The email arrives from a supplier: "Please update our bank details for future payments." It looks legitimate. The sender address seems right. The tone is professional. It even includes the supplier's logo in the signature.

It is, of course, fraudulent. But by the time anyone realises, £180,000 has been transferred to an account controlled by criminals. The money is gone within hours, moved through multiple jurisdictions, and is never recovered.

This isn't a hypothetical scenario. It happens to UK organisations regularly—large and small, public and private, sophisticated and naive. Bank detail change requests are the single most dangerous touchpoint in supplier management.

The Attack Vector

The fraud is deceptively simple. Criminals research a target organisation, identify their suppliers, and impersonate those suppliers in communications requesting bank detail changes. When the organisation updates their payment records and makes the next payment, the money goes to the fraudster instead of the legitimate supplier.

The impersonation can be remarkably convincing. Criminals harvest information from LinkedIn, company websites, and previous correspondence to make their requests seem authentic. They may compromise actual email accounts, making the sender address genuinely correct. They may time requests to coincide with known payment cycles.

The amounts are often significant. Fraudsters target payment relationships worth pursuing—regular, substantial payments that won't trigger unusual activity alerts. A single successful fraud can net tens or hundreds of thousands of pounds.

Action Fraud reports that UK organisations lose hundreds of millions annually to this type of fraud. The true figure is likely higher, as many incidents go unreported due to embarrassment or concerns about reputation.

The Verification Protocol

The only effective defence is systematic verification of every bank detail change request, without exception.

Independent verification means confirming the request through a channel separate from the one it arrived through. If the request came by email, verify by phone—using a number from your existing records, not one provided in the email. If it came by post, call to confirm. Never verify through the same channel.

Known contacts mean speaking to people you've dealt with before, not whoever happens to answer. If your regular contact is John and someone named Sarah confirms the change, that's a red flag. Criminals can answer phones and create new contact personas.

Call-back procedures require you to initiate the call, not accept incoming calls claiming to be verification. Fraudsters will call pretending to be suppliers confirming legitimate change requests. Only calls you initiate to numbers you already hold can be trusted.

Dual authorisation means no single person can change bank details unilaterally. The request must be verified by someone other than the person who received it. This protects against both external fraud and internal collusion.

Process Design

Effective bank detail verification needs to be designed into your processes, not bolted on as occasional caution.

Every change triggers verification, without exception. "We've worked with this supplier for years" or "it's a small amount" or "they seem genuine" are exactly the reasoning fraudsters hope for. No change is so routine that verification can be skipped.

Verification is documented. The person who verified, the method used, the contact spoken to—all recorded. If questioned later, you can demonstrate due diligence was performed.

Delay is acceptable. Legitimate bank detail changes can wait a few days for proper verification. Any supplier pressuring for immediate update without verification is either a fraudster or doesn't understand the risk environment. Either way, they can wait.

Escalation paths exist for uncertainty. When something feels wrong but can't be pinpointed, there should be someone to escalate to. Gut feelings about fraudulent requests are often correct and deserve attention.

Technology Supports

Technology can help but doesn't replace human verification. Several mechanisms provide additional protection layers.

Supplier portal changes require suppliers to log into your system with their credentials to request bank detail changes. This is harder (though not impossible) for fraudsters to compromise than email impersonation.

Confirmation workflows route bank detail change requests through explicit approval processes with required verification steps. The system enforces the protocol rather than relying on individual memory.
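The checks in the verification protocol above (independent channel, number from existing records, known contact, call initiated by us, and a verifier other than the recipient) are exactly what a confirmation workflow should enforce before a bank detail change is applied. The following is an added example, not code from the original article or from any particular finance system: a small rule set that evaluates a logged change request against supplier master data and returns the controls that failed, plus the audit entry the "verification is documented" rule asks for. The supplier, contact names, phone numbers and field names are constructed for illustration.

```python
from dataclasses import dataclass, asdict
from typing import List, Dict


@dataclass
class SupplierRecord:
    """Master data held BEFORE the request arrived (constructed sample)."""
    supplier_id: str
    phone_on_file: str          # number from existing records, never from the request
    known_contacts: List[str]   # people we have actually dealt with before


@dataclass
class ChangeRequest:
    """The inbound request as logged by whoever received it."""
    supplier_id: str
    received_via: str           # "email", "post" or "phone"
    received_by: str            # staff member who logged the request
    number_in_request: str      # number the request itself offers (untrusted)


@dataclass
class VerificationRecord:
    """What the verifier did, recorded at the time."""
    verified_by: str
    channel: str                # channel used to verify ("phone", "email", ...)
    number_dialled: str
    contact_spoken_to: str
    we_initiated_call: bool     # False means an incoming "confirmation" call was accepted


def evaluate_change(supplier: SupplierRecord, request: ChangeRequest,
                    verification: VerificationRecord) -> List[str]:
    """Return the list of failed controls; an empty list means the change may be applied."""
    failures = []
    # Independent verification: never confirm through the channel the request used.
    if verification.channel == request.received_via:
        failures.append("same channel as request")
    if verification.channel == "phone":
        # Call-back: only calls we place can be trusted.
        if not verification.we_initiated_call:
            failures.append("incoming call accepted as verification")
        # Number must come from our records, not from the request.
        if verification.number_dialled != supplier.phone_on_file:
            failures.append("number not from existing records")
    # Known contacts: a new persona confirming the change is a red flag.
    if verification.contact_spoken_to not in supplier.known_contacts:
        failures.append("contact not previously known")
    # Dual authorisation: the recipient cannot be the verifier.
    if verification.verified_by == request.received_by:
        failures.append("verifier is the request recipient")
    return failures


def audit_entry(request: ChangeRequest, verification: VerificationRecord,
                failures: List[str]) -> Dict:
    """Documented outcome: who verified, how, whom they spoke to, and the decision."""
    entry = {"request": asdict(request), "verification": asdict(verification)}
    entry["outcome"] = "APPLY" if not failures else "HOLD"
    entry["failed_controls"] = list(failures)
    return entry


# Constructed sample data (phone numbers are from the fictional drama range).
SUPPLIER = SupplierRecord("SUP-0042", "+44 20 7946 0000", ["John"])
REQUEST = ChangeRequest("SUP-0042", "email", "alice", "+44 20 7946 0999")
GOOD = VerificationRecord("bob", "phone", "+44 20 7946 0000", "John", True)
BAD = VerificationRecord("alice", "phone", "+44 20 7946 0999", "Sarah", False)

if __name__ == "__main__":
    for label, rec in (("good", GOOD), ("bad", BAD)):
        result = evaluate_change(SUPPLIER, REQUEST, rec)
        print(label, audit_entry(REQUEST, rec, result)["outcome"], result)
```

The point of returning every failed control rather than stopping at the first is that the audit entry then shows exactly which steps were skipped, which is what an internal investigation needs later. The "bad" record above mirrors the article's scenario: the recipient verified their own request, accepted an incoming call, dialled the number supplied in the email, and spoke to someone nobody had dealt with before.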

Bank account validation services can verify that account details match the expected company name. If a supplier's bank details resolve to a different entity, that's an obvious red flag. These services have limitations but provide useful additional checks.

Anomaly detection can flag unusual patterns—bank detail changes close to payment dates, multiple changes in short periods, changes to banks in unexpected jurisdictions. These patterns deserve extra scrutiny.
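The three patterns named above can be scored from nothing more than the bank detail change log and the supplier master record. The following is an added example, not code from the original article or from any vendor's product: it runs those three heuristics over a constructed change log and returns, per flagged change, the reasons it deserves extra scrutiny. The thresholds (7 days before a payment, two changes within 90 days) and the use of the IBAN country prefix as the "jurisdiction" signal are assumptions chosen for illustration, and the IBANs are placeholders with no valid check digits.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class BankChange:
    """One applied or pending bank detail change from the change log."""
    supplier_id: str
    changed_on: date
    new_iban: str


@dataclass
class SupplierProfile:
    """Supplier master data: registered country and scheduled payment dates."""
    supplier_id: str
    country: str                 # ISO 3166 alpha-2 code of the registered supplier
    payment_dates: List[date]


def flag_changes(changes: List[BankChange], profiles: Dict[str, SupplierProfile],
                 pre_payment_days: int = 7, repeat_window_days: int = 90) -> Dict[str, List[str]]:
    """Return {"<supplier>@<date>": [reasons]} for every change matching at least one pattern."""
    flagged: Dict[str, List[str]] = {}
    by_supplier: Dict[str, List[BankChange]] = {}
    for change in changes:
        by_supplier.setdefault(change.supplier_id, []).append(change)

    for supplier_id, items in by_supplier.items():
        profile = profiles[supplier_id]
        items.sort(key=lambda c: c.changed_on)
        previous = None
        for change in items:
            reasons = []
            # Pattern 1: change lands shortly before a scheduled payment.
            for pay_date in profile.payment_dates:
                gap = (pay_date - change.changed_on).days
                if 0 <= gap <= pre_payment_days:
                    reasons.append(f"change {gap} days before payment on {pay_date.isoformat()}")
            # Pattern 2: a second change within a short period.
            if previous is not None and (change.changed_on - previous.changed_on).days <= repeat_window_days:
                reasons.append(f"second change within {repeat_window_days} days "
                               f"(previous {previous.changed_on.isoformat()})")
            # Pattern 3: new account sits in a jurisdiction other than the supplier's own.
            account_country = change.new_iban[:2].upper()
            if account_country != profile.country:
                reasons.append(f"account country {account_country} differs from registered {profile.country}")
            if reasons:
                flagged[f"{supplier_id}@{change.changed_on.isoformat()}"] = reasons
            previous = change
    return flagged


# Constructed sample data: SUP-A is a GB supplier whose details change twice in
# a quarter, the second time to a non-GB account three days before a payment run.
PROFILES = {
    "SUP-A": SupplierProfile("SUP-A", "GB", [date(2024, 3, 28), date(2024, 4, 30)]),
    "SUP-B": SupplierProfile("SUP-B", "GB", [date(2024, 4, 30)]),
}
CHANGES = [
    BankChange("SUP-A", date(2024, 1, 10), "GB00TEST00000000000001"),
    BankChange("SUP-A", date(2024, 3, 25), "LT00TEST00000000000002"),
    BankChange("SUP-B", date(2024, 2, 1), "GB00TEST00000000000003"),
]

if __name__ == "__main__":
    for key, reasons in flag_changes(CHANGES, PROFILES).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

A flag is a prompt for the human verification steps, not a verdict: the change that matches all three patterns is held for a call-back to the number on file, while SUP-B's routine update passes through the normal (still mandatory) verification.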

The Human Factor

Process and technology matter, but the human factor remains central. Finance and procurement staff are the last line of defence, and their vigilance determines whether frauds succeed.

Training must be regular and realistic. People need to understand the threat, recognise warning signs, and internalise verification procedures until they're automatic. One-off training isn't enough—refreshers should happen at least annually.

Psychological pressure resistance matters. Fraudsters create urgency: "we won't be able to make payroll if you don't update this today." Staff need permission and support to resist pressure and follow verification protocols regardless of apparent urgency.

No-blame culture for reporting suspicions encourages people to raise concerns. If someone feels they might look foolish for questioning a legitimate request, they may not question fraudulent ones either. Making it safe to verify protects the organisation.

Senior support is essential. When a CFO or Managing Director tells their team that verification is non-negotiable, it becomes cultural. When leaders are seen as too busy or too important for verification, protocols erode.

When It Happens Anyway

Despite best efforts, some frauds will succeed. Response speed can affect recovery.

Immediate bank notification gives the best chance of intercepting funds before they're moved further. Have your bank's fraud line accessible and know the escalation process. Hours matter.

Police reporting through Action Fraud creates an official record even if recovery seems unlikely. Some frauds are eventually traced, and early reporting contributes to pattern recognition.

Internal investigation should understand how the fraud succeeded. Was process followed but defeated? Was process not followed? Was the impersonation particularly sophisticated? Lessons inform improvements.

Supplier notification ensures the legitimate supplier knows their identity was misused. They may be experiencing similar attacks on other customers and can warn their relationship network.

The Cost of Prevention

Verification takes time. Phone calls, callbacks, documentation—these aren't free. Some argue the overhead isn't worth it for every transaction.

This calculation is wrong. The cost of verification is trivial compared to the cost of successful fraud. A few minutes per bank detail change versus losses that can reach six figures. There's no scenario where skipping verification makes financial sense.

Moreover, consistent verification protects legitimate suppliers. When their bank details genuinely change, proper verification ensures their payments aren't misdirected. The process protects everyone.

The organisations that treat bank detail verification as negotiable inevitably become victims. Those that treat it as non-negotiable occasionally frustrate suppliers with short delays but keep their money. The choice should be obvious.