Stop Payment Fraud: Callback Playbook

When money is about to move—especially after an email asking you to update bank details or pay a new account—you have one job: slow down and verify using a callback you control. This simple playbook turns a risky moment into a safe one.

Bottom line: Never trust payment-change instructions received by email alone. Call a known contact using a number from your records (not the email) and confirm, line by line.

The Growing Threat of Payment Fraud

Why Small Businesses Are Targets

Payment fraud is one of the fastest-growing cyber threats for small businesses because:

High Success Rate:

70% of businesses experience attempted payment fraud
Average loss: €35,000 per successful attack
Recovery rate: Only 30% of funds are recovered
Attack frequency: Increasing by 40% year-over-year

Why It Works So Well:

Trust exploitation: Attackers use familiar vendor names
Urgency tactics: Create pressure to act immediately
Email compromise: Business Email Compromise (BEC) is common
Low technical barriers: No malware required

Common Attack Vectors:

Compromised email accounts: Attackers access business emails
Vendor impersonation: Fake emails from known suppliers
Invoice manipulation: Altered PDFs and attachments
Domain spoofing: Similar-looking email addresses
Social engineering: Psychological manipulation tactics

The Callback Playbook (10 minutes)

Step 1: Pause & Document (60 seconds)

Before touching your finance system, take immediate action to preserve evidence.

What to Document:

Screenshot the email (including headers if possible)
Save the original message (don’t delete)
Note the timestamp of when you received it
Identify the sender (display name and email address)
Check for attachments (save them for analysis)

Why This Matters:

Evidence preservation: Helps banks and insurers investigate
Timeline documentation: Establishes when the attack occurred
Pattern recognition: Helps identify similar future attacks
Legal requirements: May be needed for fraud reports

Step 2: Find the Known Contact Information

Use trusted sources for contact information, not the potentially compromised email.

What if the vendor’s contact number is in the email we are verifying?

Never use a phone number from the suspicious email itself — it could be fake. Instead, use a number from a previous invoice, your CRM, the vendor’s official website, or a business card from a past meeting. The single most important rule in callback verification is: always verify using information you already trust, not information from the message you are checking.

Reliable Sources:

Vendor contracts: Official agreements with contact details
Previous invoices: Use contact information from past invoices
CRM system: Verified vendor contact records
Company website: Official contact pages
Business cards: Physical cards from in-person meetings

What to Avoid:

Phone numbers in the email: May be fraudulent
Links in the email: May lead to fake websites
Reply-to addresses: May be spoofed
Attachments: May contain malware or fake information

Step 3: Call Back and Verify

Make the verification call using the known contact information.

Verification Script:

"Hi [Contact Name], this is [Your Name] from [Your Company]. 
I received an email requesting a change to your banking details.
I want to verify this information with you directly.

The change request is:
- Beneficiary name: [Read from email]
- Bank name: [Read from email]
- Branch location: [Read from email]
- Sort code/ABA/BIC/SWIFT: [Read from email]
- Account/IBAN: [Read from email]
- Invoice number(s): [Read from email]
- Total amount: [Read from email]

Can you please confirm each of these details is correct?"

Verification Best Practices:

Read each item exactly from the email
Ask for verbal confirmation of each detail
Note any discrepancies immediately
Stop immediately if they hesitate or refuse to verify
Document the conversation (date, time, person spoken to)

Step 4: Dual-Control (Maker-Checker)

Implement two-person approval for all financial changes.

Dual-Control Requirements:

Maker: Person who initiates the payment
Checker: Person who reviews and approves
Different roles: Different people with different responsibilities
Documentation: Both parties sign off on the change

Implementation Options:

Owner + Bookkeeper: Most common for small businesses
Manager + Staff: For larger organizations
Two Trusted Advisors: For solo founders
Accountant + Owner: For financial oversight

Approval Process:

Maker prepares the payment
Checker reviews all details
Both parties confirm verification
Documentation is signed and dated
Payment is processed

Step 5: Update Safely with Audit Trail

If confirmed, update the vendor record with proper documentation.

