ibanchecker.cash
Finance Operations · June 3, 2026 · 7 min read

How to Validate Supplier IBANs Before Paying: A Finance Team Checklist

A 5-step checklist for accounts payable teams to verify supplier IBANs and prevent BEC fraud — from requesting bank details through a verified channel to maintaining a change log.


Supplier IBAN fraud — more specifically, Business Email Compromise (BEC) targeting accounts payable teams — is the single fastest-growing category of corporate payment fraud. In a typical attack, a threat actor intercepts or spoofs a supplier email, substitutes their own IBAN into an invoice or payment update request, and waits for a routine payment to land in an account you cannot recover funds from. The FBI estimates BEC losses exceeded $2.7 billion in 2022 alone, and the majority of cases involve a fraudulent bank account number supplied at exactly the right moment.

Validating supplier IBANs before payment does not require specialist software or a dedicated compliance team. It requires a repeatable process — one that your accounts payable team follows without exception. This checklist gives you that process.

Why Supplier IBAN Fraud Is Easier Than It Looks

The barrier to this attack is lower than most finance teams realize. A fraudster does not need to compromise your systems; they need only intercept one email thread, create a convincing lookalike domain, and send a single PDF invoice with updated bank details. The IBAN on that invoice passes a basic visual inspection: it starts with the right country code, it's the right length, and the supplier name matches. What it does not pass is a structured verification process.

Finance teams that validate supplier IBANs only when something "seems off" are vulnerable. Fraud is designed to seem normal. The only reliable defense is a consistent process applied to every payment, not just suspicious ones.

The 5-Step Supplier IBAN Verification Checklist

Step 1: Request Bank Details Through a Verified Channel

Never accept an IBAN change — or a first-time IBAN submission — solely via email, even from a known supplier address. Email is the primary attack vector in BEC fraud. Instead, establish a policy: new bank details must be confirmed through a secondary channel that you initiate.

Practical options include calling the supplier using a phone number you sourced independently (not one in the email), using a supplier portal where they log in to update bank details, or requiring a signed letter on company letterhead. The key principle is that you initiate the confirmation, not the supplier — so a fraudster who controls the email thread cannot also control the verification.

For high-value suppliers or large payment runs, consider a callback verification policy: any IBAN change requires a call to the supplier's main reception number before the new IBAN is saved to your system.

Step 2: Run the IBAN Through a Structural Validator

Once you have the IBAN, validate its structure before anything else. A structurally invalid IBAN — wrong length for the country, failed MOD-97 check digits, unrecognized country code — is an immediate red flag that should halt payment and trigger a call to the supplier.

ibanchecker.cash runs this check instantly: paste the IBAN, and you get confirmation that the country code is a recognized IBAN country, the length matches that country's specification, and the MOD-97 check digits are valid. If any of these fail, the IBAN is not payable and should not be entered into your payment system.

For teams managing many suppliers, the bulk IBAN checker accepts a CSV or Excel upload and validates up to 100 IBANs simultaneously — returning a status column for each row that your AP team can filter and act on in seconds.
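
The three structural checks described in this step, written out as an added example (it is not ibanchecker.cash's code). The length table is deliberately partial, the function and status names are assumptions, and the sample rows are constructed. A row that passes is only well-formed; it says nothing about who owns the account.

```python
import string

# Lengths for a handful of countries, taken from the public IBAN registry.
# This table is deliberately partial; extend it for the countries you pay.
IBAN_LENGTHS = {"AT": 20, "BE": 16, "CH": 21, "DE": 22, "ES": 24,
                "FR": 27, "GB": 22, "IE": 22, "IT": 27, "NL": 18}
ALLOWED = set(string.ascii_uppercase + string.digits)


def validate_iban(raw):
    """Return 'ok' or the name of the first structural check that fails."""
    iban = "".join(raw.split()).upper()          # drop display spaces
    if len(iban) < 5 or not set(iban) <= ALLOWED or not iban[2:4].isdigit():
        return "malformed"
    if iban[:2] not in IBAN_LENGTHS:
        return "unknown_country"                 # i.e. not in the table above
    if len(iban) != IBAN_LENGTHS[iban[:2]]:
        return "bad_length"
    # MOD-97: move the first four characters to the end, map A..Z to 10..35,
    # and the resulting integer must leave remainder 1 when divided by 97.
    rearranged = iban[4:] + iban[:4]
    number = int("".join(str(int(ch, 36)) for ch in rearranged))
    return "ok" if number % 97 == 1 else "bad_check_digits"


def bulk_check(rows):
    """Append a status to each (supplier, iban) row, like a status column."""
    return [(supplier, iban, validate_iban(iban)) for supplier, iban in rows]


# Constructed sample rows. The valid values are the widely published
# example IBANs for Germany and the UK, not real supplier accounts.
SAMPLE_ROWS = [
    ("Supplier A", "DE89 3704 0044 0532 0130 00"),                   # valid
    ("Supplier A (emailed update)", "DE89 3704 0044 0532 0130 01"),  # one digit off
    ("Supplier B", "GB82 WEST 1234 5698 7654 32"),                   # valid
    ("Supplier C", "NL91 ABNA 0417 1643"),                           # too short
    ("Supplier D", "ZZ12 3456 7890 1234"),                           # no such country
]

if __name__ == "__main__":
    for supplier, iban, status in bulk_check(SAMPLE_ROWS):
        print(f"{status:17} {supplier:28} {iban}")
```
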

Step 3: Verify the BIC Code Matches the Stated Bank

A valid IBAN tells you the account exists in the right country with the right check digits. It does not tell you that the bank name the supplier stated is the actual bank holding the account. Cross-reference the BIC (Bank Identifier Code) embedded in or accompanying the IBAN against the bank name your supplier claims.

ibanchecker.cash returns the bank name and BIC associated with each valid IBAN. If a supplier says the IBAN is with Deutsche Bank but the BIC resolves to a different institution, that discrepancy requires explanation before payment. Use the SWIFT/BIC directory to look up any BIC code and confirm the bank, country, and city.

Legitimate suppliers will have no objection to explaining a BIC mismatch — for example, a payment routing through a correspondent bank. Fraudsters cannot explain the discrepancy because they do not control the named institution.

Step 4: Run a Final Check Before Payment Execution

Even if an IBAN passed validation when it was first submitted, run one more check on the day of payment, specifically for any IBAN that was submitted more than 30 days ago, any payment above a defined threshold (e.g., €10,000), or any supplier you have not paid before.

This final check catches two scenarios: a bank account that has been closed or changed since original submission, and an internal data entry error between validation and payment execution. Many ERP systems allow AP teams to flag accounts for re-verification before payment runs — use that feature if available.

If your payment system pulls IBANs from a master vendor file, treat the master file itself as an attack surface: access should be restricted, changes should require a second approver, and the change log should be reviewed monthly.
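
One way to turn the re-check triggers in this step into a gate on a payment run, as an added example that is not taken from any ERP product. The record layout, field names and reason labels are assumptions, and the master file and payment run are constructed. The comparison against the master record covers the data entry error case mentioned above.

```python
from datetime import date

MAX_AGE_DAYS = 30          # "submitted more than 30 days ago"
THRESHOLD_EUR = 10_000     # example threshold from the text

# Constructed vendor master file; the field names are assumptions.
MASTER = {
    "V001": {"iban": "DE89370400440532013000",
             "submitted": date(2026, 5, 20), "last_paid": date(2026, 5, 28)},
    "V002": {"iban": "GB82WEST12345698765432",
             "submitted": date(2026, 3, 1), "last_paid": None},
}

# Constructed payment run, as exported just before execution.
PAYMENT_RUN = [
    {"vendor": "V001", "iban": "DE89 3704 0044 0532 0130 00", "amount_eur": 4_200},
    {"vendor": "V001", "iban": "DE89 3704 0044 0532 0130 00", "amount_eur": 25_000},
    {"vendor": "V002", "iban": "GB82 WEST 1234 5698 7654 23", "amount_eur": 900},
    {"vendor": "V404", "iban": "NL91 ABNA 0417 1643 00", "amount_eur": 50},
]


def _norm(iban):
    return "".join(iban.split()).upper()


def recheck_reasons(payment, master, today):
    """List every reason this payment needs re-verification before release."""
    rec = master.get(payment["vendor"])
    if rec is None:
        return ["vendor_not_in_master"]
    reasons = []
    if _norm(payment["iban"]) != _norm(rec["iban"]):
        reasons.append("iban_differs_from_master")    # entry error or tampering
    if (today - rec["submitted"]).days > MAX_AGE_DAYS:
        reasons.append("submitted_over_30_days_ago")
    if payment["amount_eur"] > THRESHOLD_EUR:
        reasons.append("above_threshold")
    if rec["last_paid"] is None:
        reasons.append("never_paid_before")
    return reasons


def hold_list(run, master, today):
    """Return (row index, reasons) for every payment that must be held."""
    checked = ((i, recheck_reasons(p, master, today)) for i, p in enumerate(run))
    return [(i, reasons) for i, reasons in checked if reasons]
```
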

Step 5: Log Every IBAN and Every Change

Maintain a timestamped audit trail of every IBAN your organization stores, along with who submitted it, when it was validated, who approved it, and when it was last used for payment. For any change, the log should also record the previous IBAN, who requested the change, and through which channel the change was confirmed.

This log serves two purposes. First, if fraud does occur, you have the documentation to support an insurance claim and assist with law enforcement. Second, the existence of the log creates accountability — AP team members are more careful when they know their actions are recorded and auditable.

A simple spreadsheet with version control is sufficient for smaller teams. Larger organizations should capture this data in their ERP or vendor management system with field-level audit trails.
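
A sketch of the monthly change-log review, reconciling the log against the master vendor file. This is an added example, not part of any vendor management system. The column names cover a subset of the fields listed in this step and are assumptions, as are the finding labels; all rows are constructed.

```python
FIELDS = ("ts", "vendor", "previous_iban", "new_iban",
          "requested_by", "confirmed_via", "entered_by", "approved_by")

# Constructed change-log rows (names and values are made up).
ROWS = [
    ("2026-01-10T09:12", "V001", None, "DE89370400440532013000",
     "supplier portal", "portal", "amy", "raj"),
    ("2026-02-03T11:05", "V002", None, "GB82WEST12345698765432",
     "onboarding form", "callback", "amy", "raj"),
    ("2026-05-02T16:40", "V002", "GB82WEST12345698765432", "NL91ABNA0417164300",
     "accounts@supplier.example", "email", "amy", "amy"),
]
CHANGE_LOG = [dict(zip(FIELDS, row)) for row in ROWS]

# Constructed snapshot of the master vendor file: vendor id -> current IBAN.
MASTER = {"V001": "DE89370400440532013000",
          "V002": "NL91ABNA0417164300",
          "V003": "BE68539007547034"}      # no log entry exists for V003


def review(log, master):
    """Return (vendor, finding) pairs for the reviewer to follow up."""
    findings, latest = [], {}
    for e in sorted(log, key=lambda e: e["ts"]):       # ISO timestamps sort as text
        v = e["vendor"]
        if e["previous_iban"] != latest.get(v):
            findings.append((v, "previous_iban_does_not_match_log"))
        if e["confirmed_via"] == "email":              # breaks the Step 1 rule
            findings.append((v, "confirmed_by_email_only"))
        if not e["approved_by"] or e["approved_by"] == e["entered_by"]:
            findings.append((v, "no_second_approver"))
        latest[v] = e["new_iban"]
    # Any IBAN in the master file that the log cannot account for was
    # changed outside the process.
    for v, iban in sorted(master.items()):
        if latest.get(v) != iban:
            findings.append((v, "master_iban_not_in_log"))
    return findings


if __name__ == "__main__":
    for vendor, finding in review(CHANGE_LOG, MASTER):
        print(vendor, finding)
```
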

IBAN Validation in ERP and Accounting Systems

Most major accounting platforms — including SAP, Xero, and QuickBooks — store vendor bank details in a master vendor file. Some offer built-in IBAN format validation (checking length and structure), but very few validate the MOD-97 check digits or return bank name data at the point of entry.

For teams that need more thorough validation integrated into their ERP workflow, the ibanchecker.cash API provides a single-endpoint validation call that returns full structural validation, check digit verification, bank name, and BIC. This can be called at the point of vendor bank detail entry — before the IBAN is saved — using a simple webhook or custom field validation rule in most platforms.

Even without API integration, a two-minute manual validation step in ibanchecker.cash for every new or changed supplier IBAN provides a meaningful security layer that stops the majority of BEC attacks before they result in a payment.

Summary: The Non-Negotiable Rules

Three rules that finance teams should treat as non-negotiable:

  • Never process a first-time or changed IBAN based solely on an email — always confirm through a channel you initiate.
  • Always validate IBAN structure and check digits before entering an account into your payment system, not just when something seems suspicious.
  • Maintain a change log for every vendor IBAN, with timestamps and approver names, and review it monthly.

These steps add under five minutes to any new vendor onboarding. The cost of skipping them is measured in five or six figures — and often, those funds are unrecoverable once transferred to a fraudster-controlled account.

Last updated: June 2026
