GLOBAL PAYMENTS KNOWLEDGEISO 20022 / SWIFT / SEPA / MT / MX

Fraud & Compliance / Learning brief

Business email compromise and mandate fraud

Your notes

What this means in plain language

Business email compromise and mandate fraud trick a payer into sending money to a criminal's account by impersonating a supplier or executive. Verification, call-backs, and Confirmation of Payee are the controls that catch them.

Business email compromise (BEC) and mandate fraud are frauds that target the person who authorises a payment rather than any weakness in the bank's systems. The criminal impersonates someone the payer trusts, a supplier, a landlord, or a senior executive, and asks for a payment to be sent to new account details. In invoice or mandate fraud, a genuine supplier's bank details are quietly replaced with the criminal's account, so a real invoice is paid to the wrong place. The payment itself looks ordinary, which is why it succeeds. The defence is not a single tool but a habit of independent verification: confirming any change of bank details through a known, separately sourced contact before releasing funds. Controls such as call-backs on a trusted number, dual authorisation for changes, and Confirmation of Payee name-checking are designed to interrupt the payment at the moment the details change.

Understand the full idea, step by step

Imagine a supplier you have paid for years emails to say their bank has changed — please use the new account from now on. Nothing about the request looks alarming. That ordinary-looking email is the whole attack, and defending against it means verifying the instruction, not just inspecting the payment.

Business email compromise (BEC)impersonation of a trusted party by email to trigger a payment

Business email compromise works by impersonation. The criminal studies a target — its suppliers, its approval chain — then sends a message that fits what the victim expects. Two shapes are common: executive impersonation, an email that appears to come from a senior figure demanding an urgent, confidential transfer; and supplier impersonation, posing as a genuine supplier to report a change of account. The pressure is usually urgency and secrecy, designed to bypass the normal checks.

Mandate (invoice-redirection) frauda genuine payee's banking details are quietly replaced with the criminal's

Mandate fraud, also called invoice redirection, changes where a legitimate payment goes. The account details are altered on an intercepted invoice, a forged letter, or inside a compromised email thread, so a real invoice for a real debt is paid into the wrong account. What makes it effective is that the resulting payment is unremarkable — a known payee, a plausible amount, an ordinary reference. The weakness exploited is human trust and process, not the bank's technology.

Why detection must shift to the instruction

Because nothing in the transaction itself looks wrong, a defence that only hunts for strange payments will miss it. The one thing that *is* wrong is the instruction behind the payment — specifically, an instruction that changes where money is sent. So the defence shifts upstream: verify the change of details before any funds move, using a route the criminal does not control. Any request to alter payee bank details becomes the moment to slow down and confirm.

The call-back control, step by step

  1. INSTRUCTION

    Asha Traders receives the request to change the supplier's bank details. It is treated as unverified until confirmed — not acted on because it looks plausible.

  2. VALIDATION

    A staff member calls the supplier back on a number held on file from before the request — never a number supplied in the email itself, which the criminal controls.

  3. VALIDATION

    A second, separate person must approve the change of payee details under dual authorization, so no one individual can wave through a redirection.

  4. NOTIFICATION

    Only once the change is confirmed through the trusted channel is the new account used. A new-payee cooling-off step can hold the first payment briefly so verification completes before value moves.

The criminal knows a call-back is coming — so they put their own phone number in the email. Does that defeat it?

Only if the payer uses that number, which is why the control is stated so precisely: confirm using a contact route already trusted from before the request, not one supplied inside the request itself. The whole point is to reach the real supplier through a channel the criminal does not control. This is also why training frames urgency and secrecy as warning signs rather than reasons to move faster — a genuine supplier will not mind a verification call, and a fraudster is counting on you skipping it.

Payee verification (Confirmation of Payee, Verification of Payee)the payer's bank checks the entered name against the receiving account's registered name

Before a payment is sent, a payee-verification service checks whether the name the payer entered matches the name registered on the receiving account and warns of a mismatch — Confirmation of Payee is the term in some markets, Verification of Payee the SEPA scheme. Against mandate fraud this is valuable, because the criminal's account rarely carries the real supplier's name, so a mismatch surfaces right at the moment of payment. It is a prompt to stop and verify, not a guarantee: a close-but-not-exact name can still slip through.

WHAT IF — The payee-verification check returns a name mismatch on the new supplier account

What happens: The payer is warned before confirming — the entered supplier name does not match the name registered on the account the funds would reach.

How it is handled: Asha Traders treats the warning as a reason to stop and run the call-back on the trusted number, and to have the change approved by a second person. The mismatch does not prove fraud by itself, but it is exactly the interruption BEC and mandate fraud rely on the payer ignoring.

COMMON CONFUSION

Sanctions screening will catch a payment to a criminal's account.

Screening asks whether a party is on a sanctions or watch list — a legal, list-based check. It will not flag a payment to a criminal account that belongs to no listed person, and AML monitoring looks for patterns of illicit funds, not this specific deception. BEC and mandate fraud sit alongside both: the payer is deceived into authorising a legitimate-looking payment, so the defence is payment-verification controls — call-backs, dual authorization, and payee name-checking — with any confirmed attempt reported so the wider system can learn.

