Invoice Redirection Fraud
Fraudsters change supplier bank details so legitimate payments are diverted to them.
Last reviewed: 1 June 2026
What this scam is
Invoice redirection fraud — also called mandate fraud or bank-detail fraud — is one of the most financially damaging scams targeting businesses of every size. The core mechanism is deceptively simple: a fraudster impersonates a legitimate supplier, contractor, or utility provider and contacts your accounts payable team with a request to update banking details. Once those new details are recorded in your system, the next scheduled payment — often a large, routine transfer — lands in an account controlled by the criminal rather than your genuine trading partner.
What makes this fraud so effective is that it exploits a genuinely routine business process. Suppliers do occasionally change their bank accounts, and finance teams receive hundreds of such notifications over the course of a year. The fraudster takes advantage of this normalcy. Their communication may arrive on letterhead that closely mirrors the real supplier's branding, use an email address that differs by a single letter or domain suffix, or even arrive by phone from someone who already knows the correct invoice amounts and reference numbers — details harvested from earlier email reconnaissance or a prior breach.
The loss is typically not discovered until the real supplier chases the unpaid invoice, by which point the funds have already been moved through one or more intermediate accounts and are extremely difficult to recover. Losses in individual incidents regularly run into tens of thousands of pounds or dollars, and organisations with automated payment runs can inadvertently redirect multiple payments before the fraud is detected.
How it works
The fraud typically begins with reconnaissance. Scammers may monitor email threads (following a business email compromise of either your account or your supplier's), comb through social media and LinkedIn to map supplier relationships, or simply cold-target businesses known to work with certain industries.
Once they have enough information, they contact your finance or accounts payable team, posing as the supplier's finance director, accounts manager, or billing department. The message usually follows a familiar pattern: 'We've recently changed our banking provider and our previous sort code and account number are no longer active. Please update your records and direct all future payments — including any outstanding invoices — to the following details.'
The request often arrives with a plausible reason (a bank merger, a move to a new corporate account, a currency change for international trades) and may include an invoice or confirmation letter as an attachment to add legitimacy. If the fraud follows a business email compromise, the message will appear to come from the supplier's actual email address, making it virtually indistinguishable from genuine correspondence.
Once the fraudulent details are recorded, payments proceed normally from the victim's perspective. The real supplier remains unaware until they notice the invoice is unpaid. By then the fraudster has often already moved the funds internationally, and payment recovery becomes a race against time.
Why this scam works
Invoice redirection exploits two deeply ingrained business habits: the assumption that a supplier contact is who they claim to be, and the pressure to keep payments flowing without disrupting trading relationships. Finance teams are measured on prompt, accurate payment, which creates an implicit bias toward action rather than delay.
The fraud also leverages authority by design. When a message appears to come from a supplier's senior finance contact — with correct invoice numbers, familiar sign-offs, and professional formatting — challenging it can feel awkward or disproportionate. Staff may worry about appearing obstructive or insulting a key supplier.
Additionally, bank-detail changes are handled as a routine administrative task. Unlike a request to wire money to an unknown third party (which most staff would flag), updating a sort code and account number feels procedural and low-risk. Fraudsters rely on this perception. The attack is also scalable: one successful change can divert every subsequent payment until the fraud is discovered.
A typical pattern
A company that regularly pays a construction contractor receives an email from what appears to be the contractor's accounts team. The message states that the contractor has moved to a new bank and provides updated sort code and account details, asking that all outstanding and future invoices be directed to the new account. The email references the correct current invoice number and amount. The accounts payable clerk updates the records and the next payment run processes normally. Several weeks later the contractor calls to chase three unpaid invoices, at which point the mismatch is discovered. The funds have already been moved.
Common red flags
- A supplier requesting a bank-detail change by email with no prior notice
- Urgency to update details before the next scheduled payment run
- Sender email domain that differs by one character from the real supplier
- Request to keep the change quiet or to bypass normal authorisation
- New bank details provided in the same message as an outstanding invoice
- Caller who provides a callback number to 'confirm' the change themselves
- Payment address moves to a personal account rather than a business account
- Request coincides with a large payment run or contract milestone
- Slight inconsistencies in formatting, letterhead, or email signature compared to genuine correspondence
- Supplier contact name you don't recognise requesting an urgent update
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Please note our bank details have changed. Update your records and pay invoice [invoice number] for [amount] to the new account: [sort code] / [account number].
Hi [name], our previous bank account is being closed. All payments including the outstanding [amount] on invoice [invoice number] should be redirected to our new account with immediate effect.
IMPORTANT: Due to a banking change, please do not use our previous account details. The new details for all payments are below. Please action before your next payment run.
We have recently switched banking providers. Please update [company] as a payee in your system and process invoice [invoice number] ([amount]) to the updated account at your earliest convenience.
