Beyond the ABN: Why a Valid ABN Is Not Enough
A valid, active ABN is the minimum threshold for supplier legitimacy — not the maximum. Here is why accountants who stop at the ABN check are leaving serious risk on the table.
The ABN Is a Starting Point, Not a Finish Line
The Australian Business Number was introduced in 2000 to simplify business dealings with government. In the years since, it has also become the de facto first check in supplier onboarding: look up the ABN, confirm it is active, move on. For many organisations, this is where supplier verification ends.
The problem is that an active, legitimate ABN tells you almost nothing about whether the entity presenting it is the entity you think you are dealing with. It confirms that someone registered a business at some point. It does not confirm that the invoice you received came from that business, that the banking details on the invoice are controlled by that business, or that the business has any meaningful operational presence at all.
What an ABN Actually Tells You
When you look up an ABN through the Australian Business Register, you get the following information:
- Whether the ABN is currently active or cancelled
- The entity name registered to the ABN
- The entity type (company, sole trader, partnership, trust, etc.)
- The state and postcode of the principal business address
- Whether the entity is registered for GST
- The date the ABN became active
That is a useful set of data. But notice what is not on that list: any information about the entity's web presence, email infrastructure, domain registration, reputation, or operational legitimacy. The ABR is a registration database, not a fraud-detection system.
The Five Things an ABN Check Cannot Tell You
1. Whether the Entity Operates a Legitimate Website
A supplier that has traded for ten years should have an established web presence. A domain registered last month — or no domain at all — is a red flag that a basic ABN lookup will never surface. Domain age is one of the most reliable early indicators of potential fraud: most fraudulent supplier setups involve domains registered days or weeks before the fraudulent invoices arrive.
2. Whether the Email Domain Is Legitimately Controlled
The email address on a fraudulent invoice frequently comes from a domain that looks similar to, but is not, the legitimate supplier's domain: for example, "smithplumbing-invoices.com" instead of "smithplumbing.com.au". In other cases it is a legitimate-looking domain with no Sender Policy Framework (SPF) record, no DMARC policy, and no verifiable connection to the entity. An ABN check tells you nothing about any of this.
3. Whether the Entity's Domain Has a Clean Reputation
Threat intelligence databases — Spamhaus, SURBL, URIBL, OpenPhish — maintain real-time lists of domains associated with spam, phishing, and malware. These lists are updated continuously and are among the fastest signals that a domain is being misused. Checking an ABN on the ABR will never surface a Spamhaus listing.
4. Whether the ASIC Record Matches
For companies (as opposed to sole traders or trusts), ASIC maintains a separate register of company registrations. A company can be deregistered by ASIC (for failure to lodge returns, on winding up, or on application by the company itself) while the ABN remains active in the ABR for a period. Paying an invoice from a deregistered company is both a legal risk and a strong indicator of fraud.
5. Whether the State and Postcode Are Consistent
This sounds trivial, but it is a surprisingly effective signal. An ABN registered in a Queensland postcode range with a Victorian state code indicates either a data error or an attempt to fabricate legitimacy using a real ABN. The ABR data is sufficient to detect this, but most manual ABN lookups do not check it.
The Risk of False Confidence
There is a particular risk that comes from doing an ABN check: it creates a sense of having done due diligence when in fact very little has been done. An invoice from a fraudulent entity with a legitimate-looking ABN will pass a basic ABN check. The accounts payable officer who performs that check and then approves the payment is not negligent; they followed their process. But the process was insufficient.
This matters for more than just fraud prevention. In the event of an audit or insurance claim following a fraud event, "we checked the ABN" is not a compelling demonstration of reasonable due diligence. "We checked the ABN, verified the entity's web presence, confirmed the domain age, checked the email infrastructure, and ran the domain against threat intelligence databases — and here is the timestamped report" is.
What a Complete Check Looks Like
A comprehensive supplier verification covers at minimum:
- ABN status and age — Is it active? How long has it been registered?
- GST registration — Is it consistent with the entity type and claimed turnover?
- ASIC company status — Is the entity deregistered? Does the ASIC record match the ABR record?
- Web presence — Does a live website exist? Is it HTTPS? Does it look like an operating business?
- Domain age — When was the domain registered? A domain under six months old warrants heightened scrutiny.
- Email infrastructure — Are MX records, SPF, and DMARC present? Is the domain spam-listed?
- Reputation — Has the domain appeared in phishing or spam databases?
- Address consistency — Does the postcode match the stated state?
Gumshoe runs all eight of these checks simultaneously in under 60 seconds and produces a weighted assurance score with a timestamped, auditable report. For a team that currently stops at the ABN, this is not more work — it is the same work, done properly, in a fraction of the time.
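Three of the checks listed above (lookalike sender domain, domain age, and SPF/DMARC presence) can be sketched offline as follows. This is an added example, not Gumshoe's code or part of the original article. The function names, the 180-day threshold standing in for "six months", the 0.85 similarity cut-off and the sample dates are assumptions; in practice the registration date and TXT records would come from WHOIS/RDAP and DNS lookups.

```python
from datetime import date
from difflib import SequenceMatcher

MIN_AGE_DAYS = 180  # assumption: stands in for the article's "six months"

def label(domain):
    # Assumes a registrable domain is passed in; returns its leftmost label.
    return domain.lower().rstrip(".").split(".")[0]

def is_lookalike(sender, known):
    """True when sender is not the known supplier domain but imitates it."""
    if sender.lower() == known.lower():
        return False
    s, k = label(sender), label(known)
    # 0.85 is an assumed cut-off for near-identical spellings.
    return k in s or SequenceMatcher(None, s, k).ratio() >= 0.85

def dmarc_policy(dmarc_txt):
    """Return the p= value of the first usable DMARC record, else None."""
    for rec in dmarc_txt:
        pairs = (t.split("=", 1) for t in rec.split(";") if "=" in t)
        tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
        if tags.get("v") == "dmarc1":
            return tags.get("p")
    return None

def assess(sender, known, registered, today, txt, dmarc_txt):
    """Return findings for one invoice sender domain (empty list = none)."""
    findings = []
    if is_lookalike(sender, known):
        findings.append("lookalike-domain")
    if (today - registered).days < MIN_AGE_DAYS:
        findings.append("young-domain")
    spf = [r.lower().split() for r in txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # none, or several (which receivers treat as an error)
        findings.append("spf-missing-or-duplicated")
    elif any(term in ("all", "+all") for term in spf[0]):
        findings.append("spf-allows-any-sender")
    policy = dmarc_policy(dmarc_txt)
    if policy is None:
        findings.append("dmarc-missing")
    elif policy == "none":
        findings.append("dmarc-monitor-only")
    return findings

if __name__ == "__main__":
    # Constructed sample: the article's lookalike domain, registered 14 days ago.
    print(assess("smithplumbing-invoices.com", "smithplumbing.com.au",
                 date(2024, 5, 20), date(2024, 6, 3), [], []))
```

An empty findings list means only that these three checks raised nothing; it does not replace the ABN, ASIC, reputation and address checks in the list above.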