Update Procedures:

Update vendor record in accounting system
Add audit note: “Verified by phone with [Name] on [Date]”
Include verification details: Who you spoke to, when, what was confirmed
Store screenshots: In finance folder with date stamps
Update payment methods: Only after verification complete

Audit Trail Elements:

Verification method: Phone callback
Contact person: Name and title
Verification date and time
Approver name and signature
Screenshot evidence
Change details: Before and after comparison

Step 6: First-Payment Micro-Check (Optional)

For large or sensitive payments, implement additional verification.

Micro-Payment Process:

Small test payment: Send €10-€50 first
Confirm receipt: Call vendor to confirm receipt
Verify amount: Confirm exact amount received
Release balance: Send remaining payment after confirmation

When to Use Micro-Payments:

Large payments: Over €5,000
New vendors: First-time payments
International payments: Cross-border transactions
Sensitive industries: Healthcare, legal, financial services

Step 7: Post-Change Monitoring

Implement ongoing monitoring to detect future issues.

Monitoring Activities:

Alert system: Set up notifications for bank detail changes
Regular reviews: Check vendor records monthly
Anomaly detection: Flag unusual patterns
Audit trails: Review verification documentation

Alert Configuration:

Bank detail changes: Immediate notification
New vendor additions: Review required
Payment method changes: Verification needed
Unusual amounts: Flag for review

Red Flags to Treat as “Stop Signs”

Communication Red Flags

Urgent tone: “Must act immediately,” “Time-sensitive”
Confidential requests: “Do not discuss with anyone”
Authority pressure: “CFO approved,” “Management approved”
Unusual timing: Outside normal business hours
Emotional manipulation: “We’ll lose the client if delayed”

Technical Red Flags

Email domain changes: company.co vs. company.com
Reply-to addresses: Different from sender address
Attachment only: No text in email body
Poor formatting: Grammar errors, inconsistent branding
Unusual requests: Changes to established payment methods

Business Process Red Flags

New banking country: Different from previous invoices
Slightly changed details: Minor variations in names or addresses
PDF-only invoices: No email body, just attachment
Last-minute changes: Urgent payment requests
Multiple changes: Several changes in short time

Psychological Red Flags

Fear tactics: “Account will be suspended”
Greed appeals: “Special discount if paid immediately”
Helpfulness requests: “Help us update our systems”
Authority exploitation: “CEO requires immediate action”
Confidentiality demands: “Keep this confidential”

Advanced Fraud Detection

Email Header Analysis

Learn to read email headers to identify potential fraud.

What to Check:

Return-Path: Where the email actually came from
Authentication-Results: SPF, DKIM, DMARC results
IP Address: Geographic location of sender
Message-ID: Unique identifier for the email

Header Analysis Tools:

MXToolbox: Email header analysis
Google Admin Console: Gmail header analysis
Microsoft 365: Message header analysis
Email Header Analyzer: Third-party tools

Domain Verification

Check if the sender domain is legitimate.

Domain Verification Steps:

WHOIS lookup: Check domain registration details
Website verification: Visit official website
Social media: Check official social media profiles
Business directories: Verify business registration

Red Flags in Domains:

Recently registered: Domain created in last 30 days
Hidden registration: Privacy protection enabled
Misspellings: Common typos in legitimate domains
Unusual TLDs: Uncommon top-level domains

Incident Response for Payment Fraud

What do I do if we already sent money to a fraudster?

Contact your bank immediately — within the first hour if possible. Banks can sometimes freeze or recall transfers before they clear. Also report to local police and your cyber insurance provider. Document everything (emails, screenshots, timestamps) because your bank and insurer will need evidence for the investigation. Speed is the single biggest factor in recovery.

