Invoice Redirection
A fraud where criminals intercept or impersonate a supplier's communications to substitute fraudulent bank details on invoices, diverting payment to a criminal account.
Also known as: payment diversion fraud, supplier fraud, bank detail fraud
Last reviewed: 1 June 2026
Invoice redirection fraud (also called payment diversion fraud or mandate fraud) occurs when a criminal convinces a business or individual to change the bank account details they hold for a regular supplier or service provider, so that future payments are sent to a fraudster-controlled account instead. The victim continues making payments believing they are settling legitimate invoices, while the genuine supplier remains unpaid and unaware.
The attack is typically enabled by one of two methods: either the criminal compromises the supplier's own email account (email account compromise, EAC) and sends the payment detail change directly from a trusted inbox, or they spoof the supplier's email address convincingly enough to fool the accounts payable team. In both cases, the request to update banking details looks routine, because such changes do legitimately happen, which reduces suspicion.
Large sums can be diverted before the fraud is discovered, often only when the genuine supplier chases an overdue invoice. By that point, the criminal account has been emptied. Prevention relies on robust verification procedures: any request to change payment details should be confirmed by calling the supplier on a number already on record (not one in the email), and changes should require dual authorisation in the accounts payable process.
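The two controls described above, written as a gate on a supplier bank-detail change. This is an added example, not code from any accounts payable product; the class and function names, the rule that the requester cannot approve their own request, and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Supplier:
    name: str
    phone_on_record: str   # captured at onboarding, before any change request
    account: str           # bank details payments currently go to

@dataclass
class ChangeRequest:
    supplier: Supplier
    new_account: str
    requested_by: str                    # AP user who keyed the request
    verified_on: Optional[str] = None    # number the confirming call went to
    approvers: set = field(default_factory=set)

def _digits(number: str) -> str:
    return "".join(ch for ch in number if ch.isdigit())

def record_callback(req, dialled: str, supplier_confirmed: bool) -> bool:
    """A call counts only if it went to the number already on record."""
    on_record = _digits(dialled) == _digits(req.supplier.phone_on_record)
    if on_record and supplier_confirmed:
        req.verified_on = dialled
    return req.verified_on is not None

def approve(req, user: str) -> None:
    # Assumption: the person who keyed the request cannot approve it.
    if user != req.requested_by:
        req.approvers.add(user)

def apply_change(req) -> str:
    if req.verified_on is None:
        return "blocked: no confirmed call-back on the number on record"
    if len(req.approvers) < 2:
        return "blocked: dual authorisation incomplete"
    req.supplier.account = req.new_account
    return "applied"

def demo() -> list:
    # Constructed data: the numbers and account strings are placeholders.
    s = Supplier("Cleaning contractor", "020 7946 0101", "ACCT-ON-RECORD")
    req = ChangeRequest(s, "ACCT-FROM-EMAIL", requested_by="ap.clerk")
    out = [record_callback(req, "020 7946 0999", True)]  # number from the email
    approve(req, "ap.lead"); approve(req, "finance.manager")
    out.append(apply_change(req))   # two approvals do not replace the call
    out.append(s.account)
    return out

if __name__ == "__main__":
    print(demo())
```

A call placed to the number quoted in the request is never recorded as verification, so the change stays blocked even with two approvers and the account on record is untouched.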
Examples
- A criminal spoofs an email from a company's regular cleaning contractor asking the company to update the contractor's bank details; the company updates its records and its next three monthly payments go to the fraudster before the contractor queries non-payment.