Invoice Redirection on Microsoft Teams
Attackers use Microsoft Teams chats to impersonate a supplier contact and announce new bank details, diverting genuine invoice payments to a criminal account.
Part of: Invoice Redirection Fraud
Last reviewed: 1 June 2026
Where businesses collaborate with suppliers through Microsoft Teams, invoice redirection can arrive as a chat message rather than an email. A request to update banking details, delivered under a familiar supplier name in a shared channel or direct message, can feel like routine coordination.
The informality of Teams chat reduces the scrutiny a formal bank-change request would receive. A compromised supplier account or an external guest using a recognisable name can announce new payment details that staff act on without independent verification.
How this scam works on Microsoft Teams
The attacker, using a compromised supplier account or guest access, messages the customer's finance or project staff through Teams, stating that the supplier has changed banks. They reference a real invoice or order to appear legitimate.
They supply new account details and ask that the next payment use them, framing the change as routine admin. The chat context discourages a formal check, and the familiar identity removes the suspicion usually attached to new payment details.
When the customer pays to the new account, the funds reach the criminal. The diversion is typically uncovered only when the genuine supplier reports the payment never arrived.
Common red flags
- A supplier announcing a bank-detail change through a Teams chat
- An external-guest account using a known supplier name
- A change request referencing a real invoice to build trust
- New banking details provided only in chat
- Pressure to redirect an imminent payment
- Reluctance to confirm the change by phone
How to protect yourself
- Verify any bank-detail change by phone with a known supplier contact
- Do not action banking changes from a chat message alone
- Require dual authorisation for changes to supplier records
- Restrict and label external-guest access in Teams
- Confirm the first payment to a new account before continuing
- Keep banking-change processes in audited, official systems
How to report it
- Report the compromised or impersonating account to IT security
- Notify your bank and the genuine supplier without delay
- File a report with your national cybercrime or fraud centre
Frequently asked questions
Our supplier asked to change bank details in a Teams chat. Can we action it?
Not from the chat alone. A compromised supplier account or a guest can post such a request under a trusted name. Confirm the change by phone with a known supplier contact before updating any banking records.