Payment Fraud Statistics 2025: The Numbers Australian Businesses Need to Know
Australian payment fraud is growing faster than businesses can adapt. Here are the latest statistics from official government and industry reports, and what they mean for your business.
The big picture: Australian scam losses in 2024
In 2024, Australians lost a combined $2.03 billion to scams, according to the National Anti-Scam Centre (NASC) Targeting Scams report. That figure includes every category of scam: investment, romance, phishing, and payment fraud. It represents a slight decrease from the $2.74 billion reported in 2023, but the composition of losses has shifted. Payment-related fraud is now growing while other categories decline.
For businesses, the picture is worse. Payment redirection fraud surged 66% year-on-year to $152.6 million. Business email compromise (BEC) cost organisations $84 million in the 2023-24 financial year. The Australian Signals Directorate (ASD) received 87,400 cybercrime reports from businesses in FY2023-24, averaging one report every six minutes.
The decline in overall scam losses masks a troubling trend: the scams targeting business payments are getting bigger, more sophisticated, and harder to detect. Investment scams dropped as banks cracked down on crypto transfers, but B2B payment fraud filled the gap.
Key statistics at a glance
The numbers that matter most for Australian finance leaders and business owners.
Total scam losses in 2024
NASC Targeting Scams Report
Payment redirection fraud losses
NASC, +66% YoY
BEC losses in FY2023-24
ASD Annual Cyber Threat Report
Average loss per BEC incident
ASD Annual Cyber Threat Report, FY2023-24
Of scam losses borne by customers
ASIC Report 761
Of scam payments detected by banks
ASIC Report 761
Of losses reimbursed by banks
ASIC Report 761
Business scam reports in FY2023-24
ASD Annual Cyber Threat Report
Payment redirection fraud: the fastest-growing threat
Payment redirection fraud, where scammers trick businesses into sending legitimate payments to fraudulent bank accounts, is the fastest-growing category of payment fraud in Australia. In 2024, losses reached $152.6 million, up 66% from the year before (NASC).
The mechanics are straightforward. A scammer impersonates a supplier, sends "updated bank details" by email, and your accounts payable team changes the payment destination. The invoice is real. The amount is correct. The only thing that changed is where the money goes. By the time the real supplier calls to chase their payment, the money has been withdrawn.
What makes payment redirection so dangerous is that it exploits trust. These are not cold-call scams or obvious phishing emails. They target payments your business was already planning to make, to suppliers you already work with. The scammer's job is to change one detail: the bank account number.
The 66% year-on-year increase suggests that businesses are not keeping pace with the threat. Manual verification processes, like calling a supplier to confirm bank details, are slow, inconsistent, and easily defeated by scammers who have compromised the supplier's email or phone.
For a full breakdown of how this scam works and how to prevent it, see our guide to payment redirection fraud.
Business email compromise: the #1 cyber threat
BEC is the top reported cybercrime type for Australian businesses. It cost organisations $84 million in FY2023-24, with losses concentrated among businesses that lack automated payment verification.
Average cybercrime cost per report
ASD Annual Cyber Threat Report, FY2023-24
Average cybercrime cost per report
ASD Annual Cyber Threat Report, FY2023-24
Average cybercrime cost per report
ASD Annual Cyber Threat Report, FY2023-24
BEC works because it exploits email trust. A scammer gains access to a real email account (through credential phishing, malware, or data breaches), then monitors email threads and waits for payment-related conversations. When the time is right, they inject themselves into the conversation with fraudulent bank details or a fake invoice.
The ASD reported over 1,400 BEC incidents with financial loss in FY2023-24. BEC losses for large businesses increased 138% year-on-year, signalling that even organisations with dedicated security teams are vulnerable. The scale of the problem is growing because AI tools now help scammers produce more convincing emails, faster.
Learn more about BEC tactics and defences in our business email compromise threat guide.
Most targeted industries
Payment fraud targets every sector, but some industries face disproportionate risk due to their payment patterns, supplier relationships, and transaction volumes.
Construction
High-value subcontractor payments and frequent invoicing make construction the most targeted sector. The AFP issued a specific warning about BEC scams in construction in 2024. Multi-layered supply chains mean more invoices, more bank detail changes, and more opportunities for interception.
Professional Services
Law firms, accounting practices, and consulting firms process large trust account payments. Scammers exploit established client-supplier relationships and the trust inherent in professional engagements.
Healthcare
Healthcare was the most breached sector in Australia in the second half of 2024, with 102 data breaches reported. Ransomware incidents targeting healthcare doubled in FY2024-25. Medical suppliers, pathology services, and equipment leasing create complex payment chains.
Education
Universities and TAFEs process payments to thousands of suppliers. The University of Queensland found $3.5 million in duplicate payments during an audit. Large vendor lists combined with decentralised purchasing create gaps that scammers exploit.
Retail & Transport
High-volume payment processing across multiple suppliers, warehouses, and logistics partners creates a large attack surface. Frequent supplier onboarding and offboarding adds risk when verification processes are manual.
Government
Public money, procurement rules, and large payment volumes make local and state government a high-value target. Freedom of Information requests can expose supplier lists and payment schedules, giving scammers the intelligence they need.
