Invoice and payment-redirection fraud is one of the most costly scams facing businesses today, precisely because it doesn't look like fraud at all. A trusted supplier sends an invoice you were already expecting, on familiar-looking letterhead, for goods or services you actually ordered. The only thing that's changed is the bank account number. By the time anyone notices, the money is gone and the real supplier is still waiting to be paid.

How the scam typically works

Criminals usually gain access to email accounts belonging to a supplier, a customer, or sometimes your own finance team, often through phishing emails or weak passwords. Once inside, they don't send obvious spam. Instead, they quietly watch ongoing conversations, learn the tone, the invoice format, and the payment cycle, then step in at the right moment.

Common tactics include:

  • Sending an email that appears to come from a genuine supplier contact, announcing a "change of bank details due to an account review or audit."
  • Creating a look-alike domain name that's almost identical to the real one, swapping a single letter or using a different extension.
  • Intercepting an existing email thread and replying from a hacked account, so the message appears in the correct conversation history.
  • Calling to "confirm" a change of details, using information gathered from earlier stolen emails to sound convincing.
  • Timing the request around a real invoice, a big project deadline, or a period when key staff are away, so the payment gets pushed through quickly.

Red flags to watch for

  • A request to change bank details arriving only by email, especially urgent or marked confidential.
  • Bank details that don't match the country or currency normally used by that supplier.
  • Slight changes in email tone, grammar, signature, or formatting compared to previous correspondence.
  • Pressure to act quickly, skip normal checks, or keep the change quiet from colleagues.
  • A sender email address that looks right at a glance but differs by one character or domain extension.
  • Requests to also change the invoice's contact phone number along with the bank details.

Prevention steps every business should follow

Verify any change of bank details independently

Never rely solely on the phone number or email address supplied in the change request itself. Call the supplier using a number you already have on file, from a previous contract or their official website, and ask to speak to a known contact. Confirm any change in writing through that verified channel before updating your records.

Separate the people who approve invoices from those who change bank details

Require that any update to supplier payment details be approved by a second person, ideally someone in finance who isn't involved in the original request. This simple separation of duties stops many scams before money moves.

Build a waiting period into large payments

For high-value transfers or any payment involving newly changed details, add a short delay before the funds are released. This gives time to double-check details and catch mistakes or fraud before it's too late.

Secure your own email accounts

Use strong, unique passwords and enable two-factor authentication on all business email and accounting systems. Train staff to recognize phishing attempts, since a compromised internal account is often the starting point for this kind of fraud.

Check the supplier independently

If you're dealing with a new supplier, or a change in an existing one feels unusual, look them up in the official company or business registry for their country, and check independent reviews or a company-verification service like this one. Confirm the registered address, ownership, and contact details match what you've been given.

Train staff on the pattern, not just the warning signs

Make sure everyone who handles payments understands how this fraud typically unfolds: a legitimate-looking request, arriving at a plausible moment, asking for a seemingly small administrative change. Familiarity with the pattern helps staff pause even when a message looks convincing.

What to do if you suspect fraud

Contact your bank immediately if you've made a payment you believe was redirected; banks can sometimes recall or freeze a transfer if it's caught quickly. Report the incident to your local fraud reporting authority or police, and notify the real supplier so they can warn other customers and secure their own systems. Keep all emails and records, since they may be needed for investigation or insurance claims.

Building lasting protection

Invoice and payment-redirection fraud succeeds by exploiting trust and routine. The best defense isn't suspicion of every supplier, but a consistent process: verify changes through a separate channel, split responsibility for approvals, and take a moment before any large or unusual payment goes out. These habits cost little to put in place and can prevent a loss that's often very difficult to reverse.