When instinct isn't enough: what CommBank's scam research means for payment fraud prevention

Forty-two per cent of employees who lost money to a workplace scam felt suspicious during the incident. They sensed something was off. The payment went out anyway.

That detection-to-action gap is the most useful finding in new behavioural research from CommBank, and it explains why even well-trained teams keep losing money to business email compromise (BEC).

The detection gap most teams miss

CommBank's Behavioural Science Centre of Excellence surveyed 1,126 Australian employees, managers, and business owners in January 2026, testing how people respond to realistic workplace emails under different conditions. The headline finding is being widely reported: 76% of employees spotted scams targeting their workplace, compared with 53% of those in management roles.

The more useful number is the 42% who felt the twinge of suspicion in real time and acted anyway. Suspicion isn't prevention. It's a signal that needs somewhere to go, and most organisations haven't designed a clear place to put it.

Eftsure's own 2026 AU payment security survey of 1,015 Australians puts a sharper number on this. Only 25% say they'd feel comfortable questioning a suspicious payment request from a senior executive.

The instinct to pause exists. The (perceived) permission to act on it often doesn't. That means the 42% gap isn't really a training problem; it's a question of ensuring employees feel confident enough to interrupt a workflow.

BEC scams thrive on routine

Seventy-three per cent of scams targeting businesses arrive via email, and most take the familiar shape of payment redirection: a request to change vendor bank details, approve an unexpected transfer, or release a payment urgently.

William Mailer, Chief Behavioural Scientist at CBA, puts it plainly: "Business email compromise scams are designed to feel routine and familiar; they mirror how we normally work and communicate, often using familiar corporate language. By targeting everyday tasks we perform on auto-pilot, scammers exploit moments when we are less likely to stop, check and reject."

The attack surface for payment fraud isn't the inbox itself; it's the moment between receiving an instruction and acting on it. When that moment is compressed by busy periods, by a request appearing to come from a senior colleague, or by a familiar-looking vendor email, instinct might be overridden.

Workplace stress is a fraud risk factor

The research reveals something else that's not always part of scam awareness conversations: workplace pressure measurably increases exposure. High stress was present in 59% of organisations where scams succeeded, compared with 38% of those where scams were unsuccessful.

That's a 21-point gap sitting inside a single behavioural variable. Period-end, audit cycles, leadership transitions, growth phases, and end-of-quarter pushes are all moments when the chance of a missed verification step goes up. Note: this is a big reason why EOFY (end of financial year) is a favourite time for scammers to act.

Eftsure's research surfaces the underlying mechanism. Thirty-two per cent of Australian employees say they feel pressured to process payments quickly. When speed becomes the implicit performance metric, verification gets quietly recategorised as friction, and the step gets skipped.

Detection isn't the same as prevention

In 61% of successful workplace scams, the failure point was a subtle abnormality nobody caught: a slightly altered email domain, an unexpected change to payment details, or an unusual escalation in tone. The data also shows that 55% of employees and 44% of managers believe IT and cybersecurity teams are most responsible for preventing workplace scams.

We talk about this misconception a lot, because it’s one of the primary drivers of the exact vulnerabilities that fraudsters are happy to exploit. IT controls help, but payment fraud almost always lands inside finance workflows. The decision to release funds sits with the people processing the invoice, not with the people running the email filter, which puts financially-motivated cybercrime squarely in the CFO’s jurisdiction.

There's a leadership dimension here too. Eftsure's research found that 91% of Australians don't believe senior business leaders adequately understand how modern payment fraud occurs. That's less an accusation than a description of a knowledge transfer gap: when leaders haven't kept pace with how the threat has evolved, they're not equipped to design the controls environment that compensates for it.

For more on why CFOs are best-positioned to lead anti-cybercrime strategies (and how to do it), see our Anti-Cybercrime Strategy Guide.

What good looks like in practice

The research points to two protective factors that consistently separated organisations that caught scams from those that didn't: human awareness of red flags, cited by 68% of those who avoided scams, and practical scam training, cited by almost half (47%). Both help, but neither closes the gap on its own.

What does close the gap is making verification a routine step rather than an exception.

This is also where the "training is enough" assumption keeps falling short. Eftsure's survey found that 55% of Australian employees were never introduced to any fraud prevention tools at work, and only 22% said tools had been introduced clearly with practical examples. Awareness without operational infrastructure leaves verification optional, which is exactly how the 42% detection-to-action gap survives the training program.

A few practices that consistently reduce exposure to payment redirection scams:

  • Verify vendor bank detail changes through an independently sourced phone number, not the contact details on the email or invoice.
  • Require multi-person approval on payments above a defined threshold, and on every bank detail change, with no exceptions during busy periods.
  • Build a pause-and-check ritual into the payment workflow so the act of stopping isn't treated as friction but as part of the job.
  • Implement tools and workflows that standardise processes and payment verification, enforcing multi-layered controls even when human employees don't pick up on red flags. Remember: fraudsters specialise in circumventing your internal processes, so never depend on a single layer of verification.
  • Arm employees with the power to scrutinise urgent requests, especially from senior executives. Start with templated responses that help them know how to word a polite, clear push-back.
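The practices above, together with the "slightly altered email domain" failure point described earlier, expressed as an automated payment-release gate. This is an added example, not Eftsure's or CommBank's own tooling: it assumes a vendor directory whose domain, phone number and account details come from the original onboarding file rather than from any email, a hypothetical AUD 10,000 dual-approval threshold, and constructed sample requests. The busy-period flag is carried on each request and deliberately ignored, so period-end pressure cannot waive a check.

```python
"""Payment-release gate: added example code, not Eftsure's or CommBank's own.

Controls implemented:
  * sender domain must match the vendor record; lookalikes are named explicitly
  * changed bank details are accepted only after a call to the number on file
  * amounts at/above a threshold, and every bank-detail change, need two approvers
  * a busy-period flag is present on the request and never relaxes any check
All vendor data, thresholds and requests below are constructed sample values.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed vendor directory. Phone and account come from onboarding records,
# NOT from the contact details on an incoming email or invoice.
VENDOR_DIRECTORY = {
    "V-100": {"name": "Acme Supplies", "domain": "acmesupplies.example",
              "verified_phone": "+61-2-0000-0001", "bsb_account": "062000-12345678"},
}
DUAL_APPROVAL_THRESHOLD = 10_000.00  # assumed policy threshold, in AUD


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    sender_email: str
    bsb_account: str                     # account the request asks us to pay
    approvers: list = field(default_factory=list)
    callback_number: Optional[str] = None  # number actually dialled to confirm a change
    busy_period: bool = False            # period-end / EOFY flag; must never relax checks


def _fold(domain: str) -> str:
    """Normalise common visual substitutions so 'acrnesupplies' folds to 'acmesupplies'."""
    d = domain.lower()
    for pair, repl in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(pair, repl)
    return d


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(sender_domain: str, expected_domain: str) -> bool:
    """True when the sender domain is not the vendor's but is visually close to it."""
    if sender_domain.lower() == expected_domain.lower():
        return False
    s, e = _fold(sender_domain), _fold(expected_domain)
    return s == e or _edit_distance(s, e) <= 2


def evaluate(req: PaymentRequest) -> list[str]:
    """Return the reasons the payment must NOT be released; an empty list means
    every control passed. req.busy_period is intentionally never consulted."""
    vendor = VENDOR_DIRECTORY.get(req.vendor_id)
    if vendor is None:
        return ["unknown vendor id"]
    blockers: list[str] = []

    sender_domain = req.sender_email.rsplit("@", 1)[-1]
    if sender_domain.lower() != vendor["domain"]:
        kind = "lookalike of" if is_lookalike_domain(sender_domain, vendor["domain"]) \
            else "does not match"
        blockers.append(f"sender domain {sender_domain!r} {kind} vendor domain {vendor['domain']!r}")

    details_changed = req.bsb_account != vendor["bsb_account"]
    if details_changed and req.callback_number != vendor["verified_phone"]:
        blockers.append("bank details differ from record and were not confirmed "
                        "via the independently sourced phone number")

    distinct_approvers = len(set(req.approvers))
    if (req.amount >= DUAL_APPROVAL_THRESHOLD or details_changed) and distinct_approvers < 2:
        blockers.append(f"two distinct approvers required, got {distinct_approvers}")
    return blockers


def sample_requests() -> dict[str, PaymentRequest]:
    """Constructed scenarios: one routine payment and three variants a gate should stop."""
    base = dict(vendor_id="V-100", amount=5_000.00, sender_email="ap@acmesupplies.example",
                bsb_account="062000-12345678", approvers=["kim"])
    return {
        "routine": PaymentRequest(**base),
        "lookalike_sender": PaymentRequest(**{**base, "sender_email": "ap@acrnesupplies.example"}),
        "redirect_in_busy_period": PaymentRequest(**{**base, "bsb_account": "062000-99999999",
                                                     "callback_number": "+61-2-5555-0199",
                                                     "approvers": ["kim", "lee"], "busy_period": True}),
        "redirect_confirmed_on_file": PaymentRequest(**{**base, "bsb_account": "062000-99999999",
                                                        "callback_number": "+61-2-0000-0001",
                                                        "approvers": ["kim", "lee"]}),
        "large_single_approver": PaymentRequest(**{**base, "amount": 25_000.00}),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        result = evaluate(req)
        print(f"{name:28s} {'RELEASE' if not result else 'HOLD'}  {result}")
```

The callback check compares the number that was actually dialled against the number on file, which is the point of "independently sourced": a number lifted from the invoice that requested the change never satisfies it, even when two people have already approved the payment.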

Mailer's observation that people are "less likely to stop, check and reject" when a request feels routine is the heart of the findings. The same routine can be redesigned to include a verification step that doesn't rely on individual vigilance alone.

Author: Shanna Davis
Published: 14 May 2026
Reading time: 6 minutes
