eSafety 101
Published on
Start hereDigital safety basics · Part 11

How to Safely Pay Someone Online

Quick read

For everyone

Main point

Main point: always verify payment details through a separate trusted channel before sending money for a first payment, changed bank details, or a large amount.

A payment request can look real and still send your money to a criminal. This can happen with invoices, deposits, marketplace purchases, investment platforms, school fees, rent, contractor payments, business payments, and property purchases.

Be especially careful when:

  • You are paying someone for the first time.
  • The bank details are new or have changed.
  • The amount is large.
  • The payment is urgent.
  • The details only came from one email, attachment, text message, website, or chat.

Before paying, confirm the details using a contact method you already trust. For example, call a known phone number, use an official app, log in through a saved website, or confirm through a trusted portal.

A safer habit: do not rely on the bank details, phone number, or links in the same message. Use a separate trusted contact method to verify first, then pay.

A little deeper

For curious readers

Context

So far in this series, we have focused on slowing down, recognising pressure, checking messages and websites, and verifying important requests separately.

Now we are looking at one of the moments where those habits matter most: sending money.

Online payments are part of everyday life. We pay invoices, buy items, book holidays, send deposits, pay tradespeople, transfer money to family, and pay through websites and apps.

Most of the time this works well. The risk is that scammers know payments can be fast, emotional, and difficult to reverse.

The danger is not only fake payments. It is also real payments sent to the wrong place.

A scammer may not need to hack your bank. They may only need to convince you to send money to an account they control.

One of the most serious examples is a property purchase.

You may be expecting an email from a conveyancer, solicitor, real estate agent, or settlement service. The timing may be right. The amount may make sense. The email may look normal. But if the bank details have been changed, intercepted, or faked, a house deposit or settlement payment could be sent to a criminal.

This is why large payments and changed bank details should always be checked separately, even when the message was expected.

Common payment risks include:

  • A fake invoice that looks real.
  • Real invoice details changed by a criminal.
  • A fake seller asking for a deposit.
  • A fake buyer sending a false payment receipt.
  • A fake website asking for card or bank details.
  • A scammer asking for gift cards, cryptocurrency, or unusual payment methods.
  • A message saying bank details have changed.
  • A caller claiming your money must be moved to keep it safe.

Step 1: Slow the payment down

Scammers often want the payment to happen quickly.

They may say the offer will expire, the account will be closed, the property deposit is due today, the invoice is overdue, the item will be sold to someone else, or your money is at risk.

Pressure does not prove something is a scam, but it is a reason to pause.

Step 2: Check what you are paying for

Before paying, ask whether the request makes sense.

  • Were you expecting this invoice, fee, deposit, or payment request?
  • Is the amount correct?
  • Does the timing make sense?
  • Is the payment method normal for this situation?
  • Has anything changed from previous payments?
  • Is the person asking you to keep the payment secret?

If something feels unusual, check before paying.

Step 3: Verify bank details separately

Bank details should be treated as high-risk information.

This is especially important for:

  • First payments to a person or business.
  • New bank details.
  • Changed bank details.
  • Large payments.
  • Urgent payments.
  • Payments where the details only appear in one message or attachment.

Do not rely only on bank details in an email, attachment, text message, chat, or payment page.

Do not use the phone number or link in the same message to verify the payment details. If the message is fake or has been altered, the contact details may be fake too.

Use a separate trusted contact method. For example, call a number you already know is correct, use a saved contact, check through an official app, or confirm details through a trusted portal.

If you are paying a house deposit, business invoice, contractor, school fee, rent, or vehicle deposit, it is worth taking a few extra minutes to confirm the account details.

Step 4: Be careful with payment methods

Some payment methods offer more protection than others.

A card payment through a trusted website or platform may offer more options if something goes wrong. A direct bank transfer, gift card, cryptocurrency transfer, or payment outside a trusted platform may be much harder to recover.

Be cautious if someone insists on an unusual payment method or asks you to move away from the normal platform.

Step 5: Watch for fake proof of payment

Scams do not only target buyers. Sellers can be targeted too.

A scammer may send a fake receipt, fake bank transfer screenshot, fake PayPal email, fake overpayment, or fake courier message.

Do not release goods, send refunds, or forward money just because someone sent a screenshot. Check that the money has actually arrived in your own account through your own app or website.

A simple rule:

If the payment matters, verify the person, payment details, and payment method before you send money or release goods.

Technical notes

For confident users

Technical

Online payment scams often involve authorised push payment fraud, business email compromise, invoice redirection, payment redirection, marketplace fraud, fake payment portals, card phishing, investment scams, money mule recruitment, and account takeover.

The key issue is that many scams result in an authorised payment. The victim may personally approve the transfer, card payment, wallet transaction, or platform payment because they believe the request is legitimate.

Once a payment is authorised, recovery depends on the payment method, bank processes, platform rules, timing, jurisdiction, whether the recipient account can be frozen quickly, and whether the funds have already been moved through mule accounts or converted into another form.

