Payment Redirection Fraud: when a legitimate payment ends up in the wrong account
Learn how Payment Redirection Fraud works, a scam that manipulates invoices, suppliers, and financial processes to divert business payments.
Not every financial attack starts with malware, ransomware, or a direct breach of a company's systems. Many begin with something much simpler: a request to change bank details.
An invoice that looks normal. An email from a known supplier. An urgent request to update an IBAN. A document that appears legitimate. A payment that, at first glance, follows the usual process.
This is where Payment Redirection Fraud comes in. In this type of attack, cybercriminals manipulate companies or employees into sending legitimate payments to bank accounts controlled by attackers.
The danger is that the transaction looks real. The company believes it is paying a supplier, partner, or service provider. In reality, the money has been diverted.
What is Payment Redirection Fraud?
Payment Redirection Fraud is a scam in which criminals convince an organization to change the payment details of a legitimate entity.
Attackers commonly impersonate:
- Suppliers;
- Business partners;
- Service providers;
- Lawyers or consultants;
- Logistics companies;
- Internal finance teams;
- Managers or executives.
The goal is simple: make the victim send money to a fraudulent account.
This type of fraud is often linked to Business Email Compromise (BEC), Vendor Email Compromise (VEC), phishing, and domain impersonation. In many cases, there is no malware and no dangerous attachment. There is only a well-crafted message, sent at the right time, to the right person.
How does this type of fraud work?
Payment Redirection Fraud usually follows a simple but effective pattern.
1. Information gathering
Before launching the attack, criminals collect information about the company and its processes. They may analyze:
- The organization's website;
- Social media;
- Employees on LinkedIn;
- Publicly known suppliers;
- Business documents;
- Data leaks;
- Exposed credentials;
- Domains similar to the original.
The more information they have, the more convincing the fraudulent request becomes.
2. Impersonation of a trusted entity
The attacker then impersonates someone the company trusts.
They may use a compromised email account, a domain that looks very similar to the original, or simply change the sender display name.
Example:
```txt
finance@supplier-real.com   vs.   finance@supplier-reai.com
```
At first glance, the difference can be almost invisible, especially on mobile devices or in high-pressure work environments.
3. Request to change payment details
The attacker sends a message with a plausible request.
Common examples include:
- "We have updated our bank details."
- "Please use this new IBAN for future payments."
- "The previous account has been closed."
- "Please find the corrected invoice with updated details attached."
- "The payment must be made today to avoid service suspension."
- "Please confirm the update in our new finance portal."
The message may include logos, copied signatures, references to real contracts, and professional language.
4. Pressure to act quickly
Urgency is one of the main weapons used in this type of attack.
Criminals try to reduce the time available for review with phrases such as:
- "Urgent payment";
- "Final notice";
- "Avoid penalty";
- "Service will be suspended";
- "Request approved by management";
- "Confidential".
The goal is to make the employee take action before validating the request through another channel.
5. Payment diversion
If the request is accepted, the payment is sent to an account controlled by the attackers.
By the time the fraud is discovered, days or weeks may have passed. At that point, the money may already have been moved across multiple accounts, making recovery much more difficult.
Why is it so difficult to detect?
Payment Redirection Fraud is difficult to identify because it imitates normal business processes.
Unlike many traditional attacks, this type of fraud may not contain:
- Malicious links;
- Malware;
- Infected attachments;
- Obvious spelling mistakes;
- Suspicious language.
The email may be well written, professional, and contextualized. It may even refer to a real invoice or an existing business relationship.
The weakness is not only technological. It also lies in internal processes, operational pressure, and the trust that exists between companies and their suppliers.
Who is most exposed?
Any organization can be targeted, but some teams are more exposed:
- Finance departments;
- Accounting;
- Procurement;
- Administration;
- Human resources;
- Executive teams;
- Teams that manage suppliers;
- Teams that approve payments.
Companies that work with many suppliers, recurring payments, or manual approval processes face a higher risk.
Warning signs
There are several signs that should raise suspicion before approving any payment or bank detail change:
- A request to change the IBAN or other bank details, even when it appears to come from a known supplier;
- Pressure to pay quickly, with very short deadlines or messages that create unusual urgency;
- A slightly different email address, with swapped letters, lookalike characters, or small changes in the domain;
- A change in the usual process, such as a supplier that normally uses a platform suddenly requesting changes by email;
- A new finance contact handling payments on behalf of an already known entity;
- An invoice with different details, such as a different bank, a different account country, a new format, or information that does not match previous records.
Individually, these signs may seem minor. Together, they should be treated as a clear warning to pause the process and confirm the request through an independent channel.
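As an added example (not code from the original article), the following Python screens a bank-detail change request against the record the finance system already holds and returns the warning signs above that it triggers. The vendor record, the two messages and the flag names are constructed; the IBANs are publicly published example IBANs, not real accounts.

```python
"""Added example (not from the original article): screen a bank-detail change
request against the vendor master record and return the warning signs it
triggers. The vendor record, the messages and the flag names are constructed
for illustration; the IBANs are publicly published example IBANs, not real
accounts."""
import re

# Constructed vendor master record, as the finance system would hold it.
VENDOR_MASTER = {
    "name": "Supplier Real Ltd",
    "domain": "supplier-real.com",
    "contact": "finance@supplier-real.com",
    "contact_name": "Anna Costa",
    "iban": "GB82 WEST 1234 5698 7654 32",
    "change_channel": "portal",   # how this supplier normally submits changes
}

# Phrases from the "pressure to act quickly" list.
URGENCY_PHRASES = ("urgent", "today", "final notice", "penalty",
                   "suspend", "confidential", "approved by management")


def normalise_iban(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters with 10..35, and the resulting number must leave remainder 1."""
    s = normalise_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - ord("A") + 10) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def screen_change_request(req: dict, vendor: dict = VENDOR_MASTER) -> list[str]:
    """Return the warning signs a change request triggers.
    req keys (constructed): sender, contact_name, channel, new_iban, body."""
    flags = []
    sender = req["sender"].lower()
    sender_domain = sender.rsplit("@", 1)[-1]

    if sender_domain != vendor["domain"]:
        flags.append("DOMAIN_MISMATCH")        # e.g. supplier-reai.com vs supplier-real.com
    elif sender != vendor["contact"]:
        flags.append("UNKNOWN_MAILBOX")        # right domain, unregistered mailbox

    if req["contact_name"].strip().lower() != vendor["contact_name"].lower():
        flags.append("NEW_CONTACT")            # a new person handling payments

    if req["channel"] != vendor["change_channel"]:
        flags.append("CHANNEL_CHANGE")         # supplier normally uses the portal

    new_iban = normalise_iban(req["new_iban"])
    if not iban_is_valid(new_iban):
        flags.append("IBAN_INVALID")
    elif new_iban[:2] != normalise_iban(vendor["iban"])[:2]:
        flags.append("IBAN_COUNTRY_CHANGE")    # account moved to another country

    body = req["body"].lower()
    if any(p in body for p in URGENCY_PHRASES):
        flags.append("URGENCY")

    return flags


def decide(req: dict, vendor: dict = VENDOR_MASTER) -> str:
    """An IBAN change is never applied from the email alone: the best outcome
    is a hold pending a callback to the number already on file."""
    flags = screen_change_request(req, vendor)
    if "IBAN_INVALID" in flags:
        return "REJECT"
    return "HOLD_FOR_CALLBACK"


# Constructed messages: one fraudulent request, one that looks routine.
FRAUD_REQUEST = {
    "sender": "finance@supplier-reai.com",
    "contact_name": "Mark Evans",
    "channel": "email",
    "new_iban": "DE89 3704 0044 0532 0130 00",
    "body": "We have updated our bank details. The payment must be made today "
            "to avoid service suspension.",
}
ROUTINE_REQUEST = {
    "sender": "finance@supplier-real.com",
    "contact_name": "Anna Costa",
    "channel": "portal",
    "new_iban": "GB29 NWBK 6016 1331 9268 19",
    "body": "We have moved our account to a new bank; the updated details are attached.",
}

if __name__ == "__main__":
    for label, req in (("fraud", FRAUD_REQUEST), ("routine", ROUTINE_REQUEST)):
        print(label, decide(req), screen_change_request(req))
```

The decision is deliberately asymmetric: a request with no flags at all still ends in a hold for a callback, because the rule is that a bank-detail change is never applied on the strength of the email alone. The screen only decides how loudly to escalate, and rejects outright when the IBAN does not even pass the checksum.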
How can companies protect themselves?
Prevention depends on three pillars: processes, technology, and training.
1. Validate changes through an alternative channel
IBAN changes or bank detail updates should never be approved by email alone.
Validation should be done by phone, video call, or another previously known channel. The contact used for confirmation should already be registered internally, not taken from the email that requested the change.
2. Implement dual approval
High-value payments or bank detail changes should require approval from at least two people.
This reduces the risk of a single wrong decision causing a significant financial loss.
3. Create a clear payment policy
The company should have well-defined rules for:
- Creating suppliers;
- Changing bank details;
- Approving payments;
- Validating invoices;
- Managing exceptions;
- Communicating with suppliers.
When the process is clear, it becomes harder for attackers to exploit grey areas.
4. Monitor similar domains
Criminals often register domains that look similar to brands, suppliers, or partners to make the fraud more convincing.
Monitoring similar domains helps identify impersonation attempts before they are used in fraud campaigns.
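The following Python, added here as an example and not part of the original article, does two things with the supplier domain from the impersonation example in step 2: it generates the single-edit lookalike variants that are worth watching for new registrations, and it classifies an observed sender domain as the registered one, a lookalike, or unrelated. The domain names and the confusable table are constructed and deliberately small.

```python
"""Added example (not from the original article): generate lookalike variants
of a supplier domain for monitoring, and classify an observed sender domain
against the registered one. Domain names are constructed; the confusable
table is an illustrative subset, not a complete homoglyph list."""

# Characters that read alike in common fonts or on a phone screen (subset).
CONFUSABLES = {
    "l": ["1", "i", "I"], "i": ["l", "1"], "o": ["0"], "0": ["o"],
    "e": ["c"], "c": ["e"], "a": ["o"], "rn": ["m"], "m": ["rn"],
    "vv": ["w"], "w": ["vv"], "d": ["cl"], "cl": ["d"],
}
# Canonical form for matching: fold each confusable onto one representative.
CANON = str.maketrans({"1": "l", "i": "l", "I": "l", "0": "o"})


def split_domain(domain: str) -> tuple[str, str]:
    """'supplier-real.com' -> ('supplier-real', 'com'); only the label is mutated."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def lookalike_variants(domain: str) -> set[str]:
    """Single-edit variants of the label: confusable swaps, one dropped
    character, one doubled character and one adjacent transposition."""
    label, tld = split_domain(domain)
    out = set()
    for src, repls in CONFUSABLES.items():
        start = 0
        while (pos := label.find(src, start)) != -1:
            for r in repls:
                out.add(label[:pos] + r + label[pos + len(src):])
            start = pos + 1
    for i in range(len(label)):
        if label[i] != "-":
            out.add(label[:i] + label[i + 1:])                  # omission
            out.add(label[:i] + label[i] * 2 + label[i + 1:])   # repetition
    for i in range(len(label) - 1):
        if "-" not in label[i:i + 2] and label[i] != label[i + 1]:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    out.discard(label)
    return {f"{v}.{tld}" for v in out}


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def canonical(label: str) -> str:
    return label.translate(CANON).replace("rn", "m").replace("vv", "w")


def classify_sender_domain(observed: str, registered: str) -> str:
    """'registered' for an exact match, 'lookalike' for a generated variant,
    a TLD swap or a one-edit near miss after confusable folding, else 'unrelated'."""
    obs, reg = observed.lower(), registered.lower()
    if obs == reg:
        return "registered"
    if obs in lookalike_variants(reg):
        return "lookalike"
    obs_label, _ = split_domain(obs)
    reg_label, _ = split_domain(reg)
    if levenshtein(canonical(obs_label), canonical(reg_label)) <= 1:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    watchlist = sorted(lookalike_variants("supplier-real.com"))
    print(len(watchlist), "variants to monitor, e.g.", watchlist[:5])
    for d in ("supplier-reai.com", "supplier-real.co", "other-vendor.com"):
        print(d, "->", classify_sender_domain(d, "supplier-real.com"))
```

The generated set is what you would feed to a registration watch (certificate transparency logs or a domain monitoring service), while the classifier is the check the finance team's tooling runs on the sender of any change request: a lookalike verdict is treated exactly like the IBAN-change warning sign, not as a curiosity.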
5. Protect email accounts
A compromised email account is one of the most dangerous enablers of this type of attack: the request then comes from the supplier's real address, can be inserted into a genuine invoice thread, and passes every check that only looks at the sender.
Companies should apply:
- Multi-factor authentication;
- Strong password policies;
- Monitoring of suspicious logins;
- Detection of malicious forwarding rules;
- Access reviews;
- Phishing awareness training.
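As an added example (not code from the original article), this Python triages exported mailbox rules for the traits of the forwarding and hiding rules used in BEC and VEC. The rule records and the organisation's domain are constructed, and the field names are an assumption for illustration rather than any product's export format.

```python
"""Added example (not from the original article): triage mailbox rules for
the forwarding and hiding behaviour seen in BEC/VEC. The rule records and
the organisation's domain are constructed; the field names are an assumption
for illustration, not any product's export schema."""

INTERNAL_DOMAINS = {"example-corp.com"}   # constructed
FINANCE_WORDS = ("invoice", "payment", "iban", "bank", "wire", "remittance", "swift")
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history")


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def rule_findings(rule: dict) -> list[str]:
    """Individual traits of a rule; none of them is proof on its own."""
    findings = []
    targets = (rule.get("forward_to", []) + rule.get("redirect_to", [])
               + rule.get("forward_as_attachment_to", []))
    if any(is_external(t) for t in targets):
        findings.append("EXTERNAL_FORWARD")      # copies the thread out of the organisation
    if rule.get("delete_message"):
        findings.append("DELETES_MESSAGE")       # the victim never sees the real reply
    if (rule.get("move_to_folder") or "").lower() in HIDING_FOLDERS:
        findings.append("HIDES_IN_FOLDER")       # parked where nobody looks
    if rule.get("mark_as_read"):
        findings.append("MARKS_READ")            # no unread count to attract attention
    terms = [t.lower() for t in rule.get("subject_or_body_contains", [])
             + rule.get("from_contains", [])]
    if any(w in t for t in terms for w in FINANCE_WORDS):
        findings.append("FINANCE_FILTER")        # only the payment thread is intercepted
    if len((rule.get("name") or "").strip()) <= 1:
        findings.append("UNNAMED_RULE")          # ".", "," or blank names are a common tell
    return findings


def severity(findings: list[str]) -> str:
    hides = {"DELETES_MESSAGE", "HIDES_IN_FOLDER"} & set(findings)
    disguised = {"FINANCE_FILTER", "UNNAMED_RULE"} & set(findings)
    if "EXTERNAL_FORWARD" in findings or (hides and "FINANCE_FILTER" in findings):
        return "high"
    if hides and disguised:
        return "medium"
    return "low"


def triage(rules: list[dict]) -> list[dict]:
    out = []
    for r in rules:
        f = rule_findings(r)
        out.append({"mailbox": r["mailbox"], "name": r.get("name", ""),
                    "findings": f, "severity": severity(f)})
    return out


# Constructed rule export: two malicious rules, two benign ones.
SAMPLE_RULES = [
    {"mailbox": "ap@example-corp.com", "name": ".",            # classic interception rule
     "subject_or_body_contains": ["invoice", "payment"],
     "forward_to": ["ap.backup.mailbox@outlook.com"],
     "delete_message": True, "mark_as_read": True},
    {"mailbox": "ap@example-corp.com", "name": "Newsletters",  # benign housekeeping
     "subject_or_body_contains": ["newsletter"],
     "move_to_folder": "RSS Feeds", "mark_as_read": True},
    {"mailbox": "cfo@example-corp.com", "name": "Vendor",      # hides the supplier's real replies
     "subject_or_body_contains": ["IBAN", "bank details"],
     "move_to_folder": "Conversation History", "mark_as_read": True},
    {"mailbox": "cfo@example-corp.com", "name": "Cover while on leave",  # internal, benign
     "forward_to": ["deputy@example-corp.com"]},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_RULES):
        print(row["severity"].upper(), row["mailbox"], repr(row["name"]), row["findings"])
```

Run this against a periodic export of every mailbox's rules, not only on the finance team's mailboxes: the rule that hides a supplier's "that is not our IBAN" reply is as often in an executive's mailbox as in accounts payable. A medium or high result is a reason to review the account's recent sign-ins and sent items, since the rule is usually created after the compromise, not before it.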
6. Monitor exposed credentials
Exposed credentials on the dark web can allow attackers to access business accounts and observe real conversations before launching the fraud.
Continuous monitoring helps identify risks before they are exploited.
7. Train finance teams
Training should be practical and adapted to the real risk faced by each team.
Finance teams should practice scenarios such as:
- Fake invoices;
- IBAN changes;
- Compromised suppliers;
- Pressure for urgent payment;
- Similar domains;
- Requests from management.
The more realistic the examples are, the better the team will be at identifying fraud attempts.
What should you do if the fraud has already happened?
If the company suspects that it has made a fraudulent payment, it should act quickly.
The first steps should include:
- Contacting the bank immediately;
- Requesting a transfer block or reversal;
- Collecting all related emails and documents;
- Preserving evidence;
- Reporting the incident to the relevant authorities;
- Informing the security team;
- Reviewing the email accounts involved;
- Blocking further payments to the same destination;
- Notifying the legitimate supplier.
In these cases, time is critical. The sooner the incident is identified and reported, the greater the chance of blocking or recovering funds.
Conclusion
Payment Redirection Fraud shows that not every attack needs to compromise systems to cause damage. Often, it is enough to manipulate a financial process and exploit the trust between companies.
A well-written email, a convincing invoice, and a request to change bank details can be enough to divert legitimate payments to fraudulent accounts.
That is why organizations should treat any change to bank details as a sensitive operation. Combining validation through an alternative channel, dual approval, domain monitoring, account protection, and team training is essential to reduce risk.