Is a supplier who changed their bank details by email legitimate?
Bank detail change requests by email are a top vector for business payment fraud. Always verify any bank detail change by calling your supplier on a known number before making any payment.
Last reviewed: 1 June 2026
Explanation
Business email compromise (BEC) fraud exploiting bank detail changes is one of the most financially damaging scam categories for businesses. A fraudulent email appears to come from a genuine supplier, law firm, or business partner, explaining that their bank details have changed and asking you to update your records before the next payment. The email may use a near-identical domain, a compromised email account, or a forwarding rule that copies real communications. Companies have lost significant sums by paying invoices to fraudulent accounts. The solution is a strict process: any request to change bank details must be verbally confirmed using a contact number you already have on file — not one provided in the email requesting the change.
Common red flags
- Email requests a bank detail change ahead of an upcoming invoice
- Sender email domain is slightly different from the supplier's normal address
- Request asks you to update records urgently before a payment is due
- New bank details are in a different country from the supplier's usual account
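The red flags above can be checked automatically when mail arrives in an accounts-payable inbox. The Python below is an added example, not part of the original page; the supplier record, the 0.85 similarity threshold and the keyword patterns are assumptions, and all sample values are constructed.

```python
import re
from difflib import SequenceMatcher

# Constructed supplier master data (assumption): sender domain -> bank country on file.
SUPPLIERS = {"acme-supplies.example": "GB"}

BANK_RE = re.compile(r"\b(bank|account|iban|sort code)\b", re.I)
CHANGE_RE = re.compile(r"\b(new|chang\w*|updat\w*)\b", re.I)
URGENT_RE = re.compile(r"\b(urgent(ly)?|immediately|asap)\b", re.I)
LOOKALIKE_THRESHOLD = 0.85  # assumption: tune against your own supplier list


def closest_supplier(domain):
    """Return (supplier_domain, similarity 0..1) for the best match on file."""
    scored = ((d, SequenceMatcher(None, domain, d).ratio()) for d in SUPPLIERS)
    return max(scored, key=lambda pair: pair[1])


def red_flags(sender, body, new_bank_country=None):
    """List the page's red flags that apply to one email."""
    flags = []
    if not (BANK_RE.search(body) and CHANGE_RE.search(body)):
        return flags  # not a bank detail change request
    flags.append("bank_detail_change_request")

    domain = sender.rsplit("@", 1)[-1].lower().rstrip(".")
    known, score = closest_supplier(domain)
    exact = domain == known
    lookalike = not exact and score >= LOOKALIKE_THRESHOLD
    if lookalike:
        flags.append(f"lookalike_domain:{known}")
    if URGENT_RE.search(body):
        flags.append("urgency")
    # Compare countries only when the mail claims to be from a supplier on file.
    if (exact or lookalike) and new_bank_country not in (None, SUPPLIERS[known]):
        flags.append("bank_country_changed")
    return flags


def requires_callback(sender, body, new_bank_country=None):
    """Every change request needs a phone callback, even from the exact
    supplier domain, because the real mailbox may be compromised."""
    return "bank_detail_change_request" in red_flags(sender, body, new_bank_country)
```

The flags only prioritise review; a clean result from the genuine domain still goes to the callback on the number already on file.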
What to do now
- Do not update any payment details based solely on an email
- Call your supplier on the number in your existing records — not in the email
- Verify the new details verbally before processing any payment
- If you already paid, contact your bank immediately to report the misdirected payment
Frequently asked questions
What security controls can businesses put in place?
A dual-authorisation rule for bank detail changes — requiring two staff members to independently verify any supplier detail change by phone — significantly reduces this risk.