Supplier Bank-Detail Fraud: 12 Controls to Block Wire-Transfer Fraud in 2026
Supplier bank-detail fraud is one of the most mature payment risks. Here are the 12 controls to embed into an SME's wire-transfer process in 2026.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Short answer. Supplier bank-detail fraud consists of substituting, via a compromised email or system intrusion, the legitimate bank details of a supplier with those of a fraudulent account. No single tool eliminates this risk; only a combination of 12 controls applied end-to-end — from third-party onboarding to signed transfer — neutralises it. This article details those 12 controls, prioritised and compatible with SME constraints.
1. The three families of bank-detail fraud
- Business email compromise (BEC): a fraudster spoofs a supplier address or infiltrates a legitimate inbox, then sends new bank details.
- Direct impersonation: a call or letter purportedly from the supplier requesting a bank-detail change.
- CEO fraud — IBAN variant: simulated executive pressure to urgently approve a transfer to a new IBAN.
Common thread: the third party is legitimate and the invoice is consistent; only the IBAN is manipulated.
2. The 12 controls, by process step
Onboarding and update (1 to 4)
- Third-party creation by an actor separate from payments (segregation of duties).
- Bank details collected as an official document (KBis, bank attestation), never solely by email.
- IBAN validation by phone on a previously known number (never the number provided in the new email).
- Bank-detail change log, time-stamped, retained, auditable.
Invoice receipt and processing (5 to 7)
- Three-way matching invoice / purchase order / receipt note.
- Domain and signature anomaly detection (e.g., example.com vs example-com.net).
- Special process for any invoice carrying an IBAN different from the master record: mandatory dual validation.
Payment (8 to 10)
- Dual signature above a defined threshold.
- IBAN whitelist active in the wire tool: any new IBAN forces a hold.
- Country / currency / nature consistency check.
Monitoring and improvement (11 and 12)
- Regular social engineering tests (fake bank-detail change emails).
- Documented incident process: who to alert, what timing, where to file the complaint.
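As an added example (not the firm's own tooling, nor any ERP or banking portal's code), the following Python sketch shows how controls 4, 7, 9 and 10 above, together with the roadmap's rule of holding any IBAN modified in the past 30 days without renewed validation, combine into one pre-payment release check. Supplier names, the IBANs (structurally valid test values), the SEPA country whitelist and the EUR 10,000 dual-signature threshold are all constructed.

```python
"""Pre-payment release check combining controls 4, 7, 9 and 10 with the 30-day rule.
Added example, not the firm's or any ERP/banking portal's code. Supplier names, IBANs
(structurally valid test values), country whitelist and threshold are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

ALLOWED_COUNTRIES = {"FR", "DE", "BE", "ES", "IT", "NL", "LU"}  # constructed SEPA whitelist
DUAL_SIGNATURE_THRESHOLD = 10_000                               # constructed, EUR (control 8)

@dataclass
class IbanRecord:
    iban: str
    changed_on: str           # control 4: ISO date of the time-stamped change-log entry
    callback_validated: bool  # control 3: confirmed by phone on a previously known number

# Constructed master file: ACME's IBAN validated long ago; BETA's changed recently, no callback yet.
MASTER = {
    "ACME SARL": [IbanRecord("FR1420041010050500013M02606", "2025-01-10", True)],
    "BETA SAS": [IbanRecord("DE89370400440532013000", "2026-04-20", False)],
}

def iban_checksum_ok(iban: str) -> bool:
    """ISO 7064 mod-97-10: rotate first 4 chars to the end, map A-Z to 10-35; remainder must be 1."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34 and s.isalnum() and s[:2].isalpha()):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1  # catches typos, not a substituted but well-formed IBAN

def release_holds(supplier: str, iban: str, amount: float, currency: str,
                  today: str, master=MASTER) -> list[str]:
    """Return the hold reasons for a pending transfer; an empty list means it may be released."""
    holds = []
    iban = iban.replace(" ", "").upper()
    if not iban_checksum_ok(iban):
        holds.append("BAD_CHECKSUM")
    if iban[:2] not in ALLOWED_COUNTRIES:
        holds.append("COUNTRY_NOT_ALLOWED")        # control 10
    if currency != "EUR":
        holds.append("CURRENCY_NOT_EUR")           # control 10
    record = {r.iban: r for r in master.get(supplier, [])}.get(iban)
    if record is None:
        holds.append("IBAN_NOT_WHITELISTED")       # controls 7 and 9: a new IBAN forces a hold
    elif (date.fromisoformat(today) - date.fromisoformat(record.changed_on) <= timedelta(days=30)
          and not record.callback_validated):
        holds.append("RECENT_CHANGE_UNVALIDATED")  # roadmap day 1-30 rule
    if amount >= DUAL_SIGNATURE_THRESHOLD:
        holds.append("DUAL_SIGNATURE_REQUIRED")    # control 8
    return holds
```

The checksum only catches transcription errors; a fraudster's account has a perfectly valid IBAN, which is why the whitelist and change-log tests carry the real weight.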
3. Summary table
| # | Step | Control | Owner | Main tool |
|---|---|---|---|---|
| 1 | Onboarding | Segregation creation/payment | Bookkeeper + CFO | ERP |
| 2 | Onboarding | Bank details as official doc | Bookkeeper | DMS |
| 3 | Onboarding | Validation phone call | Bookkeeper | Phone |
| 4 | Onboarding | Change log | CFO | ERP / log |
| 5 | Invoice | Three-way matching | Bookkeeper | ERP |
| 6 | Invoice | Domain anomaly detection | IT | Email filter |
| 7 | Invoice | Different-IBAN process | CFO | Workflow |
| 8 | Payment | Dual signature | CFO + CEO | Online banking |
| 9 | Payment | IBAN whitelist | CFO | Online banking |
| 10 | Payment | Country/currency check | CFO | Online banking |
| 11 | Monitoring | Phishing tests | CFO / IT | Phishing campaign |
| 12 | Monitoring | Incident process | CEO | Crisis plan |
4. Our chartered-accountant view
Bank-detail fraud is neither an accounting flaw nor a technology flaw: it is a process flaw. No bank, ERP or single tool replaces an integrated chain of human and software controls across the procure-to-pay cycle.
- The most exposed SMEs are those whose accounts payable depend on a single person.
- The validation phone call has the best cost/efficacy ratio. It is also the most often skipped.
- The IBAN whitelist in the banking portal is now standard, but many companies disable it to avoid operational friction. The friction is precisely the control.
5. The human factor
French and European reports emphasise that more than 80% of successful wire-transfer frauds exploit a human weakness, not a technical defect. Simulated executive pressure, month-end fatigue and payment routine are the favourable terrain. A framework limited to software, without team training, is ineffective.
6. What the CEO must decide
- Who owns the third-party master? The payment? The control?
- What thresholds trigger dual signature, whitelist, validation call?
- What frequency for social engineering tests?
- What incident process? (who contacts the bank in the first hour)
- What insurance coverage for fraud?
7. 2026 watchpoints
- B2B e-invoicing: the French reform changes invoice arrival channels. Bank-detail controls must adapt.
- Generative AI: fraudulent emails become more credible. The "I call to validate" rule gains weight.
- AML obligations (French Monetary and Financial Code, art. L.561-2): regulated entities must document KYC and vigilance procedures.
- Data retention (CNIL): bank-detail change logs fall within accounting data retention periods.
8. FAQ
1. What liability does the CEO carry? The CEO is responsible for internal controls. A successful fraud on a poorly secured process can engage civil — and in case of gross negligence, criminal — liability.
2. Does the bank refund a fraudulent transfer? As a rule, no, save where the bank itself failed. The loss stays with the company. Hence the importance of fraud insurance and preventive controls.
3. What channel to report the fraud? THESEE for online fraud, PERCEVAL for card fraud, a local police complaint for the fraudulent transfer. Tracfin remains the reference authority for suspicious-activity reports by regulated entities.
4. How much do the 12 controls cost? Most require no software investment: they are organisational and procedural. The main cost is initial training and rollout time.
5. Do we need a dedicated fraud officer? In an SME, the role is usually held by the CFO. Above a certain threshold or for AML-regulated entities, a designated officer is recommended.
9. 30 / 60 / 90-day roadmap
Implementing all twelve controls at once exhausts teams. A three-step trajectory is more realistic for an SME.
Days 1 to 30 — secure the urgent. Priority to first-level controls: hardened third-party master file, dual IBAN validation with a callback to a number verified independently of the e-mail received, two-eye signature on any transfer above a defined threshold, automatic blocking of payments to an IBAN modified in the past 30 days without renewed validation. A flash awareness session for the accounts-payable team and the executive assistant should be scheduled in the first week, since they remain the favourite targets of social engineering. Goal: eliminate 80% of residual risk on the most exposed flows. The cost is mostly process, very little tooling.
Days 31 to 60 — industrialise. Deployment of consistency controls: company-name vs IBAN matching via a third-party service (SEPA account-holder verification), mandatory written trace of every IBAN change in a dedicated workflow, escalation to the CFO above a predefined threshold, default whitelist of authorised SEPA countries. Update of the general purchasing terms and of the standard letters sent to suppliers to remind them of internal rules: no IBAN change by e-mail, mandatory channel for legitimate updates. Briefing of the statutory auditor on the device, so that the next audit covers it.
Days 61 to 90 — harden and audit. Simulated social-engineering intrusion test on the AP team and management. Annual fraud exercise with documented lessons learned. Integration of the framework into the business-continuity plan. Synthesis report to the audit committee or executive management. At this stage, the system also becomes auditable by external parties: insurer (cyber risk), banker, statutory auditor, prospective acquirer in due diligence.
Beyond day 90 — routine. Monthly indicators (number of modified IBANs, dual-validation rate, alerts treated, losses avoided) and annual review of the framework. This phasing avoids the big-project effect that postpones implementation indefinitely. The first measures, free or inexpensive, already divide residual risk significantly. The compounding effect comes later, with the cultural anchoring of a two-eye, two-channel reflex within the finance team.
This 90-day roadmap is also a useful negotiation grid with cyber insurers: wire-fraud policies increasingly demand proof of dual validation and IBAN-change controls before payout. Documenting each milestone serves both the operational dimension and the contractual one.
Common pitfalls along the way. Three patterns derail otherwise solid programmes. First, control fatigue: when every payment requires a callback regardless of amount, the team starts batching validations and bypasses the spirit of the procedure; thresholds and risk-based segmentation are essential. Second, the lone champion: a single person carrying the whole framework leaves the company exposed at the first holiday or resignation; documentation and rotation are mandatory. Third, the false positive of the new supplier: legitimate first-time suppliers often look like fraud signals (new IBAN, urgent invoice, generic e-mail). The procedure must include a fast track for legitimate onboarding, otherwise commercial relationships suffer. Reviewing these three pitfalls in the quarterly steering committee prevents the framework from drifting into theatre or, on the opposite end, into bureaucratic friction that kills its own credibility. A short post-mortem after every confirmed or attempted incident keeps the framework anchored in real cases.
10. Conclusion
Supplier bank-detail fraud is not neutralised by a tool but by a system combining procedures, segregation of duties, whitelists, validation calls and team training. The 12 controls presented here are the minimum baseline for an SME in 2026.
If you want to audit or strengthen your anti-fraud framework, our team supports CEOs and CFOs in designing and implementing internal controls aligned with company size and risk profile.
Updated as of 5 May 2026.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.
Sources
Official and operational sources cited for this page.
- Tracfin – Rapports d'analyse fraude au virement
- ANSSI – Recommandations contre les fraudes au paiement
- Plateforme PERCEVAL
- Plateforme THESEE
- Banque de France – Observatoire sécurité des moyens de paiement
- Légifrance – Code monétaire et financier, art. L.561-2 (LCB-FT)
- Légifrance – Code pénal, art. 313-1 (escroquerie)
- CNIL – Conservation des données comptables
Need a quote or personalised advice?
Our accountancy firm supports you through all your steps. Get a free quote to review your situation and receive a bespoke fee proposal, or contact us directly.