By Arjun Adhia, CFO, Eftsure
Every May, I read the Federal Budget the same way — not for the fiscal headline, but for what it signals about where the risk environment is heading over the next 12 months.
This year, Treasurer Jim Chalmers framed the 2026-27 budget around "Resilience and Reform." In his speech to parliament, cybersecurity and scams were not mentioned once — and that silence matters. Australians lost $2.18 billion to scams in 2025 — up 7.8% on the previous year, even as the number of reports fell. Payment redirection scams — the fraud type that targets businesses rather than consumers — accounted for nearly $167 million of those losses. While consumer scam losses are declining year-on-year, payment redirection fraud targeting accounts payable teams continues to rise.
Here is what the budget signals, and where it stops.
ATO compliance: the controls argument finance leaders aren't making
The most significant measures for finance leaders in this budget sit in the ATO compliance section, not the cyber section. The government has committed $86.3 million over four years for expanded ATO compliance activity and Phase 2 of the Counter Fraud Strategy, aimed at modernising fraud detection across Australia's tax and superannuation systems.
The ATO is continuing to strengthen data matching and fraud detection capabilities across tax and superannuation systems. The compliance bar on payment documentation and traceability rises as a direct consequence — and the controls that reduce payment fraud exposure are the same controls that produce the audit trail an ATO query requires. They are not separate investments.
Payday Super starts 1 July 2026 regardless of this budget. More frequent payment cycles mean more payment events, tighter reconciliation requirements and less margin for error in payroll-to-payment workflows.
Most finance teams have stronger intuitions about their controls than they have evidence of them. The ATO's investment this year sharpens that expectation.
Anti-scam investment: what changed and what didn't
The National Anti-Scam Centre (NASC) received $12.7 million in this budget to continue operations for one more year. The NASC was established in 2023 with $58 million over three years — this allocation is a one-year extension, not a renewed multi-year commitment. The Scams Prevention Framework is legislated. The infrastructure now exists. In the absence of further commitment in the speech or the papers, the government's position reads as: the policy architecture is built, and it is now for industry and individual organisations to use it.
That is where the opportunity sits for finance leaders. The Scams Prevention Framework creates obligations for banks, telcos and digital platforms — it does not reach inside the payment verification controls of an individual business. With payment redirection fraud losses hitting $166.8 million last year, this number points further than a scam channel problem. It indicates a verification failure that happens at the moment a fraudulent payment instruction clears an AP queue and is processed as legitimate. That moment is inside your organisation, and no government framework reaches it.
Cybersecurity received $89.3 million to sustain existing Home Affairs initiatives — continuation funding building on the 2023-30 Australian Cyber Security Strategy rather than new investment.
The fraud environment the budget doesn't address
There is no standalone AI or fraud environment measure in this budget. AI appeared once in the Treasurer's speech, framed as a productivity and commercialisation opportunity — which reflects genuine potential. The risk side of that same technology received no equivalent attention. Eftsure's own research across 1,000 Australians surveyed this year found that 90% believe AI-generated scams are harder to detect than traditional ones. Criminal adoption of AI does not follow a budget cycle.
AI does not just make phishing emails more convincing — it makes "does this look legitimate?" less reliable as a control. When a fraudulent invoice or payment instruction is indistinguishable from a genuine one, manual review under time pressure is now highlighted as a point of exploitation. The same Eftsure research found that 32% of Australian finance employees feel pressure to process payments quickly. Now combine this with more sophisticated threats and faster payment environments, and the effectiveness of manual controls erodes even further.
As I put it earlier this year: "Cybercriminals understand workplace dynamics incredibly well. They know if payment requests come through from your manager or a senior executive, employees are far more likely to feel the pressure to act quickly without asking any questions." That dynamic does not change because the government passes a framework.
The gap the budget can't close
The ATO Taskforce has secured $25.1 billion in additional revenue since 2016. The NASC has taken down more than 10,000 scam websites since 2023. The Scams Prevention Framework imposes enforceable obligations on banks, telcos and platforms. These are real achievements and the investment behind them is justified.
And yet Australian payment fraud keeps occurring inside organisations that had access to the same frameworks, threat intelligence and regulatory guidance as those that avoided being hit. The difference is not information — it is controls.
Our research found that 91% of Australians surveyed do not believe senior business leaders adequately understand how modern payment fraud occurs. Only 25% of employees feel comfortable questioning a suspicious payment request from a senior executive. And 55% were never introduced to any fraud prevention tools at work. Looking beyond just a technology gap, the numbers show a structural gap in how organisations talk about fraud risk, embed controls in daily workflows and back their people with systems that do not depend on individual judgment under pressure.
The budget sets the national direction. The controls gap inside your organisation is yours to close.
If you want to talk about where to start, book a demo to see how Eftsure's payment verification works in practice.
