Sharon Ng considers the impact of social engineering fraud in the context of third-party payments and sets out some reminders that can help protect your organisation.
Your organisation has likely invested heavily in cybersecurity. Firewalls, security breach detection systems, antivirus software, multifactor authentication, secure payment gateways, you name it. On the face of it, it might feel like your organisation is virtually untouchable by cyber criminals.
But here’s the reality: not all scams rely on hacking into your systems and breaking through your defences. Some of the most successful scams are designed to trick your people, not just your technology.
One of the most common and damaging examples of this is social engineering fraud targeting payments to third parties, and this is what we will be diving into in this article. It is not just an issue for your Finance and Information Security teams to manage. As in-house counsel, it is important to keep an eye out and be prepared to support your organisation to reduce the risk of human error and prevent these scams from succeeding.
What is social engineering fraud and how does it target payments?
At its core, social engineering fraud is deception. It exploits human behaviour by manipulating trust and looking for weaknesses in internal processes. The fraudster’s goal is simple: convince someone in your organisation to voluntarily send payment to the wrong person. Once the funds are gone, recovery is often extremely difficult.
According to the National Anti-Scam Centre’s March 2025 scams report, Australians lost around $152.6 million to payment redirection scams.
Common tactics include:
- Impersonation and spoofing: Fraudsters pretend to be someone you know (often a senior executive, supplier or client) or disguise themselves using near-identical email addresses or lookalike names to trick your staff into transferring funds.
- Invoice fraud: Fraudsters alter legitimate invoices or send convincing fake ones that direct payment to their own bank account.
- Change of bank details: This involves a sudden change in the bank account details nominated for payment, and often arises when fraudsters exploit public announcements about corporate changes (such as a merger or acquisition) by sending “updated” payment instructions.
- Overpayment refund scam: Fraudsters make a payment to your organisation (often from a stolen account) and request a refund to a different account.
You’ll notice that some of these tactics don’t require hi-tech hacking tools. They generally rely on timing, research and an understanding of how people and processes work inside organisations.
Is my organisation a target?
The short answer: yes (unfortunately).
Social engineering fraudsters don’t discriminate by size or sector. Large organisations are obvious targets due to the scale of their transactions, but smaller organisations are often seen as easy prey because they have fewer resources to protect themselves.
If your organisation pays suppliers and contractors, or holds payments on behalf of others, it is a target. Fraudsters can study how people communicate with one another and mimic the tone and style of their messages, striking at routine or urgent moments (such as end-of-month payments or a project milestone payment).
A few real and recent examples show how easily things can go wrong:
- In 2020, an Australian hedge fund collapsed after a cyber attack, triggered by a fake Zoom invitation that combined phishing and social engineering techniques, led its trustee and administrator to mistakenly approve $8.7 million in fraudulent invoices without verifying the identity of the sender or the legitimacy of the payment requests.
- In 2021, an Australian medicinal cannabis company lost $3.6 million to a fraudster after paying who they thought was an overseas contractor for one of its projects.
- In 2024, a shire council in Queensland was hit by an AI-driven social engineering scam that cost it $2.3 million ($1.9 million after some of the funds were recovered).
What can my organisation do to not fall victim?
Preventing social engineering fraud is a shared responsibility across the organisation. Fraudsters don’t always go straight for the people handling payments – they often start by approaching staff in other areas, quietly gathering information or building trust before making their move.
As in-house counsel, you can provide valuable support by helping to ensure that your organisation has the right governance, procedures and awareness in place to stop scams before they happen.
Alongside robust cybersecurity controls, here are some practical steps that every organisation can take:
- Verify: Always identify the sender and verify payment details independently. If someone sends new or changed bank details, pick up the phone and call them using a trusted phone number (not the one provided in the email or invoice).
- Use dual authorisation: Require at least two people to approve all payments or changes to supplier account details.
- Separate duties: Avoid having the same person being responsible for initiating, approving and processing payments.
- Keep audit trails: Record payment approvals, verification calls and supplier communication to support accountability and traceability.
- Set staff expectations: Policies should remind all staff to stay alert to suspicious communications involving payments and that everyone has a role to play in detecting and preventing scams.
- Review internal procedures: Make sure your organisation’s policies clearly set out verification and approval processes and are easily accessible to all staff.
- Regular training: Build and refresh staff awareness through regular cyber awareness training (at least annually) and make sure new starters get up to speed during induction.
- Prepare for incidents: Have a clear incident response plan in place for when things do go wrong. It should set out what to do if a payment is misdirected, who to contact and when to notify the bank or the police, if appropriate.
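As an added illustration (not part of the original article), here is a small Python model of the verify, dual authorisation, separation of duties and audit trail controls above, applied to a supplier bank-detail change. The supplier, staff names, account and phone numbers are constructed.

```python
from dataclasses import dataclass, field

# Constructed supplier master data: the callback number captured at onboarding.
# Verification calls go to this number, never to one quoted in the request itself.
SUPPLIER_PHONE_ON_FILE = {"Acme Supplies Pty Ltd": "+61 2 5550 0100"}

@dataclass
class BankDetailChange:
    supplier: str
    new_account: str
    requested_by: str           # staff member who keyed in the change (initiator)
    number_in_request: str      # phone number quoted in the email/invoice (untrusted)
    callback_made_to: str = ""  # number the verifier actually dialled
    approvers: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # audit trail of every step

def record_callback(req, verifier, number_dialled):
    """Log the verification call; release_allowed() checks it went to the number on file."""
    req.callback_made_to = number_dialled
    req.audit.append(f"callback by {verifier} to {number_dialled}")

def approve(req, approver):
    """Dual authorisation with separated duties: initiator cannot approve, nobody approves twice."""
    if approver == req.requested_by or approver in req.approvers:
        req.audit.append(f"REJECTED approval by {approver} (initiator or duplicate)")
        return False
    req.approvers.append(approver)
    req.audit.append(f"approved by {approver}")
    return True

def release_allowed(req):
    """Return (allowed, reason); the new account is blocked until every control holds."""
    # .get() returns None for an unknown supplier, so that case is blocked too.
    if req.callback_made_to != SUPPLIER_PHONE_ON_FILE.get(req.supplier):
        return False, "no callback to the number on file"
    if len(req.approvers) < 2:
        return False, "fewer than two independent approvers"
    return True, "controls satisfied"

def demo():
    """Constructed scenario: the 'updated details' email quotes the fraudster's own number."""
    req = BankDetailChange("Acme Supplies Pty Ltd", "BSB 000-000 ACC 12345678",
                           requested_by="alice", number_in_request="+61 2 5550 0999")
    record_callback(req, "bob", req.number_in_request)  # wrong: rang the number in the email
    approve(req, "alice")                               # wrong: initiator approving own request
    approve(req, "carol")
    blocked = release_allowed(req)
    record_callback(req, "bob", SUPPLIER_PHONE_ON_FILE[req.supplier])  # rang the number on file
    approve(req, "dave")
    return blocked, release_allowed(req), req.audit
```

The audit list is what an investigator would read back after a misdirected payment: every callback, approval and rejected approval is recorded with who did it.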
No cybersecurity system can fully protect against human error. But, when everyone works together and follows good processes, your organisation can significantly reduce the risks and make sure its money ends up exactly where it should.
Further information
If you need further guidance on protecting against social engineering fraud, please reach out to your KWM contact or Bryony Evans.
