Fraud & Compliance / Learning brief
Business email compromise and mandate fraud
Your notes
In simple terms / 01
What this means in plain language
Business email compromise and mandate fraud trick a payer into sending money to a criminal's account by impersonating a supplier or executive. Verification, call-backs, and Confirmation of Payee are the controls that catch them.
Business email compromise (BEC) and mandate fraud are frauds that target the person who authorises a payment rather than any weakness in the bank's systems. The criminal impersonates someone the payer trusts, a supplier, a landlord, or a senior executive, and asks for a payment to be sent to new account details. In invoice or mandate fraud, a genuine supplier's bank details are quietly replaced with the criminal's account, so a real invoice is paid to the wrong place. The payment itself looks ordinary, which is why it succeeds. The defence is not a single tool but a habit of independent verification: confirming any change of bank details through a known, separately sourced contact before releasing funds. Controls such as call-backs on a trusted number, dual authorisation for changes, and Confirmation of Payee name-checking are designed to interrupt the payment at the moment the details change.
Complete lesson / 02
Understand the full idea, step by step
Imagine a supplier you have paid for years emails to say their bank has changed — please use the new account from now on. Nothing about the request looks alarming. That ordinary-looking email is the whole attack, and defending against it means verifying the instruction, not just inspecting the payment.
Business email compromise (BEC) — impersonation of a trusted party by email to trigger a payment
Business email compromise works by impersonation. The criminal studies a target — its suppliers, its approval chain — then sends a message that fits what the victim expects. Two shapes are common: executive impersonation, an email that appears to come from a senior figure demanding an urgent, confidential transfer; and supplier impersonation, posing as a genuine supplier to report a change of account. The pressure is usually urgency and secrecy, designed to bypass the normal checks.
Mandate (invoice-redirection) fraud — a genuine payee's banking details are quietly replaced with the criminal's
Mandate fraud, also called invoice redirection, changes where a legitimate payment goes. The account details are altered on an intercepted invoice, a forged letter, or inside a compromised email thread, so a real invoice for a real debt is paid into the wrong account. What makes it effective is that the resulting payment is unremarkable — a known payee, a plausible amount, an ordinary reference. The weakness exploited is human trust and process, not the bank's technology.
Why detection must shift to the instruction
Because nothing in the transaction itself looks wrong, a defence that only hunts for strange payments will miss it. The one thing that *is* wrong is the instruction behind the payment — specifically, an instruction that changes where money is sent. So the defence shifts upstream: verify the change of details before any funds move, using a route the criminal does not control. Any request to alter payee bank details becomes the moment to slow down and confirm.
The call-back control, step by step
- INSTRUCTION
Asha Traders receives the request to change the supplier's bank details. It is treated as unverified until confirmed — not acted on because it looks plausible.
- VALIDATION
A staff member calls the supplier back on a number held on file from before the request — never a number supplied in the email itself, which the criminal controls.
- VALIDATION
A second, separate person must approve the change of payee details under dual authorization, so no one individual can wave through a redirection.
- NOTIFICATION
Only once the change is confirmed through the trusted channel is the new account used. A new-payee cooling-off step can hold the first payment briefly so verification completes before value moves.
The criminal knows a call-back is coming — so they put their own phone number in the email. Does that defeat it?
Only if the payer uses that number, which is why the control is stated so precisely: confirm using a contact route already trusted from before the request, not one supplied inside the request itself. The whole point is to reach the real supplier through a channel the criminal does not control. This is also why training frames urgency and secrecy as warning signs rather than reasons to move faster — a genuine supplier will not mind a verification call, and a fraudster is counting on you skipping it.
Payee verification (Confirmation of Payee, Verification of Payee) — the payer's bank checks the entered name against the receiving account's registered name
Before a payment is sent, a payee-verification service checks whether the name the payer entered matches the name registered on the receiving account and warns of a mismatch — Confirmation of Payee is the term in some markets, Verification of Payee the SEPA scheme. Against mandate fraud this is valuable, because the criminal's account rarely carries the real supplier's name, so a mismatch surfaces right at the moment of payment. It is a prompt to stop and verify, not a guarantee: a close-but-not-exact name can still slip through.
