Invoice Redirection Scams via Wire Transfer
How attackers intercept or impersonate supplier invoices to redirect legitimate wire transfers to fraudulent accounts — and the verification step that stops it every time.
Part of: Invoice Redirection Fraud
Last reviewed: 1 June 2026
Invoice redirection fraud — sometimes called mandate scam — targets the routine payment process of businesses and individuals who regularly transfer money by wire to known counterparties. The attacker doesn't need to compromise a network or break any technical security; they simply need to intercept one email or create a convincing impersonation, change the bank details on a legitimate invoice, and wait for the scheduled payment.
Because the victim genuinely owes the money and believes they are paying a known contact, there is no obvious reason for suspicion. Wire transfers are the preferred payment rail because large payments between businesses and suppliers routinely use this method, and because wire transfers — unlike card payments — lack built-in chargeback rights. This guide covers the mechanics, the detection points, and the single most reliable countermeasure.
How this scam works on wire transfer
The attack begins either through compromising a supplier's email account (so genuine invoices can be intercepted and modified before reaching the buyer) or through creating a lookalike email address that closely mimics the supplier's domain. In both cases, the victim receives what appears to be a routine invoice from a known contact.
The invoice is identical to genuine ones in format, content, and amount — the only change is the bank account number and sort code (or routing and account number in the US). A covering note often explains the change: 'we've updated our banking arrangements,' 'we've changed our main account,' or 'please use these details for all future payments.'
For individuals, the most common variant involves conveyancing: a buyer receives what appears to be their solicitor's payment instructions for a property deposit, with account details changed by an attacker who has compromised either the solicitor's or the buyer's email. These losses can be catastrophic — entire property deposits sent to a fraudster's account.
Wire recalls depend on how quickly the victim reports to their bank. Domestic transfers may be recalled if the receiving bank has not yet processed a withdrawal. International wires are much harder.
Common red flags
- An invoice or payment instruction containing changed bank account details, even from a known contact
- An explanatory note justifying the account change that arrives by email — always verify account changes by phone
- Email address that looks correct at a glance but has a subtle difference (extra letter, different TLD, replaced character)
- Urgency attached to the payment instruction — 'please transfer today to avoid a late penalty'
- Payment instructions arriving via email for a high-value transfer where you have previously communicated by other means
How to protect yourself
- Call the supplier or solicitor on a number from your own records — never the number in the email — to verbally verify any account number change
- Establish a written policy: no bank account changes are acted upon without a voice confirmation call
- In the UK, use Confirmation of Payee before any large transfer — a name mismatch is a hard stop
- For conveyancing, agree with your solicitor at the start of the transaction how payment instructions will be communicated and verified
- Train anyone in your organisation who processes payments to treat any account-change email as requiring mandatory phone verification
How to report it
- Call your bank's fraud line immediately — the window for a wire recall is short, measured in hours for domestic transfers
- Report to Action Fraud at actionfraud.police.uk (UK) or the FBI IC3 at ic3.gov (US)
- Notify the genuine supplier whose identity was used — they may not know their email or domain is being impersonated
- Report the attacker's email domain to your national cybersecurity agency — NCSC (UK) at [email protected], or CISA (US)
Frequently asked questions
What is the one thing that stops invoice redirection fraud every time?
A phone call to the supplier using a number you already have — not the number in the email — to verbally confirm account details before transferring. This single step defeats the attack regardless of how convincing the email appears. It takes two minutes and is worth making a standard policy for any transfer above your organisation's set threshold.
Are individuals targeted by invoice redirection as well as businesses?
Yes. Property transactions are the most common individual target — attackers monitor email chains between buyers and solicitors and intercept deposit payment instructions. Any large payment where instructions arrive by email is at risk. Verbally verify payment details for all significant transfers.