Australia's scam problem is getting more expensive for organisations. The National Anti-Scam Centre's latest annual Targeting Scams report reveals that Australians lost a combined $2.18 billion to scams last year, up 7.8% from 2024. While some high-profile scam categories declined, one stood out as a growing threat to organisations of every size: payment redirection fraud, also known as business email compromise (BEC).
Payment redirection scams cost Australians $166.8 million in 2025, a 9.3% increase from $152.6 million the year prior. It's one of the few categories in the top five to record a year-on-year increase, a trajectory that’s concerning for any business leader responsible for safeguarding their organisation’s financial assets.
How payment redirection scams work
Payment redirection scams typically involve a criminal intercepting or impersonating legitimate business communications, most often email, to redirect invoice payments or supplier transfers to fraudulent accounts. They're sometimes called business email compromise scams because they frequently exploit compromised or convincingly spoofed email accounts to deceive finance teams into updating payment details.
The report confirms that for small businesses, false billing scams (the Scamwatch category that captures BEC-style attacks) were the most frequently reported scam type both with and without financial loss. Scamwatch recorded $2.0 million in false billing losses from small businesses alone, though the true figure is almost certainly higher given that small businesses have access to multiple reporting channels and may not be capturing all incidents through a single platform.
Phishing is feeding the pipeline
Phishing losses grew 15.5% to $97.6 million in 2025, which matters for businesses because phishing is the most common entry point for BEC attacks. A fraudulent email that harvests login credentials or tricks a staff member into updating payment details is often the first step in a payment redirection incident.
The report recorded 65,361 phishing reports to Scamwatch alone, making it the single most reported scam category, even if the financial loss per incident appears low. Unfortunately, the downstream cost — once credentials are used to execute a payment redirect — is anything but minor.
Online shifts are changing the risk profile
One of the most significant structural shifts in the 2025 data is the migration of scam activity from phone-based contact to online channels.
Losses via online contact methods reached $158.5 million, up 21.8% from the prior year, while phone call losses dropped 32%. Put another way, the threat is now firmly embedded in the everyday digital tools that staff use: email, social media, messaging platforms, and supplier portals. Phone-based fraud controls may still be necessary but are unlikely to be sufficient.
Regulatory pressure is building
The passing of the Scams Prevention Framework Act in February 2025 marks a significant shift in how Australia will regulate scam prevention. The banking, telecommunications, and digital platform sectors are expected to be formally designated under the framework shortly, bringing binding obligations around prevention, detection, reporting, and dispute resolution. The ACCC, ACMA, and ASIC will each play enforcement roles, and the ACMA has already shown it's willing to act, issuing more than $4 million in penalties to telcos during 2025 for anti-scam rule breaches.
For businesses in designated sectors, preparation is no longer optional. For those outside designated sectors, the framework sets a clear signal about the direction of regulatory expectations across the broader economy.
What finance and risk teams should do now
The banking sector's rollout of Confirmation of Payee offers a useful layer of protection for individuals making personal transfers, though as a fraud control mechanism for businesses it's worth understanding both its strengths and its limitations. We’ve taken a look at how the mechanism has (and hasn’t) impacted scam losses in the UK.
Beyond that, the 2025 data sends a clear message: payment fraud isn't dwindling or plateauing, it's evolving. It's moving online, it's growing in value, and the regulatory environment is hardening around it. Businesses that treat scam risk as a consumer protection issue rather than an organisational one are underestimating the threat sitting in their own inboxes.