Mandate Fraud
Convincing an organisation to change a supplier's or employee's bank account details so that future payments are redirected to the fraudster's account.
Also known as: payment diversion fraud, account change fraud, supplier mandate fraud
Last reviewed: 1 June 2026
Mandate fraud targets businesses, charities, and public sector organisations by impersonating a known supplier, contractor, or employee and requesting a change to bank account details on file. The fraudster may send a convincing email from a spoofed or compromised address, or occasionally call posing as the payee. Once the account details are updated in the victim organisation's system, all subsequent legitimate payments go to the fraudster's account.
The fraud can go undetected for months if payments are regular and neither party actively reconciles invoices with bank statements. By the time the genuine supplier flags non-payment, the fraudster has withdrawn the funds and the receiving accounts are typically empty.
Mandate fraud is closely related to business email compromise (BEC) and is sometimes called 'payment diversion fraud'. Prevention requires strict change-management procedures: any request to update account details should be verified by calling the payee on a known, independently looked-up telephone number — never the number given in the change request — and confirmed in writing through a secondary channel.
Examples
- A fraudster impersonates a regular supplier by email and requests that the supplier's bank details be updated; the next three monthly payments, totalling tens of thousands, are transferred to the fraudster.