Immediate Actions (First 5 Minutes)

Stop the payment: Do not process the payment
Document everything: Save emails, screenshots, headers
Notify management: Inform leadership immediately
Contact bank: Report suspected fraud
Secure systems: Lock email accounts if compromised

Short-Term Response (First 24 Hours)

Freeze accounts: Bank accounts and email accounts
Investigate breach: Determine scope of compromise
Report to authorities: File police report if needed
Contact insurer: Report potential claim
Review security: Identify vulnerabilities

Long-Term Response (First Week)

Implement stronger controls: Add additional verification steps
Train staff: Use incident as learning opportunity
Update procedures: Strengthen payment processes
Monitor for related attacks: Watch for follow-up attempts
Document lessons learned: Improve future prevention

Comprehensive Defense Checklist

Pre-Payment Verification

Pause before processing any payment changes
Screenshot the request for evidence
Find known contact information
Call back using known phone number
Verify all details verbally
Implement dual-control approval
Document verification process

Red Flag Detection

Check for urgency in email tone
Verify email domain authenticity
Review sender details for consistency
Check for unusual payment methods
Look for psychological manipulation tactics
Verify attachment authenticity
Assess timing of request

Post-Payment Security

Update vendor records with audit notes
Store evidence in secure location
Monitor for unusual activity
Review payment patterns
Alert stakeholders of changes
Conduct regular security reviews
Update procedures based on lessons learned

Advanced Protection Strategies

Technical Controls

Implement technology to prevent payment fraud.

Email Security:

Advanced filtering: Block suspicious emails
Domain verification: Check sender authenticity
Attachment scanning: Scan for malware
Link analysis: Check link destinations

Financial System Security:

Multi-factor authentication: Require MFA for financial systems
Access controls: Limit who can make payments
Audit logging: Track all financial changes
Transaction monitoring: Flag unusual transactions

Vendor Management:

Vendor verification: Verify new vendors thoroughly
Regular reviews: Periodic vendor security assessments
Standardized processes: Consistent verification procedures
Risk assessment: Classify vendors by risk level

Process Controls

Implement robust business processes for financial security.

Segregation of Duties:

Maker-checker model: Two-person approval required
Role-based access: Limit access based on job function
Approval workflows: Multiple approval levels for different amounts
Exception handling: Clear process for unusual requests

Documentation Requirements:

Audit trails: Complete documentation for all changes
Verification records: Keep records of all verifications
Policy documentation: Written procedures for all processes
Training records: Document all security training

Key Takeaways

Remember These Rules

Always verify payment changes by phone on known numbers
Never trust email alone for financial changes
Use dual-control for all payment changes
Document everything for audit and investigation
Train staff regularly on fraud prevention

Your Action Plan

Our cybersecurity compliance kits include payment security procedures, staff training on fraud prevention, and audit-ready policy templates for your team.

Implement callback playbook for all payment changes
Train all staff on payment fraud awareness
Set up dual-control approval processes
Configure email security filtering and monitoring
Implement vendor verification procedures
Regular security reviews and updates

Success Metrics

Zero successful payment fraud attempts
All payment changes verified by phone
Dual-control compliance for all sensitive payments
Staff awareness of fraud techniques
Documentation complete for all payment changes
Financial losses from fraud eliminated

Compliance and Legal Considerations

Financial Regulations

PCI DSS: Payment Card Industry Data Security Standard
SOX: Sarbanes-Oxley Act for financial reporting
AML: Anti-Money Laundering regulations
KYC: Know Your Customer requirements

Data Protection

GDPR: Article 32 - Security of processing
Data breach notification: 72-hour reporting requirement
Documentation: Maintain records of security measures
Staff training: Regular security awareness training

Insurance Requirements

Cyber insurance: May require specific fraud prevention measures
Documentation: Evidence of security procedures
Reporting: Timely reporting of security incidents
Claims process: Proper documentation for claims

Download Your Free Cyber Security Training Kit

Need ready-to-use checklists and simple team training?
👉 Download the Free Cyber Security Training Kit

Internal Links:

External Resources:

UK Action Fraud: Invoice fraud guidance
FBI Business Email Compromise: BEC prevention
Federal Trade Commission: Business email compromise
National Cyber Security Centre: Payment fraud prevention

Estimated Reading Time: 20 minutes
Aligned With: PCI DSS, SOX, GDPR Article 32
Target Audience: Small business owners, office managers, financial staff
Learning Objectives: Prevent payment fraud, implement callback verification, protect business finances