Australia is closing the scam gap, but the payment gap remains

Australia's scam defences are getting stronger.

In recent weeks, Westpac revealed it prevented customers from losing $181 million to scams in just six months. Telcos like Optus have moved to support new protections against SMS impersonation. Regulators are also pushing for stronger customer protections across the banking sector, including recent action involving HSBC Australia.

Taken together, these developments point to something encouraging: banks, telcos and regulators are making it harder for criminals to succeed.

But fraud doesn't disappear when one layer gets stronger. It moves.

For finance teams, that matters because none of these measures can stop a fraudulent payment that has already passed through internal approval processes. The controls around Australian businesses are improving. The controls inside them still determine whether money leaves the bank account.

A stronger ecosystem on several fronts

Australia's scam prevention efforts have accelerated in recent years, with banks, telcos and regulators each playing a different role in reducing risk. 

Banks

Banks continue to invest heavily in scam prevention technology and customer protection.

In a recent message to customers, Westpac CEO Anthony Miller said the bank's technology now analyses more than 30 million transactions each day to identify suspicious activity. Those efforts have helped stop customers from losing $181 million to scams in the past six months alone and more than $775 million over the past few years.

That is a significant achievement. Most customers never see the scam attempts that are intercepted behind the scenes, but those interventions prevent real losses and demonstrate how much banks are investing to stay ahead of increasingly sophisticated criminals.

Telcos

Telcos are also making it harder for scammers to impersonate trusted organisations.

From 1 July 2026, Australia's SMS Sender ID Register requires legitimate organisations to register branded sender IDs, helping consumers identify whether a text message genuinely comes from the organisation it claims to represent. Messages sent from unregistered sender IDs will be flagged as "Unverified."

Providers including Optus have been working with organisations ahead of the deadline to support implementation.

This matters because SMS impersonation remains one of the most common entry points for scams. Making it harder for criminals to masquerade as banks, government agencies and major brands removes a valuable tool from their playbook.

Regulators

Regulators are increasingly focused on scam prevention and customer protection.

In June, ASIC and HSBC Australia jointly proposed a $35 million Federal Court penalty to resolve a matter regarding scam-related customer reports. HSBC has since compensated affected customers, recovered millions in stolen funds, and strengthened the controls it uses to protect them, reflecting the kind of proactive investment regulators are now encouraging across the sector.

The case reflects a broader shift across the sector. Scam prevention is no longer viewed solely as a customer responsibility. Financial institutions are increasingly expected to detect risks, respond quickly and continuously strengthen their controls. That expectation is helping drive further investment across the industry.

Taken together, these developments represent meaningful progress. Australia's scam ecosystem is becoming more resilient, and criminals are finding it harder to rely on the tactics that once worked.

Risk resides in the gaps

The problem isn't that these controls don't work; it's that they don't work on the same problem.

Westpac's fraud systems help identify suspicious transactions. The SMS Sender ID Register helps reduce impersonation scams. Regulators help drive accountability and investment across the sector.

Each control addresses a different point in the fraud lifecycle, but none of them verifies whether a supplier's bank account details are legitimate before a payment is processed. That distinction matters because fraud often succeeds in the spaces between controls. And we've long maintained that businesses aren't included in enough conversations about cross-sector scam prevention.

A bank can only act on the information it can see. If your team authorises a payment to a supplier whose email account has been compromised, the transaction may appear entirely legitimate from the bank's perspective. A sender verification framework can help prevent SMS impersonation, but it does nothing to stop a genuine supplier email account from being used to request a bank account change. Regulatory action can improve standards across the market, but it typically occurs after the damage is already done.

Risk professionals often describe this as the Swiss cheese model. Every control has gaps, but protection comes from layering controls so those gaps rarely align. Fraud succeeds when the holes line up. Strong risk management makes sure they don't.

Australia's banks, telcos and regulators have added important layers. The layer that remains missing for many organisations sits inside your accounts payable function.

Is the payment gap exposing your business?

This is where we get to the layer that businesses control directly. While external protections continue to improve, finance teams can reduce their exposure to payment fraud by strengthening controls before funds leave the organisation. 

That starts with independently verifying supplier bank account changes using trusted contact information already on file. It means treating every banking detail amendment as a high-risk event, regardless of how routine the request appears. It means ensuring no single person, inbox or approval can move money without appropriate scrutiny. (And, of course, it means finding ways to accomplish these approaches at scale, without impeding overall productivity and efficiency!)

These controls address a risk that external protections cannot fully solve: knowing that the account being paid genuinely belongs to the supplier you intend to pay.
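The three controls above can be expressed as a pre-release gate on a payment batch. The sketch below is an added example, not Eftsure's code or any bank's; the record layout, the names (hold_reasons, screen, MASTER, CHANGES) and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class BankChange:                       # one requested change to supplier bank details
    requested_by: str                   # staff member who keyed the request
    verified_by: Optional[str] = None   # staff member who made the callback
    contact_used: Optional[str] = None  # number actually dialled

@dataclass
class Payment:
    ref: str
    supplier_id: str
    account: str
    approvers: frozenset

def hold_reasons(p, master, changes):
    """Return the reasons a payment must be held; an empty list means release."""
    reasons = []
    on_file = master[p.supplier_id]
    if p.account != on_file["account"]:  # any new account is a high-risk event
        change = changes.get((p.supplier_id, p.account))
        if change is None:
            reasons.append("account differs from vendor master; no change request")
        else:
            if change.contact_used != on_file["phone"]:
                reasons.append("callback did not use the contact already on file")
            if change.verified_by in (None, change.requested_by):
                reasons.append("change not verified by a second person")
    if len(p.approvers) < 2:
        reasons.append("needs two distinct approvers")
    return reasons

# Constructed sample data (not real suppliers, accounts or phone numbers).
MASTER = {"S001": {"account": "000-001 11111111", "phone": "02 5550 0101"},
          "S002": {"account": "000-002 22222222", "phone": "02 5550 0102"}}
CHANGES = {
    # verifier rang the number quoted in the change-request email itself
    ("S001", "000-009 99999999"): BankChange("amy", "ben", "02 5550 0999"),
    # verifier rang the number on file and is not the requester
    ("S002", "000-008 88888888"): BankChange("amy", "ben", "02 5550 0102"),
}
BATCH = [Payment("P1", "S001", "000-001 11111111", frozenset({"cat", "dan"})),
         Payment("P2", "S001", "000-009 99999999", frozenset({"cat", "dan"})),
         Payment("P3", "S002", "000-008 88888888", frozenset({"cat", "dan"})),
         Payment("P4", "S002", "000-002 22222222", frozenset({"cat"}))]

def screen(batch=BATCH):
    return {p.ref: hold_reasons(p, MASTER, CHANGES) for p in batch}

if __name__ == "__main__":
    for ref, why in screen().items():
        print(ref, "RELEASE" if not why else "HOLD: " + "; ".join(why))
```

P2 is the case that matters: two people handled the change and two people approved the payment, yet it is held because the callback went to a number supplied in the request rather than the one already on file.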

Finance leaders don't need to wait for the next regulatory reform, banking initiative or telecommunications safeguard: the most effective fraud controls sit closest to the payment itself.

This is where Eftsure fits into the broader fraud prevention ecosystem. While banks, telcos and regulators help reduce risk around the edges, Eftsure helps finance teams independently verify who they're paying before funds leave the business.

Australia's scam defences are getting stronger, and that's good news for everyone. The remaining question is: are your own payment controls keeping pace?

Author

Shanna Davis

Published

19 Jun 2026

Reading Time

5 minutes
