Preventing invoice fraud: three checks before you pay a new IBAN
Invoice fraud is dull, simple, and brutally expensive. Here's how three quick checks and one phone-call rule stop you from sending money to the wrong IBAN.
You ask a new supplier for a quote. A few days later an email arrives with an IBAN and a request to transfer the deposit. Sounds routine. But how do you know that IBAN is correct — and hasn't been swapped out somewhere along the way by someone intercepting your email?
Invoice fraud is one of the dullest, yet most expensive, forms of cybercrime for SMBs. No dramatic hack, no ransomware screen. Just a payment that goes to the wrong account number and disappears. In this post we show you how to prevent that in a few minutes — without installing anything complicated.
How invoice fraud works in practice
The most common variant is called CEO fraud or BEC (Business Email Compromise). The trick is almost always the same:
- Someone gains access to a supplier's mailbox (or impersonates that supplier using a lookalike domain, e.g. supp-lier.com instead of supplier.com).
- A real invoice is intercepted or forged.
- Only the IBAN is changed. Everything else on the invoice looks identical: logo, layout, VAT number — it all checks out.
- You pay. A few days later the real supplier calls asking where their money is.
By then the money has usually already been routed through a mule account and moved abroad. Recovery is rarely possible.
Three checks you should always run
You don't need a finance department for this. For every payment above a threshold you consider significant (we often suggest €500), run these three checks.
1. Is the IBAN technically valid?
An IBAN includes a built-in check-digit calculation. If someone accidentally types one digit wrong in a hurry, it gets caught. But if a fraudster deliberately uses a valid IBAN, it sails straight through. The technical check catches typos — not malicious intent.
Still useful: you can tell from an IBAN which bank and country it belongs to. If your supplier has always banked with ING and you suddenly receive a Lithuanian IBAN starting with LT, something is off. Our IBAN check surfaces that in two seconds.
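The two halves of check 1 in code, as an added example that is not the IBAN check the post refers to: the mod-97 check-digit test that catches typos, plus the country and bank identifier comparison that flags a supplier who "suddenly" banks somewhere else. The per-country length tables, the supplier profile and all IBANs used (the ING account on file is a constructed placeholder) are assumptions for this example.

```python
import re

# Assumption for this example: IBAN length and bank-identifier length per country
# (ISO 13616); only the countries used below are listed, extend the tables as needed.
IBAN_LENGTH = {"NL": 18, "GB": 22, "LT": 20, "DE": 22, "BE": 16}
BANK_ID_LEN = {"NL": 4, "GB": 4, "LT": 5, "DE": 8, "BE": 3}

def normalise(iban: str) -> str:
    """IBANs are usually pasted with grouping spaces; strip them and upper-case."""
    return re.sub(r"\s+", "", iban).upper()

def iban_checksum_ok(iban: str) -> bool:
    """ISO 7064 mod-97: move the first four characters to the end, replace letters
    A-Z by 10-35, and the resulting integer must leave remainder 1 modulo 97."""
    s = normalise(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    if s[:2] in IBAN_LENGTH and len(s) != IBAN_LENGTH[s[:2]]:
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1

def iban_country_and_bank(iban: str) -> tuple[str, str]:
    """Split out the country code and the bank identifier that follows the check digits."""
    s = normalise(iban)
    return s[:2], s[4:4 + BANK_ID_LEN.get(s[:2], 4)]

def assess_new_iban(new_iban: str, iban_on_file: str) -> list[str]:
    """Findings for paying new_iban when the supplier's known account is iban_on_file.
    An empty list means the IBAN is unchanged; a valid checksum alone never clears it."""
    if normalise(new_iban) == normalise(iban_on_file):
        return []
    findings = ["IBAN_CHANGED: confirm by phone on the number already on file"]
    if not iban_checksum_ok(new_iban):
        findings.append("CHECKSUM_INVALID: looks like a typo, do not pay as entered")
        return findings
    country, bank = iban_country_and_bank(new_iban)
    old_country, old_bank = iban_country_and_bank(iban_on_file)
    if country != old_country:
        findings.append(f"COUNTRY_CHANGED: {old_country} -> {country}")
    elif bank != old_bank:
        findings.append(f"BANK_CHANGED: {old_bank} -> {bank}")
    return findings

if __name__ == "__main__":
    # Constructed sample: supplier always banked with ING (NL), new invoice shows a Lithuanian IBAN.
    for line in assess_new_iban("LT12 1000 0111 0100 1000", "NL20 INGB 0001 2345 67"):
        print(line)
```

Note that the Lithuanian IBAN in the sample passes the checksum; only the comparison against the account on file raises the flag, which is exactly why the checksum alone is not a fraud check.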
2. Does the VAT number match the company name?
With new suppliers or larger amounts, you want to confirm that the VAT number actually belongs to the company shown on the invoice. The European VIES database can tell you. Our VAT check runs that lookup for you and shows which company name and address the tax authority has on file. If it doesn't match the invoice, pick up the phone — don't reply by email.
3. Does the address match the postcode?
It sounds trivial, but it's a surprisingly effective check against lookalike invoices. With the postcode check you can instantly see whether the address exists and where it is. An invoice where the postcode doesn't match the street address is one you don't even need to question further.
Always verify changes through a second channel
The golden rule: if a supplier changes their bank account number, call the phone number you already have on file. Not the number at the bottom of the email (that may have been changed too). Not WhatsApp (easy to spoof). Call — your own contact — and ask: "Can you confirm you have a new IBAN?"
That one two-minute phone call has already saved countless SMBs from serious losses. Make it an internal rule and ensure everyone who processes payments knows it.
Four-eyes principle for payments
The second rule: always have payments above a threshold approved by a second person. In virtually every modern banking platform — Rabo, ING, ABN, Knab, bunq Pro — you can configure this as a second approver. The person who sets up the payment cannot authorise it themselves. Someone else takes one more look at the IBAN before hitting send.
This is especially valuable because the system itself forces a brief pause. And in that pause, 90% of fraud attempts fall apart — because urgency is the fraudster's most important weapon ("can this be transferred today?").
Securing your email stops you from being the weak link
So far we've focused on how to avoid paying a fraudster yourself. But it can work the other way too: a criminal hijacks your email or impersonates you, and your customers end up paying the wrong account number. That destroys the relationship — and your reputation.
The technical measures that prevent this are SPF, DKIM, and DMARC. Together, these three allow a receiving mail server to verify that an email genuinely came from your domain. We regularly set this up for SMB clients as part of our email security service. It usually takes less than a day.
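As an added example (not part of the post or the service it describes), a small checker for the two records that most often turn out to be "set up" but still ineffective: an SPF record whose `all` qualifier does not reject unlisted senders, and a DMARC record left at `p=none`. The record strings are constructed samples; in practice you would read them from DNS for your own domain.

```python
import re

def _tags(record: str) -> dict[str, str]:
    """Parse the 'tag=value; tag=value' form used by DMARC (and DKIM) records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def spf_findings(record: str) -> list[str]:
    """Flag an SPF record whose 'all' qualifier lets anyone send, or that exceeds 10 lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    alls = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not alls:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are not rejected")
    elif alls[-1][0] not in "-~":
        findings.append(f"SPF: '{alls[-1]}' lets any host send as your domain")
    elif alls[-1][0] == "~":
        findings.append("SPF: ~all is softfail; move to -all once every sender is listed")
    # Mechanisms that cost a DNS lookup; more than 10 makes receivers return permerror.
    lookups = [t for t in terms if re.match(r"(include:|a\b|mx\b|ptr|exists:|redirect=)",
                                            t.lstrip("+-~?"), re.I)]
    if len(lookups) > 10:
        findings.append(f"SPF: {len(lookups)} DNS lookups exceed the limit of 10 (permerror)")
    return findings

def dmarc_findings(record: str) -> list[str]:
    """Flag a DMARC record that only monitors (p=none) or applies to part of the mail."""
    t = _tags(record)
    if t.get("v") != "DMARC1":
        return ["DMARC: missing or malformed record (expected v=DMARC1)"]
    findings = []
    if t.get("p") == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif t.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: unknown policy '{t.get('p')}'")
    if t.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={t['pct']} applies the policy to only part of the mail")
    if "rua" not in t:
        findings.append("DMARC: no rua= address, so you never see who is spoofing you")
    return findings

# Constructed sample records for a hypothetical domain (example.com is a reserved name).
SAMPLE_SPF = "v=spf1 include:_spf.example-mailhost.net ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
```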
A quick checklist for Monday morning
- Agree on a threshold amount above which additional checks are always required.
- Enable a second approver in your banking environment.
- Establish the rule: IBAN change? Call via a known number — never rely on email alone.
- Always check new suppliers with the IBAN, VAT, and postcode checks before the first payment.
- Verify that SPF, DKIM, and DMARC are correctly configured on your own domain.
Want to validate an invoice right now? Start with our IBAN check and VAT check. Two minutes of work, and you'll know the money is going exactly where it should.
Full guide: Invoicing for SMBs from quote to payment: the complete guide
This article is part of our comprehensive Accounting & invoicing guide. Read the pillar for the complete picture.