Updated 2026 · 7 min read
It usually looks completely ordinary: an email from a supplier you've worked with for years, referencing a real invoice number, informing you that they've "changed banks" and asking you to update their account details before the next payment. You update the record, pay the invoice as normal — and the money disappears into a fraudster's account. This is Business Email Compromise (BEC), also called vendor payment fraud, invoice fraud, or authorised push payment (APP) fraud, and it's one of the most financially damaging forms of cybercrime in the world today.
Unlike ransomware or a data breach, BEC doesn't require breaking into any system you control. Fraudsters either compromise a vendor's actual email account, through a separate phishing attack, or register a look-alike domain that's nearly identical to the real one — swapping a lowercase L for a capital I, or adding a hyphen — so the email address looks authentic at a glance. They study real invoices, mimic writing style, and time the request to align with an expected payment, making the whole thing feel completely routine.
Authorised push payment fraud cost UK consumers and businesses over £145 million in reported losses in a recent year, according to UK Finance data, and that's likely an undercount since many cases go unreported. In the United States, the FBI's Internet Crime Complaint Center (IC3) has tracked billions of dollars in cumulative BEC losses, consistently ranking it among the costliest categories of cybercrime reported each year. Because the victim authorises the transfer themselves, banks often have limited legal obligation to reimburse the loss, and recovery rates after 48 hours are low since funds are typically moved on or withdrawn quickly.
1. New or unfamiliar contact channel. The request comes from a new email address, phone number, or contact not previously on file for this vendor.
2. No independent callback yet. You haven't verified the change by calling a number from your own records — not one provided in the message itself.
3. Urgency or pressure. The message pushes you to act fast, threatens late fees, or asks you to skip your normal approval process.
4. Country mismatch. The new account is suddenly in a different country than where you've always paid this vendor.
5. Name similarity issues. The beneficiary name is subtly different — even one character off — from what's on file.
Before updating any vendor's bank details: 1) Do not reply to the email or call any number it contains. 2) Look up the vendor's phone number independently — from a previous invoice, your CRM, or their official website — not from the suspicious message. 3) Call and ask them to confirm, verbally, that they sent a bank change request and read back the new account number. 4) Cross-check the beneficiary name and country against your existing records. 5) Only update your records after independent verbal confirmation. 6) If anything still feels off, escalate to a manager or your finance team lead before processing the payment.
"Hi, this is [your name] from [your company]. I'm calling to verify a bank account change request we received today, apparently from [vendor name]. Can you confirm: did your organisation recently send a request to change your bank account details? Can you confirm the new account number ending in [last 4 digits]? And what's the full name the payment should be addressed to? Thank you — I'll update our records only after confirming with you directly." This script, and an automated risk score based on the five warning signs above, is built into Banqcheq's free fraud checker.
Before your next vendor payment involving updated bank details, run it through Banqcheq's free Verify Before You Pay tool. It scores the risk signals, checks beneficiary name similarity, flags country mismatches, and generates the verification call script above — all in under a minute, for free.
Ready to check it yourself?
Use Verify Before You Pay freeRelated tools: