Is a business email asking me to update a supplier's bank details safe?
Not until verified independently. Fraudulent invoice redirection — also called BEC or APP fraud — is one of the most costly scams targeting businesses.
Last reviewed: 1 June 2026
Explanation
Business email compromise (BEC) invoice fraud works by taking over or impersonating a supplier's email account and sending a convincing message to the accounts payable team asking them to update payment details. The new bank details belong to the fraudster, so the next legitimate invoice payment goes to the wrong account. Losses can be significant. The email may come from a domain almost identical to the supplier's (a single character swapped) or from a genuine account that has been hacked. The only safe procedure is to phone the supplier using a number from your own records (not any number in the email) and verbally confirm the change.
Common red flags
- Email requesting a change to payment or bank details
- Sender domain has subtle differences from the known supplier domain
- Urgency — upcoming invoice must be paid to the new account today
- Email arrives with no prior conversation thread
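The four red flags above can be checked mechanically when a message reaches accounts payable. The following Python is an added example, not part of the original page; the supplier domain, keyword patterns and sample message are constructed assumptions to replace with your own records.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains copied from your own supplier records (constructed value).
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example"}
BANK_CHANGE = re.compile(r"\b(bank|account|payment)\s+details?\b|\bnew account\b", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|today|immediately|asap)\b", re.I)

def edit_distance(a, b):
    """Edit distance where swapping two adjacent characters costs 1."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def red_flags(raw_email):
    """Return the red flags from the list above found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = []
    if BANK_CHANGE.search(text):
        flags.append("bank-detail-change")
    if domain not in KNOWN_SUPPLIER_DOMAINS:
        # Unknown sender domain within two edits of a known one: likely lookalike.
        near = sorted(k for k in KNOWN_SUPPLIER_DOMAINS if edit_distance(domain, k) <= 2)
        if near:
            flags.append(f"lookalike-domain:{near[0]}")
    if URGENCY.search(text):
        flags.append("urgency")
    if not (msg.get("In-Reply-To") or msg.get("References")):
        flags.append("no-prior-thread")
    return flags

# Constructed sample: "suppiles" swaps two letters of the real supplier domain.
SAMPLE = """From: Accounts <billing@acme-suppiles.example>
Subject: Updated bank details

Please pay the upcoming invoice to our new account today.
"""
print(red_flags(SAMPLE))
```

An empty result is not clearance: a request sent from a genuine but hacked supplier account passes the domain check, so the phone call-back still applies.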
What to do now
- Never update bank details based solely on an email
- Call the supplier directly using a number from your own records
- Confirm in writing after verbal verification
- Implement a dual-authorisation process for bank detail changes
Frequently asked questions
Can my company recover money sent to a fraudster's account?
Speed is critical — contact your bank immediately. Same-day recalls are sometimes possible. Cross-border transfers are much harder to recover. Report to Action Fraud (UK) or the FBI IC3 (US).