Payment risk should be assessed across four questions:

  • Identity: who am I paying?
  • Destination: where is the money going?
  • Purpose: why am I paying?
  • Recoverability: what happens if I am wrong?

Bank transfers require special care.

In payment redirection and business email compromise scams, the attacker may compromise or impersonate a trusted party and provide altered bank details. This can happen during real transactions, including property purchases, supplier payments, construction work, school fees, rent, legal services, and business invoices.

The attacker does not always need to create a fake transaction. They may insert themselves into an existing transaction at the point where payment instructions are expected.

This is why an expected message can still be dangerous. The payment event may be real, but the destination account may be fraudulent.

High-risk payment scenarios include:

  • First payment to a new recipient.
  • New bank details for an existing recipient.
  • Changed bank details sent by email or attachment.
  • Large deposits, settlement payments, or milestone payments.
  • Urgent payment instructions.
  • Instructions to split payments across accounts.
  • Requests to ignore previous bank details.
  • Requests to move payment outside a normal platform.
  • Requests to keep the payment confidential.

These should trigger out-of-band verification using a trusted contact method that was established before the payment request. Replying to the same email thread is not enough if the email account, mailbox rules, contact record, or conversation thread has been compromised.

Contact details inside the payment request should not be treated as proof. A fraudulent or altered message may include a fake phone number, fake email address, fake payment link, or fake portal designed to confirm the attacker’s own instructions.

Verification should confirm both identity and destination.

It is not enough to confirm that an invoice exists. The important question is whether the payment destination is correct. A strong verification process confirms the recipient, the account name, the BSB and account number or payment identifier, the amount, and the reason for payment using a trusted channel.

For very large payments, consider reading the account details back slowly, confirming them through more than one trusted method, and recording who confirmed the details and when.

Payment method changes are also a warning sign.

Attackers often prefer methods that are fast, final, hard to trace, or difficult to reverse. Examples include direct bank transfers, cryptocurrency, gift cards, wire transfers, instant transfer services, and payments made outside the normal marketplace or booking platform.

Card payments can still be fraudulent, especially when entered into fake websites or payment pages. However, card networks and trusted payment platforms may provide dispute or chargeback processes that are not available for every transfer type.

Fake payment portals can look legitimate.

A fake website may imitate a checkout page, investment dashboard, rental deposit page, parcel fee page, subscription renewal page, government payment page, or invoice payment page. It may collect card details, redirect to a bank transfer, or simulate a successful payment.

A fake payment flow should be assessed the same way as any other website: source of visit, actual domain, requested action, payment destination, and independent verification.

Sellers should also verify incoming payments.

Fraudsters may use fake receipts, altered screenshots, fake payment emails, overpayment stories, chargeback abuse, stolen accounts, or courier collection scams. A screenshot is not proof of cleared funds.

A safer seller process is to confirm funds inside the account or platform directly, avoid refunding overpayments to a different method, and avoid releasing goods before payment is confirmed.

Technical and process controls can reduce payment fraud risk:

  • Use trusted platforms with buyer and seller protections where possible.
  • Keep payments inside the normal marketplace, booking, or invoicing platform.
  • Use saved payees or verified supplier records for repeat payments.
  • Confirm first payments, new bank details, changed bank details, and large payments out-of-band.
  • Use dual approval for large or business payments.
  • Set transfer limits and alerts.
  • Use account nicknames carefully and review payee details before confirming.
  • Store verified payment instructions in a controlled system, not only in email.
  • Monitor email accounts for forwarding rules, suspicious sessions, mailbox compromise, and unusual OAuth grants.
  • Train staff and family members to treat bank detail changes as high-risk.
  • Keep evidence such as invoices, messages, receipts, account details, confirmation records, and timestamps.

For businesses, invoice and supplier payment controls should assume that email can be compromised. The safer source of truth is a verified supplier record with controlled change processes, approval workflows, and independent confirmation for bank detail changes.

For individuals, the same principle applies in simpler form: do not rely on a single message when money is involved.

A useful model is to separate four things:

  • Request: the message, invoice, website, call, or listing asking for payment.
  • Recipient: the person, business, account, wallet, or platform receiving the money.
  • Method: the payment type and how recoverable it is.
  • Verification: the independent process used to confirm the payment is legitimate.

The safest payment is one where the recipient, destination, purpose, and method have all been checked before money is sent.

Disclaimer: All content on this website is general in nature and is not in any way advice. While we strive to ensure the accuracy and relevance of the content, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to this website or the information, products, services, or related graphics contained on the website for any purpose. Therefore, any reliance on such information is strictly at your own risk.

In no event will we be liable for any loss or damage, including, without limitation, indirect or consequential loss or damage, or any loss or damage arising from loss of data or profits arising out of, or in connection with, the use of this website. Through this website, you can link to other websites that are not controlled by this website. We have no control over the nature, content, and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.