Healthcare payment fraud in Australia is a broader risk than many practice owners realise. The National Anti-Scam Centre Targeting Scams Report 2025 shows payment redirection scams caused $166.8 million in reported losses in 2025, and those losses often start with a familiar-looking invoice or bank detail change.
For medical practices, the risk is not limited to Medicare billing compliance. GP clinics, dental groups, allied health providers and specialist practices also pay landlords, pathology providers, medical suppliers, IT vendors, locums, nurses and contractors. Each payment creates a chance for a criminal to redirect money before the finance team notices.
In this article:
- Healthcare payment fraud in Australia is not only Medicare fraud
- Why medical practices are attractive payment fraud targets
- Common healthcare payment fraud scenarios
- Where fraud enters a Xero payment workflow
- Payment controls every medical practice should use
- Related Reading
- Conclusion
Healthcare payment fraud in Australia is not only Medicare fraud
When people hear healthcare fraud, they often think of Medicare claims, false billing or provider compliance. Those are serious issues, but they are not the only finance risk inside a medical practice.
Healthcare payment fraud in Australia also includes invoice redirection, supplier impersonation, payroll bank account changes, fake contractor invoices and unauthorised updates to supplier records. These attacks target the practice's outgoing payments rather than government reimbursement systems.
That distinction matters because a practice can be fully focused on clinical billing compliance and still lose money through a simple accounts payable failure. A real supplier email thread may be compromised. A fake invoice may copy the wording and branding of a known vendor. A bank account change may be entered into Xero without a second person checking it.
The Scamwatch business email compromise guide warns that scammers impersonate suppliers, employees or executives to redirect business payments. In healthcare, those messages can look convincing because the practice already manages urgent supplier requests, patient issues and time-sensitive operational costs.

The practical lesson is simple. Medicare compliance protects one part of the practice. Payment controls protect the money leaving the practice every week.
Why medical practices are attractive payment fraud targets
Healthcare businesses combine sensitive data, busy operations and regular supplier payments. That makes them attractive to criminals who want a realistic payment request to pass through without challenge.
High supplier volume. A clinic may pay pathology providers, medical consumable suppliers, equipment maintenance firms, cleaning services, software vendors, insurance providers and rent. The more suppliers in the workflow, the harder it is for one person to remember what is normal.
Lean finance teams. Many practices rely on a practice manager, an outsourced bookkeeper or a small accounts team. The same person may receive invoices, enter bills, update supplier details and prepare payment batches.
Urgency is normal. Medical practices often deal with urgent equipment repairs, locum cover, patient refunds and operational deadlines. Fraudsters use that pressure to push through payments before normal checks happen.
Outsourced bookkeeping creates distance. A bookkeeper may know the Xero file but not every real-world supplier relationship. If a bank detail change arrives by email, they may not know whether the request feels unusual.
Trust-based approval is common. Practice owners are busy. If a payment run looks routine and the supplier name is familiar, they may approve quickly without opening the supporting documents.
The OAIC Notifiable Data Breaches Report: July to December 2024 also shows why healthcare remains under pressure from cyber and data risk. Health service providers were the top reporting industry for notifiable data breaches in that period, with 121 notifications.
That does not mean every data breach becomes payment fraud. It does mean healthcare organisations already operate in a high-risk environment where compromised accounts, stolen information and supplier impersonation can make payment requests harder to verify.
Common healthcare payment fraud scenarios
Healthcare payment fraud usually succeeds because it looks like normal administration. The request may arrive in the right email thread, reference a real supplier and match an expected service.

Supplier bank account change scam
A known supplier appears to email the practice with new BSB and account details. The message may mention a system migration, a merger, a new finance contact or a changed remittance process.
If the practice updates Xero and pays the next invoice, money can go straight to the scammer. The fraud may only be discovered when the real supplier follows up on an unpaid account.
Fake medical equipment invoice
A practice receives an invoice for equipment, maintenance, consumables or fit-out work. The amount may be plausible, the supplier name may be similar to a real vendor and the invoice may sit just below an approval threshold.
This is especially risky when multiple locations or practitioners order items independently. Finance may not know whether a purchase was expected.
Business email compromise in a clinic workflow
A supplier, practice manager or senior clinician email account is compromised. The attacker watches real conversations, then sends payment instructions at the right moment.
Because the email comes from a trusted inbox, the finance team may treat it as genuine. MFA and cyber training help reduce this risk, but payment verification still needs to happen before funds leave.
Payroll and contractor redirection
A nurse, receptionist, locum or contractor appears to request a bank account update. If the request is accepted through email alone, the next payroll or contractor payment may be redirected.
Payroll redirection is not always large enough to trigger extra approval, which makes it easy to overlook.
Duplicate or altered invoices
An invoice may be resent with changed bank details, a slightly altered invoice number or a revised total. In a busy month-end close, the duplicate can be paid before reconciliation catches it.
For Xero users, this is where supplier history, invoice numbers, payment timing and bank account changes should be reviewed together rather than in isolation.
Where fraud enters a Xero payment workflow
Xero gives finance teams useful records, approvals and reconciliation visibility. It does not remove the need for payment-specific controls.
Healthcare payment fraud risks in Australia usually enter the workflow at one of seven points:
- Supplier setup. A new supplier is created with incomplete ABN, contact or bank verification.
- Bank detail entry. A BSB and account number are added or changed without independent confirmation.
- Bill capture. An invoice arrives by email, upload or integration and is treated as routine because the supplier name looks familiar.
- Approval. The approver checks the amount and category but does not inspect whether payment details changed.
- Batch preparation. Multiple bills are grouped together, which can hide a high-risk item among ordinary payments.
- Bank release. The payment file or bank transfer is released without matching the payee details back to trusted supplier records.
- Reconciliation. The payment is matched after funds leave, which is useful for accounting but too late to prevent the loss.

The highest-risk moment is usually a supplier bank detail change. If that change is wrong, every later approval may simply approve the wrong destination with more confidence.
This is why medical practices should treat bank detail changes like a controlled event, not a routine admin update.
Payment controls every medical practice should use
Good controls do not need to slow the practice to a crawl. The goal is to make risky changes visible, force a second check when money could be redirected and keep evidence of what was verified.
Verify every supplier bank detail change
Call the supplier using a known phone number from your records, their official website or a previous trusted contract. Do not use the phone number in the email requesting the change.
Record who verified the change, when it was verified and which source was used. A short note in your supplier record or approval system is better than relying on memory.
Separate setup, approval and release where possible
Perfect segregation of duties is hard in a small practice. Still, the same person should not be able to create a supplier, change bank details and release payment without review.
For small teams, use compensating controls. A practice owner, finance manager or external accountant can review new suppliers and bank changes before the next payment run.
Review payment batches before release
Before releasing a batch, scan for new suppliers, changed bank details, unusual amounts, urgent wording and payments just under approval thresholds. Do not review only the total batch value.
For healthcare groups with multiple sites, add location context. A supplier that is normal for one clinic may be unusual for another.
Lock down Xero permissions
Restrict who can add suppliers, edit contacts, approve bills and access bank payment workflows. Remove old staff, review bookkeeper access and require MFA for everyone with finance permissions.
Permissions should match the person's role today, not what they needed during setup years ago.
Document exceptions and near misses
If a supplier request feels unusual, document the review even if it turns out to be legitimate. Near misses are useful training examples for the team.
A simple exception log can show patterns over time, such as repeated supplier bank changes, invoices from new email domains or approval overrides during busy periods.
Train reception and admin staff
Payment fraud is not only a finance problem. Reception and admin staff may receive supplier calls, email attachments, refund requests or pressure from a person pretending to be a clinician or vendor.
Give the team a short script for suspicious requests:
- Do not update payment details from an email alone.
- Do not call the number provided in the change request.
- Forward the request to the approved finance contact.
- Record the request and wait for verification.
Use monitoring for high-risk changes
Manual callbacks are useful, but they fail when staff are rushed, absent or handling too many suppliers. Monitoring helps catch the changes that would otherwise blend into normal administration.
For Xero-based practices, continuous monitoring of supplier bank detail changes can provide an extra layer of defence. It helps the finance team see what changed, who changed it and whether the change needs approval before payment.
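The batch review and monitoring steps above can be turned into a pre-release check that compares each pending payment against the supplier's last verified bank details. This is an added example, not OutflowGuard's or Xero's code; the supplier master, batch, approval threshold and bank details are all constructed for illustration.

```python
"""Pre-release payment batch check for a Xero-style workflow (added example).

Assumes two constructed inputs: a supplier master holding the bank details last
confirmed by callback, and a pending batch exported from the accounting system.
"""

APPROVAL_THRESHOLD = 5000.00  # assumed practice approval limit in AUD
NEAR_THRESHOLD_BAND = 0.10    # flag amounts within 10% below that limit
URGENT_WORDS = ("urgent", "immediately", "today", "asap")

# Constructed supplier master: the last independently verified bank details per supplier.
VERIFIED_SUPPLIERS = {
    "Pathology Co": {"bsb": "062-000", "account": "12345678",
                     "verified_by": "practice manager", "verified_on": "2025-03-01"},
    "MedSupply Pty Ltd": {"bsb": "033-000", "account": "87654321",
                          "verified_by": "external accountant", "verified_on": "2025-06-15"},
}

# Constructed pending batch: one routine bill, one changed-account bill, one new supplier.
SAMPLE_BATCH = [
    {"invoice": "INV-1001", "supplier": "Pathology Co", "bsb": "062-000",
     "account": "12345678", "amount": 1200.00, "note": "monthly pathology"},
    {"invoice": "INV-2041", "supplier": "MedSupply Pty Ltd", "bsb": "033-000",
     "account": "99999999", "amount": 4800.00,
     "note": "Please pay today - new account after system migration"},
    {"invoice": "INV-77", "supplier": "Clinic Fitouts", "bsb": "012-000",
     "account": "55555555", "amount": 2500.00, "note": "consult room fit-out"},
]


def review_payment(payment, verified=VERIFIED_SUPPLIERS):
    """Return the reasons a payment must be held for a second check; empty means clear."""
    flags = []
    record = verified.get(payment["supplier"])
    if record is None:
        flags.append("new supplier with no verified bank record")
    elif (payment["bsb"], payment["account"]) != (record["bsb"], record["account"]):
        flags.append("payee bank details differ from verified supplier record")
    amount = payment["amount"]
    if APPROVAL_THRESHOLD * (1 - NEAR_THRESHOLD_BAND) <= amount < APPROVAL_THRESHOLD:
        flags.append("amount just under approval threshold")
    if any(word in payment.get("note", "").lower() for word in URGENT_WORDS):
        flags.append("urgent wording in payment note")
    return flags


def review_batch(batch, verified=VERIFIED_SUPPLIERS):
    """Map invoice number to flags for every payment that should not be released yet."""
    return {p["invoice"]: f for p in batch if (f := review_payment(p, verified))}
```

With the sample batch, `review_batch(SAMPLE_BATCH)` clears INV-1001, holds INV-2041 on three grounds (changed account, amount just under the limit, urgent wording) and holds INV-77 as a new supplier with no callback record.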

Related Reading
- What Is Payment Redirect Fraud?
- How to Verify Supplier Bank Details in Australia
- Xero User Permissions: A Security Guide for Finance Teams
Conclusion
Healthcare payment fraud in Australia is not only a cyber issue, and it is not only a Medicare compliance issue. For medical practices, the day-to-day risk often sits in supplier payments, bank account changes, invoice approvals and Xero workflows.
The best defence is a practical control system that works under pressure. Verify supplier changes independently. Separate duties where possible. Review payment batches before release. Keep evidence. Train the people who receive requests before they reach finance.
OutflowGuard helps Australian Xero teams monitor supplier bank detail changes, flag suspicious activity and create a dual-approval trail before money leaves the account. For medical practices with lean finance teams, that extra visibility can be the difference between a near miss and a costly payment loss.