Eliminating payment redirection scams with OK2Pay

Despite increased awareness, payment redirection scams continue to cost businesses millions. Manual controls consume man-hours, and on their own they are not sufficient to stop every scam before it happens.

This means the risk around business payments is growing. However, proactive payee verification strategies and software can significantly reduce your exposure to fraud and error.

We highlight the specific threats that put payment workflows at risk and how layered, automated verification with OK2Pay can help organisations detect issues early.

An escalating threat to business payments

According to the ACCC, Australian businesses lost more than $152.6 million to payment redirection scams in 2024(1) – a 67% increase from the previous year.

Many of these incidents do not involve sophisticated cyberattacks, but instead exploit weak internal processes, such as unchecked supplier email updates, unverified account changes, and vulnerabilities in editable ABA files (the format most organisations use to upload payments into their bank).  

Common points of failure include:

  • Internal fraud – enabled by unrestricted access
  • Business email compromise (BEC) – for example, fake invoice submissions
  • Phishing attacks – emails from parties pretending to be somebody else
  • Supplier conflict of interest
  • Human error – such as incorrect data entry or duplicate payments

In many cases, funds are transferred before discrepancies are identified. At that point, recovering the money becomes extremely challenging, particularly where deliberate fraud is involved.

What’s driving concern?

To better understand where organisations are feeling the greatest risk, participants at a Satori webinar were surveyed, with:

  • 63% citing BEC as their primary concern
  • 53% identifying human error as a significant risk
  • 34% most concerned about internal fraud

These results confirm what we regularly hear from finance and procurement leaders: even when basic checks are in place, there is often uncertainty around how robust or consistent those processes really are, particularly when account changes or time-sensitive payments are involved.

Recent payment redirection scams in Australia 

Several recent examples highlight how widespread and damaging these incidents are:

  • A local council in Queensland was defrauded of $2.3 million when scammers imitated staff in the organisation to redirect payments.
  • A timber supplier in Northern NSW recently uncovered a $450,000 internal fraud scheme after a supplier dispute revealed payments had been redirected to a staff member’s personal account. The employee, who had access to financial systems, was later found guilty and awaits sentencing.
  • A Sydney hospital lost nearly $2 million in a BEC scam, allegedly orchestrated by a man impersonating suppliers.
  • In Queensland, a woman was defrauded of $800,000 while attempting to purchase a new home, after cybercriminals manipulated real estate email communications.

These cases highlight how internal fraud and cyber-enabled scams are escalating across various sectors by exploiting trust and gaps in payment systems.

Manual controls are not scalable

While many organisations have implemented basic controls, such as requesting bank verification forms or calling suppliers to confirm details, “[what] we’re finding is that the process is often not meticulous enough, not automated enough, and that there are plenty of gaps in that process,” said Mark Bookatz.

Mark highlights the risk presented by ABA files – plain-text files that are editable and untraceable. These files, while convenient for bulk payments, present a major vulnerability if not verified against known data.

Other common challenges include:

  • Onboarding processes that verify payees once, but don’t revalidate changes
  • Manual verification steps that are inconsistently applied across teams
  • A lack of centralised audit trails, reducing visibility and accountability
  • A disconnect between master data and the final payment file

This creates a fragmented process where payment approvals often rely on assumptions rather than verified data.

Introducing OK2Pay: Control, confidence, and clarity

OK2Pay is automated purpose-built verification software that closes the gaps by verifying suppliers at every stage, not just at onboarding.

OK2Pay works across three core layers:

1. Supplier Data Verification

Supplier banking information for both individuals and businesses is validated using a combination of:

  • Confirmation of Payee data, provided directly to Satori by Australian banks
  • The Australian Business Register (ABR) and other government sources
  • OK2Pay’s crowdsourced and continuously updated customer verification database

This enables real-time validation of payee name and account number combinations that goes beyond the bank checks, and has a built-in resolution process if a 'no match' is identified.

2. Enhanced Verification

If the initial verification is inconclusive or a no match is identified, OK2Pay has two escalation and resolution options for clients - either run internally by their own team following the steps below, or by outsourcing the verification management to OK2Pay.

The due diligence steps

Staff run through a number of documented steps, which are logged and stored by the OK2Pay platform for auditing purposes. When verification management is outsourced to OK2Pay, the steps we follow include:

  • Contacting suppliers via phone or email to confirm bank details. “One of the benefits of outsourcing to OK2Pay,” says Kaycee Cardente, “is that you preserve your supplier relationships. We handle the heavy lifting.”
  • Requesting the payee submit two full bank statements to validate account ownership and detect document tampering. “We ask for full bank statements because OK2Pay has all the standard formats in Australia of bank account statements, so we know exactly what to look for, whether a document has been tampered with or doctored in any way,” says Cardente.
  • For individuals or non-ABN vendors, mobile-based identity checks can be performed using SMS passcodes and partial ID data (for example, driver's licence or Medicare number).
  • Conducting conflict of interest checks to identify inappropriate relationships or suspicious payment patterns.

This way, no payee is approved without a complete, auditable trail of verification.

3. ABA File Validation

Before payment is processed, the uploaded ABA file is cross-checked against the verified supplier master file to ensure accuracy. Any discrepancies trigger immediate alerts, allowing teams to review and resolve issues before funds are released.
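
The cross-check described above can be illustrated with a short added example (not OK2Pay's code): it reads the type-1 detail records of an ABA file and compares each BSB, account and account title against a verified master list. Field offsets follow the published ABA fixed-width layout; the master-file shape, the function names and all sample data are assumptions constructed for illustration.

```python
# Added example. Offsets follow the published ABA (Cemtext) fixed-width layout;
# the master-file shape, function names and all sample data are constructed.
def norm(name):
    return " ".join(name.upper().split())[:32]  # title field is 32 chars

def parse_details(text):
    """Yield (line_no, bsb, account, cents, title) for each type-1 record."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line.startswith("1"):
            continue  # type 0 header and type 7 trailer are skipped here
        if len(line) != 120 or not line[20:30].isdigit():
            raise ValueError(f"line {n}: malformed detail record")
        yield n, line[1:8], line[8:17].strip(), int(line[20:30]), norm(line[30:62])

def cross_check(text, master):
    """master maps (bsb, account) -> verified payee name. Returns findings."""
    known_names = {norm(name) for name in master.values()}
    findings = []
    for n, bsb, acct, cents, title in parse_details(text):
        verified = master.get((bsb, acct))
        if verified is None and title in known_names:
            # Known payee, unverified account: the redirection pattern.
            findings.append((n, "ACCOUNT_CHANGED", title, cents))
        elif verified is None:
            findings.append((n, "UNKNOWN_PAYEE", title, cents))
        elif norm(verified) != title:
            findings.append((n, "NAME_MISMATCH", title, cents))
    return findings

def make_detail(bsb, account, cents, title):
    """Build a constructed 120-character type-1 credit record (code 50)."""
    return ("1" + bsb + account.rjust(9) + " " + "50" + f"{cents:010d}"
            + title.ljust(32)[:32] + "SAMPLE-REF".ljust(18) + "000-000"
            + "0".rjust(9) + "SAMPLE PAYER".ljust(16) + "0" * 8)

# Constructed master list and payment file (placeholder BSBs and accounts).
MASTER = {("000-001", "12345678"): "Acme Timber Pty Ltd",
          ("000-002", "987654"): "Northside Plumbing"}
SAMPLE = "\n".join([
    make_detail("000-001", "12345678", 150000, "ACME TIMBER PTY LTD"),
    make_detail("000-003", "55512345", 450000, "Northside Plumbing"),  # edited
    make_detail("000-002", "987654", 20000, "J SMITH"),
])

if __name__ == "__main__":
    for finding in cross_check(SAMPLE, MASTER):
        print(finding)
```

Any finding would hold the batch for review before the file is uploaded to the bank; exact-match name comparison is a simplification and a real check would need tolerant matching of the truncated title field.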

Strengthening your payment integrity

If you are looking to reduce your long-term risk from payment redirection, there are four key actions for finance and operations teams:

  1. Verify at every stage, not just onboarding. Most scams occur during change requests.
  2. Automate wherever possible. Manual processes are prone to error and don’t keep up as transaction volumes grow.
  3. Ensure data integrity. A verified master file is crucial for controlling who receives payment.
  4. Audit everything. Without a documented trail, it is difficult to investigate or respond effectively to incidents.

OK2Pay will help you reduce costly errors and prevent payment fraud by verifying payees in real-time, and elevating your financial accuracy and control. Plus, the software comes with no lock-in contracts. Find out more.

(1) https://www.accc.gov.au/system/files/targeting-scams-report-2024.pdf
