How to help build a culture of scam safety in your business

Scammers often target businesses through urgency and trust. Help build a culture where employees verify requests, feel safe to speak up and act early.

  • Scammers often target employees through urgency, impersonation and authority to trigger payments, account changes or the sharing of sensitive business information.
  • To help with cyber safety, employees should always confirm payment requests or bank detail changes using a trusted phone number, regardless of who appears to have sent them.
  • Destigmatising security mistakes and introducing gamified phishing simulations could help reduce an organisation's risk profile and help with cyber risk management. 

Australian businesses are facing increasing threats from scammers each year, and the financial impact can be significant. For medium-sized enterprises, the average cost of a targeted business scam has skyrocketed to nearly $100,000, with an incident reported nationwide roughly every six minutes.¹

Many businesses invest heavily in spam filters, two-factor authentication and firewalls, but the reality of modern scammers means it’s our own behavioural and psychological patterns that could leave us most exposed to threats. For many businesses, the biggest vulnerability is not just technology, but how staff respond to urgent messages that appear to come from someone in authority.

Data from the Australian Signals Directorate (ASD) reveals that business email compromise (BEC) that resulted in financial loss makes up 15 per cent of the top reported cyber attacks.

When it comes to helping better protect your business, here are some ways to start.

Always verify urgent payment 

Picture this: an employee receives an email late on a Friday afternoon from a senior member of the team urging them to swiftly authorise a pay cycle that hasn’t gone through. The employee, wanting to complete the request in a timely manner, lands exactly where the scammers want them – flustered, rushed and keen to close the task to fulfill a request from their boss.

Urgency is one of the most powerful tactics in a scammer's toolkit. According to ACCC’s Scamwatch, creating a sense of immediacy activates our natural 'fight or flight' response, meaning individuals are far less likely to think through the validity of a request in favour of getting it done quickly.

To assist in combating this type of scam, businesses can implement a strict, no-exceptions verbal verification process for all financial transactions. Rather than relying on any details provided in an email or text, establish a protocol that requires staff to verbally confirm financial instructions through a trusted, known phone number.

For businesses that want to make changes in this space, consider two baseline rules:

  • Independent callbacks: Never use the contact details or links provided within an unexpected invoice or incoming email. Always dial the supplier using a verified phone number stored internally.
  • Dual signoffs: Establish a clear process where any change to vendor banking details, or any payment above a certain amount, requires a secondary verbal confirmation by another team member.

Destigmatise the 'near miss' in business security

If urgency is a scammer’s favourite tool, blame is easily their second. A particular danger area for businesses is the reaction from co-workers or management when a staff member either falls for a scam or experiences a near miss. Blame, embarrassment and staying silent may increase the risk of a scam succeeding – and prolong the time required to remedy damage done.

When leaders make it clear to their teams that reporting an error is viewed as a massive win for the business's security, rather than something to be punished, this usually means team members are more likely to quickly report a misstep. This then allows IT and security teams to step in at the right moment and help manage the issue. 

Ultimately, a culture that rewards transparency encourages other team members to not only learn from their colleagues' experiences but actively manage their security habits as well.

Build scam awareness through regular practice

Another way to help normalise a culture of scam safety is through frequent scam awareness training. If approached thoughtfully, broad scams training can help prepare employees for a range of different threats. 

In line with the Australian Signals Directorate (ASD) guidelines, the focus should be on building critical thinking and practical experience rather than creating compliance traps. When simulations mimic everyday Australian business hurdles - like unexpected changes to vendor banking details, IT support alerts, or executive impersonation attempts - they can help boost capability without introducing a culture of resentment or fear.

These kinds of simulations are often most effective in organisations that already have strong security awareness programs in place. Also keep in mind that if these exercises are run in a deceptive way or used to catch employees out, they have the potential to have a negative impact on the transparency you're trying to build within the business.

Helping to build safe business practices starts with making scam prevention part of everyday behaviour, from pausing and verifying requests to speaking up about suspicious activity.  Find out more by watching the CommBank Cyber Security, Scams and Fraud Prevention webinar.

Related articles


Published: 14 July 2026

Things you should know

1Australian Signals Directorate (ASD). ‘Annual Cyber Threat Report 2024–25 fact sheet

This article provides general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and must not be relied upon as personal financial product advice. The views expressed by contributors are their own and don’t necessarily reflect the views of CBA. As the information has been provided without considering your objectives, financial situation or needs, you should, before acting on this information, consider what is appropriate for your circumstances, and where appropriate, consider the relevant Target Market Determination, Product Disclosure Statement and Terms and Conditions available on our website. You should also consider whether seeking independent professional legal, tax and financial advice is necessary. Every effort has been taken to ensure the information was correct as at the time of publishing but it may be subject to change. No part of the editorial contents may be reproduced or copied in any form without the prior permission and acknowledgement of CBA.