
Think your business is too savvy to be scammed? You — or someone on your team — may have already come dangerously close.
In 2025, small businesses are being targeted by increasingly sophisticated fraud tactics.
“This is now one of the most common and damaging scams affecting small to medium enterprises” says James Roberts, general manager of fraud and scams strategy and governance at CommBank. “It usually starts with a compromised email account — through phishing or malware — and ends with money being sent to a criminal.”
The consequences can be financial, operational, and reputational — and are, as Roberts puts it, “often devastating”.
Unfortunately, most businesses don’t realise they’ve been hit until it’s too late.
Why are SMEs a prime target?
“Most small businesses are understandably focused on growth, customers and cashflow — however, often not on cyber risk,” Roberts explains.
“And unlike large organisations, they often don’t have internal audit teams, risk officers or IT departments to help advise them on how best to defend against these types of attacks.”
Criminals are aware of this. They know where the vulnerabilities are, and they take full advantage.
Red flags to watch out for
According to Roberts, the two riskiest scenarios are when a new supplier invoices your business for the first time, and where an existing supplier asks you to update their banking details.
These are both critical moments where you need to act with great caution.
“If a supplier invoices you for the first time — or asks to update their bank details — call them on a trusted number to verify the BSB and account information,” Roberts says.
He adds that scammers often insert their own contact information into manipulated invoices — so even if you call to verify, you could be speaking directly to the scammer.
“I have seen really sad cases where the small business did the right thing and phoned to validate, but they were actually speaking to the criminal, who confirmed that the new fraudulent account details were legitimate.”
How it plays out in real life
While CommBank doesn’t share individual case studies, Roberts outlines a common pattern.
It goes like this: a supplier’s email account is hacked. The scammer gains access to a real invoice, then alters the banking details. The SME pays the invoice, thinking nothing of it. Then, weeks later, when the payment is due, the actual supplier follows up asking why it hasn’t been received.
By then, the money is often gone and the trail is cold.
Simple steps to protect your business
Roberts says most scams can be prevented with the right checks in place, especially at payment time.
Here are three critical habits every small business should adopt:
Always verify banking details over the phone using a trusted number from your records, not from the invoice.
Train staff to spot scam warning signs, especially those working in finance, accounts and admin roles.
Be wary of urgent or unexpected payment requests, even if they appear to come from a known contact.
When making payments, a brief pause and a closer look could save your business from major financial and reputational damage.
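The two red flags above (a first invoice from a new supplier, and an existing supplier whose bank details have changed) can be enforced as a pre-payment check rather than left to memory. The following is an added example, not CommBank code or a reproduction of NameCheck; the vendor record, invoice and verification log are constructed sample data, and the rule that a change only clears when it was confirmed by phoning the number held on file (never the number printed on the invoice) is the control Roberts describes.

```python
from dataclasses import dataclass

@dataclass
class Vendor:
    name: str
    bsb: str
    account: str
    trusted_phone: str  # captured at onboarding, never taken from an invoice

@dataclass
class Invoice:
    vendor_id: str       # "" for a supplier not yet in the master file
    payee_name: str
    bsb: str
    account: str
    contact_phone: str   # printed on the invoice; may be attacker-controlled

@dataclass
class Verification:
    """Staff record of a call made to confirm a supplier's bank details."""
    vendor_id: str
    bsb: str
    account: str
    phone_used: str

def payment_flags(inv, vendors, verifications):
    """Return the reasons an invoice must be held; an empty list means pay."""
    vendor = vendors.get(inv.vendor_id)
    if vendor is None:
        return ["new supplier: first invoice, verify on an independently sourced number"]
    reasons = []
    if (inv.bsb, inv.account) != (vendor.bsb, vendor.account):
        # A change only clears if confirmed on the number already on file.
        confirmed = any(
            v.vendor_id == inv.vendor_id
            and (v.bsb, v.account) == (inv.bsb, inv.account)
            and v.phone_used == vendor.trusted_phone
            for v in verifications
        )
        if not confirmed:
            reasons.append("bank details changed and not verified on the trusted number")
    if inv.contact_phone != vendor.trusted_phone:
        reasons.append("invoice contact number differs from the number on file; do not verify on it")
    if inv.payee_name.casefold() != vendor.name.casefold():
        reasons.append("payee name does not match the supplier record")
    return reasons

# Constructed sample master file: one supplier with details captured at onboarding.
VENDORS = {"V1": Vendor("Acme Supplies Pty Ltd", "062-000", "12345678", "02 9999 0000")}
```

Run every invoice in a payment batch through `payment_flags` and hold anything that returns a non-empty list until a `Verification` made on the trusted number exists.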
Prevention starts with your people
According to a study by Mimecast, 95% of cyber breaches in 2024 were linked to human error — from phishing clicks to password mistakes. That makes creating a culture of cybersecurity one of your most effective lines of defence.
CommBank, in partnership with the Council of Small Business Organisations Australia, has created the Cyber Wardens free online training program designed for SMEs. It helps staff understand scams, build better cyber habits and reduce day-to-day risks.
“I would strongly recommend visiting cyberwardens.com.au to learn more and access the courses,” Roberts says. “It’s high-quality training, it’s tailored to small business — and it’s free.”
What to do if you’ve been scammed
If you suspect your business has been caught in a scam, “Contact your bank, contact your bank, contact your bank,” Roberts says. “That is the only entity that can help immediately preserve and recover any available funds.”
He adds that a timely response is critical.
“The faster a customer contacts their bank after they become aware of a scam, the more likely that there will be funds to recover,” he says.
Banks like CommBank have specialist teams who may be able to help freeze stolen funds — but the window is tight. So don’t hesitate, and never wait to “see how things play out”.
To support its small business customers, CommBank has rolled out a feature called NameCheck on the CommBank app, NetBank and CommBiz. It checks if the payee’s name aligns with the BSB and account number provided.
“If NameCheck shows a mismatch, take it seriously,” says Roberts. “It’s a strong signal to pause and help confirm who you’re actually paying.”
Staying scam-proof in FY26
Cybercriminals are evolving fast, but so can your defences. With strong habits, scam-savvy staff and the right support, you can enter the new financial year with confidence.
Plus, if you’re a CommBank business customer, you can access Biz Benefits Kit, which includes a complimentary SmartCompany subscription to help you stay informed on key business trends, digital tools and security best practices.
Solid foundations, smarter systems and a well-informed team — that’s how you build resilience in FY26.
If you’re a CommBank business customer, you can access their ‘Biz Benefits Kit’ and get access to an annual SmartCompany subscription. To find out how visit CommBank.com.au/smallbusiness
The information and advice contained in this article is of general application and is not tailored to your individual circumstances. CommBank cannot guarantee that by implementing the advice in this guide you will never be a victim of fraud.
For a limited time only, get access to an annual SmartCompany subscription. Eligible to new subscribers who sign up between July 1, 2025 – August 31, 2025. SmartCompany terms and conditions and privacy policy apply.