How this scam works
In business email compromise, criminals target the way companies pay invoices. They may hack or imitate the email account of a supplier, a manager, or a colleague, then send a message that looks like a normal payment request.
The twist is a change of bank details: an invoice you expected now shows a new account, or an email claims the supplier has switched banks. The money you send goes to the criminals instead of your real partner, and is often quickly moved on and hard to recover.
Why it works and who scammers target
It works because the request fits into normal business: a real supplier, an expected invoice, and a believable reason for the change. Staff who handle many payments may not question a familiar-looking email, especially if it appears to come from a boss asking for urgency and discretion.
Scammers target finance and accounts teams in companies of all sizes, as well as anyone making a large one-off payment such as buying a home or paying a deposit.
The warning signs in detail
The key warning sign is any change to bank details, especially when it arrives by email and comes with urgency or secrecy. Look closely at the sender address - a single changed or added letter in the domain is a common trick - and watch for slightly different wording or formatting than usual.
Unexpected pressure to pay quickly, requests to bypass normal approval steps, and a reply address that differs from the usual contact all deserve a second look before any money moves.
How to protect yourself and what to do if hit
Always verify changed bank details through a separate, known channel - call the supplier on a number you already have on file, not one from the new email. Use a two-person approval rule for payments and for any change to account information, and train staff to treat urgency as a reason to slow down, not speed up.
If a payment has already gone out, contact your bank immediately to attempt a recall, as fast action improves the chance of recovery. Preserve the emails, inform the genuine supplier, and report the incident to your bank and your national cybercrime or fraud authority.