Skip to content
All guidesGuide

Invoice fraud & business email compromise

A scammer poses as a supplier, contractor or boss and emails a fake or altered invoice, or a "change of bank details", to redirect a legitimate payment to their account. Common against businesses but also private home buyers and tenants.

Reviewed by Florian Wartner · Last updated

How this scam works

In business email compromise, criminals target the way companies pay invoices. They may hack or imitate the email account of a supplier, a manager, or a colleague, then send a message that looks like a normal payment request.

The twist is a change of bank details: an invoice you expected now shows a new account, or an email claims the supplier has switched banks. The money you send goes to the criminals instead of your real partner, and is often quickly moved on and hard to recover.

Why it works and who scammers target

It works because the request fits into normal business: a real supplier, an expected invoice, and a believable reason for the change. Staff who handle many payments may not question a familiar-looking email, especially if it appears to come from a boss asking for urgency and discretion.

Scammers target finance and accounts teams in companies of all sizes, as well as anyone making a large one-off payment such as buying a home or paying a deposit.

The warning signs in detail

The key warning sign is any change to bank details, especially when it arrives by email and comes with urgency or secrecy. Look closely at the sender address - a single changed or added letter in the domain is a common trick - and watch for slightly different wording or formatting than usual.

Unexpected pressure to pay quickly, requests to bypass normal approval steps, and a reply address that differs from the usual contact all deserve a second look before any money moves.

How to protect yourself and what to do if hit

Always verify changed bank details through a separate, known channel - call the supplier on a number you already have on file, not one from the new email. Use a two-person approval rule for payments and for any change to account information, and train staff to treat urgency as a reason to slow down, not speed up.

If a payment has already gone out, contact your bank immediately to attempt a recall, as fast action improves the chance of recovery. Preserve the emails, inform the genuine supplier, and report the incident to your bank and your national cybercrime or fraud authority.

Warning signs

  • A supplier suddenly announces new bank details for an existing invoice.
  • An urgent payment request, often "from the CEO", outside normal process.
  • Slightly altered sender domain or reply-to address.

Example

Please note our change of bank details. Kindly remit payment for the outstanding invoice to our new bank details below for all future transactions.

Made-up example - not a real message.

How to protect yourself

  1. 01Verify any change of bank details by phone using a known number, never the one in the email.
  2. 02Use a two-person rule for large transfers.

Already caught out?

  1. 01Contact your bank instantly to attempt a recall of the transfer.
  2. 02Report to police and warn the impersonated party.