Payment Fraud Is Now An Operational Risk

13 March 2026

Security Everywhere warns of the rapidly growing cyber-enabled crime of Payment Fraud and advises how to protect your company.

When cyber risk is discussed in the boardroom, the conversation usually revolves around the "big bangs": catastrophic ransomware attacks, massive data breaches, or shadowy state-sponsored hacking groups. These are the threats that shut down networks.

Yet, for many UK organisations, the most financially devastating incidents don’t begin with a system failure or a high-priority security alert. They begin in the quiet, mundane corners of routine financial processes. This is payment redirection fraud - often called mandate fraud - and it has become one of the most successful forms of cyber-enabled crime.

Unlike a traditional hack, payment redirection fraud doesn’t aim to break into a network; it aims to slip into a workflow. The methodology is simple: criminals either compromise a supplier’s email account or register a "lookalike" domain that is nearly indistinguishable from the real thing.

They monitor correspondence for an invoice cycle and when the time is right, they send a polite, professional request to update bank details. The branding is perfect. The timing is logical. The tone is routine.

As the request sits within a normal business workflow, it often bypasses the scrutiny applied to "technical" threats. It seems to be an administrative task rather than a security event. The theft is only discovered weeks later when the genuine supplier calls to ask why their invoice remains unpaid. By then, the funds have been laundered through multiple accounts and are long gone.

The discomforting reality of mandate fraud is its invisibility. Systems remain online, emails continue to flow, and nothing appears broken. This highlights a critical shift in the threat landscape: the primary weakness is rarely technical; it is procedural.

In fast-paced corporate environments, efficiency is the gold standard. Friction is removed to speed up payments, and verification becomes assumed rather than enforced. This means you don't need to defeat sophisticated firewalls if you can exploit professional trust and human psychology.

Financial cyber risk no longer sits solely within the remit of the IT department. It now intersects with procurement, finance, and leadership oversight. To combat it, organisations must treat supplier bank updates as high-stakes control points rather than simple admin tasks.

The safeguard is not dramatic, but it must be disciplined. Experts recommend three essential controls:

Independent Verification: Never process a bank detail change based solely on an email. Always verify the request using a known, pre-existing contact number for the supplier - never use the phone number provided in the email itself.
Dual Authorisation: Changes to supplier payment data should require at least two separate approvals. This creates "healthy friction," ensuring no single point of failure can lead to a total loss.
Authentication & Monitoring: While technology cannot replace process, implementing robust email authentication (such as DMARC) and layered monitoring can stop spoofed domains from ever reaching the inbox.

Trust is the engine of business, but in the modern digital landscape, it should never replace verification. The most damaging cyber incidents aren't always the most disruptive - sometimes, they are simply the best-written.

Picture: A person using a laptop with digital icons representing cybersecurity overlay the scene.

Article written by Dave Mapps | Published 13 March 2026