Supplier Changed Bank Details? Stop

A first-30-minute response protocol for freezing, preserving, comparing, independently confirming, and escalating changed supplier bank instructions.

If a supplier sends different bank details, stop the payment and vendor-master update. Do this before asking for an explanation. A legitimate supplier may be changing banks or using a documented collection company; a criminal may have entered a real mailbox and waited for a real invoice. The same hold protects both situations while the buyer establishes what changed and who authorized it.

Do not confirm by replying to the same thread, calling a number printed on the revised invoice, or accepting a familiar signature. Retrieve the records and contact route your company trusted before the request arrived. Treat the change as a new approval event, even when the supplier is old and the shipment is urgent.

Accounts-payable manager using a corded office phone while a second reviewer compares old and new supplier payment instructions
An independent callback starts from a known pre-change contact record; the revised invoice is evidence to compare, not the source of the verification channel.

The first 30 minutes

This sequence is designed for the person who first notices a changed beneficiary, account, bank country, or payment route. It does not require a fraud conclusion. Its job is to keep an unresolved message from becoming an irreversible transfer.

0-5 minutes: freeze both actions

Place the payment on a visible system hold and block the corresponding vendor-master edit. If a transfer is prepared in online banking, identify its status: draft, approved but unreleased, submitted, or completed. Notify the final approver through the team's controlled channel. A chat message saying “please wait” is not enough if another reviewer can still release the wire.

Assign a short incident reference such as PAY-CHANGE-2026-0715-04. Record the purchase order, amount, currency, due date, person who noticed the change, and exact hold time. This gives finance, procurement, IT, and management one event to discuss without forwarding the suspect attachment repeatedly.

5-10 minutes: preserve what arrived

Save the original message and attachment, not only a screenshot or forwarded copy. Preserve the visible sender, envelope sender or available headers, reply-to, recipients, message time and timezone, attachment filename and file hash where appropriate, and the secure-portal or chat context if the instruction did not arrive by email. Keep the revised invoice exactly as received.

Do not edit the supplier's mailbox, delete forwarding rules, or ask the suspected sender to explain technical details before the relevant IT or security owner has considered evidence preservation. Limit unnecessary circulation of full account numbers and personal data. The finance copy can use masked fields while authorized responders retain the original.

10-15 minutes: retrieve the last known-good file

Open records created before the change: the supplier master, signed contract, purchase order, previous paid invoice, earlier beneficiary approval, known contact list, and onboarding or repeat-order review. Do not build the baseline from a phone number, letterhead, or contact card supplied in the changed message.

Copy the previous beneficiary and bank path into a comparison record. If the supplier has never been paid, use the approved contract and onboarding evidence, but label the absence of a payment history. The bank beneficiary field guide explains which party and bank fields are distinct; it does not validate the new instruction.

15-25 minutes: call outside the changed channel

Call a supplier contact on a number stored before the request. For a material payment, involve a second known contact or use a previously established video channel. State the exact beneficiary legal name, bank country, currency, and a masked account reference. Ask whether the company authorized each change, who authorized it, why it is needed, and when it takes effect.

The FBI's current Business Email Compromise guidance recommends using a secondary channel or two-factor method for account-information changes. That distinction matters because the altered instruction can come from a legitimate account. A Chinese public-security notice relaying the Ministry of Public Security's criminal-investigation warning likewise describes intruded mailboxes sending altered beneficiary names and accounts, and recommends confirmation by telephone, fax, or another route before remittance.

A callback is not independent if the new invoice supplied the number. Do not let the caller avoid the verification by confirming only the last four digits you read aloud; ask the known contact to identify the change in their own words and route the answer to the authorized finance person. Record the number source, caller, counterpart, time, questions, answers, and any second confirmation.

25-30 minutes: classify and assign owners

Do not release money merely because the callback sounded reassuring. Classify the request as proceed, hold, reject, or incident. Proceed requires independent confirmation, a resolved payee relationship, and dual approval. Hold means facts remain open. Reject means the supplier contradicts the instruction or controlled evidence does not reconcile it. Incident means money was sent, a communication channel may be compromised, or bank/security actions are active.

