Fake Bank Details Fraud: Detection for Canadian Finance Teams
How Canadian AP teams spot AI-generated fake bank details before paying invoices, with FINTRAC, CAFC and PCMLTFA regulatory context, red flags and controls.

Summarize this article with
Fraudsters do not need to breach a bank's systems to steal a supplier payment. They only need one convincing document. Vendor payment fraud โ also called invoice redirection fraud, supplier swap fraud, or CEO "change of bank details" fraud โ tricks a finance team into updating the bank details held for a genuine payee, so the next legitimate payment lands in an account a criminal controls. Generative AI has made the fake documents behind this scam markedly harder to spot: a fabricated letterhead, a cloned signature, and a plausible transit and account number now take minutes to produce, not days.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.
What Vendor Payment Fraud Is and Why It Targets Accounts Payable
Vendor payment fraud is a form of business email compromise (BEC) in which a criminal persuades a business to change the bank account details held for a genuine payee โ a supplier, contractor, landlord, or employee โ so that future payments are diverted to an account the criminal controls. The RCMP's Federal Policing cybercrime unit documents three recurring schemes in Canada: payroll fraud, where a compromised mailbox redirects paycheques; vendor impersonation, where scammers pose as an established supplier requesting payment to new banking details; and financial industry targeting, where criminals impersonate a bank client demanding urgent transfers.
Spear phishing and business email compromise accounted for more than $67 million in reported losses to the Canadian Anti-Fraud Centre (CAFC) in 2024, out of over $638 million in total fraud losses reported that year (RCMP Gazette; CAFC 2024 Annual Statistical Report). The CAFC estimates only 5 to 10 percent of victims report, so the true scale is materially higher. Phishing and deceptive email remain the most common cybercrime vector against Canadian businesses (Statistics Canada, Canadian Survey of Cyber Security and Cybercrime) โ the delivery channel vendor payment fraud almost always rides in on. Accounts payable is targeted because it routinely processes legitimate payee-detail update requests.
How Fraudsters Build a Convincing Fake Bank Details Document
Most vendor payment fraud begins with reconnaissance, not forgery. A criminal identifies a real supplier relationship โ often from a hacked mailbox, a leaked invoice, or public tender information โ before producing a document engineered to pass a quick check.
Business email compromise as the delivery channel
The fraudulent bank details rarely arrive out of nowhere. They are usually attached to, or embedded in, an email that appears to come from a trusted contact, either because the criminal has compromised the supplier's real mailbox or registered a near-identical look-alike domain. This is why the request often looks routine: same tone, same signature block, same invoice template the team already recognises โ a pattern a CAFC bulletin circulated to provincial regulators names as one of its most common referral types (New Brunswick Financial and Consumer Services Commission, citing CAFC).
AI-generated letters, remittance forms and cloned signatures
Generative tools let a fraudster take a genuine letterhead or invoice as a reference and reproduce it with substituted bank details in seconds, matching fonts and layout almost exactly. Inpainting tools can also alter just the transit and account number on a scanned original, leaving the rest of the document untouched โ the hardest variant to catch by eye, since most of the page really is authentic. Voice cloning is an emerging companion technique: short samples of an executive's public speech can fabricate a call authorising a bank detail change, defeating the "call to confirm" step many teams rely on. Globally, the RCMP notes business email compromise "has stolen more than $26 billion dollars from unsuspecting victims worldwide, including Canadian businesses" (RCMP) โ vendor scams sit inside that total as one of the most damaging categories, since diverted sums are typically far larger than a consumer-facing scam.
Red Flags That Reveal a Fake Bank Details Document
A fake bank details document rarely fails on a single obvious point. It usually fails several quieter checks at once, which is why a structured review catches what a glance misses:
| Signal | What to check | Why it matters |
|---|---|---|
| Unsolicited change request | Requested by the supplier, or only confirmed after you called first? | Fraudsters initiate; genuine suppliers rarely chase a bank detail change |
| Transit/institution number mismatch | Does the transit and institution number match the bank named on the letter? | AI-generated documents often pair a real-looking account number with the wrong institution |
| Document metadata | Does creation software match how this supplier normally sends documents? | Generic editors or stripped metadata are inconsistent with routine correspondence |
| Contact channel | Confirmed using contact details supplied in the same message? | A closed loop controlled by the fraudster defeats callback checks |
| Urgency and pressure | Deadline, penalty, or threat to disrupt future deliveries? | Urgency is designed to bypass dual-authorisation workflows |
| Formatting drift | Fonts, logo resolution, or layout differ from recent communications? | AI-cloned templates are close but rarely pixel-identical over time |
The RCMP consistently identifies verifying any bank detail change through contact details already held on file โ never those supplied in the request itself โ as the primary defence against vendor payment fraud (RCMP Business Email Compromise guidance). No document-level check replaces that step.
Does the transit number and account actually belong to the named bank
A transit number, institution number, or account number can be syntactically valid and still belong to the wrong institution or account holder. Structural validation catches typing errors, but Canada has no widely adopted confirmation-of-payee service, so most businesses still confirm ownership by other means, typically a callback or a bank-issued void cheque. Our companion guide on validating bank accounts and IBANs before payment covers the underlying structural checks, including how they apply to Canadian institution and transit numbers.
Is the document metadata consistent with the claimed sender
Genuine business documents carry metadata trails โ creation software, timestamps, revision history โ that are difficult to fake convincingly at scale. A "change of bank details" letter claiming to come from a supplier's finance department but generated in a generic PDF editor, with metadata stripped, is a stronger signal than the letter's visual quality.
