Invoice Redirection on Email
Criminals send emails impersonating a genuine supplier to announce a change of bank details, diverting legitimate invoice payments to an account they control.
Part of: Invoice Redirection Fraud
Last reviewed: 1 June 2026
Invoice redirection is one of the most damaging email frauds facing businesses. Rather than inventing a fake bill, the attacker targets a real, expected payment and simply changes where it lands by impersonating the supplier and announcing new banking details.
Email is the natural setting because supplier invoices and payment correspondence already flow through it. A message that references a real invoice, uses familiar branding, and arrives at the expected time can easily pass for routine, making the fraudulent account change hard to spot.
How this scam works on email
The attacker gathers information about a supplier relationship, sometimes after compromising the supplier's own mailbox or by spoofing its domain. They send an email to the customer's accounts-payable team stating that the supplier has changed banks and providing new payment details.
The message is timed to coincide with a genuine invoice and mirrors the supplier's usual format and tone. It may include a plausible reason for the change, such as a banking upgrade or a new finance provider, and ask that records be updated for future payments too.
When the customer pays the next invoice to the new account, the money goes to the criminal. Because the underlying invoice was real and expected, the loss is typically discovered only when the genuine supplier reports that the payment never arrived.
Common red flags
- An email announcing a supplier's change of bank account details
- A sender address that differs subtly from the supplier's real domain
- A change request timed to coincide with an expected invoice
- A vague or urgent justification for the new banking details
- Slight differences in branding, layout, or wording from past invoices
- A request to update payment records for all future transactions
How to protect yourself
- Verify any change of bank details by calling a known supplier contact
- Use a pre-saved phone number, never one provided in the email
- Require dual authorisation before updating supplier banking records
- Flag external emails so spoofed supplier domains are easier to spot
- Confirm the first payment to any new account before processing more
- Maintain a controlled, audited process for supplier detail changes
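The red flags and controls above can be partly automated at the accounts-payable mailbox. The following is an added example, not part of the original page: it checks the sender domain against the supplier master file for near-miss spellings and holds any bank-detail change for call-back verification. The supplier domains, flag names, and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains come from the supplier master file, never from incoming mail.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example", "northwind-parts.example"}
CHANGE = r"(?:chang\w*|new|updat\w*)"
BANK_CHANGE = re.compile(
    rf"\b{CHANGE}\b.{{0,40}}?\b(?:bank|account)\b|\b(?:bank|account)\b.{{0,40}}?\b{CHANGE}\b",
    re.I | re.S)
ALL_FUTURE = re.compile(r"\b(?:all|any) future (?:payments|invoices|transactions)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot domains one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review(raw_email):
    """Return the red flags found in one raw (non-multipart) email message."""
    msg = message_from_string(raw_email)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    flags = []
    if domain not in KNOWN_SUPPLIER_DOMAINS:
        near = [d for d in sorted(KNOWN_SUPPLIER_DOMAINS) if edit_distance(domain, d) <= 2]
        flags.append(f"lookalike-domain:{near[0]}" if near else "external-sender")
    if BANK_CHANGE.search(text):
        flags.append("bank-detail-change")
    if ALL_FUTURE.search(text):
        flags.append("all-future-payments")
    return flags

def needs_callback(flags):
    # A matching domain clears nothing: the supplier's own mailbox may be compromised.
    return "bank-detail-change" in flags

# Constructed sample messages (not real correspondence).
SPOOFED = ("From: Acme Accounts <accounts@acme-suplies.example>\nSubject: Updated remittance information\n\n"
           "We have moved to a new bank. Please update your records for all future payments.\n")
COMPROMISED = ("From: Acme Accounts <accounts@acme-supplies.example>\nSubject: Invoice INV-1042\n\n"
               "Our bank account details have changed following a banking upgrade.\n")
ROUTINE = ("From: Acme Accounts <accounts@acme-supplies.example>\nSubject: Invoice INV-1042\n\n"
           "Please find attached invoice INV-1042. Payment is due in 30 days to the account on file.\n")
```

A message from the genuine domain that announces new bank details is still held, because a phone call to a contact already on file is the only check that covers a compromised supplier mailbox.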
How to report it
- Report the fraudulent email to your national cybercrime or fraud centre
- Notify your bank at once to attempt recall of any payment made
- Inform the genuine supplier and preserve the email and headers
Frequently asked questions
A supplier emailed to say their bank details have changed. How do I check it is genuine?
Do not reply to the email or use any contact number it provides. Call the supplier on a phone number you already have on file and confirm the change with a known person. Genuine suppliers expect this verification for any banking update.