Smarter than your boss? Employees more likely than senior managers to spot a scam

New research shows workers are more effective in spotting scams targeting their company.

9 April 2026


Key points:

  • Three in four employees spotted a scam targeting their workplace, leading to the prevention of the scam, compared to around half of senior managers. 

  • In cases where scams were successfully perpetrated, 42 per cent of employees reported feeling suspicious during the incident – underscoring the importance of educating staff to recognise red flags and how to act quickly. 

  • The vast majority of workplace scams arrive via email, often targeting routine activities like processing invoices.

Australian employees are proving more scam‑savvy than their bosses, with new data showing employees are far more likely than managers to identify a scam attempt, even as business email compromise (BEC) continues to cost Australian businesses millions each year.

BEC scams, otherwise known as payment redirection scams, remain the most common way scammers infiltrate workplaces, with 73 per cent of scams targeting businesses arriving via email. These scams typically involve requests to add or change payment details or to approve transfers, often appearing to come from a trusted senior leader or supplier.

The research, conducted by CommBank’s Behavioural Science Team across 1,126 employees, managers and owners of small, medium and large businesses, found that 76 per cent of employees spotted a scam targeting their workplace which led to the prevention of the scam, compared with just over half (53 per cent) of managers.

However, in instances where scams were successful, 42 per cent of employees and 20 per cent of managers reported feeling suspicious during the incident, highlighting both a critical gap in scam awareness at all levels of organisations and the importance of educating staff to recognise red flags and act quickly.

In most cases (61 per cent) where workplace scams were successful, it was because subtle abnormalities were not identified, highlighting the crucial role that independent checks and awareness among staff play in preventing funds being misdirected.

According to William Mailer, Chief Behavioural Scientist at CBA, scammers are exploiting normal workplace behaviours and pressures rather than technical gaps alone, often mimicking real suppliers, colleagues or executives and using authentic‑looking email addresses – a hallmark of business email compromise scams.

“Business email compromise scams are designed to feel routine and familiar; they mirror how we normally work and communicate, often using familiar corporate language. By targeting everyday tasks we perform on auto-pilot, scammers exploit moments when we are less likely to stop, check and reject,” Mailer said.

“When people are busy, under pressure or responding to requests that appear to come from senior leaders or trusted suppliers, they’re more likely to rely on instinct rather than stopping to verify. That’s exactly the moment scammers are counting on.”

Stress a contributing factor

The research also shows workplace conditions can significantly influence outcomes. High workplace stress was present in 59 per cent of organisations where scams succeeded, compared with 38 per cent where scams were unsuccessful, reinforcing the link between pressure, speed and increased risk.

While responsibility for preventing scams is often seen as a technology issue, the findings suggest this mindset may leave businesses exposed. More than half of employees (55 per cent) and 44 per cent of managers believe IT and cyber security teams are most responsible for preventing workplace scams, despite employees being the first line of defence.

Those who successfully avoided scams pointed to human awareness as the decisive factor. Sixty‑eight per cent said spotting red flags saved them, while 47 per cent credited scam training and education, highlighting the value of regular, practical training across all levels of a business.

“The strongest protection against scams isn’t just better systems – it’s encouraging work practices where people pause, question and double‑check, even when a request appears legitimate,” Mailer said.

“Empowering employees and leaders to slow down and verify unusual requests, and even making this part of normal workplace routines and rituals, can make the difference between stopping a scam and suffering a significant financial loss.”

The findings serve as a timely reminder for Australian businesses to stay alert to business email compromise scams, ensure leaders are just as vigilant as their teams, and foster cultures where questioning unexpected or urgent payment requests is encouraged, regardless of who they appear to come from.

Indicators of a payment redirection scam

  • Unexpected or urgent payment requests;

  • Requests to update bank details or make payments to new accounts;

  • The tone of the email feels unusual or overly pushy, such as when the sender claims to be a senior executive or trusted supplier.

How to protect your workplace 

  • Train staff to always verify payment requests via an independent and trusted channel and not the contact details on the email or invoice.

  • Set up a payment approval process for your business, preferably requiring multiple approvers, with no exceptions.

  • Encourage a culture where staff are comfortable to question a payment instruction even if it’s from a senior executive.

  • Keep up to date on latest trends and have regular conversations with your teams about the danger of scams.

For more on how CommBank helps protect businesses from scams and fraud, and what businesses can do to protect themselves, visit CommBank Safe for Business.

About the research: 

This research was conducted by CommBank’s Behavioural Science Centre of Excellence in January 2026 and is based on a national survey and behavioural experiment with 1,126 Australian employees, managers and business owners. 

Participants assessed a series of realistic workplace emails, including both genuine and scam scenarios, and indicated whether they believed each was legitimate or fraudulent. Participants were randomly assigned to different conditions, allowing the study to test how factors such as time pressure and behavioural prompts (for example, pausing, verifying information or seeking advice) influenced decision-making.

The study also examined how individual factors such as confidence, prior experience, personality traits and demographics related to scam detection. The research aimed to understand what happens in the moment when people encounter scams, including the psychological and situational drivers of detection accuracy and errors.