FOR NOW, REMEMBER

  • BEC and mandate fraud impersonate a trusted party to redirect a legitimate payment, so the payment itself looks ordinary.
  • Because the transaction looks normal, the defence shifts to verifying the instruction — especially any change of payee bank details.
  • The strongest control is an independent call-back on a contact route trusted from before the request, backed by dual authorization and a cooling-off step.
  • Payee verification catches many redirections at the moment of payment, but sanctions screening does not — the criminal's account is on no list.

TRY IT YOURSELF

Asha Traders gets an email from a long-standing supplier giving new bank details and a phone number to confirm the change. What is the sound way to verify before paying EUR 62,500.00?

Call the number in the email; if a person answers and confirms the new details, proceed.

Not this one — The number in the email is supplied by whoever sent it — in a BEC attack, the criminal. A confirmation through a channel the fraudster controls proves nothing. The call-back only works on a route trusted from before the request.

Call the supplier on a number held on file from before the request, confirm the change with an identifiable person, and have a second colleague approve it.

Correct — Correct. Verifying through an independently trusted channel reaches the real supplier, and dual authorization stops one person waving through a redirection — the combination is what defeats the impersonation.

Rely on sanctions screening at the bank to block the payment if the new account is fraudulent.

Not this one — Screening is a list-based legal check. The criminal's account belongs to no listed party, so screening will not flag it — this fraud is defeated by verifying the instruction, not by list matching.

Call-backs and payee checks are human-and-process controls. Behind them sits software that scores every payment in real time. Next, how a fraud-detection product actually reaches its decision.

KEEP GOING

Three things to remember

  1. 01

    Business email compromise and mandate fraud attack the payer's trust and process, not the bank's technical systems.

  2. 02

    The common trigger is a request to change a supplier's or payee's bank details, so any change should be independently verified.

  3. 03

    Call-backs on a known number, dual authorisation, and Confirmation of Payee name-matching are the controls that interrupt these payments.

Where you would use this

USE CASE 01

An accounts-payable team verifies every change of supplier bank details by calling a number held on file, not one supplied in the request.

USE CASE 02

A bank's fraud operation reviews large first-time payments to new payees and holds them for confirmation before release.

USE CASE 03

A payment service uses Confirmation of Payee to warn a payer when the account name does not match the intended recipient.

Put the idea into a real situation

Illustrative example: a fictional company, Larkspur Interiors, receives an email appearing to come from a regular supplier, Fenwick Timber, saying its bank details have changed and the next invoice of EUR 48,750.00 should go to a new account. The email address differs by one character from the real one. Larkspur's finance clerk follows the control and calls Fenwick on the number already held on file, not the number in the email. Fenwick confirms it never changed its details. The payment is stopped before release, and the attempted mandate fraud is reported.

Evidence & review

REVIEWED 2026-07-13

General BEC and mandate/invoice-redirection defences; payee-verification framing reflects SEPA Verification of Payee and equivalent Confirmation of Payee services in other markets. Screening/AML boundary is universal in principle.

What this brief simplifies: Controls described at pattern level with a fictional business scenario; specific bank procedures, thresholds, and reporting routes are not reproduced.

Sources for this brief3
  1. Simplified educational illustration

    Payments Signal editorial teaching modelsPayments Signal · Asha Traders scenario and illustrative call-back workflow

    This site's own simplified teaching models. · Checked 2026-07-12

    Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.

  2. Scheme-specific ruleversion 1.1 (EPC218-23)

    Verification Of Payee scheme rulebookEuropean Payments Council · Verification of Payee name-matching before a SEPA credit transfer

    Governs the EPC Verification Of Payee scheme under which PSPs check a payee's name against the account identifier before a credit transfer is sent. · Checked 2026-07-12

    The first rulebook version entered into force on 5 October 2025; version 1.1 was published in March 2026 to address issues found after deployment, and the EPC has announced a version 2.0 for later in 2026.

  3. Market practice

    Wolfsberg Group Payment Transparency StandardsThe Wolfsberg Group · Verification of payment instructions and escalation of changed payee details

    Industry standards on preserving complete and accurate party information through payment chains, expressed in ISO 20022 terminology. · Checked 2026-07-12

    The 2023 standards replace the 2017 version and are supplemented by separate Wolfsberg guidance on roles and responsibilities in payment chains.

Learn this properly

Related briefs

View Fraud & Compliance archive

Payment fraud typologies

Payment fraud typologies are recognised patterns of attack — authorized push payment fraud, account takeover, and money-mule networks. Knowing each pattern's signals helps a bank detect and prevent it and protect the customer, and stays firmly on the defensive side.

READ BRIEF

How a fraud detection product works

An end-to-end view of how fraud detection products work — real-time scoring, rules engines combined with machine-learning models, behavioural, device, and consortium signals, case management, and feedback loops that retrain the models.

READ BRIEF

Screening for politically exposed persons (PEPs)

Politically exposed persons hold prominent public roles that carry higher corruption risk. Screening flags them so a bank applies enhanced due diligence — a deeper, documented review and senior sign-off — rather than the hard payment stop a sanctions match triggers.

READ BRIEF