
Real-Time Payments Fraud in Australia: NPP and PayID Controls

3 June 2026 · 10 min read
Tags: real-time payments fraud, NPP fraud risk, PayID fraud, payment fraud prevention, Xero security

In 2025, Australians reported $2.18 billion in scam losses, and payment redirection scams accounted for $166.8 million, according to the National Anti-Scam Centre Targeting Scams Report 2025. For finance teams, the risk is simple: real-time payments fraud in Australia moves faster than most manual controls.

Australia's New Payments Platform has made account-to-account payments faster, richer and more useful. That speed is good for legitimate suppliers, payroll, refunds and urgent disbursements. It also means Xero finance teams need to move fraud checks to the point before payment release, not leave them until bank reconciliation.


What real-time payments changed in Australia

The Reserve Bank of Australia explains that the New Payments Platform enables real-time payments between Australian bank accounts. Australian Payments Plus describes the NPP as infrastructure for fast, data-rich payments that can operate around the clock.

For finance teams, the technical detail matters less than the operational shift. Payments that once moved in batches or settled with more visible delay can now move near instantly. A supplier payment can be prepared, approved and released before another person has time to notice a suspicious change.

PayID adds another layer. Instead of typing a BSB and account number, a payer can address a payment to a mobile number, email address, ABN or organisation identifier that the payee has registered. Before the payment is confirmed, the payer is shown the name registered against that PayID, which catches typing mistakes but confirms only that some account is registered under that name. It does not confirm the commercial legitimacy of the request.

The key lesson is not that NPP or PayID are unsafe. The payment rails are not the problem. The risk sits in the business process that decides who should be paid, which account should receive the money and whether the request has been independently checked.

If that process is weak, instant payment speed turns a small control gap into a cash-loss event.

Why real-time payments fraud risk is different

Real-time payments fraud is different because it compresses the decision window. A fraudulent invoice, supplier bank detail change or executive payment request may only need to pass one rushed approval before funds are gone.

Traditional finance controls often rely on delay. Someone reviews a batch tomorrow. Someone notices an odd reconciliation item next week. Someone asks why a supplier bank account changed during month-end close.

Those checks still matter, but they are too late to be the primary defence against real-time payments fraud in Australia. With NPP and PayID workflows, the most important control point is before release.

The Scamwatch business email compromise guide warns that criminals impersonate suppliers, executives or employees to redirect payments. The request may reference a real invoice, project, email thread or supplier relationship. That is why simple visual checks often fail.

For an Australian SMB using Xero, the fraud usually looks ordinary until the money leaves:

  1. A supplier email account is compromised, or a lookalike domain is used.

  2. The finance team receives a request to update payment details, use a PayID or process an urgent invoice.

  3. A staff member updates the supplier record or prepares the payment in the normal workflow.

  4. Approval happens quickly because the payment looks familiar.

  5. Funds are released through bank transfer, NPP or another fast payment channel.

  6. The fraud is discovered during supplier follow-up, reconciliation or month-end review.

That timeline is why post-payment reconciliation is not enough. It can confirm what happened, but it rarely prevents the loss.

Where NPP and PayID scams enter finance workflows

Most public PayID scam advice focuses on consumers and marketplace sellers. That advice is useful, but it misses the finance-team version of the problem.

In a business, fraud rarely arrives as an obvious PayID scam. It arrives inside normal accounts payable work.

Supplier bank detail changes. A criminal asks the team to replace known supplier details with a new account or PayID. The message may appear to come from a real supplier contact. If the team verifies using the phone number or email in the request, they may be speaking to the attacker.

New supplier setup. A fake supplier can be created with plausible business details, an 11-digit number in ABN format and a convincing invoice. A correctly formatted number proves nothing on its own: check it against the ABN Lookup register and confirm the registered entity name matches the supplier name and the account name on the bank details. Once the supplier exists in Xero, future payments may look less suspicious.

Urgent invoice pressure. Payment requests sent late in the day, before a public holiday or during a project deadline can bypass normal scepticism. Real-time rails make it tempting to release the payment immediately.

Executive impersonation. A criminal may impersonate the managing director, CFO or operations lead and ask for an urgent payment. If the approver has bank authority and the request looks senior, the control can fail in seconds.

Payment file manipulation. Some teams approve bills in Xero, export or prepare payments, then release them in the bank portal. Anything that edits the payment between Xero approval and bank release, whether a tampered export file or a manual retype of the details, can change the destination without changing the approval record. If the bank portal controls are weaker than the accounting approval controls, the final payment destination may not get enough scrutiny.

The pattern is consistent. Fraud enters through supplier identity, payment details, invoice legitimacy or approval pressure. NPP and PayID increase the cost of missing those signals because the payment can move quickly.

This is also why payment redirection scams and instant payment risk belong in the same conversation. The scam method is social engineering. The payment rail determines how much time you have to recover.

Controls Xero teams should apply before release

Good controls do not need to slow every payment. They should add friction only when risk is higher. For Xero-based finance teams, the goal is controlled speed.

Verify supplier changes independently

Treat every supplier bank account or PayID change as a high-risk event. Do not verify using contact details provided in the change request, and do not accept a reply on the same email thread or a call that the supplier initiates as verification: if the supplier's mailbox is compromised, the attacker controls both.

Use a known phone number from your supplier master file, contract, previous onboarding pack or independently verified website. Record who completed the check, who they spoke with, the date, the number called and what was confirmed.

If the supplier cannot be reached, hold the payment. A delayed legitimate payment is easier to fix than an instant fraudulent payment.

Separate setup, approval and release

No single person should be able to create a supplier, update bank details, approve the bill, release the payment and reconcile it. Small finance teams may not have perfect segregation of duties, but they can still separate the riskiest steps.

A practical model is:

  1. The bookkeeper prepares the bill or supplier change.

  2. The finance manager verifies the supplier evidence.

  3. The owner, CFO or second approver releases high-risk payments in the bank portal.

  4. A separate month-end review checks supplier changes, high-value payments and exceptions.

This mirrors the logic behind dual approval payments: the second person should review the actual fraud risk, not just rubber-stamp a workflow status.

Hold risky payments for review

Not every payment needs the same level of review. Set rules that automatically trigger a hold or second approval for:

  • First payment to a new supplier.

  • Any changed bank account, BSB, account name or PayID.

  • Payments above a set dollar threshold.

  • Payments requested outside normal cycles.

  • Weekend or after-hours payment release.

  • Round-dollar invoices or amounts just below approval thresholds.

  • Supplier names that resemble existing suppliers.

  • Payments where invoice details and supplier records do not match.

These rules work best when they are written down and system-enforced. A checklist that lives in someone's head will fail when the team is busy.
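The block below is an added example, not OutflowGuard's or Xero's code, that turns the hold rules above into system-enforced checks and also covers the payment file manipulation case described earlier: every line in the file about to be released is compared back to the verified supplier master record, so an account number altered after Xero approval is caught before the bank releases it. The supplier master file and the payment batch are constructed sample data; the thresholds, field names, supplier names and business-hours window are assumptions to be replaced with the business's own delegations of authority.

```python
"""Pre-release hold rules for an NPP/PayID supplier payment batch. Added illustration,
not OutflowGuard or Xero code; master file, batch, thresholds and field names are assumed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Assumed policy parameters; tune to the business's delegations of authority.
APPROVAL_THRESHOLD = 10_000.00  # AUD: above this a second approver is required
NEAR_THRESHOLD_BAND = 0.05      # amounts within 5% below the threshold are flagged
RECENT_CHANGE_DAYS = 30         # bank-detail changes younger than this count as changed
BUSINESS_HOURS = (8, 18)        # local release window, 24h clock
LOOKALIKE_RATIO = 0.85          # name similarity that counts as a lookalike

@dataclass
class Supplier:
    """One row of the supplier master file (constructed schema, not Xero's)."""
    name: str
    bsb: str
    account: str
    payid: str | None = None
    paid_before: bool = False
    details_changed_at: datetime | None = None
    change_verified: bool = False  # callback to a known number was recorded

@dataclass
class Payment:
    """One line of the batch prepared for release in the bank portal."""
    invoice_ref: str
    supplier_name: str
    amount: float
    bsb: str
    account: str
    payid: str | None
    release_at: datetime

def normalise(name: str) -> str:
    """Case- and punctuation-insensitive key: 'Acme Pty. Ltd' == 'ACME PTY LTD'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def lookalikes(name: str, master: list[Supplier]) -> list[str]:
    """Existing suppliers whose name is close to, but not identical to, `name`."""
    target = normalise(name)
    return [s.name for s in master if normalise(s.name) != target
            and SequenceMatcher(None, target, normalise(s.name)).ratio() >= LOOKALIKE_RATIO]

def hold_reasons(p: Payment, master: list[Supplier]) -> list[str]:
    """Every hold rule the payment trips; an empty list means it may be released."""
    reasons = []
    supplier = next((s for s in master if normalise(s.name) == normalise(p.supplier_name)), None)
    if supplier is None:
        reasons.append("supplier not in master file")
    else:
        if not supplier.paid_before:
            reasons.append("first payment to new supplier")
        if (supplier.details_changed_at
                and p.release_at - supplier.details_changed_at <= timedelta(days=RECENT_CHANGE_DAYS)):
            reasons.append("bank details changed recently"
                           + ("" if supplier.change_verified else ", change not verified by callback"))
        # Release-file destination must equal the verified master record; a difference means tampering after approval.
        if (p.bsb, p.account, p.payid) != (supplier.bsb, supplier.account, supplier.payid):
            reasons.append("payment destination differs from supplier master record")
    if p.amount > APPROVAL_THRESHOLD:
        reasons.append("amount above approval threshold")
    elif p.amount >= APPROVAL_THRESHOLD * (1 - NEAR_THRESHOLD_BAND):
        reasons.append("amount just below approval threshold")
    if p.amount >= 1000 and p.amount == int(p.amount) and int(p.amount) % 100 == 0:
        reasons.append("round-dollar amount")
    if p.release_at.weekday() >= 5 or not BUSINESS_HOURS[0] <= p.release_at.hour < BUSINESS_HOURS[1]:
        reasons.append("release outside business hours")
    for other in lookalikes(p.supplier_name, master):
        reasons.append(f"supplier name resembles existing supplier '{other}'")
    return reasons

def triage(batch: list[Payment], master: list[Supplier]) -> dict[str, list[str]]:
    return {p.invoice_ref: hold_reasons(p, master) for p in batch}

# Constructed sample data. WED is a Wednesday afternoon inside business hours.
MASTER = [
    Supplier("Acme Supplies Pty Ltd", "062-000", "12345678",
             payid="accounts@acme-supplies.example", paid_before=True),
    Supplier("Northside Electrical", "033-000", "87654321", paid_before=True,
             details_changed_at=datetime(2026, 5, 28, 9, 0), change_verified=False),
]
WED = datetime(2026, 6, 3, 15, 10)
BATCH = [
    Payment("INV-1041", "Acme Supplies Pty Ltd", 2450.75, "062-000", "12345678",
            "accounts@acme-supplies.example", WED),                       # clean
    Payment("INV-1042", "Northside Electrical", 9800.00, "033-000", "87654321", None, WED),  # unverified change
    Payment("INV-1043", "Acme Suppllies Pty Ltd", 15000.00, "012-003", "99990001",
            None, datetime(2026, 6, 6, 21, 30)),                          # lookalike name, Saturday night
    Payment("INV-1044", "Acme Supplies Pty Ltd", 3200.10, "062-000", "55550001", None, WED),  # account altered after approval
]

if __name__ == "__main__":
    for ref, reasons in triage(BATCH, MASTER).items():
        print(ref, "RELEASE" if not reasons else "HOLD: " + "; ".join(reasons))
```

Running it prints one line per invoice reference, RELEASE or HOLD with every rule it tripped; anything with a reason should be routed to the second approver, not silently dropped, so the exception record survives for month-end review. The "outside normal cycles" rule is not modelled because it needs each supplier's payment history, which the constructed data does not carry, and the 30-day window means a change that was verified by callback is still surfaced to the approver rather than hidden.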

Align Xero controls with bank portal controls

Xero approval is not the same as bank authorisation. A bill can be approved in Xero while the bank portal still allows one person to release the payment.

Review both systems together. Check Xero user permissions, supplier change access, bill approval workflows, bank authorisers, daily limits and MFA. A strong Xero process can be undermined by weak bank release authority.

The same applies in reverse. Two bank authorisers are useful, but only if the second authoriser can see the supplier verification evidence and payment purpose.

Use PayID as a signal, not proof

PayID can help reduce typing mistakes and may show information that helps the payer recognise the recipient. It should not be treated as a complete supplier verification control.

A plausible PayID name does not prove the invoice is legitimate. It does not prove the person requesting the change is authorised. It does not prove the supplier has changed details through the correct process.

Use PayID checks alongside callback verification, supplier master-file controls, invoice matching and dual approval.

What to do if an instant payment has already gone

If a suspicious real-time payment has already been released, speed still matters. The focus shifts from prevention to containment, evidence and recovery.

  1. Call your bank immediately. Ask for the payment to be frozen, traced or returned. NPP payments settle in real time, so there is no batch-style recall window; what the bank can do is ask the receiving institution to freeze and return whatever is still in the account, which is why minutes matter. Use the bank's fraud line rather than a general enquiry queue where possible.

  2. Stop related payments. Hold any pending payments to the same supplier, PayID, account number or invoice chain until the issue is understood.

  3. Preserve evidence. Save emails, headers, invoices, chat messages, approval notes, bank confirmations and Xero history. Do not clean up the supplier record before evidence is captured.

  4. Report the incident. Report cyber-enabled fraud through ReportCyber and submit relevant scam information to Scamwatch. Your bank may also require a police event number or formal report.

  5. Review all recent supplier changes. One compromised supplier request may not be the only change. Check recently edited contacts, new suppliers, unusual invoices and changed payment details.

  6. Reset compromised access. If email compromise is suspected, involve IT immediately. Reset passwords, revoke active sessions and enforce MFA across email, Xero and bank access.

  7. Document lessons learned. Capture exactly which control failed. Was it supplier verification, Xero permissions, bank authorisation, approval pressure or missing exception review?

The uncomfortable truth is that recovery may be uncertain once funds have moved. That is why the best real-time payments fraud control is pre-release verification.

Conclusion

Real-time payments are now part of normal Australian finance operations. NPP, PayID and faster bank transfers can make legitimate payments easier, but they also reduce the time available to catch fraud after the fact.

For Xero teams, the answer is not to fear instant payments. The answer is to move controls upstream: verify supplier changes, separate duties, hold risky payments, align Xero and bank approvals, and keep evidence that proves the check happened.

OutflowGuard helps Australian SMBs do that by monitoring supplier bank detail changes in Xero, alerting the right people and supporting dual approval before risky changes turn into real-time payment losses.
