Australia's payment fraud statistics for 2026 should be on every CFO's risk dashboard. The National Anti-Scam Centre reported $2.18 billion in combined scam losses in 2025, including $166.8 million lost to payment redirection scams alone.
Those numbers are not just consumer scam data. For Australian SMBs using Xero, the most relevant risks sit inside everyday finance work: supplier bank detail changes, invoice approvals, payment batches, card payments, reconciliation gaps and email-based impersonation.
This guide translates the latest public statistics into practical finance controls for CFOs, finance managers and bookkeepers who need to protect supplier payments without slowing accounts payable.
In this article:
- Payment fraud statistics Australia 2026: the headline numbers
- What the statistics mean for Xero-using finance teams
- Payment redirection scams and BEC: the CFO control gap
- Invoice fraud and card fraud: different risks, different controls
- How CFOs should respond in 2026
- Related Reading
- Conclusion
Payment fraud statistics Australia 2026: the headline numbers
The latest Australian data shows a mixed picture. Some fraud categories are stabilising, while payment redirection and card-not-present fraud remain large enough to warrant board-level attention.
The National Anti-Scam Centre Targeting Scams Report 2025 recorded $2.18 billion in combined scam losses across 481,523 reports. Within that total, payment redirection scams caused $166.8 million in losses.
The previous year's Targeting Scams Report 2024 recorded $2.03 billion in combined scam losses across 494,732 reports. It also reported $152.6 million in payment redirection losses, making payment redirection one of the highest-loss categories relevant to business finance teams.
AusPayNet's July 2024 to June 2025 fraud statistics reported $854 million in fraud on Australian payment cards, down from $868 million in FY24. The fraud rate fell to 71.8 cents per $1,000 spent.
That decline is welcome, but it does not mean finance teams can relax. AusPayNet's calendar year 2024 fraud statistics reported $913 million in card fraud, up 20%, with overseas card-not-present fraud reaching $454 million.

For CFOs, the useful takeaway is not one single number. It is the pattern across categories.
- Payment redirection scams are a direct accounts payable risk. They target real invoices, real suppliers and real payment runs.
- Card fraud remains material. Card-not-present exposure matters for corporate cards, subscriptions, online supplier payments and delegated purchasing.
- Reported losses understate actual exposure. Many businesses do not report near misses, failed attempts, internal control weaknesses or losses recovered privately through banks or insurers.
- SMBs are not too small to be targeted. The same reports show losses across consumers, businesses and payment channels, while Xero's own small business survey points to invoice fraud inside normal accounting workflows.
What the statistics mean for Xero-using finance teams
Searches for Australian payment fraud statistics often surface national totals, card fraud dashboards and scam education pages. Those are useful, but CFOs need to turn them into controls inside their accounting workflow.
For a Xero-using business, payment fraud usually passes through five points:
- A supplier record is created or edited.
- Bank details or payment instructions change.
- An invoice is approved for payment.
- A payment batch is prepared and authorised.
- The bank feed and reconciliation process confirm money has left.
Each point can look normal in isolation. A supplier email may look genuine. A new bank account may be explained as a routine update. An invoice may match a current project or purchase order. A payment batch may be approved because the due date is close.
The risk appears when those events are not reviewed together. That is why a CFO should not treat payment fraud as only an IT or cyber awareness issue.
A useful finance view asks practical questions:
- Which supplier bank details changed this week?
- Who approved the change, and was the approval independent?
- Did the invoice amount, payment reference or bank account change shortly before payment?
- Are there round-dollar invoices, duplicate bills or unusual payment timing patterns?
- Did reconciliation happen quickly enough to catch an error before the next payment run?
These questions connect the national business payment fraud statistics with the daily records inside Xero.
For a deeper control view, see our guide on how to verify supplier bank details in Australia and our practical checklist for accounts payable internal controls in small businesses.

Payment redirection scams and BEC: the CFO control gap
Payment redirection scams are often discussed alongside business email compromise, or BEC. The Scamwatch business email compromise guide explains the basic pattern: a criminal impersonates a supplier, staff member or trusted party and convinces the business to send money to the wrong account.
For CFOs, the danger is that BEC looks like a people problem when it is really a process problem. Training staff to spot suspicious emails helps, but it does not create evidence that a supplier change was independently verified.
A strong process separates four decisions:
- Is the supplier legitimate? Confirm ABN, trading name, contact details and relationship owner.
- Is the bank detail change legitimate? Verify through a known phone number or existing verified contact, not the details in the change request.
- Is the invoice legitimate? Match the invoice to purchase orders, contracts, delivery evidence or project approvals.
- Is the payment legitimate today? Review batch exceptions before releasing funds.
Many SMBs combine those checks into one person's judgement. That works on quiet days, then breaks during month-end, staff leave, public holidays, urgent project deadlines or supplier pressure.
The CFO control gap is the space between email, Xero and the bank. A criminal only needs one weak handoff. A finance team needs every handoff to leave evidence.
Australia's payment redirection scam statistics should therefore trigger a review of approval design, not just another reminder email to staff.
Invoice fraud and card fraud: different risks, different controls
Invoice fraud and card fraud both appear in payment fraud reporting, but they need different controls.
Xero has reported that 18% of surveyed Australian small businesses had experienced invoice fraud, with an average false payment of $15,500, according to its Australian invoice fraud media release. That figure matters because it comes from the same ecosystem many Australian SMB finance teams use every day.
Invoice fraud often exploits trust. The invoice may look like a normal PDF. The supplier may be real. The amount may be plausible. The only fraudulent element may be a changed bank account, altered payment reference or intercepted email trail.
Card fraud is different. It often arises through stolen card details, compromised online merchants, subscription misuse, weak employee card controls or card-not-present attacks. AusPayNet's card fraud data is useful here, but it does not replace supplier payment controls.
Treat each risk with its own prevention layer:
- Invoice fraud controls. Require independent verification for new suppliers, bank account changes and invoices that differ from expected patterns.
- Payment redirection controls. Hold payments after bank detail changes until a second approver records verification evidence.
- Card fraud controls. Limit card access, review merchant categories, reconcile subscriptions and monitor card-not-present activity.
- Internal misuse controls. Separate supplier maintenance from payment approval where practical, then review audit logs regularly when small-team segregation is difficult.
- Reconciliation controls. Investigate unmatched, delayed, reversed or unusual outflows promptly.
Our guide to invoice fraud red flags for finance teams covers the warning signs in more detail.

How CFOs should respond in 2026
The best use of Australia's 2026 payment fraud statistics is not fear. It is prioritisation.
A CFO does not need to build a bank-grade fraud team to improve payment controls. Most SMBs can reduce exposure by making the riskiest finance events more visible and harder to approve alone.
Start with these measures.
1. Track supplier bank detail changes
Supplier bank detail changes should be treated as high-risk events, not routine admin. Each change should show who requested it, who verified it, who approved it and which contact channel was used.
If that evidence lives in email threads, it will be hard to audit later. Keep the verification record close to the supplier and payment workflow.
2. Create a payment hold rule
Introduce a short hold for payments to suppliers whose bank details recently changed. The hold does not need to slow every payment. It should target the small subset of payments where fraud risk is highest.
A practical rule might be: any supplier bank detail change in the last 7 to 14 days requires secondary review before the next payment is released.
3. Measure exceptions, not just losses
Losses are a lagging indicator. By the time a loss appears in the board pack, the control failure has already happened.
CFOs should monitor leading indicators such as:
- Number of supplier bank detail changes per month.
- Percentage of changes verified by a second person.
- Payments released within 48 hours of a bank detail change.
- Duplicate invoice attempts.
- Round-number invoices outside normal supplier patterns.
- Reconciliation delays for high-value outflows.
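The hold rule from step 2 and several of the indicators listed here can be checked mechanically before a payment batch is released. The following Python is an added example, not OutflowGuard or Xero code; the record fields, the sample data and the round-dollar test (a whole multiple of $1,000) are assumptions made for illustration.

```python
from datetime import datetime, timedelta

HOLD_WINDOW = timedelta(days=14)    # upper end of the 7 to 14 day rule
FAST_RELEASE = timedelta(hours=48)  # "released within 48 hours" indicator
# Constructed sample records; field names are hypothetical, not a Xero format.
BANK_CHANGES = [
    {"supplier": "Acme Civil", "changed_at": datetime(2026, 3, 2, 9, 0),
     "changed_by": "jlee", "verified_by": None},
    {"supplier": "Birch Freight", "changed_at": datetime(2026, 2, 1, 14, 0),
     "changed_by": "jlee", "verified_by": "mwong"},
    {"supplier": "Coral IT", "changed_at": datetime(2026, 2, 25, 10, 0),
     "changed_by": "jlee", "verified_by": "jlee"},
]
BATCH = [
    {"supplier": "Acme Civil", "invoice": "INV-1001", "amount": 18400.00},
    {"supplier": "Birch Freight", "invoice": "INV-2207", "amount": 5000.00},
    {"supplier": "Coral IT", "invoice": "INV-3310", "amount": 2310.55},
    {"supplier": "Coral IT", "invoice": "INV-3310", "amount": 2310.55},
    {"supplier": "Dune Print", "invoice": "INV-0042", "amount": 912.40},
]

def review_batch(batch, changes, release_at):
    """Return {batch index: [reasons]} for payments needing secondary review."""
    latest = {}  # most recent bank detail change per supplier
    for c in changes:
        prev = latest.get(c["supplier"])
        if prev is None or c["changed_at"] > prev["changed_at"]:
            latest[c["supplier"]] = c
    seen, flags = set(), {}
    for i, p in enumerate(batch):
        reasons = []
        change = latest.get(p["supplier"])
        age = release_at - change["changed_at"] if change else None
        if age is not None and timedelta(0) <= age <= HOLD_WINDOW:
            reasons.append("bank details changed inside hold window")
            if age <= FAST_RELEASE:
                reasons.append("release within 48h of change")
            # Self-verification is not independent verification.
            if change["verified_by"] in (None, change["changed_by"]):
                reasons.append("no independent verification recorded")
        key = (p["supplier"], p["invoice"], p["amount"])
        if key in seen:
            reasons.append("duplicate invoice in batch")
        seen.add(key)
        if p["amount"] >= 1000 and p["amount"] % 1000 == 0:
            reasons.append("round-dollar amount")
        if reasons:
            flags[i] = reasons
    return flags
```

Calling `review_batch(BATCH, BANK_CHANGES, release_at)` with the planned release time returns only the payments that need a second reviewer, so the rest of the batch is not delayed.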
4. Review Xero access and audit evidence
User permissions, audit trails and API-connected tools all matter. If too many people can edit suppliers, approve bills and release payment files, fraud prevention relies heavily on trust and memory.
Review who can edit contacts, approve bills, export payment files and connect third-party tools. Then check whether suspicious activity would be visible quickly enough to act.
5. Make reporting easy
Near misses are valuable. If a bookkeeper spots a suspicious email or a finance manager blocks a bank detail change, record it.
A simple incident log helps the CFO see whether fraud attempts are increasing, which suppliers are being impersonated, and whether controls are working under pressure.

Related Reading
- What is payment redirect fraud?
- How to verify supplier bank details in Australia
- Xero audit log guide: fraud detection for finance teams
Conclusion
The latest Australian payment fraud statistics are clear enough: scam losses remain in the billions, payment redirection losses are rising, and card-not-present fraud remains a material exposure.
For CFOs, the practical question is whether those national numbers are visible inside your own finance workflow. If supplier changes, invoice approvals, payment batches and reconciliation exceptions are reviewed separately, risk can slip through the gaps.
OutflowGuard helps Xero-using Australian SMBs monitor supplier bank detail changes, flag suspicious outflows and create approval evidence without turning accounts payable into a bottleneck. The goal is simple: catch the risky change before the money leaves.