A Vendor Emailed New Bank Details — Is It Fraud?

You got an email from a vendor: “Our bank details have changed — please use the new account for the next payment.” It looks legitimate, the invoice is one you recognize, and now you are wondering whether to trust it. So, a vendor emailed new bank details — is it fraud?

The honest answer: maybe, and you cannot tell by looking. Most bank-change requests are genuine. But the fraudulent ones are built to look identical to the real thing, and a faked “we changed our bank” email is the single most common way businesses lose money to wire and ACH fraud. The only safe assumption is that the request is unverified until you have confirmed it by phone — which takes about two minutes and is the whole point of this page.

Why you can’t judge it from the email

If the request is a scam, the attacker has usually been reading a real email mailbox — the vendor’s or a colleague’s — for weeks. They know your payment schedule, they copy the vendor’s signature and invoice format, and they send the request at exactly the moment a payment is due. The email “looking right” is evidence of effort, not of legitimacy.

That is why looking harder at the email is not the answer. The account number is the only thing that is wrong, and nothing in the message itself will tell you that.

For scale: the FBI’s IC3 reported $2.77 billion in business email compromise losses in 2024 (2024 Internet Crime Report). A large share of those start with precisely this email.

Is this request suspicious? Quick red-flag check

None of these proves fraud, and a request with none of them can still be fake — but each one means slow down:

  • Urgency or a deadline. “Before Friday’s payment run,” “the old account is closed,” “this is holding up payroll.” Manufactured pressure is the most common tell.
  • A new phone number or contact in the same email. When new bank details arrive together with a new “call us to confirm” number, that number is there to route your verification call to the fraudster.
  • A lookalike sender address. vendor-inc.com vs vendorinc.com, .co instead of .com, an rn posing as m. Compare it character by character to an older genuine email.
  • A switch in method or account name — check to wire, a company vendor moving to a personal-name account, or an out-of-state bank with no link to the vendor.
  • “Email only, please.” Any resistance to a phone call — “our phones are down,” “just confirm by email” — is itself a flag.
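The lookalike-address comparison from the list above can be done mechanically. This is an added example, not part of the original guide: the function names, the confusable-character list and the sample addresses are assumptions made for illustration. A "same-domain" result is not verification, since the vendor's real mailbox may be the one that was compromised.

```python
from email.utils import parseaddr

# Sequences that read as another letter at a glance. Constructed list, not exhaustive.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def sender_domain(from_header):
    """Lower-cased domain part of a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def skeleton(name):
    """Comparison form of a domain name: hyphens dropped, confusables folded."""
    name = name.replace("-", "")
    for seq, looks_like in CONFUSABLES:
        name = name.replace(seq, looks_like)
    return name


def classify_sender(from_header, known_domain):
    """Compare the sender's domain with the domain on file for the vendor."""
    seen = sender_domain(from_header)
    known = known_domain.lower()
    if not seen:
        return "unparseable"
    if seen == known:
        # Same domain proves nothing: the real mailbox may be compromised.
        return "same-domain"
    seen_name, _, _ = seen.rpartition(".")
    known_name, _, _ = known.rpartition(".")
    if seen_name == known_name:
        return "tld-swap"        # vendorinc.co vs vendorinc.com
    if skeleton(seen_name) == skeleton(known_name):
        return "lookalike"       # hyphen added or removed, rn posing as m
    return "different-domain"


if __name__ == "__main__":
    # Constructed sample: (From: header on the request, domain in the vendor file)
    samples = [
        ("Accounts Receivable <ar@vendor-inc.com>", "vendorinc.com"),
        ("ar@vendorinc.co", "vendorinc.com"),
        ("billing@acrnemetals.example", "acmemetals.example"),
        ("AR <ar@vendorinc.com>", "vendorinc.com"),
    ]
    for header, on_file in samples:
        print(f"{header!r:45} -> {classify_sender(header, on_file)}")
```

Any result other than "same-domain" is a reason to slow down; every result, including "same-domain", still requires the phone callback.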

What to do right now (before you pay)

Whether or not it looks suspicious, the response is the same:

  1. Don’t reply to the email. If it is fraudulent, you would be replying to the fraudster — and a reassuring “yes, it’s really us” reply means nothing.
  2. Don’t update the account or send payment yet. Keep paying the old details, or hold the payment, until the change is confirmed.
  3. Verify by phone — to a number you already had. Call the vendor on a number from your own records (the vendor file, a past invoice, or their official website found by searching their name), never a number from the request. Ask them to read you the new details; they should match exactly. The full step-by-step is here: how to verify a vendor bank account change.
  4. Tell the client or owner. If you handle AP for a client, loop them in — especially if anything looked off.

What if you already paid?

If you have already sent money to the new account and now suspect fraud, act fast — recovery is possible but time-sensitive:

  • Call your bank immediately and ask them to attempt a recall or freeze on the transfer. The first 24–72 hours matter most.
  • Report it to the FBI’s IC3 at ic3.gov — they coordinate the Financial Fraud Kill Chain that has clawed back funds in many cases.
  • Contact the real vendor on a known number — not the one from the request. Their email may be compromised, and they will want to warn others.
  • Save everything: the original email with full headers, the invoice, and any replies. Do not delete the message.

Frequently asked questions

How can I tell if a vendor email asking to change bank details is fake?

You often cannot tell from the email itself — convincing fakes copy the real vendor’s branding and timing. The reliable test is calling the vendor on a number you already trust to confirm the change before paying.

Should I just reply to the email to ask if it’s really them?

No. A reply goes to whoever sent the request. If it’s a fraudster, they’ll happily confirm it’s “really them.” Confirmation only counts by phone to an independently sourced number.

The email looks exactly right — is it still risky?

Yes. “Looks right” is what a successful scam looks like. Treat a perfect-looking request the same as a suspicious one: verify by phone before you pay.

The vendor is pressuring me to pay today. What does that mean?

Treat urgency as a red flag, not a reason to skip verification. Real vendors will wait for a 60-second confirmation call; manufactured deadlines are a hallmark of fraud.

Who do I report a fraudulent vendor email to?

Your bank first (to try to stop or recall the payment), then the FBI’s IC3 at ic3.gov, and the real vendor on a known number so they can alert their own contacts.

The bottom line

A vendor emailing new bank details is not automatically fraud — but it’s the exact moment fraud happens, and you can’t sort the real from the fake by inspection. The fix is fast and free: don’t reply, don’t pay yet, and confirm by phone to a number you already had.

If you’d like the full procedure your team can adopt — the callback script, the dual-approval step, and a one-page log — we’ve published a free vendor bank-change verification template, no software required. And if you want every change request run through that same checklist automatically with a record you can hand to an insurer, that’s what CallbackProof does: documentation of a verification workflow, nothing more.
