Common patterns
- Fake invoices styled to look like a real supplier's, usually with altered bank details
- Business Email Compromise (BEC): an attacker gains access to a mailbox (yours or a supplier's), watches invoice traffic and changes the payment details on a genuine invoice
- Payroll diversion: an email from an 'employee' asking HR or payroll to update their bank details
- Ransomware that encrypts files and demands payment for the decryption key
- Fake supplier change-of-bank notices, sent from a lookalike address or a compromised supplier mailbox
- Director / executive impersonation requesting an urgent, confidential transfer
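The patterns above share a few observable signals: a Reply-To that routes answers away from the apparent sender, a trusted display name sitting on a lookalike domain, bank-detail-change wording, and pressure language. The script below is an added example, not code from this page, that checks raw emails for those signals so finance or IT staff can triage a suspicious message before paying. The trusted domain and name lists, the keyword patterns, the similarity threshold and the three sample messages are all constructed assumptions for illustration.

```python
"""Flag common BEC indicators in raw email messages.

Added example for this page, not the page author's code. Runs offline on
constructed sample messages; the trusted domain/name lists, the keyword
patterns and the 0.85 similarity threshold are illustrative assumptions.
"""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed allow-lists: domains and display names the business already knows.
KNOWN_DOMAINS = {"acme-supplies.example", "ourcompany.example"}
KNOWN_NAMES = {"acme supplies accounts", "jane smith"}  # lower-cased display names

BANK_CHANGE_PATTERNS = [
    r"\bnew\s+(bank\s+)?(account|bsb|details)\b",
    r"\b(chang|updat)(e|ed|ing)\s+(of\s+|our\s+|my\s+|the\s+)?(bank|account|payment|bsb)\b",
    r"\bbsb\b",
]
TRANSFER_PATTERNS = [r"\b(wire|transfer)\b"]
URGENCY_PATTERNS = [r"\burgent(ly)?\b", r"\bimmediately\b", r"\btoday\b", r"\bconfidential\b"]
LOOKALIKE_THRESHOLD = 0.85  # assumed; tune against your own supplier list


def _domain(addr: str) -> str:
    _, mailbox = parseaddr(addr)
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""


def _display_name(addr: str) -> str:
    name, _ = parseaddr(addr)
    return name.strip().lower()


def _closest_known(domain: str) -> tuple[str, float]:
    """Nearest trusted domain and its similarity score (typosquat check)."""
    best = max(KNOWN_DOMAINS, key=lambda k: difflib.SequenceMatcher(None, domain, k).ratio())
    return best, difflib.SequenceMatcher(None, domain, best).ratio()


def bec_indicators(raw: str) -> list[str]:
    """Return human-readable BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[str] = []
    from_hdr = msg.get("From", "")
    reply_to = msg.get("Reply-To", "")
    from_dom = _domain(from_hdr)

    # 1. Reply-To routes answers away from the apparent sender's domain.
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"reply-to domain mismatch: {from_dom} -> {_domain(reply_to)}")

    # 2. A display name we trust on a domain we do not; name the nearest
    #    trusted domain when the unknown one looks like a typosquat of it.
    if _display_name(from_hdr) in KNOWN_NAMES and from_dom not in KNOWN_DOMAINS:
        note = f"known name on unknown domain: {from_dom}"
        nearest, score = _closest_known(from_dom)
        if score >= LOOKALIKE_THRESHOLD:
            note += f" (lookalike of {nearest})"
        findings.append(note)

    # 3-5. Content signals over subject + plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    if any(re.search(p, text) for p in BANK_CHANGE_PATTERNS):
        findings.append("requests change of bank details")
    if any(re.search(p, text) for p in TRANSFER_PATTERNS):
        findings.append("requests a transfer")
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        findings.append("urgency language")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_BENIGN = """\
From: Acme Supplies Accounts <accounts@acme-supplies.example>
To: payables@ourcompany.example
Subject: Invoice for March

Hi, please find attached our invoice for March. Regards, Acme.
"""

SAMPLE_LOOKALIKE = """\
From: Acme Supplies Accounts <accounts@acme-supp1ies.example>
Reply-To: accounts@acme-supp1ies.example
To: payables@ourcompany.example
Subject: URGENT: updated bank details for our open invoice

Hi, please note we have changed our bank account for all future payments.
Our new BSB and account number are on the attached remittance form.
"""

SAMPLE_EXEC = """\
From: Jane Smith <jane.smith@ourcompany.example>
Reply-To: Jane Smith <jane.smith@personal-mail.example>
To: finance@ourcompany.example
Subject: Quick favour

Hi, I need you to process a transfer today. I am in a meeting, so keep this
confidential and reply here rather than calling.
"""

if __name__ == "__main__":
    for label, raw in [("benign", SAMPLE_BENIGN), ("lookalike", SAMPLE_LOOKALIKE), ("exec", SAMPLE_EXEC)]:
        print(label, bec_indicators(raw) or ["no indicators"])
```

None of these signals proves fraud on its own; the point is to escalate any message carrying two or more of them to the phone verification step before a payment is released.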
Immediate actions
- Pause all outgoing payments to the affected suppliers until their bank details have been re-verified by phone.
- Call your bank immediately and ask them to recall the transfer and contact the receiving bank; the chance of recovery drops sharply once funds have been moved on.
- Reset passwords on email and finance systems, sign out all active sessions, and check affected mailboxes for forwarding or auto-delete rules the attacker may have added; enable MFA.
- Preserve all evidence (the original emails with full headers, payment records, bank confirmations). Do not delete the fraudulent message.
- Notify internally: owner, finance, IT.
- Assess whether customer or staff personal data may have been exposed.
Where to report (business)
| Situation | Report to |
|---|---|
| Cyber incident | ReportCyber (cyber.gov.au/report) |
| Financial misconduct | ASIC |
| General scam | Scamwatch (ACCC) |
| Fraud, blackmail, theft | Police |
| Personal data breach | OAIC — Notifiable Data Breaches scheme |
Notifiable Data Breaches (NDB) — the basics
An 'eligible data breach' occurs when personal information the business holds is lost, or accessed or disclosed without authorisation, and a reasonable person would conclude this is likely to result in serious harm to any of the individuals concerned. In that case you must notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable. If you only suspect a breach, you have up to 30 days from becoming aware of it to complete a reasonable assessment; once you conclude it is eligible, notify promptly. The scheme applies to organisations covered by the Privacy Act, including Australian Government agencies, businesses with annual turnover above $3 million, and certain smaller entities such as private health service providers, credit reporting bodies and tax file number (TFN) recipients.
Prevention checklist (top 5)
- Train staff to recognise phishing and BEC patterns, especially unexpected bank-detail changes and urgent or confidential payment requests.
- Enable MFA on all email, banking and finance systems.
- Verify any change to invoice or supplier bank details by phone, using a number you already have on file, never a number given in the email requesting the change.
- Run an annual cyber security review covering backups, access controls and who is able to approve payments.
- Tighten internal approval steps for any unusual payment: require a second approver for new payees or changed bank details.