If a supplier’s bank details change on an invoice and you pay the new account, South African courts will most likely leave the loss with you, not the supplier. That is the blunt starting point for any South African business shopping for invoice fraud prevention software: money sent to a fraudster is money you have to find twice. In 2024 the South African Banking Risk Information Centre (SABRIC) recorded R2.7 billion in gross financial crime losses, and digital banking fraud made up 65.3% of reported incidents. Case volumes nearly doubled from 31,612 in 2023 to about 64,000 in 2024, with losses climbing from R1 billion to over R1.4 billion.
Most of that is social engineering, not hacked bank platforms. SABRIC is explicit that these losses come from exploiting human error. The Southern African Fraud Prevention Service (SAFPS) prevented R5.04 billion in fraud losses in 2024, and impersonation listings rose 38% over the year. INTERPOL’s Africa Cyberthreat Assessment 2025 names South Africa among the continent’s main hubs for business email compromise, where fraudsters use lookalike domains and slightly altered addresses to reroute invoice payments.
This guide covers what the scam looks like, who carries the loss under South African law, why the standard manual check falls apart as your creditors volume grows, and how a Xero creditors workflow can catch a changed account before the EFT run instead of after. Accounting software on its own will not do this, because the ledger is a record, not a control.
What the change of banking details scam looks like
The change of banking details scam is a fraud where someone impersonating a supplier sends altered payment details, so the money lands in an account they control. It is a form of bank account change fraud, and it does not require breaking into anything. A fraudster needs a cloned letterhead, a believable email address, and enough knowledge of the supplier relationship to look routine.
Two versions exist. In the simpler one, a letter or email arrives claiming the supplier has “changed banks” and asking that future payments go to a new account. In the more dangerous one, the fraudster has compromised the supplier’s own email, intercepts a genuine invoice, and swaps the account number before it reaches you. The invoice is real. Only the banking line is wrong.
A 2026 case out of Gqeberha shows the internal version. An employee of an accounting firm and his partner allegedly altered the firm’s official invoice templates, replacing the business banking details with their own personal accounts. Clients paid roughly R633,630 into the fraudsters’ accounts between November 2024 and April 2025 before the Hawks made arrests. The paying clients did nothing obviously wrong. They paid an invoice that looked exactly like every other invoice from that firm.
This is why vendor impersonation and BEC sits at the top of the creditors risk list. A convincing fake reaches the person who pays it, and visual inspection is a poor defence against a document built to pass visual inspection.
Who is liable when banking details are altered on an invoice
The paying business carries the loss, in most cases. South Africa’s Supreme Court of Appeal has held that a debtor paying by EFT bears the risk of misdirected payments and must ensure the funds reach the correct account. In the 2025 ruling on that point, a buyer paid for vehicles into an account that had been swapped by a cybercriminal, and the court found payment was only complete once the money reached the seller’s genuine account. The interception did not discharge the debt. The buyer still owed the seller and still had to pay again.
The court also declined to place a general duty on suppliers to protect their customers from having their emails hacked. Creating that duty, it reasoned, would expose every creditor to open-ended liability. So the obligation runs the other way: the party releasing the money is the party expected to verify where it is going.
For a creditors clerk, that reframes the whole problem. A changed bank account is not the supplier’s admin update to accept on trust. It is a payment your business will be liable for if it turns out to be fraud. That legal reality is the argument for building verification into the process rather than leaving it to whoever happens to open the email.
Why manual verification breaks at volume
The standard advice works for one invoice and fails for a hundred. Every South African bank and SABRIC give the same guidance: confirm any change of banking details by phoning a known contact on a number from your own records, never the number on the letter, because that number will in all likelihood reach the fraudster. It is sound advice. It is also a per-invoice manual task, and that is where it comes apart.
A creditors clerk processing a full month’s supplier invoices cannot phone-verify every account against memory. The check depends on someone noticing that this account looks different from last time, on a day when they are also chasing statements, preparing the creditors recon, and clearing a backlog before the EFT run. Fraudsters time their approach for exactly that pressure. Staff turnover makes it worse: a new clerk has no memory of what the account “should” be.
