
Why Australian SMEs are losing money due to invoice fraud and how cyber insurance can help

Invoice fraud is one of those risks that many Australian small businesses only think about after money has already left the account.

It usually does not start with anything dramatic. A familiar supplier. A normal email. A payment request that looks right at first glance. By the time the mistake is spotted, the funds are often gone, and recovery can be difficult.

For Australian small and medium enterprises (SMEs), this type of cybercrime is now becoming a regular issue rather than a rare one.

What does invoice fraud look like in practice?

Invoice fraud often sits under the broader category of cybercrime and social engineering. The goal is simple: to trick someone into sending money to the wrong place.

Common scenarios seen across Australian businesses include:

  • A legitimate supplier invoice is intercepted and altered with new bank details
  • A business email account is compromised and used to redirect payments
  • A fake invoice closely matching a real supplier request is sent at the right time

These incidents appear across many different industries. Construction, manufacturing, professional services, healthcare, education and retail are all exposed because payments are often frequent and time-sensitive.

The Australian Signals Directorate notes that cybercriminals increasingly target small businesses as larger organisations strengthen their defences, making SMEs a more accessible entry point into financial systems.

Why is invoice fraud hard to spot?

Invoice fraud works because it blends into normal business activity. Invoices are paid every day, staff are busy, and payment details change occasionally. When a request looks familiar, it often does not raise alarms.

Technology also plays a significant role in enabling invoice fraud. Many SMEs rely on cloud accounting software, email-based approvals and online banking. These tools improve efficiency, but they can also create gaps if controls are limited or verification steps are skipped.

One-third of Australian small businesses report being ‘unaware or inactive’ in their approach to cybersecurity, according to 2025 research completed by Cyber Wardens [1]. This lack of preparedness makes it easier for invoice fraud to slip through unnoticed.

Source: ACCC, https://www.accc.gov.au/media-release/beware-of-fake-invoices-from-scammers-impersonating-businesses [Accessed 05/02/2026]

The financial impact on small businesses

The financial consequences of invoice fraud can be significant for SMEs, particularly when cash flow is a focus.

The Australian Signals Directorate reports that the average cost of a cyberattack is $56,600 for small businesses and $97,200 for medium businesses in Australia. These figures include direct financial loss, disruption to operations and recovery costs.

For many SMEs, a single fraudulent payment can disrupt supplier relationships, delay projects and place pressure on working capital.

Australia is home to more than two and a half million small businesses, according to the Australian Small Business and Family Enterprise Ombudsman. That scale means even low-value fraud, when repeated across the economy, becomes a serious issue.

How cyber insurance may respond to a cyber incident

Cyber insurance is not a replacement for good cyber controls, but it can form part of a broader risk management approach. Cyber insurance isn’t just for Fortune 500 or ASX50 companies. It can be flexibly designed and priced to fit small businesses, giving lean teams practical protection that complements their security efforts.

For invoice fraud incidents, cyber insurance may respond to certain cybercrime events, including social engineering and payment redirection scams, depending on the policy terms and conditions.

Cover can also extend to support services following a cyber incident, such as:

  • Access to incident response specialists
  • Forensic investigation to understand how the fraud occurred
  • Legal and notification support where required under the Privacy Act 1988 (Cth) and the Cyber Security Act 2024

It is important to note that not every loss is automatically covered. Policy wording, triggers and exclusions matter, which is why understanding how invoice fraud fits within cyber risk is essential.

Reducing the risk before an incident happens

Most invoice fraud incidents rely on small gaps rather than system failures.

Practical steps that many SMEs consider include:

  • Verifying changes to supplier bank details through a second channel
  • Limiting who can approve payment changes
  • Training staff to pause when payment requests feel unusual

These steps help reduce exposure, but they do not remove risk entirely. Cybercriminal tactics continue to evolve, particularly as artificial intelligence is increasingly used to mimic legitimate communication.
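The first two controls above (second-channel verification of bank-detail changes and a restricted approver list) can be enforced at the point a payment is released rather than left to memory. The following is an added example, not Marsh's or any accounting vendor's code; supplier records, account numbers and the approver list are constructed sample data, and the second-channel confirmation is modelled as a record made by a named approver.

```python
"""Payment-release gate for supplier invoices (added, illustrative example)."""
from dataclasses import dataclass, field

# Constructed allow-list of staff permitted to release payments or confirm
# bank-detail changes. In practice this mirrors the accounting package's roles.
PAYMENT_APPROVERS = {"finance.manager", "director"}


@dataclass
class Supplier:
    name: str
    # (BSB, account) pairs confirmed with the supplier on a phone number
    # already on file, i.e. through a channel the email sender does not control.
    verified_accounts: set = field(default_factory=set)


@dataclass
class PaymentRequest:
    supplier: Supplier
    bsb: str
    account: str
    amount: float
    requested_by: str   # staff member who raised the payment
    approved_by: str    # staff member releasing it


def confirm_bank_details(supplier: Supplier, bsb: str, account: str, confirmed_by: str) -> None:
    """Record new bank details only once an approver has confirmed them out of band."""
    if confirmed_by not in PAYMENT_APPROVERS:
        raise PermissionError(f"{confirmed_by} may not confirm bank-detail changes")
    supplier.verified_accounts.add((bsb, account))


def release_decision(req: PaymentRequest) -> tuple[bool, str]:
    """Return (release, reason). The gate blocks rather than warns, because a
    redirected payment is usually unrecoverable once it leaves the account."""
    # Limit who can approve, and keep requester and approver separate.
    if req.approved_by not in PAYMENT_APPROVERS:
        return False, "approver not on payment approver list"
    if req.approved_by == req.requested_by:
        return False, "requester cannot approve their own payment"
    # Pay only to details verified through a second channel, never to details
    # taken from the invoice or email alone.
    if (req.bsb, req.account) not in req.supplier.verified_accounts:
        return False, "bank details not verified via second channel"
    return True, "ok"
```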

Invoice fraud deserves your attention

Invoice fraud is not limited to large transactions or complex systems. It affects everyday business activity.

As cybercrime continues to target SMEs, invoice fraud remains one of the more common and financially damaging outcomes. Understanding how it happens, why it works and how cyber insurance may assist helps businesses make informed decisions about their risk approach.

Do you have questions?

For businesses reviewing their cyber exposures, invoice fraud is often one of the clearer examples of how digital risk translates directly into financial loss. Marsh’s cyber insurance solution for SMEs includes optional cover for social engineering fraud, to help mitigate and recover financial losses from impersonation scams and fraudulent invoices.

Frequently asked questions

Invoice fraud occurs when a business is tricked into paying money to a fraudulent account, often through altered or fake invoices.

Yes. Invoice fraud commonly falls under cybercrime and social engineering activity involving email or system compromise.

Yes. Australian government cyber reporting shows SMEs are frequently targeted due to fewer security resources. 2024 data from the latest Cyber Wardens Small Business Cyber Security Pulse Check Report found that 4 in 5 (82%) Australian small businesses have been exposed to or experienced a cyber incident [2].

Any industry that uses email as part of its payment processes can be susceptible to invoice fraud. Industries with especially frequent supplier payments, such as construction, professional services and healthcare, are more commonly exposed.

Some cyber policies may respond to social engineering or invoice fraud events, subject to policy terms and conditions.

No. Cyber insurance supports recovery but does not replace strong internal controls.

Often, through compromised email accounts or intercepted communication with suppliers.

No. Many fraudulent invoices closely match legitimate payment requests.

Immediate action, including contacting the bank and seeking specialist support, is critical.

They can be if access controls and verification steps are limited.

Australian government data shows cyber incidents affecting SMEs are frequent and costly. In 2024, Australian small businesses reported losing $4 million to ‘business email compromise’ scams, according to Scamwatch [3].

Information is available on Marsh’s cyber insurance page for Australian businesses.

References

[1] Cyber Wardens, “an initiative through the Council of Small Business Organisations of Australia”, https://cyberwardens.com.au/research-report/small-business-cyber-security-pulse-check-report, accessed 5 February 2026.

[2] National Anti-Scam Centre, “Targeting scams report 2024”, https://www.scamwatch.gov.au/system/files/targeting-scams-report-2024.pdf, accessed 5 February 2026.

[3] Cyber Wardens, “Small Business Cyber Security Pulse Check Report”, https://cyberwardens.com.au/research-report/small-business-cyber-security-pulse-check-report, accessed 5 February 2026.

LCPA 26/1783