Name owners for four separate questions: supplier identity and relationship, old-versus-new payment data, communication/security evidence, and release authority. One salesperson should not be allowed to answer all four.

Compare the entire payment path

“We changed banks” can hide several changes. Compare exact values and retain the source of each value. Mask account numbers in general working notes according to policy, but make the controlled reviewer compare the complete values.

Field Old record New instruction Question created by a change
Beneficiary legal name Exact approved recipient Exact proposed recipient Is this a different legal person and why can it collect?
Bank country/region Previous jurisdiction Proposed jurisdiction What commercial, currency, or group change explains the route?
Bank, branch, SWIFT/BIC Previous bank path Proposed bank path Is this more than an account-number update?
Account or IBAN Complete controlled value Complete controlled value Were all characters compared by a second reviewer?
Currency/intermediary Approved route Proposed route Does the new route alter fees, parties, or settlement?
Invoice issuer Previous PI/invoice entity Current PI/invoice entity Did the seller or invoicing party change quietly?
Contract seller Signed entity Entity said to remain liable Does payment discharge the buyer's obligation?
Sender/reply-to/contact Known channel Actual message route Is the channel itself new, altered, or compromised?

A matching beneficiary name is not enough. The Guangdong branch of China's State Administration of Foreign Exchange published a case in which a bank reviewer noticed that the account and address differed from the established record even though the recipient name appeared consistent. Independent confirmation showed that no change had been authorized, and the payment was stopped. Field-by-field comparison created the question that a name-only check would have missed.

Three structures require different evidence

Same legal entity, new account

This is the narrowest change. The exact registered supplier remains beneficiary while the bank, branch, currency account, or account number changes. Obtain independent confirmation, an authorized written instruction, effective date and reason, complete old/new comparison, and dual approval before updating the master. A matching registered name helps resolve identity; it does not prove account ownership.

Different related company or export collector

A Mainland supplier may propose a Hong Kong affiliate, trading company, exporter, or collection entity. Such a structure can be legitimate, but a shared English brand or “our group company” statement does not document it. Obtain the other entity's exact legal identity, its role on the invoice and shipment, relationship evidence, written collection authority, and a clear answer on who remains responsible for delivery, defects, refunds, and contract performance.

Review the structure through the beneficiary relationship workflow. When the invoice issuer also changes, the invoice/beneficiary mismatch analysis should show all transaction parties. Legal or compliance review may be needed; company data alone cannot decide whether payment to another entity satisfies the contract.

Unrelated company or personal account

A friend, employee, currency agent, temporary collector, or personal account is a material exception, not a clerical update. A small test payment only proves that the account can receive money. It does not prove entitlement to the order payment or give the buyer a clear recovery claim. Keep the transfer on hold and escalate under the buyer's finance, legal, tax, sanctions, and compliance rules.

A successful callback is not final payment approval

An independent callback answers a communication question: did the known supplier contact intend to request these instructions? It does not decide whether the buyer is permitted to follow them. A real supplier can propose an arrangement that conflicts with the signed contract, creates an unsupported third-party collection path, changes the invoice or tax treatment, or falls outside the buyer's internal policy.

Keep three conclusions separate in the file. Request authenticity records who confirmed the request and through which pre-change channel. Recipient authority records why the named beneficiary is entitled to collect this invoice and which documents establish the relationship. Payment acceptability records whether finance, legal, tax, sanctions, compliance, and contractual requirements applicable to the buyer are satisfied. The first conclusion cannot be copied into the other two.

If the callback confirms a new Hong Kong affiliate, ask the supplier's authorized finance or management contact to provide the relationship and collection documents through an established route. Compare the response with the contract, current invoice, shipment papers, and company records. If the caller says “just pay it; we will explain later,” record the answer and leave the hold in place. Urgency changes the escalation time, not the evidence threshold.

When the known contact cannot be reached, do not substitute a newly supplied number, a social-media account, or a second email from the same mailbox. Escalate internally, try another pre-established contact, and let the supplier resolve the communication gap. A missed sailing can be commercially painful; an unverified transfer can remove both the money and the leverage needed to solve the shipment.

