Payment redirect fraud is one of the fastest-growing financial crimes targeting Australian businesses. A form of business email compromise (BEC), it is also called invoice fraud or mandate fraud: criminals trick an organisation into sending a legitimate payment to a bank account they control.
The Australian Competition and Consumer Commission (ACCC) reported that Australian businesses lost over $224 million to payment redirection scams in a single year. The average loss per incident sits around $120,000 — enough to seriously damage or destroy a small business.
If your business uses accounting software like Xero and pays suppliers electronically, you need to understand this threat.
How Payment Redirect Fraud Works
The attack follows a predictable pattern:
- Reconnaissance — Criminals research your business relationships. They identify your suppliers, learn your payment cycles, and study how your finance team communicates. Much of this information is publicly available or obtained through earlier phishing attacks.
- Compromise — The attacker gains access to an email account, either yours or your supplier's. Sometimes they instead register a lookalike email domain (e.g., supp1ier.com instead of supplier.com) that passes a quick visual check.
- The request — Using the compromised or spoofed email, the attacker sends a professional-looking message asking you to update your supplier's bank details. The reasons sound legitimate: "We've changed banks," "Our account is under audit," or "We've restructured our treasury function."
- Payment — Your accounts payable team updates the bank details in your system and processes the next payment. The money goes straight to the criminal's account.
- Discovery — Days or weeks later, your real supplier calls asking where their payment is. By then, the money has usually been moved offshore and is unrecoverable.
Why Australian SMBs Are Prime Targets
Small and medium businesses (50 to 5,000 employees) are disproportionately targeted for several reasons:
Limited verification processes. Large enterprises often have multi-layer approval workflows and dedicated fraud teams. SMBs typically rely on a single finance manager or bookkeeper who handles everything.
High trust environments. In smaller organisations, people trust each other and their suppliers. A bank detail change request from a known contact doesn't raise immediate suspicion.
Xero's popularity. Over 4 million subscribers use Xero globally, with Australia being its largest market. Criminals know that Xero makes it easy to update supplier details — and that most businesses don't have controls around those changes.
Speed of electronic payments. Australia's New Payments Platform (NPP) processes payments in near real-time. Once money is sent, there's almost no window to recall it.
The Real Cost Goes Beyond the Money
When a payment redirect attack succeeds, the direct financial loss is just the beginning:
- Operational disruption as your team scrambles to investigate and report the incident
- Relationship damage with the supplier who didn't receive their legitimate payment
- Legal liability if the fraud exposes customer data or triggers regulatory obligations
- Insurance complications as cyber insurance policies may not cover social engineering losses
- Reputational harm that undermines client and partner confidence in your business
For many SMBs, a $120,000 loss represents months of profit. Some never recover.
Warning Signs to Watch For
Train your finance team to recognise these red flags:
- Unexpected bank detail changes, especially close to a payment due date
- Urgency or pressure in the request ("Please update before tomorrow's payment run")
- Slight email address differences — check character by character, not at a glance
- Changes to communication patterns, such as a supplier who normally calls now only emailing
- Requests to keep the change confidential or bypass normal approval processes
- New bank accounts at different institutions than previously used
How to Protect Your Business
Effective protection combines process controls with technology:
Process Controls
Implement a verification callback. Before changing any supplier bank details, call the supplier on a phone number you already have on file — never a number provided in the change request email.
Require dual authorisation. No single person should be able to both change bank details and approve payments. Separation of duties is your strongest defence.
Establish a waiting period. Introduce a mandatory 24-48 hour delay between bank detail changes and payment processing. This creates a buffer for verification.
Technology Controls
Monitor for changes automatically. Manual processes fail because people are busy, distracted, or on leave. Automated monitoring catches every change, every time.
Alert the right people instantly. When a supplier's bank details change in your accounting software, the people responsible for approving payments need to know immediately — not the next time they happen to check.
Create an audit trail. Every bank detail change should be logged with who made it, when, and whether it was verified. This protects your business both legally and operationally.
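The warning signs, the process controls and the three technology controls above can be turned into a small amount of code. What follows is an added example written for this article, not OutflowGuard's product code and not Xero's API client. It takes two snapshots of supplier contact records, reports every bank-detail change, scores each change against the red flags (lookalike sender domain, change close to the payment run, new institution), and refuses to release a payment until a second person has verified the change by calling a number already on file and the hold period has elapsed, writing an audit entry for every decision. The records are shaped like Xero Contact objects (ContactID, Name, BankAccountDetails and UpdatedDateUTC are Xero field names; the ChangedBy field, the confusable-character list, the supplier and the email addresses are assumptions constructed for the example). The alert itself is left to whatever channel you use: the audit entry is what you would post to Slack or email.

```python
# Added example (not OutflowGuard's or Xero's code): diff supplier records for bank-detail
# changes, score them against the article's red flags, enforce the process controls and keep
# an audit trail. Records are shaped like Xero Contact objects (ContactID, Name,
# BankAccountDetails, UpdatedDateUTC are Xero field names; ChangedBy is assumed for the example).
from __future__ import annotations
from collections import namedtuple
from datetime import datetime, timedelta

HOLD_PERIOD = timedelta(hours=48)  # mandatory wait between a change and the next payment
DUE_WINDOW = timedelta(days=3)     # a change this close to the payment run is a red flag
# Substitutions that let a lookalike domain pass a glance (assumed list; extend as needed).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s"), ("3", "e")]
BankChange = namedtuple("BankChange", "name old new changed_at changed_by")
Verification = namedtuple("Verification", "verified_by channel")  # channel should be "phone-on-file"

def normalize_domain(domain: str) -> str:
    """Fold confusables so 'supp1ier.com' and 'supplier.com' compare equal."""
    d = domain.lower().strip()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one character added, dropped or swapped."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(sender_email: str, known_domain: str) -> bool:
    """True when the sender's domain is not the supplier's but would pass a glance."""
    sender, known = sender_email.rsplit("@", 1)[-1].lower(), known_domain.lower()
    return sender != known and (normalize_domain(sender) == normalize_domain(known)
                                or edit_distance(sender, known) <= 1)

def bsb(bank_details: str) -> str:
    """First six digits of Australian bank details are the BSB; its first two identify the bank."""
    return "".join(ch for ch in bank_details if ch.isdigit())[:6]

def diff_bank_details(before: list[dict], after: list[dict]) -> list[BankChange]:
    """Return every contact whose BankAccountDetails differ between two snapshots."""
    old = {c["ContactID"]: c.get("BankAccountDetails", "") for c in before}
    return [BankChange(c["Name"], old[c["ContactID"]], c.get("BankAccountDetails", ""),
                       c["UpdatedDateUTC"], c["ChangedBy"])
            for c in after if c["ContactID"] in old and old[c["ContactID"]] != c.get("BankAccountDetails", "")]

def risk_flags(change: BankChange, request_from: str, known_domain: str, next_due: datetime) -> list[str]:
    """The article's red flags, shown to the approver alongside the change."""
    flags = []
    if is_lookalike(request_from, known_domain):
        flags.append("request sent from a lookalike domain")
    if timedelta(0) <= next_due - change.changed_at <= DUE_WINDOW:
        flags.append("change made within %d days of the payment due date" % DUE_WINDOW.days)
    if bsb(change.old)[:2] != bsb(change.new)[:2]:
        flags.append("new account is at a different institution")
    return flags

def may_pay(change: BankChange, verification: Verification | None, now: datetime) -> tuple[bool, str]:
    """Process controls: callback to a number on file, by a second person, after the hold period."""
    if verification is None:
        return False, "bank details changed and not yet verified by callback"
    if verification.channel != "phone-on-file":
        return False, "verification must be a call to a number already on file, not one from the email"
    if verification.verified_by == change.changed_by:
        return False, "separation of duties: the person who changed the details cannot verify them"
    if now - change.changed_at < HOLD_PERIOD:
        return False, "hold period of %d hours has not elapsed" % (HOLD_PERIOD.total_seconds() // 3600)
    return True, "change verified by callback; payment may proceed"

def evaluate(change, request_from, known_domain, next_due, verification, now, audit: list) -> dict:
    """Flag the change, decide, and append an audit entry: who changed, who verified, and why."""
    allowed, reason = may_pay(change, verification, now)
    entry = {"time": now.isoformat(), "contact": change.name, "old": change.old, "new": change.new,
             "changed_by": change.changed_by, "changed_at": change.changed_at.isoformat(),
             "flags": risk_flags(change, request_from, known_domain, next_due),
             "verified_by": verification.verified_by if verification else None,
             "payment_allowed": allowed, "reason": reason}
    audit.append(entry)
    return entry

# Constructed sample: one supplier before and after a bank-detail edit, and the request email.
BEFORE = [{"ContactID": "c-1001", "Name": "Acme Supplies Pty Ltd", "BankAccountDetails": "062-000 12345678"}]
AFTER = [{"ContactID": "c-1001", "Name": "Acme Supplies Pty Ltd", "BankAccountDetails": "012-003 98765432",
          "UpdatedDateUTC": datetime(2024, 6, 10, 9, 0), "ChangedBy": "jo.bookkeeper"}]
KNOWN_DOMAIN, REQUEST_FROM, NEXT_DUE = "acmesupplies.com.au", "accounts@acmesupp1ies.com.au", datetime(2024, 6, 12)

def run_scenarios() -> list[dict]:
    """Three payment attempts against the same change; returns the audit trail."""
    change, audit = diff_bank_details(BEFORE, AFTER)[0], []
    same_day, two_days_later = datetime(2024, 6, 10, 10, 0), datetime(2024, 6, 12, 10, 0)
    evaluate(change, REQUEST_FROM, KNOWN_DOMAIN, NEXT_DUE, None, same_day, audit)  # 1. nobody called yet
    evaluate(change, REQUEST_FROM, KNOWN_DOMAIN, NEXT_DUE, Verification("jo.bookkeeper", "phone-on-file"),
             two_days_later, audit)  # 2. the person who made the change "verified" it herself
    evaluate(change, REQUEST_FROM, KNOWN_DOMAIN, NEXT_DUE, Verification("sam.finance", "phone-on-file"),
             two_days_later, audit)  # 3. a second person called the number on file after the hold
    return audit

if __name__ == "__main__":
    print(*[(e["payment_allowed"], e["reason"], e["flags"]) for e in run_scenarios()], sep="\n")
```

Two design points are worth noting. The lookalike check folds confusable characters before comparing and also accepts an edit distance of one, so both supp1ier.com and rnicrosoft.com-style swaps are caught, but it will also flag some legitimately similar domains; treat it as a prompt for the callback, not a verdict. And the payment decision never depends on the risk flags: a change with no flags at all is still held until a different person from the one who edited the record has called a number already on file and the hold period has passed, which is exactly the separation-of-duties and waiting-period rules from the process controls.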
How OutflowGuard Helps
OutflowGuard was built specifically to address payment redirect fraud for businesses using Xero. Here's what it does:
- Monitors your Xero organisation for any changes to supplier bank account details using read-only access
- Pauses suspicious payments automatically when unverified bank changes are detected
- Sends instant alerts via Slack and email to your finance team so nothing slips through
- Enforces a verification workflow requiring explicit approval before payments proceed
- Maintains a complete audit trail of every change, alert, and approval decision
The system connects to Xero in under five minutes and requires zero changes to your existing payment processes. It sits quietly in the background until it detects something that needs human attention.
The Bottom Line
Payment redirect fraud succeeds because it exploits trust and routine — not technical vulnerabilities. The criminals don't need to hack your systems. They just need one person to update a bank account without verifying the change.
The businesses that avoid becoming statistics are the ones that build verification into their payment process before an attack happens. Whether you use technology like OutflowGuard or implement manual callbacks, the key is having a system that catches bank detail changes and forces verification before money moves.
Don't wait for a $120,000 lesson. Protect your payments today.