PayTo Fraud in Australia
PayTo is reshaping how Australian businesses initiate payments, bringing real-time mandates, instant settlement, and a better customer experience. But every new payment channel creates a new attack surface. Here's what businesses should know.
Source: NPP Australia, AusPayNet
What is PayTo and why does it matter for fraud?
PayTo is a digital payment service built on Australia's New Payments Platform (NPP). It allows businesses to initiate real-time payments from customer bank accounts using pre-authorised digital mandates. Think of it as the modern replacement for direct debit, with stronger authentication and instant settlement.
Customers approve PayTo mandates through their banking app, giving them more visibility and control than traditional direct debit. For businesses, PayTo offers faster fund availability, lower failure rates, and real-time confirmation. It's a genuine improvement in payment infrastructure.
But new payment channels attract new fraud tactics. PayTo's real-time settlement means money moves faster, which reduces the window for detecting and stopping fraudulent transactions. And as adoption grows, so does the incentive for criminals to target the mandate authorisation process. The risks are emerging, not established, but businesses adopting PayTo should understand the threat landscape now.
This is particularly relevant alongside payment redirection fraud, where the same social engineering techniques used to change bank details could be adapted to manipulate PayTo mandate flows. Understanding confirmation of payee principles is also critical for PayTo security.
How PayTo fraud could work
While PayTo has built-in protections, several attack vectors are emerging as adoption grows. These are the scenarios businesses and security teams should be aware of.
Fake merchant identity
A fraudster registers as a business and applies for PayTo access using stolen or fabricated business credentials. If they successfully onboard, they can create mandates that appear to come from a legitimate company.
Social engineering the mandate approval
The customer receives a mandate request that looks legitimate. Through phishing, impersonation, or urgency tactics, the fraudster convinces them to approve the mandate in their banking app. The customer believes they're authorising a real payment agreement.
Exploiting the mandate
Once the mandate is active, the fraudster initiates payments from the customer's account. Real-time settlement means the funds arrive instantly. Multiple payments can be initiated before the customer notices and revokes the mandate.
Rapid extraction
Funds are quickly moved through intermediary accounts to make tracing and recovery difficult. The real-time nature of NPP payments gives the fraudster a significant head start over traditional direct debit, where dishonour processes can claw back funds.
Warning signs to watch for
Whether you're a business using PayTo to collect payments or a customer approving mandates, these are the signs that something may not be right.
Unexpected mandate requests
A PayTo mandate request from a company you don't recognise or haven't engaged with. Legitimate mandates follow a customer relationship.
Pressure to approve quickly
"Approve now to avoid a late fee" or "Your service will be disconnected." Urgency is designed to bypass careful review of the mandate details.
Mismatched business details
The business name on the mandate doesn't quite match the company you think you're dealing with, or the ABN doesn't correspond to the expected entity.
Mandates for unfamiliar amounts
The mandate amount or frequency doesn't match what you agreed to. Review the payment schedule carefully before approving.
Requests via non-official channels
Being asked to approve a mandate through a link in an email or SMS rather than directly through your banking app. Legitimate mandates appear in your bank's PayTo interface.
Multiple mandates from the same entity
Receiving several mandate requests in quick succession from the same or similar business names could indicate a testing or fraud pattern.
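The warning signs above can be turned into screening rules a business or bank could run over incoming mandate requests before a customer is asked to approve. The block below is an added example, not ezyshield's code and not a PayTo or NPP API: the MandateRequest record, the "agreed" record of what the customer actually signed up for, the channel labels and the timestamps are all constructed assumptions. It goes slightly beyond the list by including the ABN checksum test, which only confirms that a number is well-formed, not that it is registered.

```python
from dataclasses import dataclass

# ABN checksum weights; the first digit is decremented by 1 before weighting.
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)

def abn_checksum_ok(abn: str) -> bool:
    # Format check only: a well-formed ABN is not necessarily a registered one.
    compact = abn.replace(" ", "")
    if len(compact) != 11 or not compact.isdigit():
        return False
    digits = [int(c) for c in compact]
    digits[0] -= 1
    return sum(d * w for d, w in zip(digits, ABN_WEIGHTS)) % 89 == 0

@dataclass
class MandateRequest:        # constructed record shape, not a PayTo message format
    payee_name: str
    payee_abn: str
    amount: float
    channel: str             # "banking_app" or an out-of-band link such as "sms_link"
    ts: int                  # minutes since an arbitrary epoch

def screen_mandate(req, agreed, recent_ts, window_min=60, max_in_window=2):
    """Return the warning signs triggered by one request. `agreed` is what the
    customer actually signed up for; `recent_ts` lists earlier requests from
    the same payee name."""
    flags = []
    if req.channel != "banking_app":
        flags.append("non_official_channel")
    if not abn_checksum_ok(req.payee_abn):
        flags.append("malformed_abn")
    elif req.payee_abn.replace(" ", "") != agreed["abn"].replace(" ", ""):
        flags.append("abn_mismatch")
    if req.payee_name.casefold().split() != agreed["name"].casefold().split():
        flags.append("name_mismatch")
    if abs(req.amount - agreed["amount"]) >= 0.01:
        flags.append("amount_mismatch")
    if sum(1 for t in recent_ts if 0 <= req.ts - t <= window_min) >= max_in_window:
        flags.append("repeated_requests")
    return flags

# Constructed sample: the agreement the customer made, a request that matches it,
# and a request that shows several warning signs at once.
AGREED = {"name": "Acme Utilities Pty Ltd", "abn": "51 824 753 556", "amount": 120.00}
GOOD = MandateRequest("Acme Utilities Pty Ltd", "51 824 753 556", 120.00, "banking_app", 100)
BAD = MandateRequest("Acme Utilitys Pty Ltd", "51 824 753 557", 980.00, "sms_link", 130)

def demo():
    return screen_mandate(GOOD, AGREED, []), screen_mandate(BAD, AGREED, [95, 110])
```

The second request in the sample trips five rules at once; in practice any single flag is enough reason to hold the request for review rather than push it to the customer.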
How ezyshield strengthens PayTo security
PayTo has built-in protections, but identity verification of mandate participants adds a critical extra layer. ezyshield ensures every party is who they claim to be.
Verify mandate participants
Every business and individual involved in a PayTo mandate is verified through identity, ABN/ASIC, and bank account ownership checks before the mandate is established.
Detect fake merchants
ABN/ASIC validation confirms the business is real and registered. Identity verification confirms a real person stands behind it. Fake merchant identities fail these checks.
Audit every mandate
Every verification is logged in a tamper-proof audit trail. If a mandate is ever disputed, you have exportable proof of due diligence.
Related content
Payment Redirection Fraud
How scammers redirect legitimate payments, and why PayTo creates new variants of this attack.
Confirmation of Payee
The name-checking principle that underpins secure mandate establishment.
Payment Fraud Prevention
A comprehensive guide to preventing payment fraud in Australia.
How ezyshield Works
Verification that secures every payment channel, including PayTo.
Get ahead of PayTo fraud
New payment channels need new protections. ezyshield verifies every participant before mandates are established, so your business is protected as PayTo adoption grows.