Authorised fraud is rising fast across Australian banks

Authorised payment fraud (APF) is surging in Australia, with losses reaching $2.7 billion in 2023. Unlike traditional fraud, these scams trick people into sending money themselves—often through impersonation or emotional manipulation. Smaller banks aren’t exempt. In fact, their customers—especially older Australians—may be more vulnerable and less protected.

Australian banks are not required to reimburse APF losses, and smaller banks currently cover just 4% of scam-related losses. Regulators are pushing for change. With new scam prevention frameworks, all banks will soon face stricter obligations to prevent, detect, and respond to scams. For small banks, this means rethinking governance, upgrading systems, and building a stronger frontline response.

The challenge is significant—but so is the opportunity. By acting now, community banks can build trust, protect their customers, and stay ahead of fraudsters looking for weak links in the system.

A different kind of fraud—with bigger stakes

Authorised payment fraud doesn’t look like a hack. It looks like a text from a bank. A phone call from the police. A message from a loved one in distress. In these scams, the victim initiates the payment—because they were tricked into believing it was legitimate.

In 2023, Australians lost over $2.7 billion to scams like these. Social engineering lies at the core—fraudsters use fear, urgency, and familiarity to convince even cautious individuals to move money. Investment scams alone cost Australians more than $1.3 billion last year. This isn’t fringe crime. It’s mainstream, and it’s targeting everyday people across the country.

Community and regional banks are not immune

It’s a mistake to think APF is only a problem for the big four. All financial institutions are just as exposed—and in some cases, more so. Scammers use mass channels like SMS and social media, making every bank's customer base a potential target.

Older Australians, who often bank locally, are disproportionately affected. They’re more likely to fall for impersonation or investment scams and suffer larger financial losses. In some cases, scammers even impersonate staff from local branches—relying on the trust and familiarity that smaller banks are known for.

Meanwhile, community and regional banks may not have the same visibility in the media or resources to issue broad scam alerts. That creates an awareness gap that fraudsters are happy to exploit.

Reimbursement gaps leave customers exposed

Australia’s current rules don’t protect victims of APF. If someone authorises a payment—no matter how they were tricked—it’s not considered unauthorised. Under the voluntary ePayments Code, banks only need to reimburse customers for unauthorised transactions, such as account takeovers.

This leaves scam victims largely on their own. ASIC found that smaller banks reimbursed just 4% of scam-related losses in 2024. In most cases, victims shoulder 100% of the loss unless the bank offers compensation as a goodwill gesture. In contrast, the UK is moving toward mandatory reimbursement for nearly all authorised fraud losses.

Without stronger protections, trust erodes. Customers are left feeling unsupported, and smaller banks risk losing the very relationships that set them apart.

A regulatory reckoning is coming

The Australian regulatory environment is shifting fast. ASIC and the ACCC are leading a push for stronger scam prevention across the entire banking sector.

ASIC’s latest reviews found that many community and regional had ad hoc or immature fraud prevention programs. Inconsistent policies, limited scam response procedures, and poor recovery coordination were common. The expectations are changing. Governance, detection, and customer support need to be formalised—backed by executive oversight and standardised processes.

In parallel, the new Scam Prevention Framework Bill—backed by the federal government—lays the groundwork for mandatory scam codes across banking, telecoms, and digital platforms. This means compliance won’t be optional. The standards will be enforceable and monitored.

Meanwhile, the industry is rolling out new infrastructure like Confirmation of Payee—a system to match payee names with account details before a transfer is approved. Big banks are leading the rollout, but it’s coming for everyone.

Community and regional banks face unique hurdles

Scaling up scam prevention isn’t simple for community and regional banks. Many rely on basic, rule-based monitoring systems that miss more complex or social-engineered scams. Few have real-time payment delay capabilities across all channels.

Support structures are often underdeveloped. Without dedicated scam response teams or clear communication policies, some victims wait days—or even weeks—for updates. And when it comes to recovering funds, smaller banks are at a disadvantage. Delays in communication with receiving institutions can mean stolen funds vanish before they can be frozen.

Even one major scam incident can overwhelm a small team or damage a bank’s reputation. And with 600,000 scam reports logged nationally in 2023, the pressure is only building.

As big banks harden, scammers shift targets

Larger banks are investing heavily in fraud detection, biometric checks, and intelligent friction—adding delays and verifications to catch suspicious activity. They’re training specialist teams, joining real-time scam reporting platforms, and using AI to detect subtle signs of coercion.

As these defences improve, scammers are looking elsewhere. Smaller banks—especially those not yet participating in new industry systems—may become the new soft targets.

The threat isn’t hypothetical. Fraudsters are pragmatic. They follow the path of least resistance.

Proactive response builds trust

The upside for community banks? They have an opportunity to lead with care. By building a robust, human-centred approach to scam prevention, they can differentiate through trust—not just technology.

Simple changes go a long way. Adding warnings before payments. Calling customers to verify unusual transfers. Training frontline staff to spot red flags and respond with empathy. Joining platforms like the Fraud Reporting Exchange (FRX) to freeze funds faster.

These are not just technical moves—they’re signals. Signals that the bank is watching out for its customers, even when it’s inconvenient.

Fighting scams is a team sport

No bank can solve APF alone. Collaboration is key. That means adopting industry-wide standards like the Scam Safe Accord, participating in cross-bank fraud networks, and staying aligned with regulators’ expectations.

It also means educating customers—especially older ones—about how scams work and how to spot the signs. Community and regional banks are well-positioned to do this through direct relationships, local events, and trust-based communication. And when scams do happen, a fast, transparent, and caring response can turn a crisis into a moment of loyalty.

A turning point for banks

The rise of authorised payment fraud is more than a security issue. It’s a trust issue. A regulatory issue. A brand issue.

For community and regional banks, this is a moment to lead—to build defences that scale with their needs, without losing the human touch. The path won’t be easy, but the tools are there. And customers are watching.

At Enlace, we’re helping community and regional banks level up their fraud prevention. From Multi-Factor Authentication (MFA) to secure transaction flows and real-time risk signals through transaction monitoring, we connect the dots so you can protect your customers—and your reputation. Because in today’s world, safety isn’t optional. It’s expected.

The insights in this post are based on industry research, conversations with Australian banks and fraud prevention experts, as well as our own experience. The content is for general information only and not intended as legal, financial, or technical advice. While Enlace strives for accuracy, the information may not reflect the latest developments.