
Scams Prevention Framework Australia: Business Guide

12 May 2026 | 10 min read

Tags: scam prevention, payment fraud, Xero, compliance, Australia

Australians lost $2.03 billion to scams in 2024, according to the National Anti-Scam Centre's Targeting Scams report. Losses fell from the prior year, but the number is still large enough to change how regulators, banks and boards think about scam prevention.

That is the context behind the Scams Prevention Framework Australia is rolling out. For CFOs, finance managers and bookkeepers, the important question is not only whether your business is directly regulated. It is whether your payment controls would stand up if a supplier bank account was changed, a fake invoice slipped through, or a staff member approved a scam payment under pressure.

[Image: Australian finance team reviewing Scams Prevention Framework payment controls]


What is the Scams Prevention Framework in Australia?

The Scams Prevention Framework is Australia's move toward mandatory scam prevention obligations for sectors that are central to scam activity and payment flows. Treasury describes the framework as a way to protect Australians from scams by setting expectations for prevention, detection, disruption, response and reporting.

The official Treasury paper, Scams Prevention Framework: Protecting Australians from scams, focuses on designated sectors such as banks, telecommunications providers and digital platform services. These sectors are not the whole economy, but they sit at the points where scams are often enabled, communicated or paid.

For a typical Xero-using SMB, that distinction matters. Your business may not be a designated entity in the first wave, but the framework changes the baseline expectation for scam prevention. Banks may ask more questions. Insurers may look for stronger controls. Boards, advisers and auditors may expect better evidence that payments were verified before money left the account.

Treasury's exposure draft consultation also shows the direction of travel. Scam prevention is becoming less about warning customers after the fact and more about proving that reasonable controls existed before a loss occurred.

Why SMB finance teams should care

The Scams Prevention Framework Australia is often discussed as a banking, telco and platform regulation. That is true at the policy level, but it is too narrow for finance teams.

Most scam losses do not feel like a regulatory event when they happen. They feel like a normal payment run.

A supplier emails new bank details. A senior manager asks for an urgent transfer. A regular invoice arrives with a slightly different account number. A payroll record is changed after an employee email account is compromised.

By the time the fraud is discovered, the payment may already be gone.

The National Anti-Scam Centre reported that total scam losses were still above $2 billion in 2024, even after a 26 per cent fall from 2023. ACCC commentary on the same report said continued action was still critical as annual scam losses remained above $2 billion in Australia.

For SMBs, the lesson is simple. Lower national losses do not mean your business is safe. They mean banks, regulators and major platforms are investing in controls, and smaller businesses need to lift their internal payment processes as well.

This is especially important where the finance team is small. Many Australian businesses have one person receiving invoices, updating supplier records, preparing payments and reconciling bank feeds. That setup is efficient, but it also creates a single point of failure.

[Image: Cybersecurity controls for Australian business scam prevention]

How scam payments happen in Xero-led workflows

Scam prevention is easier to understand when you map it to the systems your team uses every week. For many Australian SMBs, that means Xero, email, online banking and a shared approval process.

Supplier bank detail changes

A scammer compromises a supplier email account or impersonates a supplier contact. They send a convincing message asking your team to update bank details for future invoices.

The next invoice may look legitimate because the supplier, amount and description all match normal patterns. The only change is the account receiving the funds.

This is one reason detecting unauthorised supplier bank detail changes in Xero should be a core finance control, not an occasional admin task.

Fake invoice and payment redirection scams

Payment redirection scams work because they fit into normal finance routines. The scammer does not need to hack your bank account if they can trick your team into authorising the payment themselves.

The ACCC has warned that payment redirection remains a serious risk for businesses. Common patterns include changed invoice details, fake supplier emails and requests to redirect payment to a new account.

The hard part is that these scams often do not look dramatic. They look like business as usual, with one dangerous detail changed.

Payroll and employee detail changes

Supplier fraud gets most of the attention, but payroll changes also need scrutiny. A compromised employee email account can request a change to salary payment details. If the request is processed without independent verification, the next payroll run may send wages to a scammer.

This is still a payment control problem. It needs the same discipline as supplier onboarding, including known-channel verification and a record of who approved the change.

Weak approval evidence

Many businesses technically have approval controls but cannot prove what happened later. An email that says "approved" may not show whether bank details were checked, who verified the supplier, or whether the approver saw the changed account number.

That evidence gap matters. If a fraud occurs, your bank, insurer or adviser may ask what steps were taken before the payment was made.

Scams Prevention Framework Australia controls for finance teams

The practical value of the Scams Prevention Framework Australia is that it gives finance teams a simple way to think about controls: prevent, detect, disrupt, respond and report.

You do not need an enterprise compliance team to apply those principles. You need clear payment rules that staff can follow under time pressure.

Prevent

Prevention means reducing the chance that a scam request can move straight into a payment run.

Start with MFA on Xero, email and online banking. Restrict Xero permissions so only the right people can change supplier details. Review connected apps so old integrations are removed when they are no longer needed.

For supplier and payroll bank detail changes, require verification using a phone number or contact method already on file. Do not rely on the phone number or email address included in the change request.

Detect

Detection means looking for changes that create payment risk.

Useful warning signs include first-time supplier payments, recently changed bank details, unusually round invoice amounts, duplicate invoice numbers, payments outside normal trading patterns and urgent same-day requests.

These are the kinds of patterns finance managers already know intuitively. The gap is that many teams only check them manually when they remember, or after something feels wrong.

Disrupt

Disruption means giving the team permission to pause a payment before money leaves the account.

A payment hold should not feel like an accusation. It should be a normal step when a payment is high risk, rushed, new, unusual or linked to changed bank details.

Good disruption controls include a second approver, a callback check, a documented verification note and a rule that urgent requests never bypass normal payment controls.

Respond

Response means knowing what to do in the first hour after suspected fraud.

Contact your bank immediately. Preserve emails, invoices, Xero audit history, approval notes and payment records. Notify relevant internal leaders. If cyber compromise is suspected, secure the affected email or Xero account before it is used again.

The goal is to slow further loss and preserve evidence while details are still fresh.

Report

Reporting helps regulators and banks see scam patterns earlier. It also shows your organisation treated the incident seriously.

Report scams through Scamwatch or the relevant official channel, contact your bank, notify your insurer if cover may apply and keep an internal incident record. That record should include what happened, what was recovered, what controls failed and what changed afterwards.

[Image: Invoice review and supplier verification workflow for scam prevention]

A practical Xero scam prevention checklist

For most Australian SMBs, the best response is not a long policy document. It is a short set of controls that staff actually follow.

Use this checklist to align your Xero payment workflow with Scams Prevention Framework principles.

  1. Turn on MFA everywhere. Require MFA for Xero, email and online banking, especially for finance staff, approvers and external bookkeepers.

  2. Restrict who can edit supplier details. Keep supplier contact and bank detail changes limited to people who need that access. Review permissions after staff changes.

  3. Verify bank detail changes out of band. Call a known contact using details already on file. Do not verify using the contact details supplied in the change request.

  4. Dual approve risky payments. Require two-person approval for first payments to new suppliers, payments after bank detail changes and unusually large or urgent payments.

  5. Monitor changed supplier records. Review recent supplier edits before each payment run, not after reconciliation. This is one of the simplest ways to reduce payment redirect fraud.

  6. Check connected apps. Remove old Xero integrations and review which apps can access accounting data. A forgotten integration can become a blind spot.

  7. Keep approval evidence. Record who verified the change, when they checked it, which known contact method they used and who approved the payment.

  8. Reconcile promptly. Fast reconciliation will not prevent the first loss, but it can help detect follow-on fraud sooner.

  9. Train for pressure tactics. Teach staff that urgency, secrecy and authority pressure are scam signals. A rushed request from a senior person should get more scrutiny, not less.

  10. Review your controls monthly. A short recurring review is better than an annual policy that nobody reads. Start with changed suppliers, duplicate bills and unusual payment patterns.
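The warning signs from the Detect section and checklist items 4 and 5 can be run as a pre-payment-run screen. The example below is added here and is not OutflowGuard's code or Xero's API; the supplier and bill records are constructed, and the field names, the 30-day change window and the large-payment threshold are assumptions you would tune to your own business.

```python
from datetime import date, timedelta

# Constructed sample data modelled loosely on a Xero contact and bill export.
# Field names are assumptions for this example, not Xero API field names.
RUN_DATE = date(2026, 5, 12)
SUPPLIERS = {
    "SUP-001": {"name": "Acme Pty Ltd", "bank_changed": date(2026, 5, 9), "paid_before": True},
    "SUP-002": {"name": "New Cleaning Co", "bank_changed": None, "paid_before": False},
    "SUP-003": {"name": "Steady Supplies", "bank_changed": date(2025, 11, 2), "paid_before": True},
}
BILLS = [
    {"bill_id": "B1", "supplier": "SUP-001", "invoice_no": "INV-4410", "amount": 8420.55, "urgent": False},
    {"bill_id": "B2", "supplier": "SUP-002", "invoice_no": "INV-0001", "amount": 5000.00, "urgent": True},
    {"bill_id": "B3", "supplier": "SUP-003", "invoice_no": "INV-2201", "amount": 1299.00, "urgent": False},
    {"bill_id": "B4", "supplier": "SUP-003", "invoice_no": "INV-2201", "amount": 1299.00, "urgent": False},
]

# Flags that trigger two-person approval (checklist item 4).
DUAL_APPROVAL_FLAGS = {"first_payment_to_supplier", "bank_details_changed_recently",
                       "large_amount", "urgent_request"}


def screen_payment_run(bills, suppliers, run_date, change_window_days=30, large_threshold=10000.0):
    """Return {bill_id: (flags, needs_dual_approval)} for one payment run.

    Run this before the payment run, not after reconciliation (checklist item 5).
    """
    # Count invoice numbers per supplier so duplicates can be flagged on every copy.
    seen = {}
    for b in bills:
        seen.setdefault((b["supplier"], b["invoice_no"]), []).append(b["bill_id"])
    results = {}
    for b in bills:
        s = suppliers[b["supplier"]]
        flags = []
        if not s["paid_before"]:
            flags.append("first_payment_to_supplier")
        changed = s["bank_changed"]
        if changed and run_date - changed <= timedelta(days=change_window_days):
            flags.append("bank_details_changed_recently")
        if b["amount"] % 100 == 0:  # unusually round amount (whole hundreds)
            flags.append("round_amount")
        if len(seen[(b["supplier"], b["invoice_no"])]) > 1:
            flags.append("duplicate_invoice_number")
        if b["urgent"]:
            flags.append("urgent_request")
        if b["amount"] >= large_threshold:
            flags.append("large_amount")
        needs_dual = bool(DUAL_APPROVAL_FLAGS.intersection(flags))
        results[b["bill_id"]] = (flags, needs_dual)
    return results
```

Any bill with a non-empty flag list is a candidate for a hold and a callback to a known contact; the flags themselves become the verification note kept as approval evidence (checklist item 7).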

If you want a broader control list, our finance manager fraud detection checklist is a useful companion piece for monthly reviews.

[Image: Payment monitoring dashboard for Xero scam prevention and fraud controls]

Conclusion

The Scams Prevention Framework Australia is not just a legal development for banks and platforms. It is a signal that scam prevention is becoming an expected part of responsible payment governance.

For Australian SMB finance teams, the practical task is clear. Know who can change supplier details, verify risky payment changes before release, monitor unusual patterns and keep evidence that your team followed a sensible process.

OutflowGuard helps Xero-using finance teams apply those controls by monitoring supplier bank detail changes, flagging risky activity and creating an approval trail. The aim is not to add more admin. It is to make the safest payment process the easiest one to follow.