Bank-level verification exists but is gated. South African banks run BankservAfrica’s Account Verification Service, which confirms whether an ID or registration number matches an account. Only banks connect to it directly, so a business reaches it through its own bank’s enterprise portal, and there is no free, universal confirmation-of-payee prompt at the moment you pay. Standalone verification services sit at enterprise price points. For an SMME running creditors on Xero, neither option lands as a control the clerk can use on every invoice.
So the practical gap is this: the only advice that scales to one invoice does not scale to a creditors ledger, and the tools that scale are priced for the banks and the large corporates. That leaves the mid-market business paying by EFT with the liability and without a working check.
What invoice fraud prevention software does in a Xero creditors workflow
Invoice fraud prevention software moves the bank-detail check off the clerk’s memory and into the intake step, before an invoice can reach the EFT run. Inside a Xero creditors workflow, that means the account number on each incoming invoice is compared against what your business paid that supplier before, so a change surfaces as an exception instead of slipping through as routine.
Pulsify is AP automation built for businesses running Xero. Its controls sit between the invoice arriving and the payment being approved. On bank details, it compares the account on the incoming invoice against your historical invoice records and your Xero contact data, and holds any invoice where the account has changed. To be clear about what that is and is not: it is a comparison against your own past behaviour and ledger, not a bank-verified confirmation-of-payee check and not a lookup against any national register. Where a mismatch appears, a human reviews it through the validation and exception review step before the invoice can move on.
Alongside that, it runs duplicate invoice detection at intake, matching on invoice number, supplier, amount, and date so a resubmitted or slightly modified invoice is flagged rather than paid twice. Our duplicate invoice checker lets you test a batch for repeats before the EFT run. Approval routing then sends invoices to a set approver by rand threshold, so no single person receives, captures, and releases a payment on their own. Every action is logged with a timestamp and user, which is the audit trail you need if a payment is ever disputed.
Here is how the manual protocol and a systematic control compare on the checks that matter.
| Check | Manual creditors protocol | Systematic control layer |
|---|---|---|
| Changed bank details | Clerk notices a difference from memory, phones to confirm | Incoming account compared against historical records and Xero contact data; mismatch held for review |
| Duplicate invoice | Caught at month-end recon, if at all | Flagged at intake on invoice number, supplier, amount and date |
| Approval before EFT run | Depends on who is in the office that day | Routed to a set approver by rand threshold before release |
| Audit trail | Notes and emails scattered across inboxes | Every change and approval logged with timestamp and user |
| Behaviour at volume | Degrades as invoice count and staff turnover rise | Holds regardless of volume |
Xero itself does not close this. It stores supplier bank details and records what you paid, but it does not compare a new invoice’s account against the last one or raise an alert when the number changes. That check is the add-on layer’s job, which is the same conclusion Australian businesses reach when they compare native controls against dedicated fraud tooling.
What to do if you have already paid
Move inside the first 24 to 72 hours, because after that recovery becomes unlikely. The receiving account is usually emptied fast, so speed is the whole game. Do these in order.
Phone your bank’s fraud desk first and ask for an immediate recall while the funds may still be sitting in the beneficiary account. Do this before anything else, including internal reporting, because the recall only works while the money is still there. Then open a case with the South African Police Service and get the CAS number, which you will need for the bank, for insurers, and for any claim. List the fraudulent account with the SAFPS so it can be flagged against future use. Preserve everything: the invoice, the email headers, the letter, and the payment confirmation.
Do not assume the bank will carry the loss. Banks may assist where the report is fast, but the SCA position on EFT liability means the paying business cannot count on being made whole. The verification log from your creditors process becomes evidence at this point. If you can show a documented check was run and the fraud still got through, that changes both the internal post-mortem and any conversation with insurers, which is a large part of why the check belongs in the process and not in someone’s head.
Frequently Asked Questions
The answers below draw on SABRIC guidance, the SCA ruling on EFT liability, and standard South African bank fraud-desk practice.
Want to see the bank-detail check on your own creditors? Start a free Pulsify trial or book a 30-minute demo and run a few real invoices through it in Xero.
Sources: SABRIC Annual Crime Statistics 2024 · SAFPS 2024 fraud statistics (Daily Maverick) · INTERPOL Africa Cyberthreat Assessment 2025 · SCA on EFT cyber-fraud liability (Moonstone) · Standard Bank, change of banking details scam
Further reading: Why delegation of authority matters more than automation speed · Financial control principles every approval workflow should follow · Why invoice volume growth exposes weak financial controls