Business email compromise vs mandate fraud: what’s the difference?

Business email compromise and mandate fraud are often used as if they’re the same thing, and in practice they frequently overlap — but they’re not quite the same, and understanding the difference helps you defend against both.

What mandate fraud is

Mandate fraud is specifically about changing a payment instruction. A criminal convinces your business to update a supplier’s bank details — the “mandate” — so future payments go to an account they control. The defining feature is the redirection of a recurring or expected payment.

What business email compromise is

Business email compromise (BEC) is broader — it’s any scam built around impersonating a trusted email identity, whether that’s a supplier, a colleague, or an executive. A classic example is a fraudster impersonating your CFO or managing director, emailing someone in finance with an urgent, slightly unusual payment request. The email might use a near-identical domain, or come from a genuinely compromised account.

Where they overlap

Most mandate fraud is delivered via a form of business email compromise — the bank-detail-change message arrives because a supplier’s email was compromised or convincingly spoofed. So in practice, mandate fraud is often a specific outcome of a BEC attack, rather than a wholly separate category. The reverse isn’t always true: BEC can also be used to request an entirely new, one-off payment rather than changing details on an existing mandate, which is sometimes called CEO fraud.

Why the distinction matters for your defences

If you only build controls around “bank detail changes,” you’ll miss BEC attempts that ask for a new one-off payment instead. If you only train staff to spot impersonated executives, you might miss a mandate fraud attempt that looks like a routine supplier update with no urgency at all. Effective defence covers both: verify any payment-detail change by phone using a number you already had on file, and apply the same scepticism to urgent, unusual payment requests regardless of who they appear to come from — supplier or your own CEO.

Both rely on the same underlying weakness: a request that looks routine enough, or urgent enough, to skip independent verification. Close that gap and you’ve defended against most of what either term describes.