Australians lost $2.18 billion to scams in 2025 and AI is making every attack harder to detect.
The scam email that lands in your inbox today does not look like the ones from five years ago.
There are no obvious spelling mistakes. The sender name looks familiar. The invoice matches your supplier’s format almost perfectly. The urgent payment request sounds exactly like something your contact would write. That is because it was not written by a person cutting corners. It was built by AI.
AI tools allow fraudsters to generate highly convincing emails, invoices and messages that closely resemble legitimate business communications, according to BizCover analysis. Scam-related losses in Australia increased by 28 per cent in just the first four months of 2025, with AI arming fraudsters with powerful new capabilities.
According to the BioCatch 2026 Future of Digital Trust report, eighty-one per cent of banking leaders say fraud attempts at their organisation are increasing year on year, up from 71 per cent in the previous year’s survey. More significantly, the share reporting increasing fraud losses jumped from 59 per cent to 76 per cent over the same period.
These are not abstract institutional concerns. They reflect a fraud environment that is growing faster, more automated, and harder to detect than at any previous point. “AI is starting to reshape how customers interact with financial institutions and will change how criminals execute fraud and other financial crimes,” said Gadi Mazor, CEO of BioCatch. “As digital interactions continue to grow faster, more automated, and increasingly driven by agents, we must move beyond static identity checks and toward a deeper and immediate understanding of behavior, intent, and trust.”
The report describes the current moment as a critical inflection point. Fraud, scams, and financial crime now operate as interconnected systems that legacy defences were simply not built to handle. And the pace of change is outrunning the ability of institutions, governments, and regulators to respond.
For small business owners, that pace matters. The fraud of today is too convincing, too individually tailored, and too prevalent to rely on instinct alone to identify and avoid.
How AI is changing the attack
The BioCatch survey found 88 per cent of banking leaders believe AI has already increased the sophistication of fraud and scam schemes. That sophistication is showing up in several ways that directly affect how businesses operate day to day.
Generative AI is currently being used primarily to enhance social engineering and reconnaissance, making phishing emails, fake invoices, and impersonation attempts far more convincing than their predecessors. The grammar mistakes and generic greetings that once made fraudulent messages easy to spot are gone. What replaces them are communications that mirror your supplier’s tone, match their invoice format, and arrive from addresses that look almost identical to the real thing.
Beyond that, the emergence of autonomous AI agents capable of executing full-scale attacks signals what the report describes as a potential turning point. Eighty-four per cent of banking leaders surveyed identify AI agents as the industry’s largest exploitable vulnerability in the next year. Eighty per cent say their institution has already encountered attacks utilising agentic AI.
The speed of fraud is also accelerating. Seventy-six per cent of banking leaders are very concerned about the increase in the speed of fraudulent activities in their region. Attacks that once required significant manual effort can now be automated, scaled, and deployed rapidly.
The report also flags a growing problem around detection. Sixty per cent of banking leaders expect the widespread use of AI-mediated banking to reduce the effectiveness of traditional fraud detection signals. And 72 per cent say it will be very challenging to distinguish legitimate AI-assisted actions from malicious or manipulated AI activity in a future where AI agents commonly initiate transactions.
For small businesses using accounting software, automated payment platforms, or AI-assisted tools, that challenge is not theoretical. It is arriving now.
Why small businesses are exposed
Large financial institutions have fraud teams, detection systems, and real-time monitoring. Most small businesses have none of those things.
What small businesses typically have instead is speed, trust, and informality, all of which fraudsters know how to exploit.
Decisions move fast in small businesses. Payments are often authorised by one person. Supplier relationships are built on familiarity rather than formal process. An email that appears to come from a known contact asking for an urgent payment lands differently in a ten-person business than in a corporation with sign-off procedures and approval chains.
Invoice fraud sits at the intersection of all of these vulnerabilities. A fraudster intercepts or spoofs communication from a supplier, alters the bank account details, and waits for payment to arrive in the wrong account. The error is often not discovered until the real supplier chases the unpaid invoice, by which point recovery is difficult.
The BioCatch report notes that fraud spares no age, geography, gender, or socioeconomic standing. Technological awareness and financial literacy make no difference. The attacks are individually tailored, highly convincing, and designed specifically to bypass the caution that most people believe would protect them.
The three levers most commonly used are urgency, authority, and familiarity. An email from your CEO asking for an immediate transfer. A supplier who sounds exactly right asking you to update their payment details. A voice message from someone you recognise asking you to act before end of business.
Each of these scenarios is designed to make you move before you think. Process is the only reliable counter.
What to do right now
The defences that work are not expensive, technical, or complicated. They are procedural, consistent, and applied without exception.
Verify any change to supplier bank details by phone before processing a payment. Call the supplier directly using a number already saved in your records, not one provided in the email or message requesting the change. This one step stops the majority of invoice fraud attempts before they succeed.
Establish a two-person authorisation rule for payments above a set threshold. When no single person can approve a large payment alone, the window for fraud narrows significantly. The threshold does not need to be high to be effective.
Treat urgent payment requests with extra scrutiny regardless of how familiar the sender appears. Urgency is a deliberate tactic designed to compress your decision-making. The more pressure there is to act fast, the more reason there is to slow down and verify through a separate channel.
Train anyone in your business who handles invoices or payments to look for the signs of business email compromise. A domain name with one character changed, a slightly different email format, or a request that arrives outside normal business hours are all signals worth investigating rather than assuming away.
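The four checks above can also be run automatically over every incoming payment request before a person approves it. The sketch below is an added example, not part of the BioCatch report or the original article; the supplier register, keyword list, business hours and approval threshold are assumptions to replace with your own.

```python
from datetime import datetime

# Constructed supplier register (assumption): sender domain -> bank account on file.
SUPPLIERS = {"acme-supplies.com.au": "062-000 12345678"}
URGENT_WORDS = ("urgent", "immediately", "asap", "end of business")
DUAL_APPROVAL_THRESHOLD = 5000  # assumed threshold; set your own


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_request(sender, body, account, amount, received):
    """Return the checks a payment request must pass before it is paid."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower()
    on_record = SUPPLIERS.get(domain)
    if on_record is None:
        # A domain one character away from a known supplier is a lookalike.
        near = [d for d in SUPPLIERS if edit_distance(domain, d) == 1]
        flags.append("lookalike-domain" if near else "unknown-sender")
        on_record = SUPPLIERS[near[0]] if near else None
    if account != on_record:
        flags.append("bank-details-differ-from-record")  # phone the number on file
    if any(word in body.lower() for word in URGENT_WORDS):
        flags.append("urgency")
    if received.weekday() >= 5 or not 8 <= received.hour < 18:
        flags.append("outside-business-hours")
    if amount >= DUAL_APPROVAL_THRESHOLD:
        flags.append("needs-second-approver")
    return flags


if __name__ == "__main__":
    # Constructed sample request: the sender domain swaps an "i" for a "1".
    print(screen_request(
        "accounts@acme-suppl1es.com.au",
        "URGENT: our bank details have changed, pay before end of business.",
        "083-000 87654321", 8400, datetime(2026, 3, 7, 22, 15)))
```

An empty list means no check was triggered; any flag means the payment waits until it has been verified through a channel the requester did not provide.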
The BioCatch report calls for financial institutions to build more adaptive defences, stronger verification standards, and coordinated collaboration. For small businesses, the equivalent is simpler: build a culture where verification is normal, where urgency never overrides process, and where any request involving money is checked through a channel the requester did not provide.
The fraud environment of 2026 is not the one from two years ago. The attacks are more convincing, the tools more accessible, and the losses when they occur are larger. The response is not alarm. It is process, applied every time, before the invoice or the call or the email that looks just real enough arrives.
