What is ACN fraud in Australia?

ACN fraud in Australia happens when criminals misuse company registration details to impersonate a real business, create trust, and redirect payments.

How do I verify an ACN?

Verify an ACN by searching ASIC registers, confirming the company name and status, then comparing those details with the supplier invoice and ABN record.

Does a valid ACN prove a supplier is legitimate?

No. A valid ACN proves a company exists, but it does not prove the invoice, sender, bank account or payment request is genuine.

Can Xero verify supplier ACNs automatically?

Xero stores supplier and invoice details, but finance teams still need controls to verify ACNs, ABNs, GST status and bank detail changes before payment.

ACN Fraud Australia: Verify Suppliers Before Payment

ACN fraud Australia searches are increasing because criminals no longer need to invent a business from scratch. They can copy a real Australian company's name, ACN, ABN, address and branding, then use those details to make a fake invoice look safe.

The payment risk is not theoretical. The National Anti-Scam Centre's Targeting Scams Report 2025 recorded $2.18 billion in combined scam losses and $166.8 million in payment redirection losses. For finance teams using Xero, an ACN check is useful, but it is only the first step before supplier details or bank accounts are trusted.

In this article:

What ACN fraud Australia means for finance teams
Why a valid ACN does not prove an invoice is safe
How to verify an ACN with ASIC and ABN Lookup
Supplier verification checklist for Xero teams
Red flags that point to business registration fraud
Related reading
Conclusion

What ACN fraud Australia means for finance teams

An Australian Company Number, or ACN, is a unique number issued to a registered company. It helps identify the legal company behind a business name, contract or invoice.

That makes an ACN useful for finance checks. It also makes it attractive to criminals.

In an ACN fraud Australia scenario, the criminal may not create a completely fake company. Instead, they copy the public details of a real company and use them to impersonate the supplier your team expects to pay.

A typical attack can look like this:

The criminal researches a real supplier. They find the legal name, ACN, ABN, website, address and invoice style from public records or leaked documents.
They send a realistic invoice or onboarding form. The document shows a valid ACN and may include a familiar logo, correct trading name and plausible contact details.
They change the payment destination. The bank account belongs to the criminal, even though the company registration details look legitimate.
The finance team approves payment. The Xero contact, bill or payment batch looks tidy enough to pass a quick review.
The real supplier follows up later. By then, the money may already have moved through several accounts.

This is why supplier verification must answer more than one question. It is not enough to ask, "Does this ACN exist?" The better question is, "Does this registered company, this invoice, this sender and this bank account all belong together?"

Why a valid ACN does not prove an invoice is safe

A valid ACN proves that a company is registered. It does not prove that the person emailing your accounts payable team is authorised to represent that company.

That distinction matters because many fraud controls stop too early. Someone checks the ACN, sees that ASIC has a matching company, then treats the invoice as verified.

ASIC guidance on checking a company or business is the right place to start. It can help you confirm whether a company or business name is registered and whether the details match what you have been given.

The ABN Lookup is also useful. It can show ABN status, GST registration and entity details that finance teams should compare against the invoice and Xero contact record.

But neither lookup proves bank account ownership. Neither confirms that a supplier changed payment instructions. Neither tells you whether a suspicious email came from the real supplier.

Think of verification in four layers:

Entity verification. Does the company exist, and do the ACN, ABN, legal name and GST details match public records?

Representative verification. Is the person requesting onboarding, invoice approval or a bank change authorised by the supplier?

Bank account verification. Has the supplier confirmed the BSB and account number through a trusted channel, not just the same email thread?

Workflow verification. Did your team follow an approved process before changing the supplier record or releasing payment?

If any layer is missing, the ACN check gives false comfort. It may prove the company exists while leaving the payment exposed.

How to verify an ACN with ASIC and ABN Lookup

A practical ACN fraud Australia control should be simple enough for a busy finance team to repeat. It should also create evidence for later review.

Use this workflow before adding a new supplier, paying a first invoice, changing bank details or approving an unusual payment.