Could you confirm receipt of this notice and let me know when the new details have been recorded? The old account will close at end of week.
Please treat this as confidential — our previous provider is involved in a regulatory matter and we'd prefer not to broadcast the change. Please just update your records quietly.
Common variations
- Supplier impersonation by email (most common)
- Phone-based requests followed by a confirming email
- Letter or post-based notices mimicking official supplier letterhead
- Change request embedded mid-thread following a real business email compromise
- Utility or landlord payment redirection targeting property-paying organisations
- Payroll redirection targeting HR teams to change employee account details
How to verify before you act
The single most important control is the independent callback: whenever a request is received to change bank details — regardless of how authentic it appears — call the supplier's finance contact using a telephone number drawn from your own records (not from the email or letter making the request).
Do not rely on a number provided in the change-request communication, as this will be controlled by the fraudster. Use the number from your supplier's invoice header, your contract file, or their official website. Confirm that the request was genuinely sent and obtain the new account details verbally before recording them.
Beyond the callback: - Apply dual authorisation: require two authorised staff members to approve any change to supplier banking details before it is recorded in your payments system. - Implement a change-freeze period: once new banking details are submitted, hold them pending a cooling-off check of 24–48 hours before the details become active. - Use a centralised supplier portal where changes must be logged and approved through a controlled workflow rather than actioned directly from email. - Periodically reconcile your supplier banking records against original contracts or earlier payments to detect any unexplained changes.
Payment methods used
- Bank transfer
Who is usually targeted
- Accounts payable teams
- SMEs
- Any organisation paying suppliers
What to do immediately
- Do not process the payment or update banking records until the change is independently verified
- Call the supplier using a phone number from your own records — not from the email or letter
- Confirm with two members of your own finance team that the request has been validated
- If a payment has already been sent, call your bank's fraud line immediately to request a recall
- Preserve the original email with headers and all associated correspondence
- Report the incident to your national fraud authority and your bank's dedicated fraud team
- Notify the real supplier so they can warn other customers who may have received the same message
How to prevent it
- Mandate an out-of-band phone callback to a verified number for every bank-detail change request
- Require dual authorisation from two named staff members before any supplier banking record is updated
- Institute a 48-hour hold on newly recorded bank details before they enter a live payment run
- Train accounts payable staff to treat urgency and secrecy requests around bank-detail changes as major red flags
- Use a supplier portal or controlled workflow for all banking-detail amendments, removing email as an action channel
- Reconcile supplier bank details against previous payment records quarterly
- Enable email authentication (SPF, DKIM, DMARC) to reduce spoofing of your own domain
Evidence to preserve
- The original email and full email headers (show full headers before forwarding)
- Any attached documents, including PDFs or letterhead files
- All invoice records and payment confirmation details
- Your supplier's known contact details and previous correspondence for comparison
- Bank transaction records showing the misdirected payment
- Screenshots of your payments system showing when and by whom the details were changed
- Any phone records or voicemails related to the change request
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do we prevent invoice redirection?
Verify every bank-detail change by phone to a known contact using your own records, require dual authorisation for changes and large payments, and train staff to treat 'updated details' emails with suspicion.
Can we recover money after an invoice redirection payment?
Recovery is possible but time-sensitive. Contact your bank's fraud team immediately to request a Faster Payments recall or equivalent. Banks can sometimes freeze destination accounts if notified quickly. Success rates fall sharply after 24 hours as funds are moved onward.
Our supplier says they never sent the change request. What now?
Your supplier's email account may have been compromised, or their domain spoofed. Ask them to check their sent items and account login history. Report the fraud to your bank and relevant authorities, and preserve all original emails with headers.
Should we use email alone to confirm bank-detail changes?
No. Fraudsters can intercept email, spoof domains, and even compromise real accounts. A verbal callback to a independently sourced phone number is the minimum required verification step.
Are small organisations more at risk?
SMEs are frequently targeted because they may have fewer formal controls. However, large organisations are targeted for larger individual payments. Any organisation making regular supplier payments is a potential target.
What internal policy change would most reduce our risk?
A mandatory callback policy — requiring a phone call to a pre-existing trusted number before any supplier banking detail is changed — is the single most effective control and is recommended by most national fraud prevention bodies.
Is this fraud covered by our business insurance?
Some cyber or financial crime insurance policies cover invoice redirection losses, but coverage varies. Review your policy with your broker, and be aware that some insurers require evidence of reasonable controls (such as a callback policy) to pay claims.
How does the fraudster know our supplier's invoice amounts?
Fraudsters use various methods: monitoring compromised email accounts, scraping LinkedIn for supplier relationships, or making initial contact to probe your processes. Some target specific industries where typical invoice values are publicly known.