
BPAY Payment Fraud: What Australian Businesses Need to Know

4 May 2026 · 9 min read
Tags: payment fraud, BPAY, accounts payable, business email compromise, fraud prevention

BPAY is one of Australia's most trusted payment systems. Over 60,000 billers use it. Millions of payments are processed every day without incident.

That trust is exactly what makes it valuable to fraudsters.

Australian businesses are losing significant sums each year to BPAY fraud — not because BPAY's infrastructure is compromised, but because the processes surrounding it are. Criminals are not hacking BPAY. They are hacking the accounts payable workflows your finance team relies on to enter biller codes.

According to the ACCC, Australians lost a record $3.3 billion to scams in 2023. Business email compromise (BEC) — the primary delivery mechanism for BPAY fraud targeting companies — remains one of the most costly cyber-enabled crimes reported to the ASD, with average losses per business incident around $39,000.

Why BPAY is a fraud target

BPAY was designed for consumers paying bills — utilities, rates, insurance, phone. It is simple, reliable, and widely accepted. Those same features make it attractive to fraudsters.

When a business pays via BPAY, it enters a biller code and a reference number. The bank processes the payment and the money moves. Unlike a bank transfer, there is no account name to verify against.

This is the gap. Fraudsters do not need to compromise BPAY's systems. They only need to substitute a legitimate biller code with one that routes to their own account — before your team enters it.

Scamwatch formally categorises false billing as a distinct scam type targeting businesses. It specifically covers fraudulent invoices with fake BPAY biller codes sent to accounts payable teams. These are not opportunistic attacks. They are targeted, professional, and increasingly common.


How BPAY fraud happens: the six main types

Understanding how BPAY fraud reaches your AP team is the first step to stopping it.

1. False billing

Criminals send convincing invoices bearing fraudulent BPAY biller codes. They often impersonate real billers: the ATO, utility companies, council rates, telecommunications providers. The invoices look legitimate because they are designed to.

Your bookkeeper processes what appears to be a routine bill. The funds reach the fraudster's nominated account. The real biller eventually contacts you about non-payment — by which time recovery is nearly impossible.

2. Business email compromise (BEC) redirection

This is the most costly variant. A fraudster compromises either your supplier's email account or your own company's inbox. They monitor correspondence, then intercept an invoice exchange.

The legitimate BPAY biller code on an invoice is replaced with a fraudulent one. The invoice is forwarded as if nothing changed. Your AP team pays what looks like a normal supplier invoice. The only indication something went wrong is when the supplier follows up for payment.

The ASD's Annual Cyber Threat Report identifies BEC as one of the top financial cybercrime threats targeting Australian businesses. The average loss per BEC incident for businesses is approximately $39,000.

3. Phishing for internet banking credentials

Criminals use fake bank login pages to capture internet banking usernames and passwords. Finance team members are frequent targets because they have high payment limits and regular banking access.

Once credentials are stolen, the attacker logs in outside business hours and makes BPAY payments to billers they control. By the time the next reconciliation run in Xero surfaces the discrepancy, the money is gone.

4. Social engineering and impersonation

A caller claims to be from your utility company, the ATO, or even your bank. They explain there has been a system migration and your BPAY biller code has changed. They have an air of authority and urgency.

They provide a new biller code. You update your records. Your next payment reaches the fraudster.

This tactic specifically targets smaller businesses where a single person handles AP and has no independent process to verify biller code changes.

5. Insider fraud

Not all BPAY fraud comes from outside. An employee with access to your accounting system can manipulate biller codes in supplier records. A real supplier's BPAY details are replaced with fraudulent ones. Payments go to the employee's nominated account or an account they control.

This type of fraud is harder to detect because it bypasses external verification entirely. It relies on weak internal controls — specifically, insufficient user permission settings in Xero and no dual-authorisation requirement.

6. Malware on finance workstations

Keyloggers and other malware installed on a finance team member's computer capture banking credentials and monitor for payment activity. Fraudsters use the captured credentials to execute BPAY payments after hours, when the activity is unlikely to be noticed until the following morning.

Red flags your AP team should know

Training your team to recognise anomalies before payment is processed is one of the most cost-effective fraud controls available.

Unsolicited biller code update requests. Any email or call advising that a supplier's BPAY biller code has changed should be treated as high-risk until independently verified.

Invoices from new billers with large amounts. A first invoice from a supplier your business has not used before, especially if the amount is substantial, warrants verification before payment.

Urgency and pressure. Legitimate suppliers do not pressure you to pay immediately using a method you have not used before. Urgency is a fraud signal, not a service standard.

ATO or government agency BPAY invoices. The ATO does communicate via post and email, but any unexpected invoice with a BPAY biller code should be verified directly through ato.gov.au or by calling 13 28 66.

Slight variations in supplier contact details. BEC attackers often use email addresses that differ from the real supplier's by one character. Check the sender domain carefully on any invoice that includes updated payment details.
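A sender-domain check of the kind described above, as an added example that is not part of the original post. The verified supplier domains, the confusable-character substitutions and the one-edit threshold are assumptions; tune them to your own supplier list.

```python
# Constructed set of sender domains already verified for known suppliers
# (assumed values, not real suppliers).
KNOWN_SUPPLIER_DOMAINS = {"acmeenergy.com.au", "metrocouncil.nsw.gov.au", "fastfreight.com.au"}

def normalise(domain):
    """Collapse common look-alike substitutions so 'acrne' compares equal to 'acme'."""
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .replace("0", "o").replace("1", "l"))

def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address):
    """Return the lowercase domain of an email address, or '' if it is malformed."""
    if address.count("@") != 1:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()

def classify_sender(address, known=KNOWN_SUPPLIER_DOMAINS, max_distance=1):
    """Classify an invoice sender as known, lookalike (within max_distance edits
    of a verified supplier domain after normalisation), unknown, or malformed."""
    domain = sender_domain(address)
    if not domain:
        return ("malformed", None)
    if domain in known:
        return ("known", domain)
    for k in sorted(known):
        if edit_distance(normalise(domain), normalise(k)) <= max_distance:
            return ("lookalike", k)
    return ("unknown", None)
```

A "lookalike" or "unknown" result on an invoice that carries updated payment details is the trigger for the out-of-band verification call, not a reason to reject the invoice outright.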


Prevention controls that actually work

Verify biller codes out of band

Never update a BPAY biller code based solely on an email or invoice. Call the supplier using a number sourced from their official website — not a number provided in the suspicious communication. Document the verification call, including who you spoke to and when.

This single control stops the majority of BEC-enabled BPAY fraud before it happens.

Implement dual authorisation for new and modified payees

No single person in your AP team should be able to both update a supplier's BPAY details and authorise a payment to that supplier. Separating these responsibilities — even in a small team — removes the opportunity for both insider fraud and social engineering to succeed alone.

If you are running Xero, review your user permission settings. Ensure that staff responsible for data entry cannot also approve payments above a set threshold. See our guide to segregation of duties for small finance teams for practical approaches when headcount is limited.

Establish a formal biller code change policy

Document your process for updating BPAY biller codes. Who can authorise a change? What verification must occur? Who must approve before the change is recorded in your accounting system?

A written policy — even a single page — provides a reference point for staff and a paper trail for any future investigation.

Review user permissions in Xero

Xero offers granular user role settings. Finance staff who process bills and payments should not have administrator-level access. Accounts payable staff with invoice-only access cannot approve payments above certain thresholds without a second authorisation.

Review your Xero user roles periodically, especially after staff changes. Former employees with retained access represent a meaningful insider fraud risk.

Run regular supplier payment audits

Periodically review your BPAY payment history for patterns: new biller codes appearing for established suppliers, unusually large payments to billers used infrequently, payments to multiple billers with similar reference numbers. Many of these patterns surface quickly when you look at your data systematically.

Our finance manager fraud detection checklist includes a monthly review process designed for lean finance teams.
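The three audit patterns listed above, implemented over a constructed payment history as an added example that is not part of the original post or of any product. The sample rows, the "established supplier" history length, the rarity cut-off and the dollar threshold are all assumptions; an exported BPAY payment list from your accounting system would take their place.

```python
from collections import defaultdict

# Constructed sample BPAY payment history (not real data): one dict per payment.
PAYMENTS = [
    {"date": "2026-01-05", "supplier": "Acme Energy", "biller_code": "123456", "ref": "4001234567", "amount": 1800.00},
    {"date": "2026-02-05", "supplier": "Acme Energy", "biller_code": "123456", "ref": "4001234567", "amount": 1750.00},
    {"date": "2026-03-05", "supplier": "Acme Energy", "biller_code": "123456", "ref": "4001234567", "amount": 1820.00},
    {"date": "2026-04-05", "supplier": "Acme Energy", "biller_code": "987654", "ref": "4001234567", "amount": 1790.00},
    {"date": "2026-02-20", "supplier": "Metro Council", "biller_code": "222333", "ref": "9900001", "amount": 950.00},
    {"date": "2026-04-21", "supplier": "Fast Freight", "biller_code": "555666", "ref": "7700123", "amount": 24000.00},
    {"date": "2026-04-22", "supplier": "Fast Freight", "biller_code": "555667", "ref": "7700123", "amount": 600.00},
]

def new_code_for_established_supplier(payments, min_history=2):
    """Flag a payment whose biller code was never used before for that supplier,
    once the supplier already has at least min_history earlier payments."""
    findings, seen, count = [], defaultdict(set), defaultdict(int)
    for p in sorted(payments, key=lambda p: p["date"]):
        s = p["supplier"]
        if count[s] >= min_history and p["biller_code"] not in seen[s]:
            findings.append(("new-biller-code", p["date"], s, p["biller_code"]))
        seen[s].add(p["biller_code"])
        count[s] += 1
    return findings

def large_payment_to_rare_biller(payments, max_uses=2, amount_threshold=10000.0):
    """Flag payments at or above amount_threshold to a biller code that appears
    at most max_uses times in the whole history (both thresholds are assumptions)."""
    uses = defaultdict(int)
    for p in payments:
        uses[p["biller_code"]] += 1
    return [("large-to-rare-biller", p["date"], p["supplier"], p["biller_code"])
            for p in payments
            if uses[p["biller_code"]] <= max_uses and p["amount"] >= amount_threshold]

def shared_reference_across_billers(payments):
    """Flag a reference number that has been paid to more than one biller code:
    the same customer reference turning up under a second biller is a redirect sign."""
    by_ref = defaultdict(set)
    for p in payments:
        by_ref[p["ref"]].add(p["biller_code"])
    return [("shared-reference", ref, sorted(codes))
            for ref, codes in by_ref.items() if len(codes) > 1]

def run_audit(payments):
    """Run all three checks and return the combined list of findings."""
    return (new_code_for_established_supplier(payments)
            + large_payment_to_rare_biller(payments)
            + shared_reference_across_billers(payments))
```

Calling run_audit(PAYMENTS) on the sample data surfaces the changed Acme Energy biller code under two rules, which is the point: a redirected invoice tends to trip more than one pattern at once.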

What to do if your business has already been hit

Speed matters. BPAY payments are not reversible at the sender's request — recovery depends entirely on what can be done at the receiving institution before the funds are moved.

Step 1: Contact your bank immediately. Call your bank's fraud team and report the payment. Ask them to contact the biller's financial institution and request a funds hold. Every hour of delay reduces recovery chances.

Step 2: Report to Scamwatch. Lodge a report at scamwatch.gov.au. This supports law enforcement and contributes to national fraud intelligence. It also creates a formal record of the incident, which may be relevant to insurance claims.

Step 3: Report to the ASD if the fraud was cyber-enabled. If a BEC attack or phishing campaign was involved, report to the Australian Signals Directorate via cyber.gov.au/report. The ASD tracks BEC campaigns and your report may be connected to a broader investigation.

Step 4: Review your insurance coverage. Check whether your cyber insurance policy covers social engineering losses. Many policies exclude them unless a specific endorsement was purchased. Speak with your broker about whether your incident is claimable and what documentation is required.

Step 5: Conduct an internal review. Understand how the fraud occurred before resuming normal AP operations. Was a biller code updated without verification? Did an email compromise occur? Close the gap before it is exploited again.



Conclusion

BPAY is not the vulnerability. Your AP process is.

Fraudsters target the moment between receiving an invoice and entering a biller code into your banking platform. That window — a few minutes of routine work — is where Australian businesses are losing tens of thousands of dollars per incident.

The good news is that this type of fraud is preventable. Verification calls, dual authorisation, clear biller code change policies, and regular supplier audits close most of the exposure. None of these require large investments or complex technology.

If you want automated monitoring to catch supplier payment detail changes in your Xero environment before they reach the payment stage, OutflowGuard does exactly that — with a free tier that lets you audit your existing data before committing to anything.

Prevention is cheaper than recovery. And unlike a BPAY payment, the decision to act is always reversible.

Ready to secure your payments?

Join finance teams protecting their businesses from payment redirect scams.

Start your 14-day free trial. Cancel anytime.