What is the most common red flag in IBAN fraud?

The most operationally reliable red flag is a bank name mismatch: validating the IBAN and finding that it resolves to a different institution than the one recorded for that supplier. Fraudulent IBANs are structurally valid but belong to accounts at different banks — often in different countries — from the legitimate beneficiary. Validating the IBAN and comparing the returned bank name against your supplier record at the point of every payment instruction catches this substitution before the payment is authorized.

Why do fraudulent payment instructions often include urgency language?

Urgency is a social engineering technique designed to compress the victim's review time. When a payment must be made 'today to avoid a penalty' or 'immediately before the account closes,' the natural response is to act quickly rather than verify carefully. Attackers exploit this by timing urgent instructions to coincide with periods of organizational pressure — month-end close, public holidays, or known staff absences. A stated policy that urgent payment requests receive the same verification as any other request removes this lever.

How do I check if an IBAN country code matches the supplier's location?

The first two characters of an IBAN are always the ISO 3166-1 alpha-2 country code — DE for Germany, GB for the United Kingdom, FR for France, and so on. Use the ibanchecker.cash IBAN checker to extract and display the country behind any IBAN instantly. If your German supplier provides an IBAN starting with RO (Romania) or CY (Cyprus) without a prior explanation, treat this as a red flag and request written confirmation of the new account details before processing any payment.

IBAN Fraud Red Flags: 10 Warning Signs in Payment Instructions

Most IBAN fraud succeeds not because the technical controls fail, but because no one noticed the warning signs in the payment instruction before authorizing it. The fraud is hidden in plain sight — in the phrasing of a request, the timing of a message, or a small inconsistency in the bank details. This guide covers ten red flags that appear repeatedly in documented IBAN fraud cases, and what to do when you encounter them.

Red Flag 1: Is the IBAN Country Code Different from the Supplier's Country?

A German supplier sending you a payment instruction with an IBAN starting with RO (Romania), CY (Cyprus), or BG (Bulgaria) is a significant mismatch. While legitimate businesses do hold foreign accounts — for cash pooling, subsidiary management, or multi-currency operations — an unexplained change to an IBAN in a different country from the supplier's registration is a strong fraud signal.

Use the ibanchecker.cash checker to confirm the country behind any IBAN. If the country does not match your supplier's registered location, ask for a written explanation and verify it independently before processing the payment.

Red Flag 2: Has the Bank Name Changed Since the Last Payment?

Paste the IBAN into the IBAN checker and compare the bank name returned against the bank name in your supplier record. If you paid this supplier last month and the bank was Commerzbank, but today's validation returns a Baltic fintech or an unfamiliar institution, the IBAN has changed. Either the supplier switched banks and did not notify you through your verified process, or someone substituted the IBAN.

Store the bank name alongside every IBAN in your system at the time of first validation, and re-validate before each payment run. The bulk IBAN checker makes this practical for large supplier databases.

Red Flag 3: Did You Receive an Unsolicited Request to Update Bank Details?

Legitimate businesses rarely change their banking details. When they do, they typically notify customers through official channels — a signed letter, a secure supplier portal update, or a phone call from a known contact. An unsolicited email from a supplier's address asking you to update payment details to a new IBAN — without any prior communication about a bank change — is a classic APP fraud trigger.

The attacker relies on the payer treating an email from a familiar domain as trustworthy. Never update a supplier's IBAN based solely on an email. Always call the supplier on a number from your existing records to confirm.

Red Flag 4: Is the Sender Domain a Lookalike?

Inspect the email address from which the payment instruction was sent. Attackers register domains that are visually similar to the legitimate supplier's domain: supplier-invoices.com instead of supplier.com, acme-uk.co instead of acme.co.uk, or a domain with a character substitution (rn in place of m, for example, which looks identical in many email clients).

Hover over or copy the sender address — do not rely on the display name. Compare the domain character by character against the domain in your supplier record. A single character difference is enough to confirm fraud.

Red Flag 5: Does the Message Convey Unusual Urgency?

Phrases such as "please process today to avoid a penalty," "this account will be closed tomorrow," or "our finance team requires immediate payment" are designed to compress your review time. Under time pressure, people skip verification steps they would otherwise follow. Urgency in a payment instruction should increase your scrutiny, not reduce it.

A genuine supplier who needs payment quickly will accept a short delay for a verification call. An attacker who knows you are about to perform a verification will often drop the urgency pressure rather than expose themselves.

Red Flag 6: Does the Invoice Amount Seem Unusually Large or Round?

Fraudulent payment instructions often involve large, round amounts — £50,000, €100,000, $250,000 — because the attacker wants to maximize the return from a single successful social engineering attempt. An invoice for an unusual amount, or an amount that is significantly larger than the typical transaction size with that supplier, warrants additional verification of the destination IBAN before processing.

Red Flag 7: Is the Reply-To Address Different from the From Address?

A payment instruction sent from accounts@supplier.com but with a reply-to of accounts@supplier-invoices.net is a strong indicator that the sender is trying to divert your response to an attacker-controlled account. Check the reply-to header in your email client before responding to any payment instruction. If the reply-to differs from the from address, treat the message as suspect.

Red Flag 8: Has the IBAN Format Changed From What Was Used Previously?

If you have a record of previous payments to a supplier, compare the IBAN length and country code format. A supplier who previously provided a 22-character DE IBAN and now provides a 28-character TR IBAN has either changed banks significantly or the new IBAN is fraudulent. Use the IBAN format checker to inspect the structural components of any IBAN and compare them against your records.

Red Flag 9: Is the IBAN Associated with a Newly Opened Account?

Some Verification of Payee implementations include an account age signal — flagging when an account was opened very recently. Fraudsters often open accounts shortly before initiating a fraud campaign. Where VoP is available (EU instant payments, UK Faster Payments), pay attention to any "new account" warnings returned alongside name-match results. An account opened within the past 90 days receiving a large first payment is a combination that warrants additional due diligence.

Red Flag 10: Was the Payment Instruction Sent Outside of Normal Business Hours?

Fraudulent payment instructions are sometimes timed to arrive when key decision-makers are unavailable — late Friday afternoon, before a public holiday, or during a known period of organizational disruption (year-end close, a company merger, staff changes). The attacker is betting that whoever processes the payment will not be able to reach the usual approver and will authorize without full verification.

Establish a policy that payments above a defined threshold are never processed based solely on instructions received outside business hours, and that the usual verification process applies regardless of when the instruction was received.

What Should You Do When You Spot a Red Flag?

Spotting one red flag is not necessarily conclusive — legitimate payment instructions can occasionally trigger individual signals. The presence of two or more red flags, or a single high-confidence signal like a different IBAN country code or a lookalike domain, should trigger a stop-and-verify response:

Do not process the payment.
Validate the IBAN at the ibanchecker.cash checker and note the bank name and country returned.
Call the supplier or beneficiary on a phone number from your existing records — not from the payment instruction.
If the IBAN change is confirmed as legitimate, document the confirmation (date, time, who confirmed, how) and update your supplier record through your standard change management process.
If you cannot confirm legitimacy, escalate to your finance or compliance manager and do not process until fully resolved.

Last updated: June 2026