Your Payroll System Is a Cyber Target: What ANZ Boards Need to Know

Australia lost $2.18 billion to scams in 2025. That figure, published by the Australian Competition and Consumer Commission (ACCC) in its Targeting Scams report, is striking on its own. But buried inside it is a more specific number that should concern every Australian and New Zealand business leader: $166.8 million lost to payment redirection scams alone.

Payment redirection fraud does not rely on sophisticated malware or complex technical exploits. It targets people and processes. It exploits the moments when a finance team member changes a supplier's bank account, approves a payroll update, or acts on an instruction that looks entirely routine. And when a new report from the Australian Institute of Company Directors (AICD) reveals that one in three Australian employers are not fully confident they are paying employees correctly, the scale of the opportunity for attackers becomes very clear.

These two issues, scam losses and payroll governance, are more connected than most boards and leadership teams realise. Understanding that connection is one of the most practical steps an organisation can take to reduce financial and reputational risk in 2026.

Payment redirection: the business-facing threat hiding in plain sight

The ACCC's Targeting Scams report draws on data from Scamwatch, ReportCyber, the Australian Financial Crimes Exchange (AFCX), IDCARE, and ASIC. Australians filed 481,523 scam reports in 2025, with 274,577 resulting in financial losses. The five scam types responsible for 60 per cent of all losses were investment scams ($837.7 million), payment redirection ($166.8 million), romance scams ($139.9 million), phishing ($97.6 million), and remote access scams ($69.9 million).

While investment scams dominate by dollar value, they largely target individuals. Payment redirection, phishing, and remote access scams are overwhelmingly business-facing threats. They target the accounts payable team processing a supplier invoice, the HR manager updating employee bank details, and the finance director approving an urgent payment request. For mid-market organisations with lean teams and limited security oversight, these are high-probability, high-impact exposures.

New Zealand organisations face comparable risks. The New Zealand Commerce Commission and CERT NZ both report sustained levels of business payment fraud, and the threat vectors are nearly identical. For trans-Tasman organisations operating across both markets, the risk profile is compounded by the need to manage two regulatory jurisdictions simultaneously.

The payroll governance gap is a cyber risk

The AICD's payroll governance article, citing Yellow Canary's 2026 State of Payroll Compliance report, identifies a persistent confidence gap in Australian organisations. One in three employers are not fully confident they are paying employees correctly. Board engagement in payroll oversight sits at just 30 per cent overall. Interpreting modern awards and enterprise agreements is cited as the biggest compliance challenge by four in ten organisations.

This governance gap matters to cybersecurity for a straightforward reason: attackers do not need to breach a perimeter if an organisation's internal controls are already fragmented and poorly supervised. Payment redirection fraud and business email compromise thrive in environments where payroll change approvals are informal, supplier bank account updates lack verification steps, and finance teams are stretched across multiple responsibilities without structured oversight.

The AICD article is direct on the consequences: a single payroll error that goes undetected or is poorly governed can quickly escalate into legal, financial, and reputational consequences, with potential personal liability for directors. The Cyber Security Act 2024 introduces a parallel accountability framework for cyber incidents, placing similar obligations on directors to demonstrate reasonable cyber risk governance. When payroll fraud and cyber fraud converge in the same process gap, both sets of obligations are in play at the same time.

AI is making payroll fraud harder to detect

The ACCC's deputy chair, Catriona Lowe, specifically called out the increasing sophistication of scam activity driven by artificial intelligence and the industrialisation of criminal syndicates through scam compounds. This is not an abstract warning. AI-generated voice cloning and deepfake video are now being used in targeted business fraud, including to impersonate executives or finance managers over phone calls or video conferences to authorise payroll changes and payment redirections.

The five words most commonly found in phishing emails, according to KnowBe4's 2025 Phishing Threat Trends Report, are: urgent, sign, review, invoice, and payment. These are, not coincidentally, also the five words most likely to appear in a legitimate payroll or accounts payable workflow. When the language of fraud is indistinguishable from the language of normal business operations, human verification alone is not sufficient. Process controls, approval workflows, and technical detection need to work together.

What the Essential Eight has to say about this

The Australian Signals Directorate's Essential Eight is the most widely recognised cyber risk reduction framework for Australian organisations. Two of its eight controls are directly relevant to preventing payroll fraud and payment redirection attacks.

Restricting administrative privileges limits who can make changes to payroll systems, approve payment runs, or update supplier banking details. Implementing multi-factor authentication (MFA) on payroll platforms, banking portals, and finance systems means that even a successful phishing attack or compromised credential cannot immediately translate into a fraudulent payment. For organisations that have not yet achieved maturity in these two controls, the ACCC's $166.8 million payment redirection figure represents a concrete, quantifiable exposure.

In New Zealand, the New Zealand Information Security Manual (NZISM) and guidance from the National Cyber Security Centre (NCSC NZ) set out comparable control expectations. The underlying logic is the same: reducing the attack surface around privileged financial processes is one of the highest-return investments an organisation can make.

Questions boards should be asking right now

The AICD notes that boards require consistent, independent, and defensible visibility into payroll outcomes, supported by management teams delivering reliable, high-quality data. The same standard applies to cyber risk. Boards that receive only high-level updates on IT security, without visibility into the specific process controls protecting financial systems, are operating with a blind spot that regulators and courts are unlikely to accept as a defence.

Practically, boards and senior leadership teams should be asking management the following questions. Who has the authority to change a supplier's bank account details, and what verification steps are required? What controls exist to prevent an employee bank account from being updated via a single email or phone call? Is multi-factor authentication enforced on all finance and payroll platforms, without exceptions? Has the organisation completed a current-state assessment against the Essential Eight controls relevant to financial process security? When was the last time a phishing simulation was run targeting finance and payroll staff specifically?

If management cannot answer these questions with confidence and evidence, the payroll governance gap identified by the AICD is also a cyber risk gap, and both need to be addressed together.
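As an added illustration that is not part of the original article, the following Python model shows what the controls behind the board questions above look like when they are written down as rules rather than left to informal practice: MFA on the session that raises or approves a change, a distinct and privileged approver (the two Essential Eight controls named earlier), an out-of-band call-back to the contact number already on file rather than any number supplied in the request, and an audit log for each decision. Every class, function, role name, vendor identifier, account string and phone number below is constructed for the example.

```python
"""Added example, not code from the original post or from Insicon Cyber.

Models a supplier bank-detail change control. All identifiers, roles and
sample values are constructed assumptions for illustration only.
Rules enforced:
  1. Raising or approving a change needs a session that completed MFA.
  2. The approver must differ from the requester and hold the
     'payments_approver' role (separation of duties, restricted privilege).
  3. The new account must be verified by a call-back to the number recorded
     at onboarding, never to a number that arrived with the request.
  4. Every decision is appended to an audit log.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Session:
    user: str
    mfa_verified: bool
    roles: Set[str]


@dataclass
class VendorRecord:
    vendor_id: str
    account: str
    verification_phone: str  # contact number captured at onboarding


@dataclass
class ChangeRequest:
    vendor_id: str
    new_account: str
    requested_by: str
    contact_in_request: Optional[str] = None  # e.g. a number quoted in an email
    callback_done_to: Optional[str] = None
    approved_by: Optional[str] = None


class BankDetailChangeControl:
    def __init__(self, vendors: List[VendorRecord]):
        self.vendors = {v.vendor_id: v for v in vendors}
        self.audit_log: List[str] = []

    def _log(self, msg: str) -> None:
        self.audit_log.append(msg)

    def raise_request(self, session: Session, vendor_id: str, new_account: str,
                      contact_in_request: Optional[str] = None) -> ChangeRequest:
        if not session.mfa_verified:
            self._log(f"REJECT raise by {session.user}: MFA not verified")
            raise PermissionError("MFA required to raise a change")
        if vendor_id not in self.vendors:
            raise KeyError(f"unknown vendor {vendor_id}")
        req = ChangeRequest(vendor_id, new_account, session.user, contact_in_request)
        self._log(f"RAISED {vendor_id} -> {new_account} by {session.user}")
        return req

    def record_callback(self, req: ChangeRequest, number_called: str, confirmed: bool) -> bool:
        """Only a call to the number on file can verify; the request's own
        contact details are deliberately ignored."""
        on_file = self.vendors[req.vendor_id].verification_phone
        if number_called != on_file:
            self._log(f"REJECT callback for {req.vendor_id}: {number_called} is not the number on file")
            return False
        if not confirmed:
            self._log(f"DENIED {req.vendor_id}: vendor did not confirm the change")
            return False
        req.callback_done_to = number_called
        self._log(f"VERIFIED {req.vendor_id} via call-back to number on file")
        return True

    def approve(self, session: Session, req: ChangeRequest) -> bool:
        reasons = []
        if not session.mfa_verified:
            reasons.append("approver MFA not verified")
        if "payments_approver" not in session.roles:
            reasons.append("approver lacks privilege")
        if session.user == req.requested_by:
            reasons.append("requester cannot approve own change")
        if req.callback_done_to is None:
            reasons.append("no out-of-band verification")
        if reasons:
            self._log(f"REJECT approve {req.vendor_id}: " + "; ".join(reasons))
            return False
        self.vendors[req.vendor_id].account = req.new_account
        req.approved_by = session.user
        self._log(f"APPLIED {req.vendor_id} -> {req.new_account} approved by {session.user}")
        return True


def demo() -> dict:
    """Runs one email-instructed change and one genuine change through the
    control. Vendor, account and phone values are constructed placeholders."""
    control = BankDetailChangeControl([VendorRecord("V-100", "OLD-ACCT-001", "+61-2-0000-0001")])
    clerk = Session("ap.clerk", mfa_verified=True, roles={"ap_clerk"})
    approver = Session("finance.lead", mfa_verified=True, roles={"payments_approver"})
    no_mfa = Session("ap.clerk", mfa_verified=False, roles={"ap_clerk"})
    out = {}
    # A session without MFA cannot even raise a change.
    try:
        control.raise_request(no_mfa, "V-100", "X")
        out["no_mfa_rejected"] = False
    except PermissionError:
        out["no_mfa_rejected"] = True
    # Scenario 1: instruction arrives by email quoting a new contact number.
    req = control.raise_request(clerk, "V-100", "UNVERIFIED-ACCT", contact_in_request="+61-4-9999-9999")
    out["callback_to_email_number"] = control.record_callback(req, req.contact_in_request, confirmed=True)
    out["vendor_denied"] = control.record_callback(req, "+61-2-0000-0001", confirmed=False)
    out["self_approve"] = control.approve(clerk, req)
    out["unverified_applied"] = control.approve(approver, req)
    # Scenario 2: genuine request confirmed on the number held on file.
    req2 = control.raise_request(clerk, "V-100", "NEW-ACCT-002")
    control.record_callback(req2, "+61-2-0000-0001", confirmed=True)
    out["genuine_applied"] = control.approve(approver, req2)
    out["account"] = control.vendors["V-100"].account
    out["log"] = control.audit_log
    return out


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The point of the model is that the single-email path fails four separate checks before any money moves, and that each failure leaves an audit entry a board or auditor can ask for; in a real system these rules would sit in the payroll or AP platform's change workflow rather than in a standalone script.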

A practical starting point for mid-market organisations

For Australian and New Zealand organisations in the 50 to 250 employee range, the challenge is not usually a lack of awareness that these risks exist. It is knowing where to start, and how to prioritise action given competing demands on limited resources and leadership bandwidth.

A structured cyber gap assessment, mapped against the Essential Eight and relevant regulatory obligations including APRA CPS 234 for financial services organisations, provides a clear baseline. It identifies which controls are in place, which are partially implemented, and where the highest-risk gaps sit relative to threats like payment redirection and payroll fraud. From that baseline, a prioritised remediation plan can be built, one that addresses both the technical controls and the governance and process changes needed to reduce exposure.

At Insicon Cyber, co-founders Matt Miller and Greg Bunt bring direct fractional CISO experience to exactly this kind of engagement. The goal is not to replace existing teams or impose complexity, but to provide the independent oversight and structured advisory that turns a gap assessment into a credible, defensible governance posture.

The ACCC's $2.18 billion figure is a national number. The $166.8 million in payment redirection losses is a business number. The question for every organisation is whether their current controls are sufficient to make sure they are not contributing to either.

Learn more about Insicon Cyber's gap analysis service, or get in touch with our team to discuss your current cyber risk posture.

