
Fake Bank Details Fraud: Spotting Payment Redirection Scams

How Australian finance teams detect AI-generated fake bank details before paying invoices, using Scamwatch red flags and AUSTRAC/AML-CTF compliance context.

CheckFile Team

Fraudsters do not need to breach a bank's systems to steal a supplier payment. They only need one convincing document. In Australia this scam has an official name, payment redirection scam (also called business email compromise, or BEC), and is tracked closely by Scamwatch, the reporting service run by the National Anti-Scam Centre inside the ACCC. A criminal tricks a finance team into updating the bank details held for a genuine payee, so the next payment lands in an account they control. Generative AI has made the fake documents behind this scam markedly harder to spot: a fabricated letterhead, a cloned signature, and a plausible BSB now take minutes to produce, not days.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.

What Payment Redirection Scams Are and Why They Target Accounts Payable

A payment redirection scam is a form of business email compromise in which a criminal persuades a business to change the bank account details held for a genuine payee (a supplier, contractor, landlord, or employee) so future payments divert to an account the criminal controls. Scamwatch describes the mechanics plainly: scammers compromise or spoof a business email account, then alter an invoice or payment request so the bank details point to their own account.

Australian businesses lost $152.6 million to payment redirection scams in 2024, according to the National Anti-Scam Centre's Targeting Scams Report 2024. That sits inside a wider pattern: combined losses reported to Scamwatch, ReportCyber, the Australian Financial Crimes Exchange, IDCARE and ASIC totalled $2.03 billion for the year, a 25.9% fall from 2023. The same report names the industries most often impersonated: real estate agents, solicitors and conveyancers, construction firms, motor vehicle dealers, funeral providers, aged care and schools, sectors where large one-off payments and unfamiliar counterparties are routine. Accounts payable is targeted because it processes legitimate change-of-details requests every week, giving a fraudulent one cover to hide in.

How Fraudsters Build a Convincing Fake Bank Details Document

Most payment redirection scams begin with reconnaissance, not forgery. A criminal identifies a real supplier relationship (often from a hacked mailbox, a leaked invoice, or public tender information) before producing a document engineered to pass a quick check.

Business email compromise as the delivery channel

The fraudulent bank details rarely arrive out of nowhere. They are usually attached to, or embedded in, an email that appears to come from a trusted contact, either because the criminal has compromised the supplier's real mailbox or registered a near-identical look-alike domain. The Australian Signals Directorate's Annual Cyber Threat Report 2024-25 found that one in three cybercrime incidents affecting Australian businesses begins with a compromised email account, with reported BEC losses for small and medium businesses averaging more than $97,000 per incident. One Scamwatch case study describes a business that lost $190,000 when its supplier's email account was hacked, with a fabricated remittance advice inserted into an otherwise genuine invoice chain.
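
One way to screen the sender of a change request for the look-alike domains described above, as an added example that is not CheckFile's code. The domains are constructed, and the substitution table and the distance threshold of 2 are assumptions chosen for illustration.

```python
from typing import Optional

# Assumption: a small table of visually confusable characters; extend as needed.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain: str) -> str:
    """Fold common visual substitutions so near-identical spellings compare equal."""
    folded = domain.lower().translate(CONFUSABLE)
    return folded.replace("rn", "m").replace("vv", "w").replace("-", "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance that also counts an adjacent swap as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(sender: str, known_domains: set) -> tuple:
    """Return (verdict, matched_domain) for the sender's domain.

    "known" only means the domain is the supplier's real one; a compromised
    mailbox also sends from it, so a bank detail change still needs a callback.
    """
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in known_domains:
        return ("known", domain)
    for good in sorted(known_domains):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 2:
            return ("lookalike", good)
    matched: Optional[str] = None
    return ("unknown", matched)

# Constructed supplier domain for the demonstration.
KNOWN = {"acme-supplies.com.au"}
```
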

AI-generated letters, remittance forms and cloned signatures

Generative tools let a fraudster take a genuine letterhead or invoice as a reference and reproduce it with substituted bank details in seconds, matching fonts, logos, and formatting almost exactly. Inpainting tools can also alter just the BSB and account number on a scanned original, leaving the rest untouched, which is the hardest variant to catch by eye. Industry analysis estimates that by mid-2024 around 40% of BEC phishing emails carried AI-generated text (Eftsure). Voice cloning is an emerging companion technique, using short samples of an executive's public speech to fabricate a call authorising a bank detail change.

Red Flags That Reveal a Fake Bank Details Document

A fake bank details document rarely fails on a single obvious point. It fails several quieter checks at once, which is why a structured review catches what a glance misses.

| Signal | What to check | Why it matters |
| --- | --- | --- |
| Unsolicited change request | Requested by the supplier, or only confirmed after you called first? | Fraudsters initiate; genuine suppliers rarely chase a bank detail change |
| BSB / bank mismatch | Does the BSB match the institution named on the letter? | AI-generated documents often pair a real-looking account number with the wrong institution |
| Document metadata | Does creation software match how this supplier normally sends documents? | Generic editors or stripped metadata are inconsistent with routine correspondence |
| Contact channel | Confirmed using contact details supplied in the same message? | A closed loop controlled by the fraudster defeats callback checks |
| Urgency and pressure | Deadline, penalty, or threat to disrupt future deliveries? | Urgency is designed to bypass dual-authorisation workflows |
| Formatting drift | Fonts, logo resolution, or layout differ from recent communications? | AI-cloned templates are close but rarely pixel-identical over time |

Scamwatch's guidance is consistent across every alert it publishes: verify a bank detail change through contact details sourced independently, never those supplied in the request itself (Scamwatch). No document-level check replaces that step; it narrows down which requests need it most urgently.

Does the BSB or account number actually belong to the named bank

A BSB and account number can be structurally valid and still belong to the wrong institution or account holder. From July 2025, Australia's major banks began progressively switching on Confirmation of Payee, an NPP service that checks a payment's BSB and account number against the name held by the receiving bank and returns a match, close-match, or no-match result before the payment is sent. Australian Payments Plus targeted near-universal coverage (over 95% of personal accounts) by the end of 2025, and reported over 100 million checks within months of launch (Australian Banking Association). It is a strong control for real-time transfers, but it does not validate a scanned bank detail letter sitting in an inbox before a batch payment run; that gap is where document-level checks still matter. Our companion guide on validating bank account numbers and BSB details covers the underlying checks in more depth.

Is the document metadata consistent with the claimed sender

Genuine business documents carry metadata trails (the software used to create them, timestamps, and revision history) that are difficult to fake convincingly at scale. A "change of bank details" letter claiming to come from a supplier's finance department but generated in a generic editor, with metadata stripped entirely, is a stronger signal than the visual quality of the letter itself.
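
The metadata comparison described above, sketched as an added example that is not CheckFile's pipeline. It assumes an uncompressed PDF Info dictionary with literal-string values (a production check would use a PDF library and also read XMP metadata); the sample documents and product names are constructed.

```python
import re

# Matches literal-string Info entries such as /Producer (Some Tool 1.0).
INFO_ENTRY = re.compile(
    rb"/(Producer|Creator|CreationDate|ModDate)\s*\(((?:\\.|[^\\()])*)\)")

# Constructed samples, trimmed to the Info dictionary; tool names are invented.
GENUINE = (b"%PDF-1.7\n1 0 obj\n<< /Producer (ExampleERP PDF Export 12.4) "
           b"/Creator (ExampleERP) /CreationDate (D:20250302091500) "
           b"/ModDate (D:20250302091500) >>\nendobj\n")
EDITED = (b"%PDF-1.7\n1 0 obj\n<< /Producer (Generic PDF Editor 3.1) "
          b"/Creator (ExampleERP) /CreationDate (D:20250302091500) "
          b"/ModDate (D:20250611143000) >>\nendobj\n")
STRIPPED = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

# Hypothetical baseline: tools seen on this supplier's earlier genuine documents.
USUAL_TOOLS = {"ExampleERP PDF Export 12.4", "ExampleERP"}

def extract_info(pdf: bytes) -> dict:
    """Return the Info entries found in the raw bytes as a name -> value dict."""
    return {k.decode(): v.decode("latin-1") for k, v in INFO_ENTRY.findall(pdf)}

def metadata_findings(pdf: bytes, usual_tools: set) -> list:
    """List the reasons this document's metadata differs from the supplier's norm."""
    info = extract_info(pdf)
    findings = []
    tools = {info[k] for k in ("Producer", "Creator") if info.get(k)}
    if not tools:
        findings.append("metadata stripped: no Producer or Creator")
    for tool in sorted(tools - usual_tools):
        findings.append(f"unfamiliar creation software: {tool}")
    created, modified = info.get("CreationDate"), info.get("ModDate")
    if created and modified and created != modified:
        findings.append("document modified after creation")
    return findings
```

A non-empty result is a reason to prioritise the callback for that request, not a verdict on the document.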


Why Standard Accounts Payable Controls Miss This Fraud

Segregation of duties, three-way matching, and approval thresholds catch quantity and pricing errors, not a plausible change to payee bank details buried in a routine email. Manual fraud detection catches roughly 37% of cases, with an average detection delay of 87 days, according to the ACFE 2024 Report to the Nations. By the time a delayed review surfaces a redirected payment, the funds are usually gone, and recovery after the fact is the exception rather than the rule.

A Verification Protocol Before You Change Any Bank Detail

A short, enforced sequence closes most of the gap that AI-generated documents exploit.

Step 1 – Freeze the change. Do not update the supplier master file or process any payment against new bank details until the request has passed independent verification, regardless of the stated urgency.

Step 2 – Call back on a known number. Contact the supplier on a phone number already held on file, never a number provided in the change request itself. Scamwatch repeats this control in nearly every business alert it publishes, because it defeats a fraudster who does not control the callback channel.

Step 3 – Validate the bank details independently. Run the account through Confirmation of Payee where the receiving bank supports it, and cross-check the BSB against the AusPayNet directory rather than relying on the name printed on the document.

Step 4 – Require dual sign-off and log the decision. A second, independent approver should confirm the change before it goes live, with the verification steps recorded. This creates the audit trail regulators expect if the fraud is disputed, and supports any Suspicious Matter Report your organisation may need to lodge with AUSTRAC under the AML/CTF Act 2006.
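
The four steps above expressed as a gate in front of the supplier master file, as an added example that is not CheckFile's code. The record layout, the directory rows standing in for an AusPayNet extract, the phone numbers, and the choice to treat a close match as blocking are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed rows standing in for an extract of the AusPayNet BSB directory.
BSB_DIRECTORY = {"999-001": "Example Bank A", "999-002": "Example Credit Union B"}

@dataclass
class ChangeRequest:                        # hypothetical record layout
    supplier_id: str
    bsb: str
    named_bank: str                         # institution printed on the letter
    numbers_in_request: frozenset           # phone numbers quoted in the request
    entered_by: str
    callback_number: Optional[str] = None   # number actually dialled
    callback_confirmed: bool = False
    cop_result: Optional[str] = None        # "match", "close_match", "no_match"; None if unsupported
    approved_by: Optional[str] = None

def blockers(req: ChangeRequest, phone_on_file: dict) -> list:
    """Return every reason the change must stay frozen (Steps 2 to 4)."""
    out = []
    if not req.callback_confirmed:
        out.append("callback not completed")
    elif req.callback_number != phone_on_file.get(req.supplier_id):
        taken = req.callback_number in req.numbers_in_request
        out.append("callback number " + ("taken from the request" if taken else "not on file"))
    digits = re.sub(r"\D", "", req.bsb)
    institution = BSB_DIRECTORY.get(f"{digits[:3]}-{digits[3:]}") if len(digits) == 6 else None
    if institution is None:
        out.append("BSB not found in directory")
    elif institution.casefold() != req.named_bank.casefold():
        out.append(f"BSB belongs to {institution}, letter names {req.named_bank}")
    if req.cop_result in ("close_match", "no_match"):   # assumption: close match also blocks
        out.append(f"Confirmation of Payee: {req.cop_result}")
    if not req.approved_by or req.approved_by == req.entered_by:
        out.append("no independent second approver")
    return out

def decide(req: ChangeRequest, phone_on_file: dict, audit_log: list) -> str:
    """Step 1: the change applies only when nothing blocks; every decision is logged."""
    found = blockers(req, phone_on_file)
    decision = "frozen" if found else "apply"
    audit_log.append({"supplier": req.supplier_id, "decision": decision, "blockers": found,
                      "entered_by": req.entered_by, "approved_by": req.approved_by})
    return decision
```
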

Will Your Bank Refund a Fraudulent Payment

Reimbursement for payment redirection scams in Australia is not automatic in the way many businesses assume. The Scams Prevention Framework (SPF), which received Royal Assent in February 2025, imposes mandatory obligations on banks, telcos, and digital platforms to prevent, detect, and disrupt scams, with ASIC enforcing the banking sector code. Treasury's 2026 draft rules propose an automatic reimbursement threshold of $3,000 for verified losses where a regulated entity failed to meet its obligations, alongside civil penalties of up to $50 million per contravention. That threshold is modest next to the average business email compromise loss of roughly $97,000 reported by the ACSC, so a mid-sized business still cannot assume a statutory refund and should treat recovery through its bank, insurer, or AFCA as a separate, uncertain process. From March 2026, AFCA expanded its jurisdiction to consider scam complaints involving the receiving bank as well as the sending bank.

Businesses that are AUSTRAC reporting entities carry separate obligations: a suspicion that a designated service is connected to fraud or money laundering must be reported to AUSTRAC as a Suspicious Matter Report, generally within three business days.

How CheckFile Complements Manual and Procedural Controls

Callback verification and dual sign-off remain essential, but both depend on staff catching a well-made forgery in the first place. Our approach applies multi-layer analysis (structural checks, metadata forensics, and cross-document consistency validation) to the bank detail documents finance teams receive, alongside AI-generated content detection deployed as a complementary layer to existing structural controls. This does not replace callback verification or Confirmation of Payee; it gives the reviewer a structured signal before either step happens. The CheckFile banking KYC solution applies this pipeline to onboarding and payment documents, and the CheckFile security infrastructure provides the audit logging regulators expect. Teams evaluating deployment can review the pricing page or the platform directly.

For a broader view of how document verification obligations vary across sectors, see our industry verification guide. Finance teams focused specifically on invoice-borne fraud may find our guide to detecting AI-generated fake invoices useful alongside this article. To place fake bank details detection within a dedicated approach, see AI-generated and forged document detection, where CheckFile analyses your files and surfaces signs of AI-generated content as a complement to your existing controls.

Frequently Asked Questions

What is the difference between a payment redirection scam and invoice fraud?

A payment redirection scam specifically targets the bank details held for a recurring payee, tricking a business into updating a supplier record so future payments divert to a criminal's account. Invoice fraud is broader, covering any fabricated or altered invoice, whether or not bank details change. In practice the two overlap: a fraudulent "change of bank details" letter is often disguised as an invoice.

Can AI-generated bank detail documents be detected by eye?

Reliable detection by visual inspection alone is increasingly difficult, because current tools reproduce fonts, logos, and layout with high fidelity. Document metadata, BSB cross-checks, Confirmation of Payee results, and callback verification through a known contact number remain more reliable than appearance-based review.

Who should we notify if we suspect a payment redirection scam?

Report the incident to Scamwatch and to ReportCyber if a compromised email account is involved, since both feed the National Anti-Scam Centre's intelligence-sharing with banks. Contact your bank immediately on a verified number to request a payment recall, notify the genuine supplier separately, and lodge a Suspicious Matter Report with AUSTRAC if your business is a reporting entity under the AML/CTF Act 2006.

How quickly should a bank detail change request be verified?

Verification should happen before any payment is processed against the new details, regardless of the stated deadline. A callback to a known number, a Confirmation of Payee check, and an independent BSB lookup typically take under fifteen minutes, far less time than resolving a redirected payment after the funds have left the account.
