Financial & Payment Risk

Could Supplier Banking Details Be Changed Without Detection?

Fraudulent banking detail changes are among the most financially damaging risks facing South African businesses - and most organisations have no reliable process to prevent them.

Section 2 - What This Looks Like In Practice

"Your finance team receives an email from what appears to be a long-standing supplier. It explains that the supplier has changed banking details and asks that all future payments use the new account. The email looks authentic - correct name, professional layout, familiar tone. Payment is processed three days later. The real supplier calls a week after that about the outstanding invoice. The money is gone."

Section 3 - Potential Consequences
Direct financial loss - commonly ranging from R50,000 to several hundred thousand rands in SME environments
Very limited prospect of recovering funds once transferred to a fraudulent account
Insurance complications - many policies exclude social engineering fraud without specific riders
Damage to the legitimate supplier relationship and potential legal dispute
Management time, legal costs and bank liaison costs to investigate and report
Section 4 - Questions Management Should Ask
Does your business have a formal documented process for verifying changes to supplier banking details before processing?
Is a call-back to a verified, pre-existing phone number required before any banking detail change is applied?
Who is authorised to approve a banking detail change, and is this formally documented?
Have your finance staff been briefed on how to recognise a fraudulent banking detail request?
Section 5 - The Technical Side

This attack vector is known as Business Email Compromise (BEC): fraud that exploits trust in email and weak payment process controls rather than software vulnerabilities. BEC consistently ranks among the highest-value cybercrime categories globally, and South Africa sees significant volumes. The request may arrive from a lookalike domain, a spoofed sender address or, in the worst case, the supplier's own mailbox after it has been compromised, which is why neither the sender address nor any contact details inside the email can be relied on to verify the change. Controls fall into three categories: process controls (mandatory call-back verification to contact details already on file), system controls (dual-authorisation workflows in financial platforms) and awareness controls (staff training to recognise impersonation). None of these require specialised technology - they are policy and process decisions that any organisation can implement immediately.

Section 6 - Practical Steps to Improve Visibility
1. Implement a mandatory call-back rule: any banking detail change received by any channel must be verified by phone to a number already on file - not the number in the email
2. Require dual authorisation for all banking detail changes: one person to receive and log, a second person to verify and approve - the approver must not be the same as the receiver
3. Brief your finance team on what BEC attempts look like: urgency, authority, slightly wrong email domains, requests to avoid calling
4. Document the verification process in writing so it applies consistently regardless of who is in the finance function
5. Report any suspected BEC attempt to your bank and to the South African Banking Risk Information Centre (SABRIC) immediately
Section 7 - Assessment
Find Out Where Your Business Stands

ComplyBar helps businesses identify hidden risks in how information, AI tools, email, documents and cloud systems are used.

Built for POPIA support, AI governance, data leak prevention, employee risk awareness, information governance and audit evidence.

Start Your Risk Assessment Download Free Checklist
From R750 • Delivered online • No commitment required
Related Risks
Payroll & HR Risk
How Many People Have Access To Payroll Information?
Read more →
Human Risk
Could One Employee Mistake Create A Serious Problem?
Read more →
Audit Evidence
Can You Prove What Happened After An Incident?
Read more →
← View all common business risks