- Business Email Compromise
- Invoice Fraud
- Small Business Security
Australian small businesses lost $13.1 million to fake invoice scams in 2024. Learn how man-in-the-middle email fraud works, recognise warning signs, and implement verification procedures to protect your business from payment redirection scams.
The Growing Threat of Fake Invoice Scams to Australian Businesses
Small businesses across Australia are facing an escalating threat from sophisticated fake invoice scams that have cost owners millions of dollars in misdirected payments. These fraudulent schemes involve criminals intercepting legitimate business communications and altering payment details to redirect funds into accounts they control. The Australian Competition and Consumer Commission reports that small businesses lodged 1,909 scam reports to Scamwatch in 2024, with 258 cases recording financial losses totalling $13.1 million. False billing emerged as the most commonly reported scam type, affecting businesses across all sectors and sizes.
The sophistication of these scams has increased dramatically, with criminals employing advanced techniques that make fraudulent invoices virtually indistinguishable from legitimate business correspondence. Melbourne business owner Mick Owar experienced this firsthand when establishing his sports recovery centre, Primal Recovery. After receiving what appeared to be a legitimate Xero invoice from the web development company he had engaged, Owar promptly paid the $12,000 amount to the account details provided. The invoice appeared entirely authentic in every respect, containing the correct branding, formatting, and invoice number that matched his expectations.
The deception only became apparent when the legitimate supplier contacted Owar to enquire about the outstanding payment. During that conversation, the supplier asked Owar to read back the account number he had used for the transfer. The supplier immediately identified that the account belonged to an entirely different financial institution than the one the company actually used. This revelation exposed Owar as a victim of a man-in-the-middle scam, where criminals had successfully intercepted the legitimate invoice communication and substituted fraudulent banking details before it reached him.
Understanding Man-in-the-Middle Invoice Fraud
Man-in-the-middle scams represent a particularly insidious form of business email compromise that exploits the trust inherent in established commercial relationships. ACCC deputy chair Catriona Lowe explains that these scams prove difficult to detect because criminals employ two primary methods to execute their fraud. In some cases, scammers successfully hack into the email systems of legitimate businesses, gaining access to actual correspondence and the ability to modify invoices before they reach intended recipients. Alternatively, criminals create impersonation email addresses that closely mimic authentic business addresses by changing a single letter, substituting similar-looking characters, or adding subtle variations that escape casual notice.
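The impersonation-address method described above can be screened for automatically. The following is an added example, not part of the original article: it compares a sender's domain against a list of known supplier domains and flags near-misses. The domains, the substitution map and the distance limit are constructed assumptions.

```python
import unicodedata

# Constructed allow-list of supplier sender domains (assumption: maintained outside the mailbox).
KNOWN_SUPPLIER_DOMAINS = {"brightpixel-web.example", "coastalfreight.example"}

# Small illustrative map of look-alike substitutions; not a complete confusables table.
CONFUSABLES = {"0": "o", "1": "l", "5": "s", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o"}  # Cyrillic a, e, o

def skeleton(domain):
    """Fold a domain to a comparison form so look-alike characters collapse together."""
    text = unicodedata.normalize("NFKC", domain).lower()
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        row = [i]
        for j, cb in enumerate(b, 1):
            row.append(min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = row
    return prev[-1]

def classify_sender(address, known=KNOWN_SUPPLIER_DOMAINS, max_distance=2):
    """Return ('known' | 'lookalike' | 'unknown', matched_domain_or_None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        return ("known", domain)
    for real in sorted(known):
        # Same skeleton = swapped look-alike characters; small distance = changed letter.
        if skeleton(domain) == skeleton(real) or edit_distance(domain, real) <= max_distance:
            return ("lookalike", real)
    return ("unknown", None)

if __name__ == "__main__":
    for sender in ("accounts@brightpixel-web.example",   # genuine
                   "accounts@brightpixe1-web.example",   # digit 1 for letter l
                   "billing@coastalfrieght.example"):    # two letters swapped
        print(sender, classify_sender(sender))
```

A message sent from a genuinely compromised supplier mailbox still classifies as `known`, so this check only covers the impersonation method and does not replace confirming payment details by telephone.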
The effectiveness of these schemes relies on the operational realities facing small business owners who often manage multiple responsibilities simultaneously with limited administrative support. Time pressures encourage quick processing of what appear to be routine invoices from known suppliers, reducing the scrutiny applied to payment details that may have been altered. Criminals understand these operational constraints and deliberately target businesses during busy periods or when dealing with larger transactions that might normally warrant additional verification.
Following the fraudulent transfer, Owar immediately contacted his financial institution to request reversal of the transaction. However, the bank informed him that recovering the funds was not possible once the transfer had been completed and processed. This response reflects the challenges inherent in the Australian banking system, where real-time payment systems provide convenience but offer limited protection once funds have left the originating account. Owar was eventually advised that the $12,000 would not be recoverable through standard channels.
The financial and emotional impact of this loss affected Owar significantly during the vulnerable early stages of establishing his business. He subsequently lodged a formal complaint with his bank regarding their handling of the situation and the inadequate scam protection mechanisms in place for business customers. After several months of correspondence, the bank provided a goodwill payment covering the full $12,000 amount, though this outcome cannot be guaranteed for all victims and should not be relied upon as a safety net.
The Broader Impact of Theft on Small Business Operations
The challenges facing Owar extended beyond digital fraud to include physical theft that further compromised his business operations. Whilst working as a tradesperson to establish his sports recovery centre, Owar experienced two separate incidents where criminals stole thousands of dollars worth of tools and equipment. The first theft occurred when he and his apprentice failed to realise that their utility vehicle's rear gate required manual locking rather than engaging automatically. This oversight left their tools readily accessible to opportunistic thieves who took advantage of the unsecured vehicle.
During the initial theft, criminals removed Owar's entire set of cordless drills, hammer drills, and saws with an estimated value of $3,000 whilst the vehicle was parked in the driveway of his apprentice's residence overnight. After replacing these essential tools, Owar experienced the identical theft scenario when the same security oversight led to another break-in whilst the vehicle was parked at his own home. Without insurance coverage at the time, Owar absorbed these losses entirely and purchased secondhand replacement tools to continue operations.
New data from BizCover reveals that theft has become an escalating operational risk for small businesses across multiple sectors. The insurance provider reports hearing from food and beverage establishments, retail operations, beauty service providers, and trades professionals who have experienced significant losses from theft. Sharon Kenny from BizCover notes that theft impacts small businesses during periods when they can least afford such setbacks, with café owners discovering emptied cash registers and tradespersons waking to find equipment stolen. These incidents can eliminate a week's earnings for small operators already managing tight profit margins.
Analysis of theft claims submitted to BizCover between January 2022 and 2025 identifies cash as the primary target, accounting for one in five theft claims. Tools represent the second most commonly stolen items at eleven per cent of claims, reflecting the high resale value and portability of professional equipment used by tradespersons and contractors. These statistics underscore the dual nature of threats facing small businesses, who must simultaneously protect against both sophisticated digital fraud and traditional physical theft.
Implementing Verification Procedures to Prevent Invoice Fraud
The experiences shared by business owners like Owar provide valuable lessons for implementing robust verification procedures that can prevent costly fraud. The ACCC recommends that businesses receiving invoices via email should always take time to contact the supplier directly using telephone numbers obtained independently rather than those provided in the invoice itself. This simple verification step requires only a few minutes but can prevent the devastating financial losses associated with fake invoice scams.
When conducting verification calls, business owners should specifically confirm all payment details including the account name, BSB number, account number, and the financial institution holding the account. Any discrepancy between the details provided in the invoice and those confirmed by the legitimate supplier indicates potential fraud requiring immediate investigation. Businesses should also verify that any changes to established payment details are communicated through multiple channels rather than relying solely on email notifications, which may be compromised.
Establishing standardised payment approval processes provides an additional layer of protection, particularly for transactions above specified threshold amounts. Requiring multiple authorisations for significant payments creates opportunities for detection when fraudulent invoices enter the system. Maintaining detailed records of supplier contact information in secure, separate systems ensures that verification can occur using trusted data sources rather than potentially compromised email communications.
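The verification and approval steps in this section can be enforced at the point of payment. The following is an added example, not part of the original article: it compares the bank details on an incoming invoice with a separately held supplier register and applies a dual-approval threshold. The supplier name, BSB and account values, and the threshold amount are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class BankDetails:
    account_name: str
    bsb: str
    account_number: str

def digits_only(value):
    """Strip spaces and hyphens so '012-345' and '012345' compare equal."""
    return re.sub(r"\D", "", value)

# Constructed register (assumption: filled from details confirmed by telephone
# and stored separately from email).
SUPPLIER_REGISTER = {
    "Bright Pixel Web Pty Ltd": BankDetails("Bright Pixel Web Pty Ltd", "012-345", "12345678"),
}
DUAL_APPROVAL_THRESHOLD = 5000  # AUD; hypothetical policy value

def check_invoice(supplier, invoice, amount):
    """Return (decision, reasons); decision is 'pay', 'second_approval' or 'hold'."""
    trusted = SUPPLIER_REGISTER.get(supplier)
    if trusted is None:
        return ("hold", ["supplier not in register: verify by phone before first payment"])
    reasons = []
    inv_bsb, reg_bsb = digits_only(invoice.bsb), digits_only(trusted.bsb)
    if inv_bsb != reg_bsb:
        reasons.append("BSB differs from register")
        if inv_bsb[:2] != reg_bsb[:2]:  # first two BSB digits identify the institution
            reasons.append("different financial institution")
    if digits_only(invoice.account_number) != digits_only(trusted.account_number):
        reasons.append("account number differs from register")
    if invoice.account_name.strip().casefold() != trusted.account_name.strip().casefold():
        reasons.append("account name differs from register")
    if reasons:
        return ("hold", reasons)
    if amount >= DUAL_APPROVAL_THRESHOLD:
        return ("second_approval", ["amount at or above dual-approval threshold"])
    return ("pay", [])

if __name__ == "__main__":
    altered = BankDetails("Bright Pixel Web Pty Ltd", "734-201", "99887766")  # constructed
    print(check_invoice("Bright Pixel Web Pty Ltd", altered, 12000))
```

A `hold` result means the supplier is contacted on the independently obtained telephone number before any payment; a details change is written to the register only after that call.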
Owar emphasises that even extremely convincing fraudulent invoices can be identified through proper verification procedures. His experience demonstrates that scammers invest considerable effort in replicating legitimate correspondence, making visual inspection alone insufficient for detecting fraud. The only reliable method for confirming payment details involves direct communication with suppliers using independently obtained contact information. Whilst this approach requires additional time investment, the protection it provides justifies the minor inconvenience compared to the potential for substantial financial losses.
Protecting Your Business From Multiple Threat Vectors
Small business owners must maintain vigilance across multiple dimensions of security, recognising that criminals employ both digital and physical methods to target vulnerable operations. For digital security, businesses should implement robust email security protocols including spam filters, phishing detection systems, and employee training programmes that educate staff about recognising suspicious communications. Regular software updates and security patches reduce vulnerabilities that criminals might exploit to compromise email systems.
Establishing clear communication protocols with suppliers and clients helps create expectations about how legitimate business correspondence should appear and what verification procedures should be followed. Businesses might implement policies requiring that any changes to payment details be confirmed through telephone conversations or in-person meetings rather than accepting such changes via email alone. Some organisations adopt secondary communication channels such as messaging platforms or dedicated portals for confirming sensitive information like banking details.
Physical security measures remain equally important, particularly for businesses maintaining valuable equipment, inventory, or cash on premises or in vehicles. Owar's experience highlights the importance of understanding and properly utilising security features on vehicles and facilities. Business owners should conduct regular security audits to identify vulnerabilities such as inadequate locks, poor lighting, or insufficient surveillance systems that might invite opportunistic theft. Insurance coverage appropriate to the value of assets at risk provides financial protection when prevention measures prove insufficient.
The psychological impact of falling victim to scams should not be underestimated. Owar candidly shared his shock at being targeted, noting that he did not consider himself the type of person typically vulnerable to such schemes. This reaction reflects a common misconception that only careless or unsophisticated individuals fall victim to fraud. The reality is that modern scams target everyone regardless of intelligence or experience, exploiting momentary distractions, time pressures, and the inherent trust that enables efficient business operations.
His emotional response to the fraud, expressing a desire to abandon digital transactions entirely in favour of cash-only operations, demonstrates the erosion of confidence that scams create. However, reverting to cash-only operations would prove impractical for most modern businesses whilst introducing different security vulnerabilities. The appropriate response involves implementing stronger verification procedures and security measures rather than abandoning the efficiency benefits that digital commerce provides.
By learning from the experiences of business owners who have encountered these threats, Australian small businesses can implement protective measures that significantly reduce their vulnerability to both fake invoice scams and physical theft. The combination of proper verification procedures, robust security protocols, and appropriate insurance coverage provides comprehensive protection that enables businesses to operate confidently in an environment where criminals continue developing new methods to exploit vulnerabilities.