Employees outspot managers in CommBank scam research
CommBank has released research showing employees are more likely than managers to identify scams targeting their workplace. The findings come as business email compromise remains a common route for fraud against Australian companies.
The study surveyed 1,126 employees, managers and owners of small, medium and large businesses. It found that 76 per cent of employees spotted a scam targeting their workplace and prevented it, compared with 53 per cent of managers.
It also found hesitation and uncertainty across organisations when scams did get through. Among scams that succeeded, 42 per cent of employees and 20 per cent of managers said they had felt suspicious, yet the fraud still went through.
Email threats
The research found that 73 per cent of scams targeting businesses arrive by email. Many are business email compromise scams, also known as payment redirection, in which criminals pose as a senior executive or supplier to persuade staff to change payment details or approve transfers.
This points to a persistent weakness in routine workplace communications, particularly when staff are asked to act quickly on invoices, bank detail changes or transfer requests. These scams rely on familiarity and urgency rather than technical sophistication, making them harder to spot in busy finance and operations teams.
The gap between employees and managers in identifying fraud attempts may reflect how each group handles requests. Front-line and administrative workers often deal directly with invoices, supplier details and payment instructions, while senior managers may see fewer of these messages but are more likely to be impersonated in them.
The figures also suggest that recognising a warning sign does not always stop the fraud. In cases where respondents said they had been suspicious, the scam still succeeded, indicating that internal escalation processes and decision-making can fail even when someone detects something unusual.
Workplace response
The results add to concerns about the financial damage caused by business email compromise, which remains a costly fraud type for Australian businesses. Payment redirection scams typically exploit trust between companies and suppliers, or between staff and senior executives, and often target standard business processes rather than software weaknesses.
For companies, that means anti-fraud efforts cannot rely on cyber security tools alone. Training, verification rules and approval controls can play a central role, especially for businesses that process large volumes of invoices or rely on email for payment instructions.
Smaller businesses may be particularly exposed because they often have leaner teams and fewer layers of approval. Larger organisations face their own risks, as complex structures and high transaction volumes can make unusual requests appear routine.
The findings also suggest that rank does not necessarily correlate with scam awareness. While managers may be assumed to have stronger oversight, the data indicates that employees closer to day-to-day transaction handling may be better placed to spot irregularities, provided they have clear authority to question requests and pause payments.
This creates a challenge for business leaders seeking to strengthen fraud controls without slowing operations. Staff may notice warning signs, but unless reporting lines are clear and payment changes are independently verified, suspicious activity can still turn into losses.
Businesses handling supplier payment changes are a frequent target because these requests can be made to look plausible and urgent. Fraudsters often mimic the language and format of legitimate business communications, making the difference between a normal instruction and a scam difficult to detect at first glance.
The data also underlines the importance of culture as well as process. Staff who feel able to challenge a request that appears to come from a senior figure may be more likely to stop a scam before money leaves the business. Where employees feel pressure to comply quickly, warning signs may be overlooked or dismissed.
Business email compromise remains the most common way scammers infiltrate workplaces, with 73 per cent of business-targeted scams arriving through email.