What is Direct Debit fraud?

Direct Debit fraud occurs when a debit is taken from your account without your proper authority, as set out in a valid Direct Debit request.

This has sometimes happened when BSB and account numbers published online or in a public document were used to debit accounts via Direct Debit.

There are some steps you can follow to reduce the risk of this happening to your business.

Check your accounts regularly

We recommend you check your accounts regularly (preferably daily) for any suspicious or unauthorised transactions. Online banking is the quickest and easiest way to check your accounts, rather than waiting for account statements to arrive.

Block suspicious Direct Debits

If needed, you can ask us to block future Direct Debits from specific third parties. If you need to remove a block, please contact us.

Please note we can’t block all Direct Debits to your account. We can only block debits when we have the relevant Direct Debit User ID, which identifies the specific third party.

Avoid making account details public

One way to reduce the risk of fraud is to ensure you don’t make your account details publicly available. If your account details are publicly available (e.g. on websites or provided to third parties), we recommend you talk to your banker about setting up the following inward account structure.

Set up an inward account

Establish a separate business or corporate account to receive inward payments. This account can be made public, but here are some ‘rules’ around how you should use it:

  • Don’t make outward payments from this account.
  • Request that all fees, including any return items, be posted to an operating account (refer below).
  • Periodically transfer funds from this account to your operating account, using NAB Connect or Internet Banking.

You might also want to consider establishing an automatic balance transfer. You can ask your banker about a suitable product.

Set up an operating account

This account should be for normal business activity and is used as follows:

  • Keep account details confidential.
  • Make all outward payments from this account.
  • Nominate this account as your fee account.

If you must make account details available in the public domain, only make the inward account details available. 

This is a suggestion only and does not eliminate the risk of fraud. For further advice please speak to your banker.

Don’t recognise a Direct Debit on your account?

If you find a Direct Debit you don’t recognise when checking your accounts, notify us immediately.

This is how you can contact us: 

Dispute process for unrecognised Direct Debits

You can submit a transaction dispute using our online form.

Once you’ve lodged your dispute, we’ll work with the bank where the transaction was initiated to request evidence that they have the proper authority to debit your account.

They have five business days to provide us with an appropriate response. We’ll then advise you of the outcome.

Our transaction dispute page explains the process in more detail and provides information on what to do if you’re unhappy with the outcome of the dispute.

Rules and regulations governing Direct Debit

Direct debits are regulated by the Bulk Electronic Clearing System (BECS) Procedures and Regulations. These rules place primary liability on the bank where the transaction was initiated (Initiating Bank) to demonstrate proper authority to debit your account.

Under the BECS guidelines, direct debits made without proper authority from you are usually covered by the Initiating Bank. For further advice please speak to your banker.

Helpful resources

Australian Payments Network

The Australian Payments Network administers the Bulk Electronic Clearing System (BECS) for electronic debit and credit payment instructions. This includes information on the BECS regulations, procedures, and guidelines.

The Australian Cyber Security Centre (ACSC) brings cyber security capabilities from across the Australian Government together into a single location. It’s the hub for private and public sector collaboration and information sharing to combat cyber security threats.

ReportCyber is a secure reporting and referral service for cybercrime and online incidents which may be in breach of Australian law. The ReportCyber website provides a cybercrime reporting mechanism as well as helpful information about cybercrime.

Scamwatch provides information to consumers and small businesses about how to recognise, avoid and report scams using publications, videos and other online resources.

The Office of the eSafety Commissioner provides online safety education for Australian children and young people, provides a complaints service for young Australians who experience serious cyberbullying, and addresses illegal online content.
