← Back to Blog

Why You Should Never Send Your Bank Details in a Text Message

By Dan Reeve 5 min read

By Dan Reeve — Working handyman and founder of SMASH Invoices. Dan has been a sole trader for over a decade and built SMASH after losing $1,200 in uninvoiced jobs in a single year. He still takes on handyman work and uses SMASH on every job. About Dan →

Sending BSB and account number via SMS exposes sole traders to invoice fraud — a scam where attackers intercept payment communications and substitute their own bank details. The Australian Competition and Consumer Commission (ACCC) reported $12.3 million lost to invoice fraud by Australian businesses in 2023. The average individual business loss was over $20,000. The safest invoicing method is a secure, branded portal link that displays your payment details within an authenticated environment — not in a plain text message.

The $12,000 that went to the wrong account

It's not a hypothetical. It happens every month in Australia.

The setup is simple: a scammer monitors email communications between a business and its clients. They intercept an invoice or payment request, swap out the bank details for their own, and resend it. The customer pays. The money goes to the fraudster. By the time anyone notices, the money is gone — often overseas.

In 2023, the ACCC recorded $12.3 million in losses specifically attributed to invoice fraud targeting Australian businesses. The average individual loss was over $20,000.

Most victims had done nothing wrong. They sent an invoice the way they always had — by email, by text, with their bank details in the body of the message. The scammer did the rest.

"Just text me your BSB" is one of the most dangerous sentences in small business banking.

"Never thought it would happen to me. Customer asked for my bank details by text. I sent them. Two weeks later the customer called to say they'd paid — to a different account. Someone had intercepted it. Police involved. Never recovered the money." — Jason A., Painter, Melbourne VIC [PLACEHOLDER]

Why plain text bank details are a security risk

Your BSB and account number are all a criminal needs to impersonate your payment request. Once they have those two numbers, they can create a convincing fake invoice with your business name, the correct job amount, and their own bank details substituted in.

The customer receives two payment requests — your real one and the fake one. They pay one. If they pay the fake one first, the money is gone before you know there's a problem.

Text messages are not encrypted. They pass through multiple carrier systems before delivery. They can be intercepted, cloned, or screenshotted by anyone with access to the recipient's device.

The risk isn't just fraud. Sending bank details by text also gives you no record of whether the customer received the correct details, no confirmation that the amount was agreed, and no professional paper trail if the payment doesn't arrive.

What secure invoicing looks like instead

Instead of texting bank details, send a portal link. The customer clicks the link. They see your invoice — your business name, your logo, your ABN, the job breakdown, and your payment details. Everything is authenticated within the portal environment.

When they pay, the payment is processed through a verified gateway (Stripe Connect in the case of SMASH Invoices). The money goes directly to your verified account. There is no interception point. There is no BSB floating through an SMS thread.

For the customer, it's more professional and more reassuring. For you, it's more secure and creates a clean payment record.

Frequently asked questions

Is it safe to send bank details by text to a customer in Australia? It is not recommended. Plain text messages are unencrypted and can be intercepted, screenshot, or forwarded. The safest method for requesting payment is a secure invoice portal where bank details or payment links are displayed within an authenticated environment, not communicated via SMS or unencrypted email.

What is invoice fraud and how does it work in Australia? Invoice fraud (also called business email compromise or payment redirection fraud) involves criminals intercepting payment communications and substituting genuine bank details with fraudulent ones. The ACCC reported $12.3 million lost to this fraud type in 2023. Targets are typically small businesses that send bank details via email or SMS.

How do I invoice a customer securely without emailing bank details? Use a secure payment portal. Apps like SMASH Invoices generate a portal link for each invoice — the customer opens the link and pays within the secured environment. Your bank details are never exposed in a plain text email or SMS, and all transactions are processed through verified payment infrastructure.

What should I do if I think my invoice has been intercepted by a scammer? Contact your customer immediately by phone (not email or SMS) to verify the bank details they received. Report the fraud to your bank and to the ACCC via ReportCyber.gov.au. Your bank may be able to freeze the receiving account if you act quickly — typically within 24–48 hours of the fraudulent payment.

What are the legal requirements for invoicing in Australia? Australian tax invoices must include: supplier name, ABN, invoice number, date, description of goods or services, total amount, and GST amount. There is no specific requirement about delivery method, but all required fields must be present and legible. A portal-based invoice containing all these fields is fully compliant.

Secure portal. No BSB in a text. No fraud risk. Start Free →

About Dan Reeve
Working handyman and founder of SMASH Invoices. Dan has been a sole trader for over a decade and built SMASH after losing $1,200 in uninvoiced jobs in a single year.