Australian companies with a clean compliance history are being targeted by black market operators and stolen to aid in fraud, according to a leading Perth accounting firm.
Speaking to Business News, BDO forensic services partner Stan Gallo said investigators were seeing fraud cases in which the entity involved is not fictitious, but a legitimately registered Australian company with a clean ASIC history and active ABN.
According to Mr Gallo, instead of creating fake business names, groups were acquiring dormant or shelf companies, or compromising control of existing entities, and using them to submit high-value invoices, enter procurement systems, apply for funding and lodge GST refund claims.
And because the companies are genuinely registered and clean, they are often passing standard onboarding and verification checks, Mr Gallo said.
"What we're seeing is a shift away from obviously false entities to the misuse of real, established companies that appear legitimate on paper," he said.
"The problem is that most verification processes are designed to confirm that a company exists and is appropriately registered and recorded, not that it is controlled by who you think it is," he said.
"Age and registration status are being weaponised as a proxy for trust."
Mr Gallo said the commoditisation of corporate identities on encrypted forums and messaging platforms had lowered the barrier to entry for organised fraud groups seeking credibility.
"An aged Australian company with no compliance issues now has resale value in criminal markets. That's a structural vulnerability," he said.
"We're seeing real financial loss where governance frameworks were technically followed but still failed.
"Corporate identity integrity is becoming a distinct risk category, and businesses need to adapt their controls accordingly."
The tactic is not new, but it has become far more prevalent.
In July of last year, a Sydney man was charged with allegedly dealing with $3.5 million in proceeds of crime after a corporate email was fraudulently used to deceive the Northern Territory government.
On 7 November, 2024, the agency received an email from an individual who they believed to be a contractor from a construction company they were engaged with.
The sender allegedly provided a completed vendor identification form with updated bank details and appeared to carbon-copy email addresses of other individuals from the construction company.
The agency then paid $3.5 million to the fraudulent bank account believing it was linked to the legitimate construction company.
Further inquiries into the phone number linked to the vendor identification form allegedly led police to the man.
AFP Detective Superintendent Marie Andersson said cybercriminals targeted businesses and individuals that made significant or regular payments.
"In the 2023-2024 financial year, business email compromise and fraud were among the most common self-reported cybercrimes for small, medium and large businesses and individuals in Australia," she said.
“It is crucial to double check emails, particularly if there is a request for a change in banking details. Call the party you are engaged with to confirm the request is legitimate – and use a phone number that you’ve previously used or independently verified – don't call a number in the suspicious email.
“If you have fallen victim, report it immediately to your bank and the police to give us the best chance of recovering your money."