Case file: the real mailbox and the real purchase order

The fictional buyer Westmere Controls owes a 70% balance to Shenzhen Taoyun Motion Equipment Co., Ltd. Inspection has passed and the sailing date is close. The familiar salesperson's real mailbox sends a revised invoice naming Taoyun Global Trading Limited in Hong Kong. The message cites the correct PO, amount, inspection date, and shipping pressure.

  1. Accounts payable freezes the pending wire and vendor-master change at 09:12, then saves the original message and PDF.
  2. The previous file shows the Mainland manufacturer as contract seller, invoice issuer, and beneficiary. No Hong Kong collector appears in the contract.
  3. The comparison record shows four simultaneous changes: beneficiary, bank country, account, and invoice issuer. This is not described internally as a simple bank update.
  4. Procurement calls the factory finance manager using the office number retained at onboarding. The manager says no change was requested and asks IT to inspect the mailbox.
  5. IT finds a forwarding rule. Finance labels the instruction rejected, keeps the payment held, and accepts clean documents only through known channels after the parties secure access.

The company search did not detect the mailbox compromise. Its role was to keep Westmere anchored to the legal seller while communication and payment evidence were revalidated. The independent callback prevented the transfer. This is why the wire-transfer evidence file must preserve both entity records and the source of payment instructions.

Write the release or rejection decision

A closeout should state the event ID, old and proposed recipient, changed fields, source of the pre-change contact route, callback participants and time, entity/relationship conclusion, unresolved exceptions, decision, and two approvers. Avoid a green “verified” label that hides the path.

A release note can read: “Request received 15 July; exact account, branch and SWIFT changed while beneficiary remained the registered seller; finance manager confirmed the change on a call placed to the number stored 3 March; signed instruction received through the established portal; second reviewer compared complete values; no open exception; vendor master effective 16 July.”

A rejection note should be equally explicit: “Supplier finance manager denied the Hong Kong instruction on an outgoing call to the onboarding number; payment remains held; suspect attachment preserved; vendor master unchanged; IT and bank contacts opened under incident PAY-CHANGE-2026-0715-04.”

If the wire was already sent

Contact the originating bank immediately through its official fraud or wire-transfer channel. Provide the transaction reference, amount, currency, send time, beneficiary, receiving bank, and reason for suspected fraud. Ask what recall, reversal, indemnity, receiving-bank contact, or freeze process is available. IC3 similarly advises victims to contact the originating financial institution as soon as fraud is recognized. Recovery is not guaranteed.

Preserve emails, headers, attachments, invoices, banking records, callback notes, access logs, and the old/new comparison. Notify the supplier through a known channel so both sides can secure affected accounts without destroying evidence. Follow applicable bank, insurer, law-enforcement, regulator, counsel, and privacy requirements in the relevant jurisdictions.

China's Ministry of Commerce overseas office has also warned about mailboxes being entered and contract collection accounts being changed, and recommends fax, telephone, or another route in addition to email for material fund or account changes. Do not keep negotiating in the suspect thread while bank and security teams are trying to contain the event.

Build the control before the next change

  • Store the registered seller, contract party, invoice issuer, approved beneficiary, bank path, and known contact sources in one controlled supplier record.
  • Block email-only edits to beneficiary or account data.
  • Require an outgoing callback to a pre-change number and second approval for every payment-path change.
  • Make the system preserve old and new values, requester, verifier, approver, timestamp, and effective date.
  • Recheck the full company and transaction relationship when a legal entity changes, not merely the bank fields.
  • Include any normal offshore collector or exporter in the contract and onboarding file before an urgent invoice appears.
  • Run a repeat-order review when contacts, ownership, invoice entities, or payment routes change.

ChinaValidate can help resolve a Mainland company's registered identity, status, Chinese legal name, USCC, and public-record profile through the company search. It cannot authenticate an email, confirm a telephone speaker, prove ownership of a bank account, or decide whether a collector is authorized under a contract. The payment can move only when those separate evidence chains close.