Security Intermediate

Business Email Compromise and Invoice Fraud: How UK Businesses Lose Money by Email

Business email compromise and invoice fraud target the people who pay the bills. Here are the process and technical controls that stop UK firms losing money by email.

1 Apr 2026 6 min read

The single most effective way to prevent business email invoice fraud is one rule, applied without exception: never change a supplier's bank details, or pay an unexpected urgent transfer, on the strength of an email alone. Verify the request by calling a phone number you already hold for that person or company, not a number taken from the email itself. That one habit stops the large majority of these scams, because the whole attack depends on you trusting the email in front of you.

This is a different problem from ordinary phishing. The criminals aren't trying to harvest a random password. They go after the people who authorise payments - finance managers, bookkeepers, office managers and directors - and they've usually done their homework on how your business pays its bills.

The two scams you actually need to worry about

Most losses come from two closely related tricks. Police and banks group them under "payment diversion fraud", or more broadly authorised push payment (APP) fraud, because you, the customer, are the one who presses send on the payment.

CEO fraud (the urgent transfer from the boss)

An email arrives, apparently from your managing director, asking you to move money urgently and discreetly. It might be framed as a confidential acquisition, a deposit that has to clear today, or a supplier who'll "down tools" without immediate payment. The address may be spoofed, or sent from a look-alike domain such as coffeecupsolutlons.com in place of coffeecupsolutions.com. The boss is conveniently in a meeting or abroad, so you can't easily check. The pressure is deliberate.

Invoice and mandate fraud (the changed bank details)

This is the one that hits ordinary trading businesses hardest. You receive what looks like a genuine invoice, or a polite note from a real supplier saying their bank account has changed. Often the criminal has been sitting inside the supplier's mailbox reading the thread for weeks, so the request lands at exactly the moment a real invoice is due. You pay the correct amount, to the correct reference, on the correct date - straight into the fraudster's account. Builders' merchants, solicitors handling completion monies, and anyone paying large recurring supplier invoices are favourite targets.

Why these work: it's process, not technology

These attacks succeed by exploiting how people behave under pressure, not by breaking any system. Three levers do almost all the work:

  • Urgency. "This has to go before 3pm" removes the time you'd normally take to think or check.

  • Authority. A request that appears to come from a director or a long-standing supplier feels rude, or risky, to question.

  • Secrecy. "Keep this between us, it's confidential" stops you doing the obvious thing and asking a colleague.

If a payment request carries all three at once, treat that combination as the warning sign in itself.

Process defences that stop most cases

These cost nothing and matter more than any software. Write them into your payment procedure so they happen every time, not only when someone already feels suspicious.

  1. Call back on any change of bank details. If a supplier's account details change, ring them on a number you already hold - from a previous invoice, your accounts system or their website - and confirm verbally before you pay. Never use the phone number printed on the email or the new invoice.

  2. Dual authorisation above a threshold. Require a second named person to approve any payment over a set figure, say £1,000 or £5,000, whichever suits your business. Two people are far harder to rush than one.

  3. Treat email as a request, not an instruction. A change to where money goes always needs a second channel to confirm it - a phone call or a face-to-face word.

  4. Verify the person, not the message. For an urgent transfer apparently from a director, speak to them directly. A 30-second call beats a five-figure loss.

Make it explicit that questioning a payment is encouraged. A junior member of staff who feels they can't challenge an email "from the boss" is exactly the weak point these criminals are counting on.

Technical defences that back up the process

Good process catches the fraud at the point of payment. Technical controls make it harder for the criminal to look convincing in the first place, and harder to get into your mailboxes to begin with.

  • Multi-factor authentication on every email account. Many invoice frauds start with a compromised mailbox, where the attacker reads real threads and waits. MFA is the most effective single control against account takeover.

  • SPF, DKIM and DMARC on your domain. These three email authentication records let receiving servers check that mail claiming to be from your domain genuinely is. Set up properly, DMARC makes it much harder for someone to spoof your own domain to your staff or your customers.

  • Look-alike domain monitoring. An alert when someone registers a domain close to yours - swapping an l for a 1, or .co.uk for .com - gives you early warning that an impersonation campaign may be on the way.

  • Confirmation of Payee. Most UK banks now check the account name you enter against the sort code and account number. When it flags a mismatch, stop and look - that warning is doing its job.
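The look-alike domain check described above, as an added example that is not code from the original article: a small Python screen that compares a sender's domain against a list of supplier domains the business already holds and flags the swaps the article names (an l for a 1, a dropped or changed letter, .co.uk for .com). The supplier domains and From: headers are constructed for illustration.

```python
import re

# Constructed for illustration: domains of suppliers the business already trusts.
KNOWN_DOMAINS = {"coffeecupsolutions.com", "acme-merchants.co.uk"}

# Digit-for-letter swaps commonly seen in impersonation domains (1 for l, 0 for o ...).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

def sender_domain(from_header):
    """Pull the domain out of a From: header such as 'Accounts <a@x.com>'."""
    match = re.search(r"@([\w.-]+)", from_header)
    return match.group(1).lower() if match else ""

def split_domain(domain):
    """Split 'acme-merchants.co.uk' into ('acme-merchants', 'co.uk')."""
    parts = domain.lower().split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "org", "ac", "gov"):
        return ".".join(parts[:-2]), ".".join(parts[-2:])
    return ".".join(parts[:-1]), parts[-1]

def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(domain, known=KNOWN_DOMAINS):
    """Return (verdict, matched_known_domain) for the sending domain."""
    domain = domain.lower()
    if domain in known:
        return "known", domain
    name, suffix = split_domain(domain)
    for k in sorted(known):
        kname, ksuffix = split_domain(k)
        if name == kname and suffix != ksuffix:                    # .co.uk swapped for .com
            return "lookalike-suffix", k
        if name != kname and name.translate(HOMOGLYPHS) == kname:  # 1 for l, 0 for o
            return "lookalike-homoglyph", k
        if edit_distance(name, kname) <= 2:                        # dropped or changed letter
            return "lookalike-typo", k
    return "unknown", None

if __name__ == "__main__":
    # Constructed From: headers; the first uses the article's own typo-domain example.
    for hdr in ("Accounts <accounts@coffeecupsolutlons.com>",
                "Sales <sales@acme-merchants.com>",
                "Ops <ops@coffeecupso1utions.com>"):
        print(hdr, "->", classify_sender(sender_domain(hdr)))
```

Anything other than "known" is a reason to apply the call-back rule before acting on the message, not a verdict on its own; a genuinely new supplier will also show as "unknown".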

If money has already gone: the first hours decide everything

Speed is the difference between recovering funds and losing them. The moment you suspect a payment has gone to a fraudster:

  1. Phone your bank straight away and ask them to attempt a recall. The sooner they contact the receiving bank, the better the chance of freezing the money before it's moved on.

  2. Report it to Action Fraud on 0300 123 2040 or at actionfraud.police.uk. This is the UK's national reporting centre for fraud, and your report feeds the wider investigation.

  3. Preserve the evidence - the emails, headers, invoices and payment confirmations. Don't delete anything.

  4. Tell the genuine supplier if it's mandate fraud, as their mailbox may be compromised and other customers could be at risk.

Since 7 October 2024, banks must reimburse most eligible APP fraud victims, with claims assessed and paid within five business days and a cap of £85,000 per claim. Small businesses that qualify as microenterprises, along with charities, are covered. It's a genuine safety net, but not a reason to relax: reimbursement can carry an excess, it depends on you not having been grossly negligent, and it's far more painful than simply not being defrauded in the first place.

Train the finance team specifically

General security awareness training tends to focus on spotting dodgy links. That's useful, but it doesn't prepare the person who processes supplier payments for a clean, professional-looking email with no link in it at all. Finance and accounts staff need training built around their actual job: what a mandate-change request looks like, why an urgent confidential transfer is a red flag, and the exact call-back step they're expected to take. Walk through a realistic example or two so the response is automatic when a real one lands.

If you'd like a hand setting up DMARC properly, hardening your Microsoft 365 mailboxes, or writing payment-verification steps your team will actually follow, we work with Berkshire and Thames Valley businesses on exactly this - process and technology together, because one without the other leaves a gap.
