ibanchecker.cash
Fraud & Compliance · June 3, 2026 · 8 min read

Common IBAN Fraud Schemes and How to Prevent Them

Business Email Compromise, man-in-the-middle account swaps, and fake supplier IBANs cost businesses billions each year. Here's how to protect your payments.


Payment fraud involving IBANs has become one of the most costly forms of business crime. According to the FBI's Internet Crime Report, Business Email Compromise (BEC) — much of which involves fraudulent bank account substitution — caused over $2.9 billion in losses in a single year. Unlike card fraud, IBAN-based payment fraud is extremely difficult to reverse once the transfer is executed.

Business Email Compromise (BEC)

BEC is the most prevalent IBAN fraud vector. The attacker compromises or spoofs a business email account — often a CFO, supplier, or lawyer — and instructs the victim to change the bank account on file for an upcoming payment.

The email looks legitimate. It references real invoice numbers, real supplier names, real transaction amounts. Only the IBAN has changed — to an account controlled by the attacker. By the time the fraud is discovered, the funds have typically been moved through multiple accounts across jurisdictions.

Prevention: Implement a callback verification procedure for any IBAN change request. Call the supplier on a known, previously verified phone number — not one provided in the suspicious email — and confirm the change verbally. No email alone should be sufficient to change payment details.

Man-in-the-Middle Account Substitution

In this attack, the fraudster intercepts a legitimate payment communication — often via an email compromise or by tampering with a PDF invoice — and replaces the IBAN with their own. The buyer pays the wrong account, believing the invoice is from their genuine supplier.

This is especially common in real estate transactions (replacing solicitor IBANs) and large B2B invoice payments.

Prevention: Never use IBAN details from an emailed invoice for a first payment. Verify the account directly through the recipient's official website or a previously verified contact. Use encrypted document sharing where possible.

Fake Supplier / CEO Fraud

The attacker impersonates a senior executive (CEO, CFO) and emails the finance team urgently requesting an “emergency” transfer to a new account. The urgency and authority pressure discourage the recipient from verifying through normal channels.

Prevention: Establish a formal dual-authorisation rule for any payment over a threshold. Require out-of-band confirmation for payments to new IBANs, regardless of apparent seniority of the requester.

Validating IBANs Is Necessary But Not Sufficient

A common misconception: if an IBAN passes MOD-97 validation, it's safe. This is wrong. A fraudulent IBAN is still a structurally valid IBAN — the check digits are correct, the country code is legitimate, the length is right. Validation confirms format only, not legitimacy.

IBAN validation should be treated as a basic hygiene step — it filters out typos and formatting errors. It does nothing to prevent payment to the wrong person.

Confirmation of Payee (CoP)

Confirmation of Payee is a UK banking initiative (now extending to SEPA) that allows payers to verify that the account name matches the IBAN before sending. If you enter “Acme Supplies Ltd” but the account belongs to “John Smith”, CoP flags the mismatch.

CoP is now mandatory for UK banks and is being rolled out across the eurozone under the EU's Instant Payments Regulation. If your bank offers CoP, always use it for first-time payments to a new IBAN.

Red Flags Checklist

  • An unexpected request to change payment details via email
  • Urgency or confidentiality pressure from the requester
  • IBAN country doesn't match the supplier's known location
  • Email domain is slightly different from usual (acme-supplies.com vs acmesupplies.com)
  • Payment request arrives just before a deadline or holiday
  • The request bypasses normal authorisation channels
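
The following added example (not code from this site) screens a payment-detail change request by combining the MOD-97 check with three of the red flags above, showing that a structurally valid IBAN still raises a hold. The vendor record, the flag names and the 0.85 domain-similarity threshold are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed vendor master record; all values are sample data.
VENDOR = {
    "name": "Acme Supplies Ltd",
    "iban": "GB82WEST12345698765432",
    "country": "GB",
    "email_domain": "acmesupplies.com",
}

def normalize(iban: str) -> str:
    """Strip whitespace and upper-case so IBANs compare reliably."""
    return re.sub(r"\s+", "", iban).upper()

def iban_mod97_ok(iban: str) -> bool:
    """MOD-97 check digits only: catches typos, proves nothing about ownership."""
    s = normalize(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    # Move country code + check digits to the end, map A..Z to 10..35.
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def screen_change_request(vendor: dict, sender_domain: str, new_iban: str) -> list[str]:
    """Return flags raised by a request to pay new_iban; any flag means hold and call back."""
    flags = []
    iban = normalize(new_iban)
    if not iban_mod97_ok(iban):
        flags.append("invalid_iban")
    if iban != vendor["iban"]:
        flags.append("iban_changed")  # valid or not, never accept on email alone
    if iban[:2] != vendor["country"]:
        flags.append("country_mismatch")
    known = vendor["email_domain"].lower()
    sender = sender_domain.lower()
    # Assumed threshold: near-identical but not equal domains are treated as lookalikes.
    if sender != known and SequenceMatcher(None, sender, known).ratio() >= 0.85:
        flags.append("lookalike_domain")
    return flags

if __name__ == "__main__":
    # Constructed request: structurally valid German IBAN sent from a near-miss domain.
    print(screen_change_request(VENDOR, "acme-supplies.com", "DE89 3704 0044 0532 0130 00"))
```

The format check here does not enforce per-country IBAN lengths; a production validator would.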

What to Do If You've Been Defrauded

Act immediately. Call your bank's fraud team within minutes of discovering the fraud — many banks can place a hold or initiate a recall if the funds haven't yet been withdrawn by the fraudster. File a report with your national cyber crime agency (Action Fraud in the UK, IC3 in the US, or your national police). Preserve all evidence: emails, call logs, bank statements.

Recovery rates for IBAN fraud are low — typically under 25% — which is why prevention is the only reliable strategy.
