Document fraud in Australia: scale, mechanics, and the limits of current defences.

Business Activity Statement Fraud

Business Activity Statements (BAS) are tax reporting documents lodged with the Australian Taxation Office. They record a business's GST obligations, PAYG withholding, and other tax liabilities, and are therefore a primary source of financial information for commercial lenders assessing business income and financial position.

Australian Tier 1 banks report that the majority of commercial lending fraud involves tampered Business Activity Statements. The fraud methodology is straightforward: a genuine BAS document is downloaded from the ATO's online portal as a PDF, modified using document editing software to show inflated revenue figures, and submitted to a lender as evidence of financial position. The lender has no mechanism to verify that the document is genuine – the ATO does not operate a public verification service for BAS documents.

AI-powered document generation tools have increased the sophistication of this fraud category. Entirely fabricated BAS documents – not tampered from genuine originals – are increasingly difficult to distinguish from genuine documents by visual inspection, metadata analysis, or document forensics tools.

Invoice Fraud

Invoice fraud involves the interception and modification of a legitimate invoice between issuance and receipt. The most common variant involves substitution of bank account details: the original invoice's payment destination is replaced with a fraudulent account number before the invoice reaches the payer.

The payer, seeing an invoice that accurately describes the goods or services received and matches the issuing company's branding, makes payment to the fraudulent account. By the time the fraud is detected – when the legitimate supplier follows up on non-payment – the funds have typically been moved and are unrecoverable.

Invoice fraud is also conducted via fabricated invoices: fraudulent invoices created for goods or services not supplied, submitted to businesses with weak internal controls or by employees in collusion with external parties. The Australian Competition and Consumer Commission reported that invoice fraud was one of the most significant fraud categories affecting Australian businesses in 2024, with losses across the economy running into hundreds of millions of dollars annually.

Identity Document Fraud

Identity document fraud encompasses the fabrication, alteration, and misrepresentation of identity documents – passports, driver's licences, proof of age cards – and identity-adjacent documents such as payslips, bank statements, and proof of address records.

Know Your Customer (KYC) and Know Your Business (KYB) obligations require banks and regulated entities to verify the identity of customers and counterparties. AI-generated identity documents – including photorealistic fake passports and driver's licences – present an increasing challenge to document-based identity verification systems.

While automated identity verification systems (liveness testing, government database checks) provide stronger verification than document inspection, document-based verification remains common in contexts where automated systems are not integrated, including professional services firms, legal practices, and smaller financial institutions.

Trust and Company Document Fraud

Trust deeds, shareholder agreements, company constitutions, and other complex entity documents are regularly required by financial institutions for regulatory and risk management purposes. These documents are not registered in a publicly accessible database – they are private documents held by the parties to the transaction.

Financial institutions currently rely on certified copies of these documents. A certified copy is a photocopy attested to by a qualified professional (typically a lawyer or JP) who has sighted the original. The certifier cannot verify that the original document is genuine – they are only confirming that the copy matches the document they have seen. The certification itself can be forged.

Public Company Document Fraud

ASX-listed companies are subject to market-sensitive document fraud: fabricated internal documents – board presentations, financial projections, strategic plans – that are circulated to media and market participants as genuine leaked material. These documents, if believed, can materially affect a company's share price before they are identified as fraudulent.

The challenge for companies is that denials are only assertions. A company claiming a document is fake has no mechanism to prove the claim unless the document contains forensic markers that can be independently verified – and in the age of AI-generated content, even forensic analysis is an unreliable defence.

The Limits of Current Defences

Current defences against document fraud fall into two categories: detection (attempting to identify fraudulent documents) and verification by proxy (certified copies, reference checks, attestations by third parties).

Detection-based approaches are engaged in a structural arms race. The quality of AI-generated documents improves continuously. Document forensics tools are reactive – they identify known forgery techniques. Novel approaches, or AI-generated documents produced by systems specifically trained to evade detection, will defeat detection tools until new detection methods are developed.

Verification by proxy – particularly certified copies – provides accountability for the person making the attestation, but no mechanism to verify that the underlying document is genuine. A lawyer certifying a copy of a trust deed is certifying that the copy matches the document they saw, not that the document is genuine. Neither approach provides a non-repudiable, cryptographically verifiable record that a specific document was authenticated by a specific verified individual at a specific time.