Mandate fraud explained: how bank detail change scams catch out UK businesses

Mandate fraud is the single most common way UK businesses lose money to invoice scams, and it’s almost entirely preventable with one habit. Here’s exactly how it works, and the one verification step that stops it.

What mandate fraud actually is

Mandate fraud happens when a criminal convinces your business to change the bank details on a standing payment instruction — a “mandate” — so that future payments to a genuine supplier are redirected into an account the criminal controls. It almost always starts with an email that looks like it’s from a supplier you already pay regularly, saying their bank has changed and asking you to update your records.

According to the Office for National Statistics’ Crime Survey for England and Wales, mandate fraud affected an estimated 7% of UK businesses in the year to March 2025, on top of the 11% hit by fake invoice fraud more broadly. The two often overlap: a mandate fraud attempt frequently arrives disguised as a routine invoice with a quiet note about updated payment details.

Why it works on careful businesses

Mandate fraud doesn’t rely on a finance team being careless. It relies on three things lining up: a criminal who has compromised or closely mimicked a real supplier’s email, a request that looks routine rather than alarming, and a finance team that’s busy enough not to apply the same scrutiny to a “detail update” that they would to a brand-new payment. UK Finance’s own research into invoice and mandate fraud notes that criminals frequently intercept or compromise a genuine email account first, which is exactly why the message can look completely authentic — because in a real sense, it is the supplier’s account, just no longer in the supplier’s control.

The one step that stops it

Never action a bank detail change based on information contained in the request itself. If a supplier emails to say their bank details have changed, call them back — using a phone number you already have on file from before the request, never one included in the email — and verbally confirm the change before you update anything. This single habit, sometimes called callback verification, is the control that the finance industry’s own Take Five campaign points to as the most effective defence against mandate fraud, and it costs nothing to implement.

What to build into your process

  • Treat every bank detail change request as needing independent verification, no matter how routine it sounds
  • Keep a record of suppliers’ verified contact numbers somewhere other than the email thread itself
  • Flag any payment-detail change for a second person to review before it’s actioned
  • Be especially alert around supplier relationships with frequent personnel turnover on either side, where an unfamiliar name making the request is harder to spot as unusual

Mandate fraud is also exactly the kind of pattern that’s well suited to automated checking — a system that already knows a supplier’s previous bank details can flag a change for review the moment it appears on an invoice, before the payment goes anywhere. That’s one of the checks Invixa runs on every invoice it sees.