Bank Account Change Fraud

How bank account change fraud redirects legitimate payments to fraudsters, the typical attack methods used against Australian AP teams, and the verification controls that prevent it.

Bank account change fraud is a form of payment redirection fraud where a fraudster causes a business to update a legitimate supplier's bank account details in the accounting system with account details controlled by the fraudster. The next scheduled payment to that supplier then goes to the fraudster's account rather than the real supplier. The business typically discovers the fraud when the real supplier follows up on non-payment, by which point the funds have usually been moved out of the receiving account and are effectively unrecoverable.

Bank account change fraud is distinct from business email compromise in that BEC is the mechanism (a fraudulent email request), while bank account change fraud is the outcome (payment redirection through a modified vendor master record). BEC is the most common way bank account change fraud is initiated, but the fraud can also be executed through phone calls impersonating supplier finance staff, forged letters on stolen letterheads, or internal collusion where an AP employee modifies their own or a connected supplier's account details.

Why bank account details are a high-value target

In most accounting systems, updating a supplier's bank account details is a routine AP function that can be completed in under two minutes. In businesses without dedicated controls around vendor master changes, a single AP team member can receive a request, update the account, and have no record of the change other than a note in the supplier record that may not be reviewed for months. The value of a single successful attack scales with the size of the business's supplier payments: a payment redirection targeting a major supplier payment of AU$200,000 represents a single event with a clear financial impact that is nonetheless easy to execute if controls are absent.

Fraudsters identify high-value targets through a combination of public information (annual reports, tender notices, supplier directories) and social engineering (calling AP departments under the guise of supplier relationship management). Once a high-value supplier relationship is identified, the timing of the attack is often calibrated to coincide with a known payment cycle -- month-end, quarter-end, or immediately following a project milestone.

Verification controls that prevent bank account change fraud

The core control is a mandatory callback verification policy. Before any change to a supplier's bank account details is made in the accounting system, the AP team member must call the supplier on a telephone number already recorded in the vendor master -- not a number provided in the same email or letter requesting the change. The call must be documented, including the name of the person spoken to, the date and time, and confirmation of the new account details. This policy, applied without exception, stops the vast majority of bank account change fraud attempts because the fraudster cannot intercept a call to the legitimate supplier's registered number.

Secondary controls include dual authorisation for bank account changes (two different people must approve the change before it is made), automated alerts to the supplier contact on file whenever bank account details are modified (using the existing contact email, not the email that made the request), and periodic reconciliation of bank account details against original onboarding documentation.
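To make the callback, dual-authorisation and alerting rules above concrete, here is an added example of a vendor-master change check (my own illustration, not code from the original page or any product). The record fields, the six-digit BSB format check and the assumed 6 to 9 digit account-number length are assumptions; the sample vendor and request values are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Australian BSB: six digits, optionally written NNN-NNN. This is a format check only; it does not
# prove the BSB or account exists, which is what the bank-side validation discussed below adds.
BSB_RE = re.compile(r"^\d{3}-?\d{3}$")


def digits(number: str) -> str:
    """Normalise a phone number to its digits so spacing and brackets do not affect comparison."""
    return re.sub(r"\D", "", number)


@dataclass
class VendorRecord:           # what the vendor master already holds from onboarding
    name: str
    phone_on_file: str
    contact_email_on_file: str


@dataclass
class ChangeRequest:          # the inbound request, whatever channel it arrived by
    vendor: VendorRecord
    new_bsb: str
    new_account: str
    requester_email: str
    phone_in_request: Optional[str] = None   # number the requester asks to be called back on


@dataclass
class Callback:               # the documented verification call
    number_dialled: str
    spoke_to: str
    confirmed_new_details: bool


def evaluate_change(req: ChangeRequest, callback: Optional[Callback], approvers: list[str]) -> dict:
    """Apply the controls above; returns the decision, the blocking reasons and who to alert."""
    reasons = []
    if not BSB_RE.match(req.new_bsb):
        reasons.append("BSB is not six digits")
    if not (req.new_account.isdigit() and 6 <= len(req.new_account) <= 9):  # assumed plausible length
        reasons.append("account number format implausible")
    if callback is None:
        reasons.append("no callback recorded")
    else:
        # The call must go to the number already on file, never one supplied with the request.
        if digits(callback.number_dialled) != digits(req.vendor.phone_on_file):
            reasons.append("callback was not made to the number on file")
        if not (callback.spoke_to and callback.confirmed_new_details):
            reasons.append("callback not documented as confirming the new details")
    if len(set(approvers)) < 2:
        reasons.append("dual authorisation requires two different approvers")
    # The change alert always goes to the contact already on file, not the address that sent the request.
    return {"approved": not reasons, "reasons": reasons, "alert_to": req.vendor.contact_email_on_file}
```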

AP automation platforms that integrate bank account verification -- checking that a BSB and account number match a real account and, where possible, that the account is held in the name matching the supplier record -- add a layer of technical verification that is difficult to fake. Australia's PayTo framework and real-time payment infrastructure increasingly enable pre-payment validation that was not previously available through standard bank transfers.

When bank account change fraud results in a payment being made, the bank should be notified within hours rather than days. Australian banks are required to treat these cases as priority fraud incidents and can initiate a recall through the payment system if the funds remain in the receiving account. The success rate of recalls declines sharply once the funds are moved; bank notification speed is the single most important factor in recovery outcome.
