Skip to content

Business email compromise (BEC) & fake invoice scams

Written & reviewed by Reuben Schultz, FounderLast updated 2 July 2026

Business email compromise — also called payment redirection or fake invoice scams — is when a scammer hacks or imitates a business's email and tells you its bank details have changed, so a genuine payment goes to the scammer instead of the real supplier. It's one of the costliest scams for Australian businesses, and it spikes at EOFY when invoice volumes are high.

This guide explains how the scam works, the warning signs to watch for, and what to do if you've been caught out. Got a specific message in front of you? Check it now and get an instant verdict.

How this scam works

A scammer gains access to a business's email account, or sends email from an address that looks almost identical to the real one. Posing as a supplier, contractor or even your own CEO, they email you to say the bank account for payment has changed, and ask you to pay the next invoice to the 'new' details. Because the message can come from the genuine, compromised address — or a near-perfect lookalike — and references a real order, it passes a glance. The money lands in the scammer's account, and it's often gone before anyone notices. Example — a scam email might read: "Hi, please note our accounts have moved banks. Update our details and remit the attached invoice to the new BSB and account number." A genuine change of payment details is worth a phone call before you pay.

What the scam looks like

These composed examples show how the scam typically reads, with the tells that give each one away. Compare them against anything you've received.

Example scam emailExample only. Not a real message.

Subject: Remittance update. Hi, please note our accounts department has moved banks and our previous account is now closed. Kindly update your records and process the attached invoice to the new BSB and account number before Friday to avoid supply disruption.

What gives it away:

  • A change of bank details announced only by email is the classic redirection play; confirm it by phoning the supplier on a number you already have
  • The deadline and supply-disruption threat exist to stop you checking
  • The sender can be a hacked real account or a lookalike one character off, so the address alone proves nothing
Example scam emailExample only. Not a real message.

Subject: Urgent, are you at your desk? I need you to process a confidential payment for an acquisition today. I'm in back-to-back meetings and can't take calls, so keep this between us and confirm once it's sent.

What gives it away:

  • Urgency plus secrecy plus 'can't take calls' is the CEO-fraud signature; it removes every route you'd use to verify
  • No legitimate payment skips your normal approval process, whoever appears to ask
  • Check the sender's domain character by character; lookalikes swap or add a single letter
Example scam emailExample only. Not a real message.

Subject: RE: Invoice 4471, final progress claim. Following up on the below, our banking details have changed since the last claim. Please pay this one to the account on the updated invoice attached.

What gives it away:

  • This reply arrives inside a genuine email thread from a compromised mailbox, which is why the sender and the history both look right
  • A mid-thread change of bank details is exactly how payment interception looks; only a phone call to a number you already hold catches it
  • Real suppliers expect you to verify; anyone discouraging a call is telling you something

Who gets targeted, and when

Businesses of every size, from sole traders to large firms, and the people who pay their invoices. Accounts-payable staff, bookkeepers and office managers are the prime marks because they action payment emails all day. Consumers are hit too, most often around property settlements, conveyancing and building work, where a single redirected deposit can be a life-changing amount.

BEC tracks invoice cycles: end of month, end of quarter and above all end of financial year, when businesses push through a high volume of payments and a 'changed bank details' email blends into the rush. Holiday periods are also risky, because approvals get delegated and a scammer posing as an absent boss or supplier faces less scrutiny.

How to spot it

  • An invoice or email saying a supplier's or contractor's bank details (BSB and account number) have changed, especially close to a due date
  • A sender address or domain that's slightly off — an extra letter, a swapped character, or a public domain instead of the company's own
  • A request to pay urgently, change a payment, or keep it confidential — pressure that discourages you from checking
  • A reply-to address that differs from the sender, or an email thread that suddenly moves to a new address
  • Any change to payment details confirmed only by email — the same channel a scammer controls or can intercept

What to do if you have been targeted

  1. Before paying, call the supplier or colleague on a phone number you already have — never the number or 'reply' in the email — to confirm any change to payment details
  2. If you've already paid, contact your bank immediately to try to stop or recall the transfer — the first hours matter most
  3. Put a multi-person approval step on payments and on any change of bank details, so one email can't move money on its own
  4. If a business email account may be compromised, get IT help to secure it (reset passwords, turn on multi-factor authentication, check mail-forwarding rules)
  5. Report it to Scamwatch and ReportCyber, and warn your staff and your suppliers so the same invoice doesn't catch others

Where to report it

  • ScamwatchReport the scam to the ACCC's national scam service.
  • ReportCyberReport cybercrime and financial loss to the police.
  • ACMAComplain about scam texts and spam SMS, email or calls.
  • Forward to 7226 (SCAM)Forward the scam SMS to short code 7226 so carriers can block the source.
  • IDCAREFree identity and cyber support if your details were taken.

How to protect yourself

  • Verify every change of bank details by phone, on a number you already have on file, before paying a cent
  • Require two people to approve payments and any change to supplier details, so one email can never move money alone
  • Turn on multi-factor authentication for business email, and periodically check accounts for mail-forwarding rules you didn't create
  • Read the sender's domain character by character on any payment email; one swapped letter is all a lookalike needs
  • Slow down on urgent, confidential or end-of-quarter payment requests; the pressure is the tell

BEC & fake invoice scams in 2026

Payment redirection remains among the costliest scams reported by Australian businesses, and current campaigns are patient: scammers sit inside a compromised mailbox, watch real invoice traffic, then step in at the moment a large payment falls due with 'updated' bank details that match the genuine thread. CEO-style requests for urgent, confidential transfers continue alongside, often timed for when the boss is known to be travelling or in meetings. What never changes is the choke point: money only moves when someone accepts new details without an out-of-band check. A standing rule that every change of bank details gets a phone call to a known number defeats the entire category.

Check a suspicious message now

Paste the text or email you're unsure about and get an instant verdict — business email compromise (bec) & fake invoice scams included, free.

See all free scam checker tools →

Frequently asked questions

The email came from my supplier's real address — how can it be a scam?

That's the trap. In business email compromise the scammer has often hacked the real account, or uses a near-identical lookalike address, so the message genuinely appears to come from your supplier. The sender alone proves nothing — confirm any change of bank details by phoning the supplier on a number you already have, not one from the email.

Why are these scams worse around EOFY?

At end of financial year businesses send and pay a high volume of invoices and are rushing to close the books, so a 'changed bank details' email blends into normal activity. Slow down on any payment-detail change during this period and verify it by phone.

We paid a fake invoice — what should we do right now?

Call your bank immediately to try to stop or recall the payment, then report it to Scamwatch and ReportCyber. Get IT advice to check whether an email account has been compromised, change passwords and turn on multi-factor authentication, and tell your suppliers and staff in case they've been targeted too.

How do I report business email compromise in Australia?

Report it to ReportCyber at cyber.gov.au, which handles cybercrime affecting Australian businesses, and to Scamwatch at scamwatch.gov.au so the National Anti-Scam Centre can track the campaign. Contact your bank straight away if any money has moved. It's also worth telling the impersonated supplier through a known phone number, because their mailbox may be the one that's compromised.

Can a business get the money back after paying a redirected invoice?

Sometimes, and speed is everything. Banks can attempt to stop or recall a transfer, and funds are occasionally frozen at the receiving end when the report arrives quickly, but recovery is never guaranteed once money moves on. Call your bank the moment the payment looks wrong, keep every email as evidence, and report to ReportCyber and Scamwatch in parallel.

Related scam types

Other scams hitting Australians right now — know the warning signs:

Sources

This guide is general information, not legal or financial advice — if you've lost money, contact your bank and the reporting channels above straight away.