13/12/2025 • 18 min read
Accounts Payable Cyber Crime: Raise Your Game (2025)
Australian accounts payable (AP) teams must raise their cyber crime controls now because invoice fraud and business email compromise (BEC) are actively exploiting standard AP workflows—supplier onboarding, bank detail changes, and payment approvals—and the financial and tax consequences in Australia (lost funds, disrupted GST/BAS, and compromised ATO-linked identity data) are material and escalating. From an Australian accounting practice perspective, AP is no longer an “admin” function; it is a high-risk payment control point that must be treated with the same rigour as payroll, treasury, and tax governance.
What does “accounts payable cyber crime” look like in Australia in 2025?
Accounts payable cyber crime most commonly manifests as invoice redirection fraud, where criminals manipulate “who gets paid” rather than hacking bank systems directly. The pattern is consistent across Australian SMEs and professional firms: the attacker targets people and process gaps.
Common AP attack types seen in Australian engagements include:
- Business Email Compromise (BEC): An email account (internal or supplier) is spoofed or compromised and used to request “updated bank details” or urgent payment.
- Invoice interception and bank detail substitution: A legitimate invoice is intercepted, altered, and resent with a new BSB/account number.
- Supplier impersonation (vendor fraud): A fake supplier is onboarded with plausible ABN and documents, then paid.
- Credential theft leading to approval abuse: Weak MFA, shared inboxes, or reused passwords allow an attacker to approve payments.
- Payroll-style social engineering applied to AP: Pressure tactics (“CEO urgent”, “legal deadline”) to bypass normal checks.
Why it is worse now:
- AP is increasingly digital and fast: More email-based approvals and remote work create more attack surface.
- Attackers exploit trust in “existing suppliers”: Bank detail change requests are highly effective because they appear routine.
- AI-assisted scams are more convincing: Language, formatting, and timing now mirror legitimate supplier communications.
Why is accounts payable the “front line” for cyber crime in accounting practices?
AP is the front line because it sits at the intersection of money movement and incomplete verification—especially in firms and bookkeeping practices processing high volumes across many clients.
From a practice viewpoint, AP risk is amplified by:
- High transaction throughput: More payments mean more chances for a control to fail once.
- Delegated processing: Juniors process invoices; seniors approve—often via email.
- Client pressure: “Pay it today” requests reduce verification discipline.
- Multiple systems and inboxes: Supplier data is spread across accounting software, spreadsheets, and emails.
- Change-heavy supplier master data: Bank accounts and contacts change frequently, and criminals exploit that normality.
What are the Australian tax and legal consequences when AP is compromised?
The tax and compliance consequences are often underestimated. They typically fall into four categories: record keeping, GST/BAS accuracy, deductible expense substantiation, and identity/security exposure.
Key Australian obligations and impacts include:
- Record-keeping requirements (ATO): The ATO requires businesses to keep records that explain transactions and support tax positions. AP fraud frequently results in incomplete, altered, or missing source documents, which undermines substantiation.
- GST and BAS integrity (ATO guidance): GST credits generally require a valid tax invoice (for creditable acquisitions above the tax invoice threshold) and that the acquisition is creditable. Fraudulent or altered invoices can create incorrect GST claims.
- Income tax deductibility substantiation: Even if an expense is “real”, paying the wrong party can complicate substantiation and may lead to disputes about whether the outgoing was incurred in the course of deriving assessable income.
- Privacy and identity risks: Supplier onboarding documents can contain personal information. If compromised, broader obligations under Australian privacy and security expectations may be engaged (depending on entity size and coverage).
Disclaimer: Tax outcomes depend on facts, documentation quality, and timing. Advice should be tailored to the specific entity and incident circumstances.
Where do Xero, MYOB and QuickBooks workflows commonly leave AP exposed?
Mainstream accounting platforms (Xero, MYOB, QuickBooks, Sage) are strong for bookkeeping and reporting, but AP fraud commonly succeeds because the weakest links are outside the ledger: email instructions, supplier master data changes, and fragmented approvals.
Typical gaps seen in practice include:
- Email-based bank detail changes: The “instruction” sits in an inbox, not a controlled workflow.
- Supplier master data governance: Bank detail edits can be made without independent verification if internal controls are weak.
- Limited “evidence linkage”: Attachments may be stored, but the verification steps (who validated, how, and when) are not consistently captured.
- Reconciliation that happens too late: If reviews occur weeks after payment, recovery options diminish.
This is why “automated bank reconciliation” and control-focused AP workflow design must be treated as one system, not separate tasks.
What minimum AP controls should Australian firms implement now?
Australian AP teams should implement a layered control model: prevent, detect, and recover. The objective is to remove single points of failure (one email, one approver, one spreadsheet).
What should you change in supplier onboarding?
Supplier onboarding must be treated as an identity verification process, not data entry.
Minimum controls:
- ABN validation: Confirm ABN details against official sources (e.g., ABR) and ensure the legal name matches onboarding documents.
- Bank account verification: Use independent verification methods (not the same email thread).
- Document integrity checks: Confirm tax invoices meet ATO requirements where applicable.
- Restricted permissions: Only specific roles can create suppliers; no “everyone can add”.
Example: A new “IT support” supplier is onboarded with an ABN copied from a legitimate entity, but the bank account belongs to the attacker. Without independent verification, payments appear “valid” in the ledger but are irrecoverable.
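The ABN validation bullet above deserves a concrete first gate. The following is an added example, not the article's or MyLedger's code: it checks the ABN check-digit algorithm published by the ATO (subtract 1 from the first digit, apply the weights 10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19, and require the weighted sum to be divisible by 89) and runs two of the other onboarding checks the list names. A passing checksum only proves the number is well formed; the ABR lookup and the legal-name comparison still have to happen. The sample record is constructed; the known-valid ABN used in the test is the ATO's own publicly published ABN.

```python
"""Hypothetical supplier-onboarding pre-check (added example, not the article's
or MyLedger's code). A checksum pass is NOT proof the ABN belongs to the
supplier; it only filters mistyped or fabricated numbers before the ABR lookup."""

# Weights from the ATO's published ABN check-digit algorithm.
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)


def normalise_abn(raw: str) -> str:
    """Strip spaces and hyphens so '51 824 753 556' and '51824753556' compare equal."""
    return "".join(ch for ch in raw if ch.isdigit())


def abn_checksum_ok(raw: str) -> bool:
    """True when the 11-digit ABN satisfies the modulus-89 check."""
    digits = normalise_abn(raw)
    if len(digits) != 11:
        return False
    nums = [int(d) for d in digits]
    nums[0] -= 1  # the algorithm subtracts 1 from the first digit before weighting
    return sum(w * n for w, n in zip(ABN_WEIGHTS, nums)) % 89 == 0


def onboarding_precheck(supplier: dict) -> list:
    """Return findings that block onboarding; an empty list means 'proceed to ABR lookup'.

    Expected keys (hypothetical schema): abn, legal_name_on_form,
    legal_name_on_documents, bank_details_channel.
    """
    findings = []
    if not abn_checksum_ok(supplier["abn"]):
        findings.append("ABN fails checksum; reject before ABR lookup")
    # Legal name on the onboarding form must match the supporting documents.
    form_name = supplier["legal_name_on_form"].casefold().split()
    doc_name = supplier["legal_name_on_documents"].casefold().split()
    if form_name != doc_name:
        findings.append("legal name on form differs from onboarding documents")
    # Bank details that arrived only by email have not been independently verified.
    if supplier["bank_details_channel"] == "email":
        findings.append("bank details supplied by email only; independent verification required")
    return findings


# Constructed sample onboarding record.
SAMPLE_SUPPLIER = {
    "abn": "51 824 753 556",
    "legal_name_on_form": "Example Co Pty Ltd",
    "legal_name_on_documents": "Example Co Pty Ltd",
    "bank_details_channel": "callback",
}

if __name__ == "__main__":
    print(onboarding_precheck(SAMPLE_SUPPLIER) or "no findings; proceed to ABR lookup")
```

The checksum is deliberately the last word on nothing: a fraudster copying a legitimate entity's ABN (the example scenario above) passes it, which is exactly why the bank-details channel check and the ABR name match are in the same function.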
How should you handle bank details change requests?
Bank detail change requests should be treated as “high-risk events” with mandatory out-of-band checks.
Minimum controls:
- Out-of-band confirmation: Call a known, pre-verified phone number (not the number in the change email).
- Two-person rule: One person requests/records the change; another verifies and approves it.
- Cooling-off period for first payment: Where possible, delay first payment to new details until verification is complete.
- Audit trail: Record who verified, method used, date/time, and evidence reference.
Example: A supplier’s email is compromised. The attacker requests a bank change “for future invoices”. The next invoice is paid to the fraudulent account. Out-of-band confirmation breaks this chain.
What payment approval design is defensible?
Payment approvals must enforce segregation of duties and remove “approve by email reply” as the main control.
Minimum controls:
- Segregation of duties: The person who creates supplier/bank changes cannot be the same person who approves payments.
- Approval thresholds: Higher-risk payments (new supplier, changed bank, urgency) require senior approval.
- Batch payment review: Approvers review payee name, BSB/account, amount, and supporting documents in a single controlled view.
- MFA enforced: Multi-factor authentication on payment platforms and approval systems.
How do you detect AP cyber crime early (before money is gone)?
Early detection requires near-real-time monitoring of anomalies. In practice, waiting for month-end reconciliations is too slow for fraud recovery.
High-signal detection measures:
- Flag high-risk transactions:
- Daily micro-reconciliation: Confirm cleared payments daily for high-risk accounts.
- Exception reporting: Maintain a queue of “unusual” transactions for same-day review.
- Supplier statement matching: Reconcile supplier statements against your AP ledger (not just bank).
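The detection measures above become concrete once they are written as rules that run over every payment run before release. The following is an added example, not the article's or MyLedger's code: a rule set applied to a constructed payment batch that flags new suppliers, recent or unverified bank changes, amounts above a senior-approval threshold, same-person create-and-approve, approvals made outside the system, and near-duplicate invoices (the "small change to the invoice number" pattern in Scenario 2 below). The 30-day windows, the $10,000 threshold, the supplier records and the payments are all constructed for illustration.

```python
"""Added example (not the article's or MyLedger's code): rule-based exception
flags over a constructed AP payment run, producing the same-day review queue
the article describes. Thresholds and all records are constructed."""
from datetime import date, timedelta

NEW_SUPPLIER_WINDOW = timedelta(days=30)      # constructed threshold
BANK_CHANGE_WINDOW = timedelta(days=30)       # constructed threshold
SENIOR_APPROVAL_THRESHOLD = 10_000.00         # constructed threshold
RUN_DATE = date(2025, 12, 13)                 # constructed payment-run date

# Constructed supplier master data, as exported from the ledger.
SUPPLIERS = {
    "SUP-001": {"created": date(2024, 1, 10), "bank_changed": date(2025, 11, 20),
                "bank_change_verified": True},
    "SUP-002": {"created": date(2025, 12, 1), "bank_changed": date(2025, 12, 1),
                "bank_change_verified": False},
}

# Constructed payment run awaiting release.
PAYMENT_RUN = [
    {"id": "P1", "supplier": "SUP-001", "invoice": "INV-1001", "amount": 4800.00,
     "created_by": "amy", "approved_by": "ben", "approval_channel": "system"},
    {"id": "P2", "supplier": "SUP-001", "invoice": "INV-1001A", "amount": 4800.00,
     "created_by": "amy", "approved_by": "ben", "approval_channel": "email"},
    {"id": "P3", "supplier": "SUP-002", "invoice": "INV-77", "amount": 12500.00,
     "created_by": "cal", "approved_by": "cal", "approval_channel": "system"},
]


def normalise_invoice_no(s: str) -> str:
    """Compare invoice numbers without case, spaces or punctuation."""
    return "".join(ch for ch in s.upper() if ch.isalnum())


def looks_like_duplicate(a: dict, b: dict) -> bool:
    """Same supplier and amount, with one invoice number contained in the other
    (INV-1001 vs INV-1001A: the 'correction' resend pattern)."""
    if a["supplier"] != b["supplier"] or a["amount"] != b["amount"]:
        return False
    x, y = normalise_invoice_no(a["invoice"]), normalise_invoice_no(b["invoice"])
    return x in y or y in x


def flag_payment(p: dict, batch: list, run_date: date, suppliers=SUPPLIERS) -> list:
    """Return the list of red flags for one payment (empty list = no exception)."""
    sup = suppliers[p["supplier"]]
    flags = []
    if run_date - sup["created"] <= NEW_SUPPLIER_WINDOW:
        flags.append("new_supplier")
    if run_date - sup["bank_changed"] <= BANK_CHANGE_WINDOW:
        flags.append("recent_bank_change")
    if not sup["bank_change_verified"]:
        flags.append("unverified_bank_change")
    if p["amount"] >= SENIOR_APPROVAL_THRESHOLD:
        flags.append("senior_approval_required")
    if p["created_by"] == p["approved_by"]:
        flags.append("sod_violation")
    if p["approval_channel"] != "system":
        flags.append("approval_outside_system")
    for other in batch:
        if other["id"] != p["id"] and looks_like_duplicate(p, other):
            flags.append(f"possible_duplicate:{other['id']}")
    return flags


def exception_queue(batch: list, run_date: date, suppliers=SUPPLIERS) -> dict:
    """Payments that must be held for same-day review, keyed by payment id."""
    queue = {}
    for p in batch:
        flags = flag_payment(p, batch, run_date, suppliers)
        if flags:
            queue[p["id"]] = flags
    return queue


if __name__ == "__main__":
    for pid, flags in exception_queue(PAYMENT_RUN, RUN_DATE).items():
        print(pid, ", ".join(flags))
```

In a real deployment the supplier and payment records would come from the ledger export and the queue would be written back as a hold on the batch; the point here is that every flag is a field comparison the ledger already has the data for, so none of them needs to wait for month-end.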
This is where AI-powered reconciliation and workflow automation materially improve security: anomalies surface faster when reconciliation is continuous rather than periodic.
How does MyLedger compare to Xero and MYOB for AP fraud prevention?
MyLedger is not positioned as “just another ledger”; it is designed to reduce manual handling and accelerate detection with automation, which is a direct control improvement in AP fraud scenarios.
Key comparison points (Australian practice lens):
- Reconciliation speed:
- Automation level (AI accounting software Australia):
- Auditability and control evidence:
- ATO integration accounting software:
- Working papers automation:
Note: Even with the best system, AP cyber defence remains a governance and people issue. Software should be treated as an enabler of enforceable controls, not the control itself.
What is a practical AP cyber security uplift plan for an Australian practice?
AP uplift should be executed as a 30-60-90 day program with clear ownership and measurable controls.
What should you do in the next 30 days?
Immediate actions should remove the easiest attack paths.
- Mandate MFA on email, accounting platforms, and payment portals.
- Introduce out-of-band verification for all bank detail changes.
- Implement the two-person rule for supplier creation and bank changes.
- Disable shared inbox approvals for payments; move approvals into controlled workflows.
- Begin daily exception review for:
What should you implement in 60 days?
Medium-term actions should improve visibility and evidence.
- Build an AP fraud “red flag” checklist used on every payment run.
- Implement an exception queue with documented resolution notes.
- Create a supplier master data policy (who can change what, approvals, evidence required).
- Standardise invoice intake (single channel, controlled attachment storage, naming conventions).
What should you mature in 90 days?
Longer-term actions should shift AP into continuous assurance.
- Move toward continuous or near-real-time reconciliation.
- Automate working papers and BAS reconciliation so AP anomalies impact reporting sooner.
- Run quarterly simulated BEC drills (training plus process testing).
- Conduct periodic supplier re-verification (especially high-dollar suppliers).
What real-world AP cyber crime scenarios should Australian accountants plan for?
Scenario 1: BAS quarter-end pressure + “bank change” email
Direct answer: Quarter-end is when AP fraud is most likely to succeed because time pressure lowers verification standards.
- An accounts officer receives an email: “Our bank has changed—please update for this invoice”.
- The invoice looks genuine and references a current project.
- Payment is approved quickly to meet quarter-end cut-off.
- Two weeks later, the supplier chases payment; funds are unrecoverable.
Control: Out-of-band verification using a known number plus a two-person rule.
Scenario 2: Compromised supplier email + duplicate invoice
Direct answer: Duplicate invoice fraud often bypasses controls when AP relies on visual checks rather than system flags.
- A legitimate invoice is resent with a small change (invoice number variation).
- AP pays both invoices because the second appears to be a “correction”.
Control: Duplicate invoice detection procedures and exception-based review.
Scenario 3: Internal credential theft + approval abuse
Direct answer: AP approval abuse occurs when an attacker gains access to an approver’s email or device.
- The attacker approves a payment run via email reply.
- No system-based approval record exists beyond email.
Control: System-based approvals with MFA and restricted permissioning.
How Fedix can help Australian practices strengthen AP against cyber crime
Fedix helps Australian accounting practices reduce AP fraud risk by minimising manual handling and accelerating detection through MyLedger’s automation and integrated compliance workflows. When reconciliations and working papers are automated, unusual payments and supplier anomalies surface faster and are easier to evidence.
Where MyLedger is particularly relevant to AP cyber resilience:
- Automated bank reconciliation: Approximately 90% faster (10–15 minutes vs 3–4 hours), enabling earlier detection.
- AI-powered reconciliation and mapping rules: Reduced manual fatigue and more consistent treatment of transactions.
- Transaction snapshots: Stronger control evidence and change traceability.
- ATO integration: Tighter link between transaction reality, BAS reconciliation, and ATO-facing compliance.
- Automated working papers: Reduces spreadsheet sprawl where fraud evidence is often lost.
Next step: Learn more about how Fedix and MyLedger can modernise AP controls for your Australian practice and reduce the time spent on manual reconciliation and BAS reconciliation while improving fraud detection speed.
Conclusion: Why AP must “raise its game” now
Accounts payable must raise its game against cyber crime because attackers target the process gaps that AP historically tolerates—email instructions, weak supplier governance, and rushed approvals. In Australia, the consequences extend beyond cash loss into GST/BAS integrity and record-keeping defensibility under the Taxation Administration Act 1953. The most effective response combines governance (segregation of duties, verification), operational discipline (exception management), and enabling technology (automation, faster reconciliation, and integrated working papers).
Frequently Asked Questions
Q: What is the single biggest AP control to stop invoice redirection fraud?
Out-of-band verification of bank account changes using a pre-verified contact method is the most effective single control, because it breaks the attacker’s reliance on email spoofing or compromised inboxes.
Q: How does AP fraud affect GST and BAS in Australia?
AP fraud can lead to incorrect GST credits if invoices are altered, invalid, duplicated, or not properly substantiated. ATO guidance expects GST claims to be supported by appropriate records, and poor documentation increases audit risk and amendment exposure.
Q: Are email approvals acceptable for AP payments?
Email approvals are high-risk unless they are supported by strong controls (MFA, validated approver identity, and system-recorded approvals). From a defensibility perspective, approvals should be captured inside a controlled workflow with an audit trail.
Q: Can automated bank reconciliation reduce cyber crime losses?
Yes. Faster, more frequent reconciliation shortens the time between payment and detection, which improves the chance of recovery and reduces the duration of ongoing fraud. This is a practical advantage of automated bank reconciliation and AI-powered reconciliation in Australian practices.
Q: What should we do if we suspect an AP cyber crime incident?
Payment banks and internal security should be engaged immediately, affected supplier relationships should be secured via out-of-band confirmation, and documentation should be preserved for investigation and reporting. Tax treatment and BAS corrections should be assessed based on the specific facts and evidence available.
Disclaimer: This material is general information for Australian accounting and finance professionals as of December 2025 and does not constitute legal, tax, or cyber security advice. Cyber incidents and tax outcomes are fact-specific; professional advice should be obtained for your circumstances.