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotWhy Standard Accounts Payable Controls Miss This Fraud
Segregation of duties, three-way matching, and approval thresholds catch quantity and pricing errors, not a plausible change to payee bank details buried in a routine email. Manual fraud detection catches roughly 37% of cases, with an average detection delay of 87 days, according to the ACFE 2024 Report to the Nations. By the time a delayed review surfaces a diverted payment, the funds have usually left the receiving account, often moved through several accounts within hours.
A Verification Protocol Before You Change Any Bank Detail
A short, enforced sequence closes most of the gap AI-generated documents exploit.
Step 1 โ Freeze the change. Do not update the supplier master file or process any payment against new bank details until the request has passed independent verification, regardless of the stated urgency.
Step 2 โ Call back on a known number. Contact the supplier using a number already held on file โ never one provided in the request itself. This single control, repeatedly cited by the RCMP and provincial fraud prevention bodies, defeats most vendor payment fraud attempts because the fraudster does not control the callback channel.
Step 3 โ Validate the bank details independently. Cross-check the institution, transit, and account numbers against your supplier records and, where available, request a bank-issued void cheque rather than relying on the document's printed name.
Step 4 โ Require dual sign-off and log the decision. A second, independent approver should confirm the change, with verification steps and outcome recorded โ the audit trail auditors, insurers, and FINTRAC examiners expect if the fraud is later disputed.
Will Your Bank Refund a Fraudulent Payment
The Canadian position differs sharply from some other markets here. Canada has no equivalent to the mandatory reimbursement scheme some regulators overseas impose on payment providers for authorised push payment fraud. There is no statutory requirement compelling a Canadian bank to reimburse a business that authorised a payment based on fraudulent instructions, even where a convincing forged document was involved. Recovery instead depends on the account agreement, the speed of any recall request under the relevant clearing system rules, discretionary decisions by the banks involved, and, where the loss is significant, provincial commercial law โ the common-law principles that apply outside Quebec differ procedurally from the remedies available under Quebec's civil law.
A Canadian business therefore bears more of the loss risk than a consumer would, and materially more than a business in a jurisdiction with mandatory reimbursement rules. Prevention, not recovery, carries the weight here.
OSFI, the Office of the Superintendent of Financial Institutions, does not regulate reimbursement for payment fraud; its mandate is the prudential soundness of federally regulated banks and insurers, and its cyber risk expectations push those institutions toward stronger fraud controls on their own payment rails. Separately, PCMLTFA reporting entities โ banks, credit unions, money services businesses โ carry an independent duty to FINTRAC: a transaction connected to suspected fraud can trigger a Suspicious Transaction Report regardless of dollar value (FINTRAC guidance), a compliance duty owed to FINTRAC, not a payment guarantee owed to the victim.
How CheckFile Complements Manual and Procedural Controls
Callback verification and dual sign-off remain essential, but both depend on staff catching a well-made forgery in the first place. Our approach applies multi-layer analysis โ structural checks, metadata forensics, and cross-document consistency validation โ to the bank detail documents finance teams receive, alongside AI-generated content detection deployed as a complementary layer to existing structural controls. This does not replace callback verification; it gives the reviewer a structured signal before that step happens. The CheckFile banking KYC solution applies this pipeline to onboarding and payment documents, and the CheckFile security infrastructure provides the audit logging FINTRAC-regulated entities expect. Because these documents carry personal and financial information, processing them also falls under PIPEDA and, in Quebec, the stricter obligations of Loi 25 on privacy impact assessments and breach notification. Teams evaluating deployment can review the CheckFile pricing page or the CheckFile platform directly.
For a broader view of document verification obligations across sectors, see our industry verification guide. Finance teams focused on invoice-borne fraud may also find the guide to detecting AI-generated fake invoices useful alongside this article.
To place fake bank details detection within a dedicated approach, see AI-generated and forged document detection. CheckFile analyses your files and surfaces signs of AI-generated content as a complement to your existing controls.
Frequently Asked Questions
What is the difference between vendor payment fraud and invoice fraud?
Vendor payment fraud specifically targets the bank details held for a recurring payee. Invoice fraud is broader and includes any fabricated or altered invoice, whether or not bank details change โ the two overlap heavily, since a fraudulent "change of bank details" letter is often disguised as an invoice.
Is my business covered if we pay a fraudulent vendor invoice?
There is no Canadian equivalent to a mandatory bank reimbursement scheme. Recovery options include a payment recall through the applicable clearing system, your bank's discretionary complaints process, cybercrime cover under your commercial insurance, and, in Quebec, remedies under the province's civil law framework, which differs procedurally from the common-law approach used elsewhere.
Does FINTRAC need to be told if we are defrauded?
FINTRAC does not accept fraud reports from the public โ that role belongs to the Canadian Anti-Fraud Centre and local police. If your business is itself a PCMLTFA reporting entity, however, a transaction connected to suspected fraud can independently trigger your own Suspicious Transaction Report obligation, separate from any report about being victimized.
Who should we notify if we suspect vendor payment fraud?
Report the incident to the Canadian Anti-Fraud Centre, which compiles national fraud intelligence, and file with local police for a file number often needed for insurance claims. Contact your bank on a verified number to request a payment recall, and notify the genuine supplier separately, since their identity may also be compromised.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.