
Professional Services Payment Fraud: Xero Controls

9 June 2026 | 10 min read

Tags: professional services payment fraud, law firm payment fraud, trust account fraud, consulting firm BEC, Xero payment fraud prevention

Professional services payment fraud is not just a cyber problem. It is a finance control problem that can start with one believable email, one changed BSB, or one invoice that looks close enough to normal.

The numbers explain why finance leaders should care. The National Anti-Scam Centre Targeting Scams Report 2025 recorded $166.8 million in payment redirection scam losses in 2025. For law firms, consultancies, accounting practices and agencies using Xero, those losses often map directly to everyday accounts payable workflows.

Professional services payment fraud is a workflow risk

Professional services payment fraud usually succeeds because the request fits the rhythm of the firm. A partner asks for an urgent client refund. A barrister's clerk sends updated bank details. A software vendor asks for a subscription invoice to be paid before month end.

None of those requests look strange on their own. The risk appears when the finance process relies on memory, trust and email history instead of a repeatable control.

The ACCC Targeting Scams Report 2024 recorded $2.03 billion in total scam losses across combined Australian reporting sources. The same report showed how damaging impersonation and payment redirection can be for businesses that pay suppliers electronically.

Professional services firms are exposed because they often run lean finance teams. The same person may enter bills, maintain supplier records, prepare payment batches and respond to partner requests. That is efficient until a fraudster finds the one step where no second person checks the change.


The key shift is to treat bank details as a financial control, not an administrative field. A supplier name, ABN, email address and bank account should be verified together before the first payment and again whenever something changes.

That same principle applies to client refunds, trust account disbursements, payroll updates, contractor payments and project expense reimbursements. If money is leaving the firm, the payee details need evidence.

Why law firms and consultancies are attractive targets

Law firms, consultancies and advisory practices hold information that helps criminals make payment requests sound credible. Email threads mention clients, matters, retainers, invoices, milestones, settlements and project deadlines.

A generic phishing email is easy to ignore. A message that references a real matter number, a known supplier or a closing date is much harder to challenge.

Client money raises the stakes. Law firms may handle trust account movements, settlement funds, counsel fees, expert witness invoices and client refunds. A wrong payment can create financial loss, regulatory concern and client trust damage at the same time.

Partner pressure is normal. Professional services firms often respond quickly to senior staff, clients and referrers. Fraudsters use urgency because they know a finance manager may not want to slow down a partner's request.

Supplier relationships are fragmented. Firms pay barristers, consultants, contractors, software vendors, recruitment firms, landlords, insurers, marketing agencies and IT providers. One finance person may not know every supplier well enough to spot a subtle change.

Project billing creates plausible exceptions. Consulting firms and agencies often pay subcontractors, freelancers and specialist vendors on a project basis. New payees and one-off invoices are common, which makes fake or altered invoices harder to spot.

The Scamwatch business email compromise guidance warns that criminals impersonate suppliers, employees or executives to redirect business payments. For professional services firms, that impersonation can sit inside a real client or supplier conversation.

Common professional services payment fraud scenarios

Professional services payment fraud has a few repeat patterns. Finance teams should recognise them because each one needs a slightly different control.


Supplier bank account change

A known supplier emails the firm with new bank details. The message may explain that the supplier has changed banks, moved to a new finance system, merged entities or updated remittance instructions.

If the finance team updates Xero based on the email alone, the next invoice may be paid to a criminal account. The real supplier may only discover the issue weeks later when their statement remains unpaid.

Fake invoice for a real service

A fraudster sends an invoice for legal research, expert advice, IT support, design work, insurance, recruitment or software. The supplier name may be similar to a real provider, and the amount may sit just below a review threshold.

This works because professional services firms buy many intangible services. There may be no warehouse receipt, site supervisor or delivery docket to confirm the purchase.

Compromised client or supplier email

In a business email compromise attack, a real inbox is compromised and used to send payment instructions. The email address, signature, writing style and context may all look genuine.

That is why visual checks are not enough. If the account itself has been compromised, the fraudulent request may arrive from the address the firm already trusts.

Partner or executive payment request

A partner, director or senior consultant appears to request an urgent payment. The message may mention a confidential matter, a client emergency or a time-sensitive project cost.

These requests are dangerous because they bypass normal admin channels. A small firm with a culture of trust may approve the payment because the senior person's name is on it.

Client refund redirection

A client appears to ask for refund or settlement proceeds to be paid to a different account. The request may come after a real matter, project cancellation or overpayment.

Client refund fraud can be especially sensitive because the firm may not be paying a supplier. It may be releasing money that belongs to the client, which makes evidence and approval discipline more important.

Xero controls that reduce professional services payment fraud

Professional services payment fraud prevention should focus on the moments where Xero data changes or money is approved. Training helps, but controls need to work on a busy Friday afternoon when the team is under pressure.


Verify supplier bank detail changes outside email

Every new or changed bank account should be verified through an independent channel. Do not reply to the email that requested the change. Use a phone number already held on file, a known partner contact, or a separately verified supplier portal.

Record who verified the details, when they verified them and what evidence was used. A callback that is not recorded becomes hard to prove during an audit or insurance review.

For a deeper process, read How to Verify Supplier Bank Details in Australia. The same framework applies to law firms, consultancies and agencies.

Separate setup, approval and payment release

One person should not be able to create a supplier, change bank details, approve the bill and release the payment without review. Small teams may not have perfect segregation of duties, but they can still separate the highest-risk steps.

For example, a bookkeeper can enter the bill, a finance manager can verify the bank details, and a partner can approve the payment batch. The control is not about slowing every payment. It is about making risky changes visible before money leaves.

Use dual approval for changed details and high-value payments

Dual approval is most valuable when a payment includes a new supplier, changed bank details, a first-time payment, a large amount or a client money movement. These are the moments where a second reviewer adds real protection.

The reviewer should check the supplier record, invoice, bank details, approval history and verification evidence together. Reviewing the invoice amount alone is not enough.

Our guide to dual approval payments covers this in more detail. The principle is simple: a second person should see the change before the bank sees the payment.

Review Xero history and supplier records regularly

Xero records can help finance teams see what changed and when. Regular review of supplier details, bill history and payment patterns can reveal changes that were missed during the normal workflow.

A monthly review should look for suppliers with recent bank detail changes, duplicate names, missing ABNs, unusual round-number invoices and payments to new accounts. These checks are not glamorous, but they are often where weak controls show up first.

Keep audit evidence for exceptions

Professional services firms often need to explain decisions after the fact. That might be to a partner, client, insurer, auditor or regulator.

For every payment exception, keep a short record of the reason for the exception, the approval, the verification evidence and the final outcome. A simple note is better than relying on someone remembering the conversation later.

Payment fraud checklist for professional services firms

Use this checklist before your next payment run. It is written for Xero finance teams, but the control logic applies to most accounting workflows.


  1. List recent supplier changes. Review every supplier or contact with new or edited bank details since the last payment run.

  2. Confirm verification evidence. Check that each bank detail change was verified through an independent channel and recorded.

  3. Flag first-time payees. Treat new suppliers, contractors and refund recipients as higher risk until their details are confirmed.

  4. Review high-value payments. Require a second reviewer for large payments, trust or client account movements, and unusual project costs.

  5. Check invoice context. Match the invoice to the matter, project, purchase approval or engagement record before payment.

  6. Look for duplicate or similar suppliers. Similar names can hide fake suppliers or altered records.

  7. Separate duties where possible. Avoid giving one person full control over supplier setup, bill approval and payment release.

  8. Record exceptions. If a payment is urgent, document why the normal process changed and who accepted the risk.

  9. Report suspicious activity quickly. Use the Scamwatch statistics and reporting resources as a starting point, and contact your bank immediately if a payment may have been redirected.

  10. Review controls monthly. Payment fraud prevention is not a one-off policy. It needs a recurring review cadence.
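As an added illustration of the monthly review described under "Review Xero history and supplier records regularly" and of checklist items 1, 3 and 6, the script below runs those checks over constructed supplier and bill records. It is example code written for this article, not an OutflowGuard or Xero feature; the record shape, the round-amount threshold and the entity-suffix list are assumptions.

```python
import re
from datetime import date

# Constructed sample records (not real Xero data), shaped like a simple contact and bill export.
LAST_PAYMENT_RUN = date(2026, 5, 29)
SUPPLIERS = [
    {"name": "Harbour Legal Research Pty Ltd", "abn": "12 345 678 901",
     "created_on": date(2023, 1, 10), "bank_changed_on": date(2026, 6, 3)},
    {"name": "Harbour Legal Research", "abn": "",
     "created_on": date(2026, 6, 2), "bank_changed_on": None},
    {"name": "Northside Chambers", "abn": "98 765 432 109",
     "created_on": date(2021, 7, 4), "bank_changed_on": date(2025, 2, 1)},
]
BILLS = [
    {"supplier": "Harbour Legal Research", "amount": 8000.00},
    {"supplier": "Northside Chambers", "amount": 4127.50},
]
ROUND_AMOUNT_FLOOR = 1000.00  # assumed threshold: round amounts at or above this are flagged

def normalise_name(name):
    """Lower-case, drop punctuation and common entity suffixes so near-duplicate names compare equal."""
    cleaned = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    cleaned = re.sub(r"\b(pty|ltd|limited|inc)\b", " ", cleaned)  # assumed suffix list
    return " ".join(cleaned.split())

def review_suppliers(suppliers, bills, last_run):
    """Return (check, supplier_name) findings for the monthly review checks in the article."""
    findings = []
    seen = {}
    for s in suppliers:
        key = normalise_name(s["name"])
        if key in seen:
            findings.append(("duplicate_name", s["name"]))  # collides with seen[key]
        seen.setdefault(key, s["name"])
        if not s["abn"].strip():
            findings.append(("missing_abn", s["name"]))
        if s["bank_changed_on"] and s["bank_changed_on"] > last_run:
            findings.append(("bank_change_since_last_run", s["name"]))
        if s["created_on"] > last_run:
            findings.append(("first_time_payee", s["name"]))
    for b in bills:
        if b["amount"] >= ROUND_AMOUNT_FLOOR and b["amount"] % 500 == 0:
            findings.append(("round_amount_invoice", b["supplier"]))
    return findings

if __name__ == "__main__":
    for check, supplier in review_suppliers(SUPPLIERS, BILLS, LAST_PAYMENT_RUN):
        print(f"{check:28} {supplier}")
```

Each finding is a prompt for the second reviewer to pull the supplier record, invoice and verification evidence together, not a verdict on its own.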

The checklist works because it targets the path fraud usually takes. It does not assume every invoice is fake. It focuses attention on bank details, unusual requests and points where one person has too much control.

For CFOs and finance managers, the most important question is not whether the firm trusts its people. It is whether the firm can prove that a risky payment was verified before release.

Conclusion

Professional services payment fraud is effective because it hides inside normal work. A changed supplier account, urgent partner request or client refund can look routine until the money has already gone.

Australian law firms, consultancies and advisory firms should treat payment controls as part of everyday financial governance. That means independent verification, dual approval for risky changes, clear audit evidence and regular review of Xero supplier records.

OutflowGuard helps Xero users monitor supplier bank detail changes, trigger alerts and support dual approval workflows before funds leave the business. If your firm still relies on email checks and spreadsheet reviews, now is the time to tighten the process.