Sources: ASD Annual Cyber Threat Report FY2024-25, AFP Media Release 2024, OAIC Notifiable Data Breaches Report H2 2024
Bank recovery rates: why prevention is your only option
ASIC's review of the four major banks found that scam victims bear almost all the financial loss. Banks detect a fraction of fraudulent payments, and reimburse even less.
Of scam losses borne by the victim
Banks do not reimburse the vast majority of fraud losses. Whether you are a $5 million business or a $500 million enterprise, the money is your problem.
Source: ASIC Report 761, 2023
Of scam payments detected by banks
Banks catch roughly 1 in 8 fraudulent payments. The other 7 go through. By the time a payment is flagged, the money has often been moved offshore or withdrawn.
Source: ASIC Report 761, 2023
Of total losses reimbursed by banks
Individual major banks reimburse between 2% and 5% of scam losses. There is no mandatory reimbursement scheme in Australia, unlike the UK's Authorised Push Payment rules.
Source: ASIC Report 761, 2023
Of victims globally who recover their money
Once a fraudulent payment clears, recovery rates are near zero worldwide. Scammers move money through mule accounts within hours, making tracing and recovery impractical.
Source: GASA / Feedzai Global State of Scams, 2024
The message from these numbers is clear: relying on your bank to catch or reimburse payment fraud is not a strategy. The only reliable approach is to verify every payment before it leaves your account. For more detail on Australia's fraud landscape, see our comprehensive payment fraud statistics page.
Emerging trends: AI-powered fraud and declining recovery
Two forces are making payment fraud worse in 2025: AI tools are lowering the cost and skill required to run scams, and recovery rates continue to fall.
AI is supercharging scammers
Generative AI has removed the language and skill barriers that once limited fraud. Scammers now use AI to write grammatically perfect emails that match a company's tone and style. Deepfake voice technology can clone a CFO's voice from a few seconds of audio, enabling phone-based fraud that bypasses "call to confirm" procedures.
In 2024, a Hong Kong finance worker transferred $25 million after a video call with what appeared to be their CFO. The entire call was a deepfake. Mastercard reported that 20% of Australian businesses had received deepfake threats in the prior 12 months, and global deepfake incidents increased 257% year-on-year.
For more on how AI is changing the threat landscape, see our AI-powered fraud guide.
Recovery rates are declining
Despite increased awareness and government investment in anti-scam infrastructure, the actual recovery of lost funds is getting harder. Scammers have adapted by using sophisticated money mule networks that move funds through multiple accounts within minutes of receipt.
The Scams Prevention Framework (SPF), passed in late 2024, places new obligations on banks, telcos, and digital platforms. But the SPF focuses on prevention and detection, not reimbursement. Australia has not adopted the UK model of mandatory reimbursement for authorised push payment fraud.
The practical implication: if your business sends a payment to a fraudulent account, you should assume you will not get it back. Prevention before the payment is made is the only strategy that works at scale.
What these statistics mean for your business
The data points to three conclusions that Australian finance leaders need to act on.
1. Manual verification is not enough
If your current process for verifying supplier bank details involves phone calls, emails, or PDFs, you are exposed. Scammers who have compromised a supplier's email can intercept your verification call or respond to your confirmation email. The 66% increase in payment redirection fraud confirms that manual processes are failing.
2. Your bank will not save you
With 96% of losses borne by victims and reimbursement rates between 2% and 5%, banking on your bank to catch or recover fraudulent payments is not a viable strategy. The ASIC data is unambiguous: the financial risk sits with your business.
3. Prevention is the only reliable strategy
Every statistic on this page reinforces the same conclusion: you need to verify before you pay. That means confirming the identity of the person requesting payment, validating their business against ABN and ASIC records, and verifying bank account ownership in real time, before money leaves your account. Learn how ezyshield does this in a single automated flow on our how it works page.
Sources and methodology
All statistics on this page are sourced from official Australian government reports and industry research. We do not estimate, extrapolate, or combine figures across incompatible datasets.
- NASC Targeting Scams Report 2024 (National Anti-Scam Centre, ACCC). Total scam losses, payment redirection fraud figures, category breakdowns.
- ASD Annual Cyber Threat Report FY2024-25 (Australian Signals Directorate). BEC losses, cybercrime reports, cost by business size, industry targeting.
- ASIC Report 761 (Australian Securities and Investments Commission, 2023). Bank scam detection rates, reimbursement rates, customer loss burden.
- GASA / Feedzai Global State of Scams 2024. Global recovery rate data.
- AFP Media Releases 2024 (Australian Federal Police). Industry-specific fraud warnings, BEC construction sector alert.
Page last updated: 3 March 2026. Statistics reflect the most recent available data at time of publication.
Frequently asked questions
How much did Australians lose to payment fraud in 2024?
What is the most common type of payment fraud targeting Australian businesses?
Do Australian banks reimburse businesses for fraud losses?
Which industries are most targeted by payment fraud in Australia?
How can Australian businesses protect themselves from payment fraud?
Stop payment fraud before money moves
Every statistic on this page points to the same conclusion. Prevention is the only strategy that works. ezyshield verifies every payee before you pay.