Search the ASIC register. Use ASIC Connect search registers or ASIC's company and business search guidance to confirm the company exists.
Compare the legal name and ACN. Check the invoice, supplier form, contract and Xero contact record. Watch for small spelling differences, extra words, missing Pty Ltd details or a business name used as if it were a legal entity.
Check the ABN. Search ABN Lookup and confirm the ABN is active. Check whether the entity name, trading names and GST status line up with the invoice.
Confirm GST before paying GST. If the supplier charges GST, make sure the ABN record supports that. A mismatch does not always prove fraud, but it should trigger a hold and review.
Check the website and email domain. Compare the supplier's real website with the domain used in the request. Lookalike domains, new free-mail addresses and changed signatures deserve extra scrutiny.
Verify by trusted callback. Call a known supplier contact using a number already on file or sourced independently. Do not rely on the phone number inside the suspicious email or invoice.
Attach evidence. Save screenshots, notes, call logs or approval evidence against the supplier record, bill or internal checklist.
Require a second approval. A second person should review the evidence before bank details are changed or payment is released.

This process is not about slowing every invoice to a crawl. It is about adding friction at the moments criminals exploit: new suppliers, changed details, urgent invoices and high-value payments.

Business.gov.au scam guidance also recommends treating unexpected payment or account changes carefully. Finance teams should turn that advice into a written accounts payable process, not leave it as general awareness training.

Supplier verification checklist for Xero teams

Xero makes it easy to create contacts, enter bills and prepare payments. That speed is helpful, but it also means a bad supplier record can move from inbox to payment run quickly.

For more detail on the payment side, see our guide on how to verify supplier bank details in Australia. For the broader payment attack pattern, read what is payment redirect fraud.

Use this checklist before a supplier is trusted in Xero:

Supplier legal name matches the ASIC record.
ACN matches the supplier's registered company details.
ABN is active and matches the correct entity.
GST registration supports any GST charged on invoices.
Trading name or business name links back to the correct legal entity.
Invoice name matches the Xero contact name or has a documented reason for the difference.
Email domain matches the supplier's known domain.
Bank details are confirmed through a trusted callback.
Bank detail changes are approved by someone who did not enter the change.
Evidence is attached or recorded before payment.
Dormant suppliers are rechecked before being paid again.
High-value or urgent payments receive extra review.

The most important control is separation of duties. The same person should not be able to create a supplier, change bank details, approve the bill and release the payment without another set of eyes.

That is especially important for small teams. In many Australian SMBs, one finance manager or bookkeeper wears several hats. If that person is under pressure at month-end, a neat invoice with a valid ACN can slip through.

Red flags that point to business registration fraud

Business registration fraud rarely appears as one obvious warning sign. It is usually a cluster of small inconsistencies.

Treat these red flags as reasons to pause payment and verify independently:

The ACN is real, but the invoice contact is new. A valid company number paired with a new person, new email domain or unfamiliar phone number should trigger callback verification.

The ABN is active, but the trading name does not line up. Some legitimate suppliers have complex structures, but unexplained name differences need documentation.

GST is charged when the ABN record does not show GST registration. This may be an error, but finance teams should not ignore it.

The bank details changed close to the payment date. Criminals often time changes just before a scheduled run so staff feel pressure to act quickly.

The request relies on urgency or secrecy. Phrases such as "must be paid today" or "do not call the old contact" should slow the process down, not speed it up.

The supplier asks you to use details inside the same email. Independent verification means using known records, not the contact details supplied by the request itself.

The Xero contact has duplicate or near-match suppliers. Similar supplier names, old records and multiple contacts for the same vendor can hide a fraudulent change.

Scamwatch's business email compromise guidance covers payment redirection and supplier impersonation patterns that finance teams should recognise. The operational lesson is clear: when something changes, pause before payment.

If details do not match, use a simple escalation path:

Put the bill or payment on hold.
Contact the supplier through a trusted channel.
Ask for corrected documentation if needed.
Record the mismatch and verification outcome.
Require manager approval before payment proceeds.
Report suspected fraud through the appropriate internal and external channels.

The aim is not to accuse every supplier of fraud. It is to protect the business, protect the supplier relationship and make sure a public registration number is not doing more work than it can safely do.

Conclusion

ACN checks are worth doing. ASIC and ABN Lookup give finance teams a reliable starting point for confirming whether an Australian company exists and whether basic registration details match.

But ACN fraud Australia risks do not end at the register. A criminal can use real company details on a fake invoice, impersonate a supplier contact, or request a bank change that sends the next payment to the wrong account.

The safest approach is layered verification: check the ACN, check the ABN, confirm GST status, verify the sender, confirm bank details through a trusted callback and require a second approval before payment.

OutflowGuard helps Xero-using finance teams strengthen that last mile by monitoring supplier bank detail changes, alerting the right people and supporting dual approval before risky changes turn into lost money.