
A Supplier Banking Detail Change Goes Unnoticed

THE SCENARIO

Someone sends your finance team an email that appears to come from a supplier your business has worked with for years. The email explains that the supplier's banking details have changed and provides new account information. The next payment is processed to the new account. The money leaves your business. The real supplier contacts you a week later about the outstanding invoice.

1. How This Typically Happens

This scenario relies on impersonation rather than technical complexity. Fraudsters register domains that closely resemble legitimate suppliers, or sometimes compromise the supplier's actual email account directly, and send convincing banking detail change requests. Without a separate verification process, finance teams have no reliable way to distinguish a legitimate request from a fraudulent one - especially when both look identical.

2. Why Businesses Often Miss the Warning Signs

Most businesses process banking detail changes based on email instructions alone, because that is how legitimate requests typically arrive. There is no separate verification step, no call-back requirement and no policy requiring a second person to approve the change. The problem only becomes visible after a payment has already been made to the wrong account.

3. Potential Consequences

- Direct financial loss - often ranging from tens of thousands to hundreds of thousands of rands
- Very limited prospects of recovering funds once transferred to a fraudulent account
- Regulatory and insurance complications depending on the circumstances
- Damage to the relationship with the legitimate supplier
- Management time and legal costs associated with investigating, reporting and seeking recovery

4. Questions Management Should Ask

- Does your business have a formal, documented process for verifying changes to supplier banking details before they are applied?
- Is a call-back to a verified, pre-existing phone number required before any banking detail change is processed?
- Who is authorised to approve a banking detail change, and is this formally documented?
- Have your finance staff been briefed on how to recognise a fraudulent banking detail request?

5. Practical Steps to Improve Visibility

1. Implement a mandatory verification call: any banking detail change received by email must be confirmed by phone to a number already on file - never the number provided in the email
2. Require two-person authorisation for all banking detail changes: one person to receive and request, a different person to verify and approve
3. Brief your finance team on what fraudulent requests look like and how to handle them - one practical session is enough to significantly reduce the risk
4. Document your process so that it applies consistently, regardless of who is in the finance team at any given time