The end of financial year (EOFY) is one of the busiest periods on the finance calendar.
Invoices need to be paid before 30 June. Tax and super obligations are due, auditors are requesting documents, reconciliations need to be completed. Teams are working against tight deadlines while trying to keep day-to-day operations moving.
For finance teams, it's business as usual. For scammers, it's an opportunity.
According to Shameela Gonzalez, Executive Director Global Financial Services and Insurance Lead at CyberCX, periods of intense business activity create the conditions criminals look for: high transaction volumes, tight deadlines, and people under pressure.
"Any time where there's a really significant period where you're expecting a high volume for your business, just be on high alert that a criminal is going to know that and they're going to be planning ahead for that as well. Think about your defences probably needing to be even heightened to protect you around that time."
Shameela Gonzalez, Executive Director Global Financial Services and Insurance Lead at CyberCX
Gonzalez was speaking on Eftsure's On the Defense podcast about peak business periods more broadly, including Black Friday, Christmas, and Easter. But the principle applies just as easily to EOFY.
When transaction volumes rise and attention is stretched, criminals know mistakes become more likely.
As Gonzalez put it:
"Around the clock business for criminals. They are always operating. They don't take holidays."
Shameela Gonzalez, CyberCX
Why EOFY creates the perfect conditions for scams
The scams themselves are rarely new.
What changes during EOFY is the context.
A request that might seem unusual in February can appear perfectly reasonable in late June. An urgent supplier payment, a request to update banking details, a document request from an auditor, or an approval from a senior executive can all blend into the noise of legitimate year-end activity.
Criminals understand this.
"This is a great time for you to be incredibly busy, potentially incredibly distracted. And, again, back to that human behaviour element, your guard's probably going to be low."
Shameela Gonzalez, CyberCX
That's why EOFY should not be viewed as a temporary spike in risk. It's better understood as a period where existing fraud tactics become harder to spot.
The scam patterns finance teams are most likely to see
The core threats facing accounts payable teams remain largely unchanged, attacks like business email compromise or executive impersonation.
What changes is the story wrapped around them.
An invoice redirection attempt suddenly becomes urgent because payment needs to be processed before EOFY. A phishing email appears to come from the ATO, payroll team, or external auditor requesting confirmation of records. A deepfake voice message arrives as part of a last-minute approval request from a senior executive.
The tactics are familiar, but the timing makes them more convincing.
In a previous Eftsure interview about holiday-season scams, Gonzalez highlighted business email compromise, phishing, and executive impersonation as persistent threats for finance teams. EOFY simply gives those tactics a new pretext.
These tactics often begin weeks or months before any payment request arrives. A supplier's email account is compromised, but communication continues as normal. Then, when the right invoice arrives, bank details are changed and the payment is redirected.
The fraud succeeds because the request appears to come from a trusted source.
Gonzalez shared a real-world example on the podcast involving a property settlement in which criminals intercepted email communications between a conveyancer and their clients. The attackers copied the tone, formatting, and previous instructions, changing only the account details for the final transfer. The victims lost close to half a million dollars.
The same tactic can be applied to any high-value supplier payment.
The real target is human behaviour
Technology plays a role in most scams, but technology is rarely the primary target. People are.
"The reason why scams are such a difficult and such a strenuous attack type is because it's so intrinsically about manipulating you. And ultimately, the perpetrator is convincing you to take that action. You're the one making the transaction. You're the one sending that information."
Shameela Gonzalez, CyberCX
EOFY amplifies the exact conditions scammers rely on: factors like urgency and high volumes of transactions.
When teams are moving quickly, they're more likely to trust familiar names, email threads, and requests. That's why strong controls matter most when pressure is highest.
What finance teams should watch for before 30 June
Many of the warning signs remain the same throughout the year. Pay particular attention to:
- Unusual payment requests that emphasise urgency or deadlines
- Small changes in sender addresses, signatures, or communication style
- Requests that appear to come from trusted contacts but feel slightly out of character
- New payment instructions received solely via email
For EOFY specifically, finance teams should also be alert to:
- Auditor or ATO impersonation requesting documents, account confirmations, or uploads
- Last-minute supplier onboarding requests tied to year-end payment deadlines
- Changes to supplier banking details received in the final weeks of June
- Approval requests from senior executives outside normal working hours or during planned leave
EOFY is the right time to pressure-test your controls
One of Gonzalez's most consistent messages is that scam attempts aren't seasonal.
"Businesses should operate under the assumption that scam attempts are constant. When AP teams maintain this mindset, they can detect and mitigate threats more effectively."
Shameela Gonzalez, CyberCX
She also cautioned against assuming any organisation is too small, too sophisticated, or too prepared to become a target.
"Never assume your business won't be targeted. Fraudsters don't take holidays. The key is building processes that reduce reliance on human judgement alone."
Shameela Gonzalez, CyberCX
That means reviewing the controls already in place:
- Multi-factor authentication
- Role-based system access
- Supplier verification processes
- Payment verification protocols
- Dual approvals for high-value transactions
- Ongoing employee education
- Transaction monitoring and anomaly detection
- Regular reviews of supplier records
EOFY is an ideal time to test whether those controls will hold up under pressure. When urgency, volume, and fatigue peak at the same time, even experienced finance teams can miss the warning signs.
The organisations that navigate EOFY most effectively are usually the ones that assume those conditions will exist and plan for them accordingly.
Hear more from Shameela at On the Defense Summit
Shameela Gonzalez will be speaking at On the Defense, Eftsure's flagship summit in Sydney on 19 November.
The event brings together finance, risk, and security leaders to explore how organisations are strengthening trust, resilience, and confidence across the payment lifecycle.
Tickets are limited. Secure your space today.
