Anatomy of the scam
The supplier-bank-change scam is a specific variant of the invoice-fraud pattern. An attacker compromises a vendor's mailbox (or registers a lookalike domain) and emails the customer asking them to update the banking details for the next invoice. Often the attacker has been quietly reading the email thread for weeks, learning the timing of routine payments, the names of the AP contacts, and the company's tone.
The new bank account is the attacker's mule. When the customer's accounts-payable team processes the next invoice, the wire goes to the attacker. Recovery requires reporting to IC3's Recovery Asset Team within 72 hours.
Construction, manufacturing, real estate, and professional services suffer the largest losses in this category — single transactions can be six or seven figures.
Red flags
- Banking change communicated only by email, with no phone follow-up.
- Email comes from a slightly different domain (.co vs .com, or with a hyphen added).
- Reply-to address differs from the from address.
- Banking change request arrives close to a known large invoice cycle.
- The new bank is in a state or country different from the vendor's known location.
- The change is justified by "merger," "treasury optimization," or "new banking relationship."
- New AP contact name added to the email thread.
- The vendor calls you a week after the wire saying they're missing payment.
How to verify safely
- Phone callback to a known number. Call the vendor's AP contact at a number you already have, not one in the email. Voice-confirm the change.
- Vendor master changes require dual control. Two people verify, two people approve.
- Verify the bank name and location against the vendor's stated operations. Out-of-region banks are suspect.
- Inspect email headers for sender / reply-to mismatch.
- For any wire above a threshold (decide your own), require a callback to the recipient's known phone number before sending.
- Use a vendor portal where vendors update their own banking and require multi-step verification.
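The header inspection above, together with the lookalike-domain and reply-to red flags, can be automated as a first-pass screen. The following is an added example, not part of the original page; the sample message, the domains and the function names are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every name and domain here is made up.
SAMPLE = """\
From: "Dana Reyes" <dana@example-vendor.co>
Reply-To: dana.reyes@mailbox.example
To: ap@customer.example
Subject: Updated remittance details

Please use the new account for the next invoice.
"""

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if missing/invalid."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def skeleton(domain):
    """Drop the last label and hyphens: example-vendor.co -> examplevendor.
    Simplification: multi-label suffixes such as co.uk are not handled."""
    name = domain.rpartition(".")[0] or domain
    return name.replace("-", "")

def check_message(raw, known_vendor_domain):
    """Return red-flag strings for one raw message, given the domain
    already on file for the vendor (from the vendor master, not the email)."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    known = known_vendor_domain.lower()
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender {from_dom}")
    if from_dom != known:
        if from_dom and skeleton(from_dom) == skeleton(known):
            flags.append(f"{from_dom} is a lookalike of {known}")
        else:
            flags.append(f"sender {from_dom or '(none)'} is not {known}")
    return flags

if __name__ == "__main__":
    for flag in check_message(SAMPLE, "examplevendor.com"):
        print("RED FLAG:", flag)
```

A message sent from a genuinely compromised vendor mailbox passes these checks, so an empty result does not replace the phone callback.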
If the wire went out
- Call your bank immediately. Request a SWIFT recall.
- File an IC3 report. The Recovery Asset Team is most effective within the first 72 hours.
- Notify the vendor. Their mailbox is likely compromised — other clients may be at risk.
- Notify your cyber-insurance carrier.
- Trigger incident response. Reset credentials on the vendor's affected mailbox (if you control it), check for mailbox rules, audit OAuth grants.
- Document everything. You'll need it for the IC3 report and any insurance claim.
What not to do
- Do not treat the email thread as authoritative for a banking change.
- Do not rely on PDF attachments (bank letters, voided checks) as verification — both are trivially forged.
- Do not wait to report. The 72-hour window matters.
- Do not assume the vendor's reputation eliminates risk — large vendors are heavily targeted.
Where to report
- FTC: reportfraud.ftc.gov — the broadest US fraud intake; reports flow to thousands of law-enforcement agencies.
- FBI IC3: ic3.gov — the right destination when the scam is internet-enabled (phishing, BEC, romance, crypto).
- CFPB: consumerfinance.gov/complaint — for complaints about banks, money transmitters, payment apps, credit cards, debt collection.
- IdentityTheft.gov — if any identity information (SSN, driver's license, account credentials) was shared.
- Your bank or payment platform. Call the number on the back of your card or use the app's in-product help. Time matters — wires can sometimes be recalled within hours; ACH and Zelle are harder but worth trying.