In the fast-paced world of business, efficiency is king. We rely on emails for quick communication, and we trust our long-standing suppliers and partners. But what happens when that trust is exploited? An urgent email arrives from a familiar supplier. The message is polite but firm: their bank details have changed, and the next invoice must be paid to the new account. The pressure is on, the invoice is due, and a quick update in the system seems like the most efficient solution. Unfortunately, this seemingly simple action could cost your company tens of thousands, or even millions, of dollars. This is the insidious nature of Bank Details Change Fraud, a sophisticated form of Business Email Compromise (BEC) that preys on routine processes and human trust.
This type of fraud is not a random, opportunistic attack. It is a calculated crime where fraudsters conduct extensive reconnaissance. They study your company’s relationships, learn your payment cycles, and identify key personnel in your accounts payable department. They then use this information to craft highly convincing impersonation emails, often from a compromised or spoofed account that looks nearly identical to the real one. The success of their scam hinges on one thing: your company’s failure to have a simple, mandatory, and consistently enforced verification workflow. Without one, your finance team is left vulnerable to social engineering tactics designed to bypass their diligence. This article will provide a practical, step-by-step procedure for confirming new supplier bank accounts, emphasizing the crucial separation of verification and payment, and the importance of documenting every check, especially when faced with urgent requests.
Table of contents:
- Understanding the Anatomy of Bank Details Change Fraud
- Common Red Flags and Social Engineering Tactics
- The Core of Prevention: A Robust Three-Step Verification Workflow
- Implementing the Workflow and Strengthening Your Defenses
- What to Do if You Fall Victim to Fraud

Understanding the Anatomy of Bank Details Change Fraud
Bank Details Change Fraud, also known as payment diversion fraud, is a devastatingly effective scam because it exploits the most mundane of business processes: updating supplier information. It does not rely on complex malware or hacking into secure banking systems. Instead, it relies on manipulating people. The fraudster’s goal is to trick an employee into changing a legitimate supplier’s bank account details in your company’s payment system to an account they control. When the next genuine invoice is paid, the money is irrevocably sent to the criminal.
The process typically begins with reconnaissance. Scammers may scour your company website, social media profiles like LinkedIn, and press releases to understand your corporate structure. They identify who works in the finance department and who your key suppliers are. In more sophisticated attacks, they may gain access to an employee’s email account through a phishing attack, allowing them to monitor communications for months. This gives them deep insight into invoicing schedules, communication styles, and ongoing projects, enabling them to time their fraudulent request perfectly and make it appear incredibly authentic.
Common Red Flags and Social Engineering Tactics
While scammers are becoming more sophisticated, their methods often leave subtle clues. Training your employees to recognize these red flags is the first line of defense. A culture of healthy skepticism can save your organization from catastrophic financial loss. Here are some of the most common warning signs to look out for:
- A Sense of Urgency or Pressure: Fraudsters often insist that the change must be made immediately to avoid a delay in a critical shipment or to resolve an alleged issue with their old bank. They use phrases like “urgent action required” or “to ensure payment is processed on time” to create a sense of panic and rush an employee into making a mistake.
- Unusual Communication Channel or Style: The request may come from a personal email address or a slightly altered corporate domain (e.g., info@supplier-group.com instead of info@supplier.com). Pay close attention to subtle changes in grammar, spelling, or tone that deviate from the supplier’s usual communication style.
- Request for Confidentiality: Scammers may ask the employee to keep the bank detail change confidential, perhaps claiming it is due to an internal audit or a sensitive banking transition. This is a tactic designed to prevent the employee from following standard verification procedures or discussing the request with a colleague who might spot the fraud.
- Changes to Contact Information: The fraudulent email may include a new phone number in the signature. This is a deliberate attempt to control the verification process, ensuring that if you do call for confirmation, you are speaking to the scammer, not the legitimate supplier.
- Generic Salutations: An email from a long-term contact that starts with “Dear Sir/Madam” or “Hello Finance Department” instead of a personal greeting should be treated with extreme suspicion.
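The checks in the list above can be made mechanical so that a first screen happens before anyone reads the e-mail in a hurry. The Python script below is an added illustration written for this article, not code from the original post or from any product: it compares an inbound change request against what the supplier master file already holds and reports a lookalike or unknown sender domain, urgency and confidentiality language, a signature phone number that differs from the number on file, and a generic salutation. The supplier record, the phrase lists and both sample e-mails are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Phrase lists are illustrative; tune them to the supplier correspondence you actually see.
URGENCY_PHRASES = ("urgent", "immediately", "as soon as possible", "processed on time", "avoid a delay")
CONFIDENTIALITY_PHRASES = ("confidential", "do not discuss", "internal audit", "between us")
GENERIC_SALUTATIONS = ("dear sir/madam", "dear sir or madam", "hello finance department", "to whom it may concern")


@dataclass
class SupplierRecord:
    """What the supplier master file already holds (the trusted reference)."""
    name: str
    email_domain: str   # domain taken from the signed contract, not from any e-mail
    phone_on_file: str


@dataclass
class InboundEmail:
    sender: str
    subject: str
    body: str
    signature_phone: Optional[str] = None


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _digits(phone: str) -> str:
    return re.sub(r"\D", "", phone)


def lookalike_domain(sender_domain: str, trusted_domain: str) -> bool:
    """True when the sender's domain imitates the trusted one without being it."""
    if sender_domain == trusted_domain:
        return False
    s_label = sender_domain.split(".")[0]
    t_label = trusted_domain.split(".")[0]
    # 'supplier-group.com' embeds the real label; 'supp1ier.com' is one edit away
    return t_label in s_label or _levenshtein(s_label, t_label) <= 2


def screen_request(mail: InboundEmail, supplier: SupplierRecord) -> List[str]:
    """Return the red flags raised by a bank-details change e-mail (empty list = none)."""
    flags: List[str] = []
    text = f"{mail.subject} {mail.body}".lower()
    sender_domain = mail.sender.rsplit("@", 1)[-1].lower()
    trusted_domain = supplier.email_domain.lower()

    if sender_domain != trusted_domain:
        kind = "lookalike domain" if lookalike_domain(sender_domain, trusted_domain) else "unknown domain"
        flags.append(f"{kind}: {sender_domain} (on file: {trusted_domain})")
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency language")
    if any(p in text for p in CONFIDENTIALITY_PHRASES):
        flags.append("confidentiality request")
    if mail.signature_phone and _digits(mail.signature_phone) != _digits(supplier.phone_on_file):
        flags.append(f"signature phone {mail.signature_phone} differs from number on file")
    first_line = mail.body.strip().splitlines()[0].lower() if mail.body.strip() else ""
    if any(first_line.startswith(g) for g in GENERIC_SALUTATIONS):
        flags.append("generic salutation")
    return flags


# Constructed sample data: a supplier record, a suspicious request and a routine e-mail (not real).
ACME = SupplierRecord(name="Acme Parts Ltd", email_domain="acmeparts.com", phone_on_file="+44 20 7946 0000")
SUSPICIOUS = InboundEmail(
    sender="accounts@acmeparts-group.com",
    subject="URGENT: updated bank details for invoice 4471",
    body=(
        "Dear Sir/Madam,\n\n"
        "Our bank account has changed. Please update your records immediately so that "
        "payment is processed on time. Kindly keep this confidential until our internal audit completes.\n\n"
        "Regards,\nJ. Smith\nTel: +44 20 7946 0999\n"
    ),
    signature_phone="+44 20 7946 0999",
)
ROUTINE = InboundEmail(
    sender="accounts@acmeparts.com",
    subject="Invoice 4471",
    body="Hi Anna,\n\nPlease find invoice 4471 attached.\n\nBest,\nJo\n",
    signature_phone="+44 20 7946 0000",
)

if __name__ == "__main__":
    for label, mail in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(label, "->", screen_request(mail, ACME) or "no flags")
```

The flags are advisory: a request that raises none still goes through the same out-of-band verification as one that raises five, because a fraudster who has compromised the supplier's real mailbox will produce an e-mail with the right domain, the right phone number and a personal greeting.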
Recognizing these red flags is crucial, but the most effective defense is a non-negotiable process that is followed every single time a change request is received, regardless of how legitimate it appears.
The Core of Prevention: A Robust Three-Step Verification Workflow
A reactive approach is not enough. Your company must establish a proactive, clear, and simple workflow for handling any request to change payment details. This process should be understood by every member of the finance and procurement teams and should never be bypassed, even for the most trusted suppliers or the most urgent requests.
Step 1: Acknowledge and Isolate the Request
When an employee in the accounts payable department receives an email requesting a change in bank details, their first action should be to do nothing. That is, they must not act on the request immediately. The initial email should be treated as a notification, not an instruction. The employee should not reply to the email, click any links, or open any attachments. Replying can confirm to the scammer that the email address is active and may lead to more targeted social engineering.
Instead, the request should be flagged and isolated. This means logging it in an internal system or spreadsheet designated for such changes. This creates a record that a request has been received and is pending verification. This simple pause breaks the scammer’s manufactured sense of urgency and initiates a controlled, internal process rather than a panicked reaction.
Step 2: Mandatory Out-of-Band Verification
This is the most critical step in the entire workflow and the one that stops fraud in its tracks. “Out-of-band” verification means using a different communication channel to confirm the request, one that was not provided in the email itself. The only way to be certain you are speaking to your legitimate supplier is to use contact information you already have on file.
Never, under any circumstances, use the phone number or email address from the signature of the suspicious email to verify the change. This information is almost certainly controlled by the fraudster.
The correct procedure is to look up the supplier’s primary contact number from your own trusted records—your CRM, your supplier database, or a previous contract. Make a voice call to a known contact at the supplier’s company, preferably someone you have spoken to before. During the call, verbally confirm the reason for the change and have them read back the new account number, bank name, and sort code. For high-value suppliers or particularly large payments, consider a video call as an even more secure method of confirmation. This multi-layered approach is part of the comprehensive security protocols that protect modern businesses from financial crime.
Step 3: Document Everything and Separate Duties
Once the change has been verbally confirmed via a trusted, out-of-band channel, it must be meticulously documented. This creates an audit trail that is invaluable for accountability and future reference. The documentation should include:
- The date and time the original request was received.
- The name of the employee who received it.
- The date and time of the verification call.
- The name and title of the person at the supplier company who confirmed the change.
- The trusted phone number used for verification.
- The new bank details that were confirmed.
Crucially, the workflow must incorporate the principle of “segregation of duties.” The employee who performs the out-of-band verification and documents the change should not be the same person who has the authority to update the bank details in the payment system. A second employee, preferably a manager, should review the verification documentation and provide final approval before the change is officially made. This two-person rule adds a vital layer of oversight, making it significantly harder for a fraudulent request to succeed, whether it originates from an external scammer or an internal threat.
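The three steps and the segregation-of-duties rule can be enforced in software rather than left to memory. The Python module below is an added example, not the article's procedure as written or any product's code; it models a change request as a state machine in which verification is refused unless the number called is already in the supplier record, a second person must approve, the verifier cannot apply the change, and every step is written to a timestamped audit trail holding the items listed above. Supplier and staff names, phone numbers and the account strings are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Callable, Dict, List, Optional, Set


class Status(Enum):
    RECEIVED = "received"    # Step 1: logged and isolated, nothing acted on
    VERIFIED = "verified"    # Step 2: confirmed by voice on a number from trusted records
    APPROVED = "approved"    # Step 3: a second person reviewed the documentation
    APPLIED = "applied"      # details changed in the payment system
    REJECTED = "rejected"    # supplier denied the change, or the request failed a check


class WorkflowError(Exception):
    """Raised when a step is attempted out of order or by the wrong person."""


@dataclass
class Supplier:
    name: str
    trusted_phones: Set[str]   # numbers from the contract / CRM, never from an e-mail


@dataclass
class ChangeRequest:
    supplier: Supplier
    received_by: str
    requested_account: str          # bank details exactly as stated in the e-mail
    phone_in_email: Optional[str]   # whatever number the e-mail signature carried
    status: Status = Status.RECEIVED
    verified_by: Optional[str] = None
    approved_by: Optional[str] = None
    audit: List[dict] = field(default_factory=list)

    def log(self, event: str, actor: str, **details) -> None:
        # Every step is timestamped: this is the audit trail Step 3 calls for.
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(), "event": event, "actor": actor, **details})


def receive(supplier: Supplier, received_by: str, requested_account: str,
            phone_in_email: Optional[str] = None) -> ChangeRequest:
    """Step 1: record the request; no reply, no update."""
    req = ChangeRequest(supplier, received_by, requested_account, phone_in_email)
    req.log("received", received_by, requested_account=requested_account, phone_in_email=phone_in_email)
    return req


def verify(req: ChangeRequest, verifier: str, phone_used: str,
           confirmed_by: str, account_read_back: str) -> None:
    """Step 2: voice confirmation using only a number from the supplier record."""
    if req.status is not Status.RECEIVED:
        raise WorkflowError(f"cannot verify a request in state {req.status.value}")
    if phone_used not in req.supplier.trusted_phones:
        # Rejects the e-mail signature's number unless it was already on file.
        raise WorkflowError("verification call must use a number from trusted records, not from the e-mail")
    if account_read_back != req.requested_account:
        raise WorkflowError("details read back by the supplier do not match the request")
    req.verified_by = verifier
    req.status = Status.VERIFIED
    req.log("verified", verifier, phone_used=phone_used, confirmed_by=confirmed_by, account=account_read_back)


def reject(req: ChangeRequest, actor: str, reason: str) -> None:
    """Close a request the supplier did not confirm (or that failed any check)."""
    if req.status is Status.APPLIED:
        raise WorkflowError("an applied change cannot be rejected; reverse it through the payment system")
    req.status = Status.REJECTED
    req.log("rejected", actor, reason=reason)


def approve(req: ChangeRequest, approver: str) -> None:
    """Step 3: a second person reviews the documentation (segregation of duties)."""
    if req.status is not Status.VERIFIED:
        raise WorkflowError(f"cannot approve a request in state {req.status.value}")
    if approver in (req.verified_by, req.received_by):
        raise WorkflowError("approver must differ from the person who received and verified the request")
    req.approved_by = approver
    req.status = Status.APPROVED
    req.log("approved", approver, entries_reviewed=len(req.audit))


def apply_change(req: ChangeRequest, operator: str, payment_system: Dict[str, str]) -> None:
    """Only an approved request may change the payment system, and never by the verifier."""
    if req.status is not Status.APPROVED:
        raise WorkflowError(f"cannot apply a request in state {req.status.value}")
    if operator == req.verified_by:
        raise WorkflowError("the person who verified the change must not apply it")
    payment_system[req.supplier.name] = req.requested_account
    req.status = Status.APPLIED
    req.log("applied", operator, account=req.requested_account)


def raises_workflow_error(step: Callable, *args, **kwargs) -> bool:
    """True if the step is refused by the workflow rules (used by the demo and tests)."""
    try:
        step(*args, **kwargs)
    except WorkflowError:
        return True
    return False


def run_demo() -> ChangeRequest:
    """Constructed walkthrough of a diverted-payment attempt (placeholder account strings)."""
    acme = Supplier("Acme Parts Ltd", trusted_phones={"+442079460000"})
    req = receive(acme, "anna", "GB00 TEST 1111 1111 1111 11", phone_in_email="+442079460999")
    # Calling the number from the e-mail signature is refused outright.
    assert raises_workflow_error(verify, req, "anna", "+442079460999", "J. Smith", req.requested_account)
    # On the trusted line the real supplier says nothing has changed, so the request is closed.
    reject(req, "anna", "supplier confirmed on trusted number that bank details are unchanged")
    return req
```

`run_demo()` returns the closed request with its audit entries; the genuine-change path is `receive`, `verify`, `approve`, `apply_change` with three different people, and any attempt to skip a step, reuse the e-mail's phone number or have the verifier approve or apply raises `WorkflowError` rather than silently proceeding. The audit list stands in for whatever ticketing or finance system actually keeps the record.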
Implementing the Workflow and Strengthening Your Defenses
Having a well-defined workflow on paper is a great start, but its effectiveness depends entirely on its implementation and the surrounding security culture within your organization. This means going beyond the three steps and embedding security-conscious practices into your company’s DNA.
Training and Awareness: Your Human Firewall
Technology alone cannot prevent payment diversion fraud. Your employees are your first and last line of defense, making continuous training an essential investment. Conduct regular training sessions for all employees, especially those in the finance department, on the dangers of BEC and bank detail change scams. Use real-world examples to illustrate how these scams work and run phishing simulations to test their awareness in a controlled environment. Fostering a culture where employees feel empowered to question and delay suspicious requests without fear of reprimand is paramount. They should understand that it is always better to delay a payment for a day to verify a change than to rush and lose the funds forever. These proactive security measures transform your workforce from a potential vulnerability into a powerful human firewall.
Furthermore, establish a clear protocol for what an employee should do if they suspect a fraudulent request. They should know exactly who to report it to—such as the IT security team or a finance manager—so that the threat can be analyzed and, if necessary, an alert can be sent to other employees. This quick communication can prevent other team members from falling for the same scam.
What to Do if You Fall Victim to Fraud
Even with the best procedures in place, mistakes can happen. If your company discovers it has sent a payment to a fraudulent bank account, time is of the absolute essence. The chances of recovering the money diminish rapidly with every hour that passes.
Your first step is to contact your bank immediately. Inform their fraud department of the unauthorized transaction and ask them to initiate a payment recall. You will need to provide them with all relevant details, including the amount, date, and the fraudulent account information. Next, report the crime to the relevant law enforcement authorities in your country. This official report is often required by banks and insurance companies.
After these initial steps, navigating the complex process of asset recovery can be overwhelming. This is where professional help is invaluable. At Nexus Group, we specialize in tracking and recovering funds lost to sophisticated online fraud. Our team of experts understands the international banking systems and legal channels required to trace and freeze stolen assets. We work tirelessly with financial institutions and law enforcement agencies across jurisdictions to maximize the chances of a successful recovery. If your business has been targeted, seeking specialized fraud recovery assistance can make all the difference. At Nexus Group, we are so confident in our ability to help that we offer a guarantee of fund recovery or your money back.
In conclusion, bank details change fraud represents a significant and growing threat to businesses of all sizes. However, it is a preventable crime. By implementing a simple, mandatory, and consistently enforced verification workflow—centered on slowing down, performing out-of-band verification, and documenting everything—you can close the procedural loopholes that fraudsters love to exploit. Couple this robust process with ongoing employee training and a security-first culture to build a formidable defense. By taking these steps, you not only protect your company’s finances but also strengthen your financial security against an ever-evolving landscape of corporate crime.
If you have been a victim of fraud or wish to discuss strengthening your company’s defenses, do not hesitate to reach out.