For finance teams that pay suppliers

Verify payment changes outside the inbox.

Business Email Compromise redirects supplier payments by changing bank details over email. ProofRelay is a controlled verification and approval system that reduces that risk — every payment-detail change is verified through a pre-established contact and approved by a second person before money moves.

13 deterministic risk rules3-person separation of dutiesSHA-256 hash-chained audit trail
Illustration: a payment instruction travels from an email envelope through callback verification and separated approval to a verified shield

How it works

One controlled path from instruction to payment release

01

Log the instruction

A supplier asks to change their bank details. Your team records the request in ProofRelay instead of acting on the email.

02

See deterministic risk indicators

Thirteen transparent rules flag changed destinations, lookalike sender domains, reply-to mismatches, urgency and secrecy language — no black boxes.

03

Verify out-of-band

A different team member calls a trusted contact that existed before the instruction arrived. Numbers inside the email are never used.

04

Approve with separated duties

A third person reviews the verification and approves or rejects. Nobody can verify or approve their own request — the server enforces it.

05

Release with a reference

Approval issues a cryptographic payment-release reference bound to the exact amount and destination. Any material change revokes it instantly.

06

Keep a tamper-evident record

Every step lands in a hash-chained audit trail with a printable decision record for auditors and insurers.

Built different

Security your team can't accidentally bypass

Every policy check runs on the server in a single transaction. The UI is the easiest way to use ProofRelay — but it is never the enforcement layer.

Server-enforced policy

Every rule is checked on the server in a single atomic transaction. The UI cannot bypass an invariant — and neither can a crafted API call.

Separation of duties

The requester, verifier, and approver must be three different people. This is enforced per-request, not just per-role.

Pre-established contacts only

Verification callbacks use only contacts approved before the instruction arrived. There is no field to type a different number.

Who it's for

Anyone who pays suppliers is a target

BEC doesn't need to breach your network — it only needs one convincing email and one busy afternoon.

Finance & AP teams

You pay dozens of suppliers a month and a single redirected invoice run costs more than a year of controls. Put every bank-detail change through one verified path.

Accounting & bookkeeping firms

You handle payments for many clients, and every client mailbox is an attack surface. Run each client as its own organisation with its own policy and audit trail.

Owner-led businesses

No dedicated finance team, but real supplier payments. The workflow walks any staff member through a callback verification a fraud examiner would sign off on.

Pricing

A fraction of one redirected invoice

Every plan includes the full verification workflow — the tiers scale with your team, not with your security.

Free

$0forever

The full workflow, free. Because every business deserves this control.

  • 1 organisation
  • Up to 3 team members
  • Up to 5 suppliers
  • Full verification workflow
  • All 13 risk indicators
  • Hash-chained audit trail
Start free
Most popular

Business

$49/month

For finance teams that pay more suppliers and answer to auditors.

  • Unlimited team members
  • Unlimited suppliers
  • Custom policy & risk keywords
  • Dual approval above a threshold
  • Printable decision records
  • Public supplier verification links
  • Priority email support
Start with Business

Firm

$149/month

For accounting firms running controls across many clients.

  • Multiple client organisations
  • Per-client policies & audit trails
  • Everything in Business
  • Onboarding assistance
  • Audit & insurer support pack
Start with Firm

The Free plan is free forever. Paid plans are also free during early access — no payment details required.

FAQ

Common questions

Does ProofRelay move money or connect to my bank?

No. ProofRelay never touches funds and has no banking integration. It controls the decision — whether a changed payment detail is verified and approved — and issues a release reference your team checks before paying through your normal banking channel.

What stops someone on my team from skipping the checks?

Every rule runs on the server in a single atomic transaction: the requester can never verify or approve their own request, verification can only use pre-established contacts, and approval requires a third person. The UI is a convenience — it is not the enforcement layer, so there is nothing to click around.

What is a release reference?

On approval, ProofRelay issues a code cryptographically bound to the exact amount, currency and destination that were verified. Anyone on your team can validate it before paying. If any material detail changes afterwards, the reference is revoked automatically.

What happens when a supplier genuinely changes banks?

That is the exact case ProofRelay is built for. The change is logged, a colleague calls a contact your team established before the request existed, and a third person approves. A genuine change passes in one phone call; a fraudulent one fails the callback.

Is this based on official guidance?

The workflow implements the controls the Australian Cyber Security Centre publishes for preventing business email compromise (cyber.gov.au): an approval process for payment-detail changes and large transfers, verification by calling the sender on a known number — never one from the email — and treating urgency, secrecy, and requests to bypass procedure as red flags. The lookalike-domain detection covers the ACSC's published impersonation patterns, from swapped characters to added words. ProofRelay is not affiliated with or endorsed by the ACSC; it automates the controls they recommend.

Can my supplier check a reference without an account?

Yes. An administrator can generate a public verification link for any live release reference and send it to the supplier — or anyone else who needs assurance. The link shows only the status, organisation and supplier names, amount, and a masked destination. It can be rotated at any time, every check is recorded in the audit trail, and a material change revokes it automatically.

Are the risk indicators AI-based?

No — deliberately. Thirteen deterministic rules check things like changed destinations, lookalike sender domains (one character away from a domain you trust), reply-to mismatches, and urgency or secrecy language. Every indicator states exactly why it fired, so your team and your auditors can reason about it.

How long does setup take?

Under an hour for most teams: create your organisation, add suppliers with their known-good payment details from your accounting system, and establish trusted contacts. Your next payment-detail change then goes through the verified path.

Is the Free plan actually free?

Yes — free forever, with the complete verification workflow, all thirteen risk indicators, and the tamper-evident audit trail for up to five suppliers and three team members. It is the full product, not a trial. You outgrow it by adding suppliers, not by hitting a paywall on security features.

What ProofRelay is — and is not

ProofRelay is a controlled verification and approval system that reduces the risk of BEC-related payment fraud. It enforces your policy on the server: separation of duties, independent callback verification through pre-established contacts, and tamper-evident decision records.

It does not move money, connect to banking systems, verify legal ownership of bank accounts, or guarantee that an instruction is authentic. A legitimate supplier mailbox may itself be compromised — which is exactly why verification happens outside the inbox. ProofRelay complements, and never replaces, email security, phishing-resistant MFA, accounting controls and your bank's own checks.

Start verifying payment changes today

Set up your organisation, add your suppliers and trusted contacts, and your next payment-detail change goes through a verified path.

Create your organisation