Fake Bank Details Fraud: How to Detect Mandate Fraud Fast
Learn how finance and AP teams spot AI-generated fake bank details before paying invoices, with UK mandate fraud red flags and PSR/FCA regulatory context.

Fraudsters do not need to breach a bank's systems to steal a supplier payment. They only need one convincing document. Mandate fraud – also called invoice redirection fraud, supplier swap fraud, or CEO "change of bank details" fraud – tricks a finance team into updating the bank details held for a genuine payee, so the next legitimate payment lands in an account a criminal controls. Generative AI has made the fake documents behind this scam markedly harder to spot: a fabricated letterhead, a cloned signature, and a plausible sort code now take minutes to produce, not days.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.
What Mandate Fraud Is and Why It Targets Accounts Payable
Mandate fraud is a form of authorised push payment (APP) fraud in which a criminal persuades a business to change the bank account details held for a genuine payee – a supplier, contractor, landlord, or employee – so that future payments are diverted to an account the criminal controls. The National Business Crime Centre and the successor to Action Fraud, Report Fraud, both classify it as a variant of payment diversion fraud, closely linked to business email compromise (BEC).
Mandate fraud was experienced by 7% of UK businesses with employees in the 12 months covered by the Home Office Economic Crime Survey 2024, while the closely related scheme of fake invoice fraud affected 11%. Both sit within a wider pattern: 27% of UK businesses with employees, an estimated 389,000 companies, reported some form of fraud over the same period. Accounts payable is targeted precisely because it routinely processes legitimate requests to update payee details, giving a fraudulent request cover to hide in.
How Fraudsters Build a Convincing Fake Bank Details Document
Most mandate fraud begins with reconnaissance, not forgery. A criminal identifies a real supplier relationship – often from a hacked mailbox, a leaked invoice, or public tender information – before producing a document engineered to pass a quick visual check.
Business email compromise as the delivery channel
The fraudulent bank details rarely arrive out of nowhere. They are usually attached to, or embedded in, an email that appears to come from a trusted contact, either because the criminal has compromised the supplier's real mailbox or because they have registered a near-identical look-alike domain. This is why the request often looks routine: same tone, same signature block, same invoice template the team already recognises.
AI-generated letters, remittance forms and cloned signatures
Generative tools let a fraudster take a genuine letterhead or invoice as a reference and reproduce it with substituted bank details in seconds, matching fonts, logo placement, and formatting almost exactly. Inpainting tools can also alter just the sort code and account number on a scanned original, leaving the rest of the document untouched – the hardest variant to catch by eye, since most of the page really is authentic. Voice cloning is an emerging companion technique: short samples of an executive's public speech can fabricate a call authorising a bank detail change, designed to defeat the "call to confirm" step many teams rely on.
UK Finance recorded £450.7 million in authorised push payment fraud losses in 2024, spread across nearly 186,000 cases (UK Finance Annual Fraud Report 2025). Invoice and mandate scams sit inside that total as one of the most damaging categories for businesses specifically, since the sums diverted are typically far larger than a consumer payment.
Red Flags That Reveal a Fake Bank Details Document
A fake bank details document rarely fails on a single obvious point. It usually fails several quieter checks at once, which is why a structured review catches what a glance misses.
| Signal | What to check | Why it matters |
|---|---|---|
| Unsolicited change request | Requested by the supplier, or only confirmed after you called first? | Fraudsters initiate; genuine suppliers rarely chase a bank detail change |
| Sort code / bank mismatch | Does the EISCD sort code match the bank named on the letter? | AI-generated documents often pair a real-looking IBAN with the wrong institution |
| Document metadata | Does creation software match how this supplier normally sends documents? | Generic editors or stripped metadata are inconsistent with routine correspondence |
| Contact channel | Confirmed using contact details supplied in the same message? | A closed loop controlled by the fraudster defeats callback checks |
| Urgency and pressure | Deadline, penalty, or threat to disrupt future deliveries? | Urgency is designed to bypass dual-authorisation workflows |
| Formatting drift | Fonts, logo resolution, or layout differ from recent communications? | AI-cloned templates are close but rarely pixel-identical over time |
UK police guidance consistently identifies verifying any bank detail change through contact details already held on file – never those supplied in the request itself – as the primary defence against mandate fraud (Metropolitan Police). No document-level check replaces that step; it narrows down which requests need it most urgently.
Does the sort code or IBAN actually belong to the named bank
A sort code or IBAN can be syntactically valid and still belong to the wrong institution or the wrong account holder. Structural validation – confirming the check digits and bank identifier are internally consistent – catches typing errors, but only Confirmation of Payee or an equivalent account-verification API confirms that the name on the account matches the payee you believe you are paying. Our companion guide on validating IBANs and sort codes before payment covers the underlying checks in detail.
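The structural half of that check, as an added example rather than CheckFile's own code: it runs the ISO 13616 mod-97 test, compares the sort code embedded in a GB IBAN with the one printed on the letter, and looks the sort code up against the bank named on the letter. The function names and `SAMPLE_DIRECTORY` are assumptions; the directory is a constructed stand-in for a real sort code directory lookup, and nothing here confirms who owns the account.

```python
import re

# Constructed stand-in for a sort code directory lookup (not real EISCD data).
SAMPLE_DIRECTORY = {"123456": "Westshire Bank", "601613": "Northbank"}

def iban_is_well_formed(iban: str) -> bool:
    """ISO 13616 mod-97 check: catches typos, says nothing about ownership."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]                      # move country code and check digits to the end
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1

def review_bank_details(iban, sort_code, bank_name, directory=SAMPLE_DIRECTORY):
    """Return a list of findings; an empty list means no structural red flag."""
    findings = []
    s = re.sub(r"\s+", "", iban).upper()
    stated = re.sub(r"\D", "", sort_code)           # "12-34-56" -> "123456"
    if not iban_is_well_formed(s):
        findings.append("IBAN fails mod-97 check")
    elif s.startswith("GB"):
        # GB layout: GB, 2 check digits, 4-letter bank code, 6-digit sort code, 8-digit account
        if not re.fullmatch(r"GB\d{2}[A-Z]{4}\d{14}", s):
            findings.append("GB IBAN has wrong layout")
        elif s[8:14] != stated:
            findings.append("sort code on letter differs from sort code inside IBAN")
    registered = directory.get(stated)
    if registered is None:
        findings.append("sort code not found in directory")
    elif registered.casefold() != bank_name.strip().casefold():
        findings.append(f"sort code belongs to {registered}, letter names {bank_name}")
    return findings
```

A clean result only means the document is internally consistent; the name-on-account check still has to come from Confirmation of Payee or an equivalent service.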
Is the document metadata consistent with the claimed sender
Genuine business documents carry metadata trails – the software used to create them, timestamps, and revision history – that are difficult to fake convincingly at scale. A "change of bank details" letter claiming to come from a supplier's finance department but generated in a generic PDF editor or image tool, with metadata stripped entirely, is a stronger signal than the visual quality of the letter itself.
Why Standard Accounts Payable Controls Miss This Fraud
Segregation of duties, three-way matching, and approval thresholds catch quantity and pricing errors, not a plausible change to payee bank details buried in a routine email. Manual fraud detection catches roughly 37% of cases, with an average detection delay of 87 days, according to the ACFE 2024 Report to the Nations – figures relevant wherever detection still depends on a reviewer's eye rather than systematic verification. By the time a delayed review surfaces a diverted mandate payment, the funds have usually left the receiving account already.
A Verification Protocol Before You Change Any Bank Detail
A short, enforced sequence closes most of the gap that AI-generated documents exploit. Invoice and mandate fraud cost UK businesses more than £93 million in 2024 (Action Fraud Annual Fraud Landscape 2024), a loss that a consistently enforced verification sequence would prevent in the large majority of cases.
Step 1 – Freeze the change. Do not update the supplier master file or process any payment against new bank details until the request has passed independent verification, regardless of the urgency stated in the request.
Step 2 – Call back on a known number. Contact the supplier using a phone number already held on file – never a number provided in the change request itself, by email or on the letter. This single control, repeatedly cited by UK police forces and industry bodies, defeats the large majority of mandate fraud attempts because the fraudster does not control the callback channel.
Step 3 – Validate the bank details independently. Run the sort code or IBAN through a directory or verification API and check the registered name against your supplier records, rather than relying on the name printed on the document.
Step 4 – Require dual sign-off and log the decision. A second, independent approver should confirm the change before it goes live, with the verification steps and outcome recorded. This creates the audit trail regulators and insurers expect if the fraud is later disputed.
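The four steps written as a gate in front of the supplier master file, as an added example that is not part of the original article or of any CheckFile product. `ChangeRequest`, its fields, and the phone numbers are constructed for illustration, and matching numbers on their last ten digits is an assumption suited to UK-style numbers.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class ChangeRequest:  # hypothetical record of one bank detail change request
    supplier_id: str
    numbers_in_request: list            # phone numbers printed in the email or letter
    callback_number: str = ""           # number actually dialled (Step 2)
    callback_confirmed: bool = False    # supplier confirmed the change on that call
    details_validated: bool = False     # outcome of the independent check (Step 3)
    approvers: list = field(default_factory=list)  # sign-offs (Step 4)

def normalise(number: str) -> str:
    """Compare on the last 10 digits so '+44 20...' and '020...' match (assumption)."""
    return "".join(ch for ch in number if ch.isdigit())[-10:]

def blocking_reasons(req: ChangeRequest, numbers_on_file: list) -> list:
    """Step 1: the change stays frozen while this list is non-empty."""
    reasons = []
    on_file = {normalise(n) for n in numbers_on_file}
    in_request = {normalise(n) for n in req.numbers_in_request}
    dialled = normalise(req.callback_number)
    if not (req.callback_confirmed and dialled):
        reasons.append("no confirmed callback")
    elif dialled not in on_file:
        source = "supplied in the request" if dialled in in_request else "not held on file"
        reasons.append(f"callback number was {source}")
    if not req.details_validated:
        reasons.append("bank details not independently validated")
    if len(set(req.approvers)) < 2:
        reasons.append("needs two distinct approvers")
    return reasons

def decide(req: ChangeRequest, numbers_on_file: list, audit_log: list) -> bool:
    """Record the outcome either way, then report whether the change may go live."""
    reasons = blocking_reasons(req, numbers_on_file)
    audit_log.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "supplier_id": req.supplier_id,
        "callback_number": req.callback_number,
        "approvers": sorted(set(req.approvers)),
        "applied": not reasons,
        "blocking_reasons": reasons,
    })
    return not reasons
```

Refused requests are logged as well as approved ones, so the audit trail shows which control stopped a change and when.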
Will Your Bank Refund a Fraudulent Mandate Payment
Reimbursement for authorised push payment fraud in the UK is not automatic for most businesses. Since 7 October 2024, the Payment Systems Regulator's mandatory reimbursement requirement obliges payment service providers to reimburse APP fraud victims up to £85,000 within five business days, with the cost split between sending and receiving firm. This protection is scoped to consumers, micro-enterprises, and charities – it does not extend as a matter of right to most limited companies, so a mid-sized business paying a fraudulent mandate has no guaranteed statutory refund and must rely on discretionary bank policy, insurance, or Faster Payments recovery. In the scheme's first three months, the PSR reported that 86% of in-scope losses were returned to victims, a result that does not extend to business victims outside the scheme's scope.
FCA-authorised firms carry their own obligations regardless: the FCA's financial crime guidance expects regulated businesses to maintain systems and controls proportionate to their fraud exposure, including for outbound payments to suppliers and counterparties.
How CheckFile Complements Manual and Procedural Controls
Callback verification and dual sign-off remain essential, but both depend on staff catching a well-made forgery in the first place. Our approach applies multi-layer analysis – structural checks, metadata forensics, and cross-document consistency validation – to the bank detail documents finance teams receive, alongside AI-generated content detection deployed as a complementary layer to existing structural controls. This does not replace callback verification or Confirmation of Payee; it gives the reviewer a structured signal before either step happens. The CheckFile banking KYC solution applies this pipeline to onboarding and payment documents, and the CheckFile security infrastructure provides the audit logging regulators expect. Teams evaluating deployment can review the CheckFile pricing page or the CheckFile platform directly.
For a broader view of how document verification obligations vary across sectors, see our industry verification guide. Finance teams focused specifically on invoice-borne fraud may also find our guide to detecting AI-generated fake invoices useful alongside this article.
To place fake bank details detection within a dedicated approach, see AI-generated and forged document detection. CheckFile analyses your files and surfaces signs of AI-generated content as a complement to your existing controls.
Frequently Asked Questions
What is the difference between mandate fraud and invoice fraud?
Mandate fraud specifically targets the bank details held for a recurring payee, tricking a business into updating a standing order, direct debit, or supplier record. Invoice fraud is broader and includes any fabricated or altered invoice, whether or not bank details change. In practice the two overlap heavily, since a fraudulent "change of bank details" letter is often attached to, or disguised as, an invoice.
Can AI-generated bank detail documents be detected by eye?
Reliable detection by visual inspection alone is increasingly difficult, because current tools reproduce fonts, logos, and layout with high fidelity. Document metadata, sort code and bank name cross-checks, and callback verification through a previously known contact number remain more reliable than appearance-based review.
Is my business covered if we pay a fraudulent mandate?
Mandatory reimbursement under the PSR's October 2024 rules is limited to consumers, micro-enterprises, and charities, so most limited companies have no guaranteed statutory refund. Recovery options include requesting a payment recall from your bank under the Faster Payments scheme, pursuing your bank's discretionary complaints process, and checking whether your commercial insurance includes cybercrime or fraud cover.
Who should we notify if we suspect mandate fraud?
Report the incident to Report Fraud, the successor service to Action Fraud, to obtain a crime reference number required for insurance claims and bank disputes. Contact your bank immediately on a verified number to request a payment recall, and notify the genuine supplier separately, since their email account or identity may also be compromised.
How quickly should a bank detail change request be verified?
Verification should happen before any payment is processed against the new details, regardless of the deadline stated in the request. A callback to a known number and an independent bank detail check typically take under fifteen minutes – far less time than resolving a diverted payment after the funds have left the account.