Stop Payment Fraud: A Simple Callback Playbook for Invoice & Bank-Detail Changes
21 Sept 2025
When money is about to move—especially after an email asking you to update bank details or pay a new account—you have one job: slow down and verify using a callback you control. This simple playbook turns a risky moment into a safe one.
Bottom line: Never trust payment-change instructions received by email alone. Call a known contact using a number from your records (not the email) and confirm, line by line.
✅ The Callback Playbook (10 minutes)
1) Pause & snapshot
Before touching your finance system, take 60 seconds to screenshot the request (headers if possible). If it turns out to be fraud, those details help your bank and insurer act fast.
2) Find the known number
Use the number already in your vendor file, contract, previous invoice, or your CRM. Do not use any phone number in the new email or attached PDF.
3) Call back & read back
On the call, read back the exact change request:
- Beneficiary name
- Bank & branch
- Sort code/ABA/BIC/SWIFT
- Account/IBAN
- Invoice number(s) & total amount
Ask the contact to confirm each item verbally. If they hesitate or ask to “email it instead,” stop and escalate.
4) Dual-control (maker–checker)
Require a second person to review and approve any change to vendor bank details or high-value payments. Even in a tiny team, pair the owner and bookkeeper.
5) Update safely (with notes)
If confirmed, update the vendor record and add an audit note: who you spoke to, date/time, and the internal approver. Store your screenshots in the finance folder.
6) First-payment micro-check (optional, high assurance)
For large or sensitive payments, send a small test payment first and confirm receipt by phone before releasing the balance.
7) Post-change alert
Turn on a quick alert in your accounting tool: “Bank details changed for Vendor X on
🚩 Red flags to treat as “stop signs”
- “Urgent” or “confidential” tone (e.g., “Do not call; CFO approved”)
- New banking country vs previous invoices
- Slightly changed domains (invoices@vend0r.com) or reply-to addresses
- PDFs where the phone number differs from past invoices
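As an added example (not code from the original post), here is a screening function that checks a change request against the vendor record on file for the red flags listed above; the vendor record, request values, pressure words and the look-alike table are all constructed assumptions. A clean result is not approval: the callback in step 3 still happens.

```python
"""Red-flag screening for a vendor bank-detail change request (added example).
Vendor record and request values are constructed sample data; the checks follow
the post's red flags. Zero flags still means: call back on the number on file."""
import re
from dataclasses import dataclass

_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # digit-for-letter swaps
_PRESSURE = ("urgent", "confidential", "do not call", "cfo approved")

@dataclass
class VendorOnFile:
    domain: str        # from the contract / previous invoices
    phone: str         # the number you call back on, never one from the email
    iban_country: str  # two-letter prefix of the IBAN on past invoices

@dataclass
class ChangeRequest:
    sender: str
    reply_to: str
    pdf_phone: str     # phone printed on the new invoice PDF
    new_iban: str
    text: str          # subject + body

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()

def screen_request(vendor: VendorOnFile, req: ChangeRequest) -> list[str]:
    """Return the red flags found, in the order the post lists them."""
    flags = []
    sender_dom = _domain(req.sender)
    if sender_dom != vendor.domain:
        kind = "look-alike" if sender_dom.translate(_LOOKALIKES) == vendor.domain else "unknown"
        flags.append(f"{kind} sender domain: {sender_dom}")
    if req.reply_to and _domain(req.reply_to) != sender_dom:
        flags.append(f"reply-to domain differs from sender: {_domain(req.reply_to)}")
    if req.pdf_phone and re.sub(r"\D", "", req.pdf_phone) != re.sub(r"\D", "", vendor.phone):
        flags.append("phone number on the new invoice differs from the vendor file")
    country = req.new_iban.replace(" ", "")[:2].upper()
    if country != vendor.iban_country:
        flags.append(f"banking country changed: {vendor.iban_country} -> {country}")
    hits = [w for w in _PRESSURE if w in req.text.lower()]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags

if __name__ == "__main__":  # constructed sample: a suspicious request
    vendor = VendorOnFile("vendor.com", "+44 20 7946 0000", "GB")
    req = ChangeRequest("invoices@vend0r.com", "ap@outlook-mail.example", "+44 20 7946 0999",
                        "LT12 3456 7890 1234 5678", "URGENT: new bank details, CFO approved, do not call")
    print(*screen_request(vendor, req), sep="\n")
```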
Why this works: Most invoice fraud stems from Business Email Compromise. Attackers rely on you not calling back on a known number. A controlled callback breaks the scam’s only link: unverified email. (External reference: UK Action Fraud’s invoice-fraud guidance on verifying supplier bank-detail changes: https://www.actionfraud.police.uk/news/upsurge-in-fraudsters-targeting-businesses-with-invoice-and-phone-scams)
If you suspect fraud (do these now)
- Call your bank’s fraud line immediately and request a recall/freeze.
- Lock your email accounts involved (force sign-out + reset passwords + check forwarding rules).
- Preserve evidence (emails, headers, logs, screenshots).
- Report it (bank reference + local authority). Your insurer may require a case number.
Quick FAQs
Is email confirmation enough?
No. Email alone can be spoofed or compromised. Always verify by phone on a known number.
What if I’m a solo founder?
Use a checklist, a callback, and—when possible—a micro-payment first. Dual-control can be a second trusted advisor or your accountant.