ANZ Warns Consumers of Business Email Compromise and Payment Redirection Scams

The Australia and New Zealand Banking Group Limited (ANZ) has issued a customer alert, warning about business email compromise (BEC) scams and fake invoice fraud, commonly known as payment redirection scams. Cybercriminals are exploiting vulnerabilities in email systems and financial processes to defraud businesses and individuals.

Small and medium-sized businesses are particularly at risk, as their technology infrastructure is often easier to infiltrate than that of larger corporations. Once fraudsters gain access to a business's internal systems, they can alter invoice payment details, instructing unsuspecting victims to make payments to fraudulent accounts.

According to the Australian Federal Government’s Annual Cyber Threat Report, self-reported losses from BEC scams totaled nearly $84 million in the 2023–2024 financial year across Australia, with small businesses accounting for most cybercrime reports.

Ruth Talalla, ANZ Scams Portfolio Lead, said: “Scams remain an ongoing challenge for Australians, with cybercriminals increasingly adopting sophisticated practices such as BEC and fake invoice scams to exploit consumers.

ANZ is urging businesses and individuals to remain vigilant and carefully verify all payment details before transferring funds. Red flags to watch for include unexpected payment requests, updated details on an invoice, or payments to a new account. Customers should confirm details directly with the legitimate company or individual before proceeding.

ANZ’s tips to spot these scams:

• Unexpected contact method or requests: Be cautious if someone you don't usually communicate with via email or social media asks for personal information or payment (e.g., on WhatsApp).
• Modified payment details on an invoice: Verify payment details against previous invoices and confirm any changes directly with the company or person you're paying.
• Dodgy domains: Cybercriminals may use email domains that look similar to the real sender's. Compare the email domain to the company's official domain online.
• Poorly written text or inconsistent message formats: Look for grammar or spelling mistakes and unusual tone. Even well-written messages can be fake.
• Missing or faked email signature: Typically, cybercriminals will lack the legitimate company’s or individual’s email signature. Check for any inconsistencies with the real company's or individual's signature.