Invoice Fraud UK: How to Verify a Payment Safely
An unsolicited change-of-bank-details request always needs an independent phone check.
What invoice fraud looks like for a UK business
This scam is an email that appears to come from a genuine supplier's finance contact, saying their bank details have changed and asking for the next payment to go to a new account. An example of the style is: Please note our bank details have changed with immediate effect due to an internal audit. Kindly update our account details before processing the attached invoice. It's often sent to coincide with a real, expected invoice.
Why these emails are convincing
The National Cyber Security Centre describes this as Business Email Compromise (BEC) — unlike bulk phishing, it's often researched and targeted at a specific business, sometimes using a sender domain only one or two characters different from the real supplier's, and sometimes sent from the supplier's own mailbox after it's been compromised. Either way, it can look exactly like normal supplier correspondence.
Signs an invoice or payment change is fraudulent
- A change-of-bank-details request with no prior verbal confirmation from someone you know at the supplier.
- Urgency or secrecy — being told to process it quickly, or not to mention it to colleagues.
- A sender domain that's subtly different from the supplier's real one.
- An invoice for goods or services your business never ordered.
- A request addressed unusually specifically to one individual, rather than your normal finance inbox.
How the scam works step by step
First, a criminal gains sight of genuine invoice or supplier correspondence — sometimes through a breach, sometimes by closely mimicking a known supplier's usual emails. Second, a bank-detail-change request is sent, timed to land around a real, expected invoice. Third, if it isn't independently verified, the payment goes to the fraudster's account instead of the genuine supplier's — and by the time the real supplier chases the missing payment, the money is usually already gone.
How to verify a payment or bank-detail change safely
Always confirm any change of bank details by phone, using a number you already have on file for that contact — never a number in the email itself, which the NCSC specifically warns may be false.
- Where your bank offers Confirmation of Payee, use it — it checks that the name on the destination account matches who you think you're paying before the transfer completes.
- Treat any unsolicited change-of-bank-details request as needing independent verification, no matter how convincing or official it looks.
If you've already paid a fraudulent invoice
Contact your bank immediately to ask about recalling the payment — acting fast matters, since the chance of recovery drops quickly once funds move on. Report it as soon as possible; delaying reduces the chance of getting the money back.
How to report invoice fraud (UK)
Report it to Report Fraud at reportfraud.police.uk or 0300 123 2040 if you are in England, Wales, or Northern Ireland (this fraud type is often listed as 'mandate fraud'). In Scotland, report to Police Scotland on 101. If a phishing email was involved, forward it to report@phishing.gov.uk.
Frequently asked questions
How do I know if an email claiming to be from my supplier is genuinely them?
Check the sender's domain carefully for subtle differences, and verify any payment or bank-detail change by phone using a number you already have — not one in the email. Remember a genuinely compromised (but real) supplier mailbox can also send these emails, so the domain check alone isn't always enough.
What is Confirmation of Payee and does it protect against invoice fraud?
It's a UK banking check that confirms the name on an account matches who you think you're paying, before your transfer completes. It's a helpful extra check, not a guarantee — always verify a bank-detail change independently too.
We've already paid a fraudulent invoice — can we get the money back?
Contact your bank immediately to ask about a payment recall — speed matters. There's no guarantee, but report it to Report Fraud as soon as possible either way.
Is this called invoice fraud, mandate fraud, or CEO fraud?
All three terms are used for overlapping versions of the same scheme. Report Fraud's formal category for a redirected payment is 'mandate fraud'; 'invoice fraud' and 'CEO fraud' are common public-facing labels for the same pattern.
How do we report invoice fraud in the UK?
Report it to Report Fraud at reportfraud.police.uk or 0300 123 2040 (Police Scotland on 101 in Scotland), and forward any phishing email to report@phishing.gov.uk.