20 May 2026 · Gumshoe Team

The Hidden Cost of Supplier Fraud in Australia

Australian businesses lose an estimated $3.1 billion annually to payment fraud. Most of it starts with a supplier that was never properly verified. Here is what the numbers actually look like — and where the exposure sits.

The Scale of the Problem

The Australian Competition and Consumer Commission's most recent Scamwatch data puts business losses from payment redirection and invoice fraud at over $3.1 billion annually. That figure has grown every year for the past decade. What makes it particularly alarming is that most of these losses are not the result of sophisticated cyberattacks. They are the result of someone paying an invoice they should not have paid — to an entity they should have checked but did not.

Supplier fraud sits at the intersection of two well-understood problems: identity fraud and process failure. The fraud itself is usually simple. What enables it is the absence of a systematic check at the point of onboarding a new supplier or when banking details change.

Where the Losses Actually Occur

A common misconception is that supplier fraud is mostly a large-enterprise problem. In fact, the ACCC's data consistently shows that small and medium businesses — those with 2 to 50 employees — account for the majority of reported losses. This is not because they are more frequently targeted. It is because large organisations typically have purchase-order systems, multi-approver payment workflows, and dedicated fraud teams. Small businesses rely on trust, familiarity, and the judgement of one or two people in accounts.

The three most common supplier fraud vectors in Australia are:

  • Business email compromise (BEC): A fraudster either compromises a supplier's email account or creates a convincing lookalike domain and requests updated banking details. The invoice that follows looks legitimate because it references real purchase orders and uses the supplier's branding.
  • Fictitious supplier creation: A new supplier is created in the vendor master — sometimes with insider assistance — and invoices are submitted for services or goods never delivered. The ABN is real but the business is a shell.
  • Existing supplier impersonation: A fraudster registers a domain extremely similar to a legitimate supplier's domain (e.g., smithplumbing-au.com instead of smithplumbing.com.au) and begins submitting invoices or requesting payment-detail changes.

The Cost That Does Not Appear in Loss Statistics

The direct financial loss is only part of the story. Supplier fraud generates significant indirect costs that rarely appear in reported figures:

  • Investigation time: A typical fraud incident requires 40 to 80 hours of internal investigation before it is resolved or written off. At professional services billing rates, this alone can exceed the original fraud amount.
  • Remediation and legal costs: Banks in Australia are under no obligation to recover payments made to fraudulent accounts where the payer authorised the transaction. Legal recovery is expensive and rarely successful.
  • Audit and compliance costs: Following a fraud event, most businesses are required by their insurers or directors to commission an external audit of their AP processes. This typically costs $15,000 to $50,000.
  • Reputational damage: If the fraud involves a compromise of the business's own systems — meaning the fraudster accessed your email or accounting software — suppliers and customers may need to be notified under the Notifiable Data Breaches scheme.
  • Insurance premium increases: A successful fraud claim will typically trigger a 20–40% increase in cyber and crime insurance premiums at renewal.

Why Existing Controls Fail

Most small businesses do some form of supplier checking. They look up the ABN on the ABR website. They check that the ABN is active. They may even call the supplier to confirm banking details. These controls are not useless — but they are incomplete, and increasingly insufficient against modern fraud techniques.

An ABN lookup tells you that a number is registered and active. It does not tell you that the entity behind the number has an operating web presence, that the email domain the invoices arrive from is legitimately controlled by that entity, that the domain has not been registered in the past six months, or that the banking details you are about to pay have been confirmed by an authorised person.

The gap between what a basic ABN check tells you and what you need to know to safely pay an invoice is exactly where supplier fraud lives.
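
As an added illustration (not Gumshoe's code, and not part of the original article), the sketch below checks two of the signals an ABN lookup misses: whether the domain an invoice arrives from is a lookalike of the domain held in the vendor master, and whether that domain was registered in the past six months. The function names, the short suffix list, the 0.8 similarity threshold and the sample dates are assumptions; the registration date is supplied by the caller from a WHOIS/RDAP lookup that is not performed here.

```python
from datetime import date
from difflib import SequenceMatcher

# Assumption: a short suffix list for the example; production code should
# use the full Public Suffix List instead.
SUFFIXES = ("com.au", "net.au", "org.au", "com", "net", "org", "au")

def registrable_label(domain):
    """Return the label left of the suffix: 'smithplumbing' for smithplumbing.com.au."""
    domain = domain.lower().strip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):  # longest suffix first
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1]
    return domain.split(".")[0]

def check_sender(sender_email, domain_on_file, registered_on, today, threshold=0.8):
    """Return a list of findings for an invoice or bank-detail change request.

    domain_on_file: the supplier's domain already held in the vendor master.
    registered_on:  registration date of the sender's domain (caller-supplied).
    """
    sender_domain = sender_email.rsplit("@", 1)[-1].lower()
    findings = []
    if sender_domain != domain_on_file.lower():
        # Compare the registrable labels with hyphens removed, so that
        # 'smithplumbing-au' is measured against 'smithplumbing'.
        a = registrable_label(sender_domain).replace("-", "")
        b = registrable_label(domain_on_file).replace("-", "")
        if SequenceMatcher(None, a, b).ratio() >= threshold:
            findings.append("lookalike-domain")
        else:
            findings.append("unknown-domain")
    # Assumption: "six months" is approximated as 183 days.
    if (today - registered_on).days < 183:
        findings.append("recently-registered")
    return findings

if __name__ == "__main__":
    today = date(2026, 5, 20)  # constructed sample data
    print(check_sender("accounts@smithplumbing-au.com", "smithplumbing.com.au",
                       date(2026, 4, 2), today))
```

An empty list means neither signal fired; any finding should route the request to the call-back step on a number already held, not one taken from the email.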

A Different Way to Think About Verification

The most effective supplier verification programmes treat every new vendor relationship — and every change to an existing vendor's banking details — as a risk event requiring a structured response. This means checking not just whether the ABN is valid, but whether the entity's web presence, email infrastructure, domain age, and reputation signals are consistent with a legitimate, operating business.

For a compliance officer or senior accountant, this used to mean opening four or five different browser tabs and spending 40 minutes manually checking each signal. Gumshoe runs all of those checks automatically in under 60 seconds, stores a timestamped verification record, and produces a report your auditors can actually use.

The cost of verifying a supplier properly is measured in seconds. The cost of getting it wrong is measured in tens of thousands of dollars — and sometimes more.

What Good Practice Looks Like

The Australian Payments Network, ASIC, and the ACCC have all published guidance on supplier verification best practice. Common recommendations include:

  • Verify all new suppliers before creating a vendor record in your accounting system
  • Re-verify any supplier requesting a change to banking or payment details, by calling a number you already hold — not one provided in the request
  • Maintain a timestamped audit trail of verification checks for each supplier
  • Apply enhanced due diligence to suppliers you have not previously dealt with or that have been referred through an unusual channel
  • Review and re-verify suppliers that have been inactive for more than 12 months

None of these requirements are onerous. What has historically made them difficult is the time they take when done manually. Automated verification removes that barrier — making best practice the path of least resistance rather than an additional burden on an already stretched team.

The Bottom Line

Supplier fraud is not a technology problem. It is a process problem with a technology solution. The businesses that get defrauded are not naive or careless — they are busy, under-resourced, and operating with processes designed for a world where fraud was less sophisticated than it is today.

The answer is not more vigilance. It is better tooling. A systematic verification check that takes 60 seconds and produces an audit-ready report is something any business can build into their AP process — and that most fraudsters cannot overcome.

Contains data sourced from the Australian Business Register and ASIC, © Commonwealth of Australia, licensed under CC BY 3.0 AU.