WHAT IF — The payee-verification check returns a name mismatch on the new supplier account
What happens: The payer is warned before confirming — the entered supplier name does not match the name registered on the account the funds would reach.
How it is handled: Asha Traders treats the warning as a reason to stop and run the call-back on the trusted number, and to have the change approved by a second person. The mismatch does not prove fraud by itself, but it is exactly the interruption BEC and mandate fraud rely on the payer ignoring.
COMMON CONFUSION
“Sanctions screening will catch a payment to a criminal's account.”
Screening asks whether a party is on a sanctions or watch list — a legal, list-based check. It will not flag a payment to a criminal account that belongs to no listed person, and AML monitoring looks for patterns of illicit funds, not this specific deception. BEC and mandate fraud sit alongside both: the payer is deceived into authorising a legitimate-looking payment, so the defence is payment-verification controls — call-backs, dual authorization, and payee name-checking — with any confirmed attempt reported so the wider system can learn.
FOR NOW, REMEMBER
- BEC and mandate fraud impersonate a trusted party to redirect a legitimate payment, so the payment itself looks ordinary.
- Because the transaction looks normal, the defence shifts to verifying the instruction — especially any change of payee bank details.
- The strongest control is an independent call-back on a contact route trusted from before the request, backed by dual authorization and a cooling-off step.
- Payee verification catches many redirections at the moment of payment, but sanctions screening does not — the criminal's account is on no list.
TRY IT YOURSELF
Asha Traders gets an email from a long-standing supplier giving new bank details and a phone number to confirm the change. What is the sound way to verify before paying EUR 62,500.00?
Call-backs and payee checks are human-and-process controls. Behind them sits software that scores every payment in real time. Next, how a fraud-detection product actually reaches its decision.
KEEP GOINGKey takeaways / 03
Three things to remember
- 01
Business email compromise and mandate fraud attack the payer's trust and process, not the bank's technical systems.
- 02
The common trigger is a request to change a supplier's or payee's bank details, so any change should be independently verified.
- 03
Call-backs on a known number, dual authorisation, and Confirmation of Payee name-matching are the controls that interrupt these payments.
Practical use cases / 04
Where you would use this
An accounts-payable team verifies every change of supplier bank details by calling a number held on file, not one supplied in the request.
A bank's fraud operation reviews large first-time payments to new payees and holds them for confirmation before release.
A payment service uses Confirmation of Payee to warn a payer when the account name does not match the intended recipient.
Worked example / 05
Put the idea into a real situation
Illustrative example: a fictional company, Larkspur Interiors, receives an email appearing to come from a regular supplier, Fenwick Timber, saying its bank details have changed and the next invoice of EUR 48,750.00 should go to a new account. The email address differs by one character from the real one. Larkspur's finance clerk follows the control and calls Fenwick on the number already held on file, not the number in the email. Fenwick confirms it never changed its details. The payment is stopped before release, and the attempted mandate fraud is reported.
Evidence & review / 07
Evidence & review
General BEC and mandate/invoice-redirection defences; payee-verification framing reflects SEPA Verification of Payee and equivalent Confirmation of Payee services in other markets. Screening/AML boundary is universal in principle.
What this brief simplifies: Controls described at pattern level with a fictional business scenario; specific bank procedures, thresholds, and reporting routes are not reproduced.
Sources for this brief3
- Simplified educational illustration
Payments Signal editorial teaching models — Payments Signal · Asha Traders scenario and illustrative call-back workflow
Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.
- Scheme-specific ruleversion 1.1 (EPC218-23)
Verification Of Payee scheme rulebook ↗ — European Payments Council · Verification of Payee name-matching before a SEPA credit transfer
The first rulebook version entered into force on 5 October 2025; version 1.1 was published in March 2026 to address issues found after deployment, and the EPC has announced a version 2.0 for later in 2026.
- Market practice
Wolfsberg Group Payment Transparency Standards ↗ — The Wolfsberg Group · Verification of payment instructions and escalation of changed payee details
The 2023 standards replace the 2017 version and are supplemented by separate Wolfsberg guidance on roles and responsibilities in payment chains.