invoices and redirect payment, and internal manipulation by employees with access to the payables system. The losses are often significant — and frequently unrecoverable once payment has been made.
Types of invoice fraud
Business email compromise
BEC attacks targeting accounts payable are among the most prevalent. An attacker compromises a supplier's email account (or spoofs it convincingly) and sends what appears to be a legitimate invoice or payment redirection notice. The business pays, the money goes to a fraudster's account, and the real supplier follows up weeks later with the real invoice. The Australian Cyber Security Centre has consistently identified BEC as one of the highest-value cybercrime types affecting Australian businesses.
Fictitious vendor invoices
Employees with payables access create vendor accounts for fictitious suppliers and submit invoices for services not rendered. These are typically for amounts small enough not to trigger individual approval thresholds, but recurring over time.
Third-party solicitation fraud
Businesses receive unsolicited invoices for directory listings, domain renewal, or regulatory compliance services they never ordered. Some recipients pay without verification, particularly in environments where payables processing is high-volume or under-resourced.
Verification controls that matter
- Vendor master file controls: new vendor accounts should require dual authorisation and be matched against ABN Lookup before being activated. Changes to existing vendor bank details should trigger a mandatory callback to the vendor on a number from the master file — not from the email containing the change request.
- Three-way matching: match every invoice to a purchase order and goods receipt before payment. Invoices with no corresponding PO should require explicit supervisor authorisation.
- Bank account change protocols: any instruction to redirect payment to a new bank account should require out-of-band verification — phone confirmation using a number you independently source, not the number in the email.
- Duplicate invoice checking: your payables system should flag invoices from the same vendor that carry the same amount or the same invoice number and arrive within a short period.
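The four controls above, and the BEC payment-redirection pattern they defend against, can be expressed as checks that run over an invoice batch before anything is released for payment. The following is an added example, not code from the original article or from Merion: a small Python payables gate with a constructed vendor master file, purchase-order and goods-receipt ledger, and invoice batch (all names, ABNs, BSB/account numbers and phone numbers are made up). The ABN Lookup match and the callback itself remain manual, out-of-band steps; the code only produces the hold and the master-file number to call.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    abn: str
    bsb: str
    account: str
    callback_phone: str   # sourced independently when the vendor was set up

@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    vendor_id: str
    amount: float
    received: date
    po_number: Optional[str] = None
    bsb: Optional[str] = None       # bank details printed on the invoice, if any
    account: Optional[str] = None

# Constructed sample master data (every identifier here is made up).
VENDORS = {
    "V100": Vendor("V100", "Acme Stationery Pty Ltd", "11 111 111 111",
                   "062-000", "12345678", "02 9000 0000"),
}
PURCHASE_ORDERS = {"PO-501": ("V100", 480.00)}   # po -> (vendor, approved amount)
GOODS_RECEIVED = {"PO-501"}                        # POs with a recorded goods receipt

def check_vendor(inv, vendors):
    """Vendor master control: an invoice from an unknown vendor is not paid,
    and a vendor record is never created from the invoice itself."""
    if inv.vendor_id not in vendors:
        return ["UNKNOWN_VENDOR: no master-file record; dual-authorised setup required"]
    return []

def check_three_way(inv, purchase_orders, goods_received):
    """Three-way match: invoice <-> purchase order <-> goods receipt."""
    findings = []
    if inv.po_number is None:
        return ["NO_PO: explicit supervisor authorisation required"]
    po = purchase_orders.get(inv.po_number)
    if po is None:
        return [f"PO_NOT_FOUND: {inv.po_number}"]
    po_vendor, po_amount = po
    if po_vendor != inv.vendor_id:
        findings.append(f"PO_VENDOR_MISMATCH: {inv.po_number} belongs to {po_vendor}")
    if abs(po_amount - inv.amount) > 0.005:
        findings.append(f"PO_AMOUNT_MISMATCH: PO {po_amount:.2f} vs invoice {inv.amount:.2f}")
    if inv.po_number not in goods_received:
        findings.append(f"NO_GOODS_RECEIPT: {inv.po_number}")
    return findings

def check_bank_details(inv, vendors):
    """Bank account change protocol: details on an invoice that differ from the
    master file are never applied; the payment is held pending a callback on
    the master-file number, not on any number in the invoice or email."""
    vendor = vendors.get(inv.vendor_id)
    if vendor is None or inv.bsb is None:
        return []
    if (inv.bsb, inv.account) != (vendor.bsb, vendor.account):
        return [f"BANK_DETAILS_DIFFER: hold payment; call vendor on {vendor.callback_phone}"]
    return []

def find_duplicates(invoices, window_days=30):
    """Duplicate check: same vendor and (same invoice number or same amount)
    received within window_days of each other. Returns {invoice_no: [matches]}."""
    dups = {}
    for a, b in combinations(invoices, 2):
        if a.vendor_id != b.vendor_id or abs((a.received - b.received).days) > window_days:
            continue
        if a.invoice_no == b.invoice_no or abs(a.amount - b.amount) < 0.005:
            dups.setdefault(a.invoice_no, []).append(b.invoice_no)
            dups.setdefault(b.invoice_no, []).append(a.invoice_no)
    return dups

def review_batch(invoices, vendors=VENDORS, purchase_orders=PURCHASE_ORDERS,
                 goods_received=GOODS_RECEIVED, window_days=30):
    """Run every control over a batch; returns {invoice_no: [findings]}.
    An empty list means the invoice cleared all checks and may be paid."""
    dups = find_duplicates(invoices, window_days)
    report = {}
    for inv in invoices:
        findings = check_vendor(inv, vendors)
        if not findings:   # remaining checks only make sense for a known vendor
            findings += check_three_way(inv, purchase_orders, goods_received)
            findings += check_bank_details(inv, vendors)
        for other in dups.get(inv.invoice_no, []):
            findings.append(f"POSSIBLE_DUPLICATE: matches {other}")
        report[inv.invoice_no] = findings
    return report

# Constructed sample batch: a clean invoice, a resubmission of it, a no-PO
# invoice quoting new bank details (the BEC redirection pattern), and an
# invoice from a vendor that does not exist in the master file.
SAMPLE_BATCH = [
    Invoice("INV-1", "V100", 480.00, date(2024, 3, 1), po_number="PO-501"),
    Invoice("INV-2", "V100", 480.00, date(2024, 3, 10), po_number="PO-501"),
    Invoice("INV-3", "V100", 1250.00, date(2024, 3, 12), bsb="033-999", account="99999999"),
    Invoice("INV-4", "V200", 299.00, date(2024, 3, 12)),
]

if __name__ == "__main__":
    for no, findings in review_batch(SAMPLE_BATCH).items():
        print(no, "CLEAR" if not findings else "; ".join(findings))
```

Nothing in this gate pays or blocks on its own authority; it produces holds that a person must clear, and the only phone number it ever surfaces is the one recorded in the master file at vendor setup.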
What you can recover when fraud has occurred
Recovery of funds paid to a fraudster is difficult. If payment was made to a domestic account, your bank may be able to place a hold if you act within hours of discovering the fraud, but banks have no general obligation to reverse an authorised payment. If funds have been moved offshore, recovery is rarely possible through civil means. AFCA can assist where a financial institution's conduct is in question, but where the fraud was external and the business was the victim, civil recovery from the fraudster is the primary option, and that option is usually worthless if the fraudster is overseas or unknown.
The practical implication is that prevention is the only reliable protection. Contact Merion if you are dealing with a disputed payment or seeking advice on documentation for a potential recovery.