
Bank Account Validation for Suppliers: Preventing Payment Fraud

Payment fraud targeting supplier bank account details is one of the fastest-growing financial crimes affecting Australian organisations. The attack is simple and devastatingly effective: a fraudster intercepts or impersonates a supplier communication and provides altered bank account details. The organisation updates its records, and subsequent payments are redirected to the fraudster's account.

The Australian Competition and Consumer Commission (ACCC) has reported that business email compromise and payment redirection scams cost Australian businesses hundreds of millions of dollars annually. And the entry point for many of these attacks is the supplier onboarding process.

How Payment Fraud Exploits Onboarding Weaknesses

Traditional supplier onboarding processes are vulnerable to payment fraud at multiple points:

Initial registration. When a supplier submits bank account details via email or a PDF form, there is no automatic verification that the account belongs to the stated entity. A fraudster who intercepts the communication — or who submits a registration impersonating a legitimate supplier — can provide any bank account they control.

Bank detail changes. Existing suppliers occasionally need to update their bank account details. In a manual process, these change requests arrive by email, letter, or phone. Verifying the legitimacy of a change request is time-consuming and often relies on calling a phone number that may itself have been compromised.

Lack of validation. Even when bank details are received from a legitimate source, manual processes do not verify that the BSB is valid, that the account number is in the correct format, or that the account exists at the specified institution. Errors in bank details cause payment failures; fraudulent details cause payment losses.

The Limitations of Manual Verification

Most organisations recognise the risk and have implemented some form of manual bank account verification. Common approaches include:

Callback verification. A procurement officer calls the supplier on a known phone number to confirm their bank details. This is reasonably effective but time-consuming and not scalable. It also fails if the phone number on file has been compromised.

Micro-deposit verification. The organisation sends a small payment to the provided account and asks the supplier to confirm the amount. This verifies that the supplier has access to the account but takes one to three business days and adds complexity to the onboarding process.

Document-based verification. The supplier provides a bank statement or letter from their bank confirming the account details. These documents can be forged, and verifying their authenticity adds another manual step.

Each of these approaches has limitations. They are slow, labour-intensive, and provide varying degrees of assurance. None of them validate bank details in real time during the registration process.

Automated Bank Account Validation

Automated bank account validation uses electronic verification services to confirm supplier bank details at the point of entry. When a supplier enters their BSB and account number during registration, the system:

  1. Validates the BSB against the official BSB directory maintained by the Australian Payments Network, confirming that the BSB exists and identifying the associated financial institution and branch.

  2. Checks the account number format to ensure it is valid for the specified financial institution. Different banks have different account number lengths and formats.

  3. Performs account verification where available, confirming that the account is active and accepting payments at the specified institution.

  4. Cross-references entity details to check whether the account holder name matches the supplier entity name, flagging discrepancies for review.

This validation happens in seconds, while the supplier is still completing their registration. Invalid or suspicious bank details are flagged immediately, preventing them from entering your system.
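The four checks above can be sketched as a single validation function. This is an added example, not Sorbee's code: the directory entries, per-institution account lengths, similarity threshold and function names are all assumptions, and holder_name stands in for the response of an external account verification service.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data: placeholder BSBs and institutions, not entries from
# the real BSB directory. Account-number lengths per institution are assumed.
BSB_DIRECTORY = {
    "999001": {"institution": "Example Bank A", "account_lengths": {6, 7, 8, 9}},
    "999002": {"institution": "Example Bank B", "account_lengths": {9}},
}
ENTITY_NOISE = {"pty", "ltd", "limited", "the"}
NAME_MATCH_THRESHOLD = 0.85  # assumed cut-off; tune against real supplier data


def normalise_name(name):
    """Lower-case, drop punctuation and common entity suffixes."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in ENTITY_NOISE)


def validate_bank_details(bsb, account, supplier_name, holder_name=None):
    """Return (status, findings); status is 'accept', 'review' or 'reject'.

    holder_name stands in for the account-holder name an external
    verification service would return (None when that check is unavailable).
    """
    bsb_digits = re.sub(r"[\s-]", "", bsb)
    if not re.fullmatch(r"[0-9]{6}", bsb_digits):
        return "reject", ["BSB must be exactly six digits"]
    entry = BSB_DIRECTORY.get(bsb_digits)
    if entry is None:
        return "reject", ["BSB not found in directory"]
    acct = re.sub(r"[\s-]", "", account)
    if not re.fullmatch(r"[0-9]+", acct) or len(acct) not in entry["account_lengths"]:
        return "reject", ["account number format invalid for " + entry["institution"]]
    findings = []
    if holder_name is None:
        findings.append("account holder not verified; route to manual check")
    else:
        score = SequenceMatcher(None, normalise_name(supplier_name),
                                normalise_name(holder_name)).ratio()
        if score < NAME_MATCH_THRESHOLD:
            findings.append(f"account holder name mismatch (similarity {score:.2f})")
    return ("review" if findings else "accept"), findings
```

Format and directory failures are rejected outright, while a missing or mismatched account holder name is routed to review rather than silently accepted.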

Building a Defence-in-Depth Approach

Automated bank account validation is most effective as part of a layered approach to payment fraud prevention:

Layer 1: Validation at entry. Automated BSB and account verification during supplier registration catches errors and obvious fraud attempts at the earliest possible point.

Layer 2: Duplicate and cross-reference checks. If the same bank account appears across multiple supplier records, this may indicate fraud — a single entity registering multiple times to receive payments under different supplier identities.

Layer 3: Change management controls. Bank detail changes for existing suppliers should trigger a separate verification workflow, including notifications to the supplier via a known channel and additional approval requirements.

Layer 4: Segregation of duties. The person who receives bank details should not be the same person who approves them. Automated workflows enforce this separation consistently.

Layer 5: Audit trail. Every bank account validation, change, and approval should be logged with timestamps, user identities, and validation results. This trail is essential for fraud investigation and regulatory compliance.
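Layers 2, 4 and 5 can be enforced together in one change workflow. This is an added example, not Sorbee's code: the class, method and field names are hypothetical, the supplier ids, users and account numbers are constructed, and the known-channel notification from Layer 3 is left out.

```python
import re
from datetime import datetime, timezone


def account_key(bsb, account):
    """Canonical (bsb, account) key so spacing and hyphen variants compare equal."""
    return re.sub(r"[^0-9]", "", bsb), re.sub(r"[^0-9]", "", account)


class BankDetailChanges:
    """Hypothetical in-memory workflow for bank detail submissions."""

    def __init__(self):
        self.accounts = {}   # account key -> set of supplier ids using it
        self.pending = {}    # change id -> submitted change
        self.audit = []      # append-only list of audit events

    def _log(self, event, user, **details):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "user": user, **details})

    def submit(self, change_id, supplier_id, bsb, account, submitted_by):
        """Record a change and return other suppliers already using the account."""
        key = account_key(bsb, account)
        others = sorted(self.accounts.get(key, set()) - {supplier_id})
        self.pending[change_id] = {"supplier": supplier_id, "key": key,
                                   "submitted_by": submitted_by, "duplicates": others}
        self._log("submitted", submitted_by, change=change_id,
                  supplier=supplier_id, duplicate_of=others)
        return others

    def approve(self, change_id, approver, duplicate_reviewed=False):
        """Approve only if the approver differs from the submitter and any
        duplicate hit has been explicitly reviewed; log every decision."""
        change = self.pending[change_id]
        if approver == change["submitted_by"]:
            reason = "segregation of duties"
        elif change["duplicates"] and not duplicate_reviewed:
            reason = "duplicate account not reviewed"
        else:
            self.accounts.setdefault(change["key"], set()).add(change["supplier"])
            del self.pending[change_id]
            self._log("approved", approver, change=change_id)
            return True
        self._log("approval_denied", approver, change=change_id, reason=reason)
        return False
```

Denied approvals are written to the audit list as well as successful ones, so an investigator can see who attempted to approve their own submission or to approve past a duplicate flag.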

How Sorbee Protects Your Payments

Sorbee incorporates automated bank account validation as a core feature of its digital supplier onboarding platform for Oracle Fusion Cloud. Bank details are validated in real time during the supplier registration process, and the same validation is applied when existing suppliers request changes to their bank information.

Sorbee's approach integrates bank account validation with its broader security features:

  • Multi-factor authentication ensures that only authorised supplier representatives can submit or modify bank details.
  • Duplicate detection identifies bank accounts that appear across multiple supplier records.
  • Configurable approval workflows route bank detail submissions and changes through appropriate review and approval steps.
  • Complete audit trails document every validation check, submission, and approval decision.

Because Sorbee integrates with Oracle Fusion via REST APIs, validated bank account details are written directly to the correct supplier bank account records in Oracle Fusion. There is no manual rekeying step where errors or fraud could be introduced.

The Regulatory Context

Australian organisations face increasing regulatory expectations around payment fraud prevention. The Australian Prudential Regulation Authority (APRA), the Australian Securities and Investments Commission (ASIC), and industry-specific regulators all expect organisations to have robust controls over supplier payment processes.

Automated bank account validation provides documented, auditable evidence that your organisation verifies supplier bank details before making payments. This evidence is valuable during audits, regulatory reviews, and in the unfortunate event of a fraud investigation.

Taking Action

Payment fraud is not a theoretical risk. It is happening to Australian organisations of all sizes, across all industries. The organisations that avoid becoming victims are those that have automated their verification processes and removed the manual steps that fraudsters exploit.

Sharpe Project Consulting (SPC3) helps organisations implement automated bank account validation as part of a comprehensive supplier onboarding solution. Our services team understands both the technical implementation and the process design needed to create an effective fraud prevention framework.

Get in touch to discuss how Sorbee's automated bank account validation can protect your organisation from supplier payment fraud.
