
Bank Account Change Fraud (BEC): How to Prevent It

By the SwarmSync Team · Last Updated

Bank account change fraud costs businesses billions of dollars a year. Attackers impersonate vendors over email, request a routing-number update, and intercept the next legitimate payment. This guide explains exactly how the attack works, what the data says about its scale, and the specific AP controls — manual and automated — that stop fraudulent payment redirects before funds leave your account.

What is bank account change fraud?

Bank account change fraud is a targeted attack on the accounts-payable process. The attacker impersonates a trusted vendor — or, less commonly, an internal executive — and convinces your AP team to update the bank routing and account number on file for that vendor. Once the fraudulent details are saved in your system, the next legitimate invoice payment flows to the attacker's account instead of the real supplier. By the time either party notices, the funds are gone.

This attack is a subcategory of Business Email Compromise (BEC). BEC is the FBI's term for any scheme in which an attacker compromises or impersonates a legitimate business email account to conduct an unauthorized transfer of funds. Bank-account-change fraud is the most common and most costly BEC variant, because it does not require a single-use wire order — it silently redirects an entire ongoing payment relationship.

The attack works because most AP teams are built for throughput, not for verifying every payment-detail change. A professional-looking email from what appears to be a known vendor requesting a routine banking update does not trigger alarm in a high-volume environment. That is exactly what the attacker counts on.

How the attack works

Bank account change attacks follow a predictable three-phase playbook. Understanding each phase makes the control points obvious.

Phase 1: Reconnaissance and impersonation setup

The attacker first identifies a vendor relationship worth targeting. Public records, LinkedIn, company websites, and AP job postings (which often name software platforms and processes) all provide enough detail to select a target vendor and identify the right AP contact. The attacker then does one of three things:

  • Registers a look-alike domain. A domain like acme-invoicing.com or acmecorp.net is cheap, quick to set up, and bypasses most basic email filters because the domain itself is not on any blocklist. The attacker configures an email address that mirrors the real vendor contact's name.
  • Spoofs the vendor's domain. If the real vendor's email infrastructure lacks proper SPF, DKIM, and DMARC records, the attacker can send email that appears to come directly from the legitimate domain — no fake domain required.
  • Compromises the vendor's real email account. In higher-sophistication attacks, the attacker takes over an actual vendor inbox and sends the fraudulent banking-change request from the genuine address, bypassing all sender-verification controls entirely.

Phase 2: The banking-change request

The fraudulent message typically opens with a plausible business reason: "We recently switched banks as part of a consolidation." "Our previous bank closed our business account." "Effective immediately, please update our payment details." The email includes new routing and account numbers and often adds urgency — an upcoming invoice, a contractual deadline, or a note that the old account will be closed in days. Some attacks also include a forged letter on what appears to be vendor letterhead.

The request intentionally looks routine. It arrives via email, the normal channel for vendor communication. The contact name and tone match the real relationship. Nothing in the message itself triggers suspicion — which is why the only reliable control is comparing the new routing number against the one already on file in vendor master, rather than reading the email for red flags.

Phase 3: Payment interception

Once the fraudulent routing details are saved in the AP system, the attacker waits. The next invoice from that vendor — which may be a completely legitimate invoice for real services — is processed normally and paid to the attacker's account. The real vendor eventually follows up on non-payment, at which point the fraud surfaces. By then, the funds have typically been moved multiple times and are unrecoverable.

Real-world data on BEC losses

The scale of business email compromise is documented annually by two authoritative sources. Their findings, combined, give a clear picture of the financial exposure.

The FBI Internet Crime Complaint Center (IC3) 2025 Internet Crime Report recorded 24,768 BEC complaints with total adjusted losses of $3.046 billion in 2025 alone. Cumulatively, BEC losses from 2022 through 2024 reached approximately $8.5 billion. The IC3 also found that 86 to 88 percent of BEC funds were moved via wire transfer or ACH — meaning the overwhelming majority of attacks involve exactly the kind of payment-detail redirect described in this guide.

The Verizon 2025 Data Breach Investigations Report (DBIR) puts the median BEC loss at approximately $50,000 per incident. The median figure is more useful than the mean for planning: it tells you what a "typical" successful attack costs, not what the rare outlier looks like. Fifty thousand dollars represents a vendor payment that looks completely ordinary — a mid-sized invoice from a regular supplier that goes through without any friction.

Recovery rates are low. Once funds clear through an international wire or are swept from a mule account, the FBI's Asset Recovery Team (operating through the Financial Crimes Enforcement Network) estimates that recovery is possible only when reported within 24 to 48 hours of the transaction. Most fraud is discovered on vendor follow-up, days or weeks later. Prevention is not a nice-to-have — it is the only viable strategy.

How to detect bank routing-number changes in AP

The detection logic is straightforward once you frame it correctly: every invoice carries a bank routing number and account number. Your vendor master data also carries a bank routing number and account number for each supplier. Any divergence between the two is a signal that must be investigated before payment is released.

The check has three steps:

  1. Extract the routing number from the incoming invoice. This may be explicit (printed on the invoice as "Routing:" or "ABA:") or embedded in bank account details. For structured invoice data, this field should be normalised as part of ingestion.
  2. Look up the routing number on file for that vendor in vendor master data. Vendor master is the authoritative internal record — not a prior email, not the previous invoice, but the record your AP system holds as the verified baseline.
  3. Flag any mismatch for human review before releasing payment. If the routing number on the invoice does not match vendor master, do not pay automatically. Route the invoice to a verification queue. Contact the vendor via an out-of-band channel (a phone number already in your records, not one supplied in the invoice or any associated email) to confirm the change is legitimate.

This logic catches the attack at the moment the fraudulent payment details first appear in your AP workflow — before any payment is made. It does not depend on reading the banking-change email for red flags, which is unreliable. It depends only on a comparison between two data points your organisation already controls.
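The three-step check above, written out as an added example (this is not InvoiceProof's code): the vendor-master lookup, the extraction patterns, the ABA check-digit pre-check, the hypothetical ROUTING_NUMBER_UNVERIFIABLE rule and the finding shape are all assumptions of this example; only the BANK_ACCOUNT_CHANGE_DETECTED rule key comes from the page.

```python
import re
from datetime import datetime, timezone

# Matches "Routing: 021000021" or "ABA # 0210-0002-1" inside free-text remittance details.
ROUTING_RE = re.compile(
    r"\b(?:Routing|ABA)\b\s*(?:#|No\.?|Number)?\s*[:#]?\s*(\d[\d\s-]{7,12}\d)", re.I
)

def normalise_routing(raw):
    """Drop separators; return a 9-digit string, or None if the value is malformed."""
    digits = re.sub(r"\D", "", raw or "")
    return digits if len(digits) == 9 else None

def aba_checksum_ok(routing):
    """ABA routing numbers carry a check digit: the 3-7-1 weighted sum must be 0 mod 10."""
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0

def extract_routing(invoice):
    """Step 1: prefer the structured field, then scan the free-text bank details."""
    routing = normalise_routing(invoice.get("routing_number"))
    if routing is None:
        m = ROUTING_RE.search(invoice.get("remittance_text", ""))
        routing = normalise_routing(m.group(1)) if m else None
    return routing

def check_bank_change(invoice, vendor_master):
    """Steps 2 and 3: compare against vendor master; return a finding dict, or None if clean."""
    now = datetime.now(timezone.utc).isoformat()
    on_file = vendor_master.get(invoice["vendor_id"], {}).get("routing_number")
    found = extract_routing(invoice)
    if found is None or on_file is None or not aba_checksum_ok(found):
        # No provable match: hold rather than pay (hypothetical rule key for this example).
        return {"rule": "ROUTING_NUMBER_UNVERIFIABLE", "severity": "high",
                "field": "routing_number", "invoice_id": invoice["invoice_id"], "at": now}
    if found != on_file:
        # Rule key as named on this page; the finding shape itself is this example's own.
        return {"rule": "BANK_ACCOUNT_CHANGE_DETECTED", "severity": "critical",
                "field": "routing_number", "invoice_id": invoice["invoice_id"],
                "on_file": on_file, "on_invoice": found, "at": now}
    return None

def scan_batch(invoices, vendor_master):
    """Run the check on every invoice; anything returned goes to the verification queue."""
    return [f for f in (check_bank_change(i, vendor_master) for i in invoices) if f]

# Constructed sample data; 021000021 and 011000015 are checksum-valid test values.
VENDOR_MASTER = {"V-100": {"name": "Acme Corp", "routing_number": "021000021"}}
INVOICES = [
    {"invoice_id": "INV-1", "vendor_id": "V-100", "routing_number": "021000021"},
    {"invoice_id": "INV-2", "vendor_id": "V-100", "routing_number": None,
     "remittance_text": "We switched banks. Remit to ABA # 0110-0001-5, Acct 998877."},
    {"invoice_id": "INV-3", "vendor_id": "V-100", "routing_number": "123456789"},
]

if __name__ == "__main__":
    for finding in scan_batch(INVOICES, VENDOR_MASTER):
        print(finding["invoice_id"], finding["rule"], finding["severity"])
```

INV-1 matches vendor master and produces no finding; INV-2 carries a different, checksum-valid routing number in free text and is flagged critical; INV-3 has a malformed routing number and is held as unverifiable instead of being paid.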

Manual vs automated detection

Most AP teams rely on some version of manual review for banking-change requests. The table below compares manual and automated approaches across the dimensions that matter for a high-volume AP environment.

| Dimension | Manual process | Automated detection (InvoiceProof) |
| --- | --- | --- |
| Coverage | Spot-check or triggered by a suspicious email — most invoices pass untouched | Every invoice scanned on every submission, without exception |
| Speed | Minutes to days depending on AP workload and escalation path | Under 100 milliseconds per invoice |
| Consistency | Varies by individual reviewer, fatigue, and workload pressure | Identical logic applied to every invoice regardless of volume |
| False-negative risk | High — professional-looking requests are designed to pass manual review | Low — routing-number comparison is deterministic, not judgment-based |
| Vendor master integration | Requires the reviewer to manually look up vendor master — frequently skipped | Vendor master supplied at scan time; comparison is automatic |
| Audit trail | Depends on reviewer documentation — often absent | Structured finding with severity, rule key, and timestamp on every scan |
| Account requirement | Requires trained AP staff | No account required — submit invoice JSON or CSV to the API |

Manual and automated detection are not mutually exclusive. The recommended model is automated detection as the first line — catching every routing-number change at scan time — with manual out-of-band vendor verification as the second line for any flagged invoice. Automated detection removes the burden of catching the signal; human verification confirms whether the change is legitimate before funds move.

Bank account change fraud prevention checklist

The following checklist covers both the technical controls and the process controls that, together, close the main attack vectors. Work through it in order: technical controls first because they are consistent and scalable, then process controls to cover gaps that technology alone cannot close.

  1. Implement automated routing-number comparison on every invoice. Submit each invoice alongside your vendor master data so that the bank routing number on the invoice is compared against the verified baseline on every scan — not just on invoices that look suspicious. Any mismatch triggers a flag before payment processing begins.
  2. Lock vendor master updates behind an approval workflow. Changes to vendor bank details in your AP system should require a second-level approval that is independent of the person who received the change request. A single AP clerk should not be able to update routing numbers unilaterally.
  3. Never use contact information supplied in the banking-change communication. If you need to call a vendor to verify a change, use the phone number from your existing vendor master record, a signed contract, or your organisation's procurement database — never a number provided in the suspicious email or invoice.
  4. Enable DMARC, DKIM, and SPF on your own domain. These email authentication standards prevent attackers from spoofing your domain to make internal BEC attempts look legitimate. Also request that major vendors confirm they have these records in place — vendors without them are easier to impersonate.
  5. Train AP staff to recognise the "we switched banks" pattern. Short, regular training that specifically addresses the banking-change script — not just general phishing awareness — significantly reduces the chance that a fraudulent request reaches payment without scrutiny. Staff should know that urgency language ("the old account closes Friday") is a red flag, not a reason to act faster.
  6. Impose a payment hold on any invoice where routing details have changed. Even if a vendor verbally confirms a banking update, apply a defined hold period (24 to 48 hours is common) before releasing the first payment to new details. This gives time for any compromise of the vendor's own communication channels to surface.
  7. Run duplicate-detection in the same scan. Bank-change fraud often coincides with invoice-level fraud: a fraudulent invoice submitted with the attacker's routing number. Scanning for exact and modified duplicates, BEC bank changes, and math errors in a single pass means a single fraudulent submission can trigger multiple corroborating flags.
  8. Establish an out-of-band reporting path for suspected fraud. AP staff who suspect a banking-change request is fraudulent need a clear, low-friction path to escalate — a dedicated email alias, a Slack channel, or a defined internal contact. Ambiguity about who to tell creates delays; delays reduce recovery odds.
  9. File IC3 reports immediately for confirmed incidents. The FBI IC3 Financial Fraud Kill Chain can interrupt wire transfers if initiated within hours of the fraudulent payment. Every hour of delay reduces recovery probability. File at ic3.gov and contact your bank's fraud line simultaneously.

Why routing-number checks must be automated

The single biggest gap in manual AP fraud prevention is consistency. A team that reviews 50 invoices a day can realistically check vendor master for every one. A team that processes 5,000 invoices a month cannot — and attackers know this. Volume is the attacker's friend. The banking-change request does not need to beat a vigilant reviewer on a good day; it only needs to slip through once, on a busy day, when the reviewer has 200 items in the queue and the email looks plausible.

Automated routing-number comparison removes volume as a variable. The check runs on every invoice, every time, with the same logic, regardless of how many invoices are in the batch. It does not get tired, does not skip the step when under pressure, and does not fail to look up vendor master because it seems like extra work for a familiar vendor. The comparison is deterministic: either the routing number matches what is on file, or it does not.

This is exactly how InvoiceProof applies the BANK_ACCOUNT_CHANGE_DETECTED rule. On every scan, it compares the invoice's bank routing number against the vendor master data you supply. If there is a mismatch, the finding is surfaced immediately — with severity critical, the rule key, and the specific field that triggered it — before any payment decision is made. The check runs in under 100 milliseconds. No account is required to start scanning.

The vendor master data you already maintain in your ERP or AP system is the input. You do not need a new data source. You need the comparison to happen on every invoice, automatically, before payment — and that is what automation provides.

Catch every routing-number change with InvoiceProof

InvoiceProof checks every invoice's bank routing number against your vendor master data automatically, on every scan, in under 100 milliseconds, with no account required. When the routing number on an invoice differs from what your vendor master records, InvoiceProof raises a BANK_ACCOUNT_CHANGE_DETECTED finding at critical severity — giving your AP team the signal they need to stop payment and verify before a single dollar moves.

The same scan also checks for exact duplicates, modified duplicates, missing PO references, PO amount overages, vendor address mismatches, and line-item math errors — so a single submission covers the full spectrum of AP fraud patterns, not just bank-change attacks. Submit a JSON invoice batch or raw CSV and receive structured findings with severity levels and rule keys that slot directly into your AP workflow.

Frequently asked questions

What is bank account change fraud?

Bank account change fraud is a form of business email compromise (BEC) in which an attacker impersonates a vendor or employee and convinces accounts-payable staff to update payment routing details to an account the attacker controls. The next legitimate invoice payment then goes to the fraudster rather than the real vendor. It is also called vendor impersonation fraud or payment-redirect fraud.

How large are the losses from BEC bank-change attacks?

According to the FBI Internet Crime Complaint Center (IC3) 2025 Internet Crime Report, BEC complaints totaled $3.046 billion in losses across 24,768 complaints in 2025 alone, and cumulative losses from 2022 through 2024 reached approximately $8.5 billion. The Verizon 2025 Data Breach Investigations Report (DBIR) puts the median loss per BEC incident at approximately $50,000.

What is the most common method attackers use to initiate a bank-change request?

The most common method is email spoofing or look-alike domain registration. The attacker registers a domain that resembles the real vendor (for example, "acme-corp.net" instead of "acmecorp.com") and sends a professionally worded email explaining that the vendor has switched banks and requesting that the AP team update payment details immediately. A smaller proportion of attacks compromise the vendor's real email account (BEC via account takeover) and send the fraudulent request from a legitimate address.

Does a phone call verification actually stop bank-change fraud?

A phone call to a number you already have on record — not a number supplied in the suspicious email — is one of the most effective manual controls. Attackers rely on the AP team acting on the email alone and cannot easily intercept a call placed to the vendor's established number. That said, phone verification is slow, inconsistent, and impractical for high-volume AP operations. Automated routing-number checks against vendor master data catch the change before any human intervention is needed.

What does "vendor master data" mean in the context of AP fraud prevention?

Vendor master data is the authoritative internal record for each supplier: legal name, address, EIN or VAT number, primary contact, and — critically — bank account and routing number. When an invoice arrives, automated controls compare the bank routing number on the invoice against the routing number on file in vendor master. Any mismatch is a red flag that requires independent verification before payment is released.

Can bank account change fraud happen via ACH as well as wire?

Yes. The FBI IC3 2025 Internet Crime Report found that 86 to 88 percent of BEC funds were moved via wire transfer or ACH. ACH transactions can in some cases be reversed within a narrow window (typically 24–48 hours for unauthorized debits), but once funds clear, recovery is rarely possible. This makes prevention — catching the fraudulent routing number before payment — far more valuable than attempted recovery after the fact.

How quickly can an automated tool flag a routing-number change?

InvoiceProof's BANK_ACCOUNT_CHANGE_DETECTED check compares the routing number on every submitted invoice against vendor master data and flags any mismatch at scan time, in under 100 milliseconds, with no account required. Manual verification of the same discrepancy typically takes minutes to hours depending on AP team workload and may never happen at all if the request looks routine.

What should I do when InvoiceProof flags a BANK_ACCOUNT_CHANGE_DETECTED finding?

Do not release payment. Contact the vendor using a phone number or email address from your existing records — not from the invoice or any email requesting the change. Confirm directly whether the vendor actually updated their banking information. If the vendor did not initiate the change, treat the invoice as a fraud attempt and report it to your bank, internal security team, and the FBI IC3 at ic3.gov.
