Chinese Supplier Changed Bank Details? Stop Before You Pay

A practical response plan for buyers who receive changed bank instructions from a Chinese supplier before a deposit or balance payment.

If a Chinese supplier sends new bank details shortly before a deposit or balance payment, pause the transfer. Do not confirm the change by replying to the same email thread, calling a new number in the revised invoice, or accepting a familiar signature as proof. Retrieve the supplier contact and payment record your company already trusted, verify the request through a separate channel, and treat the new beneficiary as a fresh approval decision.

The supplier may be making a legitimate banking change. The message may also have been sent from a compromised mailbox after someone watched a real order develop. The first job is not to decide who is lying. It is to prevent an irreversible payment while the facts are still unclear.

A procurement manager independently confirming changed bank details before paying a Chinese supplier
A bank-detail change should create a new approval event, even when the supplier is familiar and the shipment is urgent.

The risk is bigger than a fake-looking email

Many payment teams look for obvious warning signs: poor grammar, a strange attachment, a new salesperson, or an email domain that is one letter off. Those checks are useful, but they do not cover the hardest case. In a business email compromise, an attacker may gain access to a genuine supplier or buyer mailbox, read months of correspondence, learn the order value and payment date, and wait until a real invoice is due.

The resulting request can arrive from the correct address, refer to the correct purchase order, use the usual tone, and include a convincing copy of the supplier's invoice. Only the beneficiary, bank country, SWIFT code, or account number may have changed.

The FBI's Internet Crime Complaint Center describes business email compromise as fraud involving legitimate business email accounts and transfers of funds. Its prevention guidance recommends confirming account-information changes through a secondary channel or two-factor verification. That is the right baseline for a China supplier payment as well: email can deliver the request, but email alone should not approve it.

Read the FBI IC3 guidance on business email compromise.

A 30-minute protocol when bank details change

The order may have taken three months to negotiate. The payment-control response can still be simple. The following sequence is designed for the first half hour after a buyer, purchasing manager, or accounts-payable reviewer notices changed instructions.

1. Stop the payment queue

Mark the transfer as held before asking the supplier for an explanation. If the payment has already been prepared in online banking, remove it from the approval queue or make sure the final approver knows not to release it. A verbal “please wait” in a busy team is not a control.

2. Preserve the request as received

Save the original email, attachment, sender address, reply-to address, time, and full payment instructions. Do not work only from a forwarded screenshot. If the request later proves fraudulent, the original message and headers may help the supplier's IT team, your bank, insurer, or investigators understand what happened.

3. Retrieve the last known-good record

Open the supplier master record, previous paid invoice, signed contract, purchase order, and earlier bank confirmation. Use records stored before the change request arrived. Do not use a phone number, contact card, or letterhead that appears only in the new message.

4. Compare every changed field

A request described as “we changed banks” may contain more than a new account number. Record the old and new values side by side.

Field What to compare Why it matters
Beneficiary name Exact company or personal name, including legal suffix A new name can mean a different legal recipient, not merely a different bank.
Bank country or region Mainland China, Hong Kong, Singapore, UAE, or elsewhere A jurisdiction change needs a commercial explanation and a documented relationship.
Bank and branch Institution name, branch address, and SWIFT/BIC These fields help identify whether the change is broader than the supplier described.
Account number Full value using a controlled comparison One changed digit is enough to redirect a payment.
Invoice issuer Company named on the current and previous PI or commercial invoice The request may quietly replace both the issuer and the payee.
Contract party Entity named in the signed agreement or purchase order The company receiving money should fit the contractual payment story.
Currency and payment route USD, EUR, CNY, HKD and any intermediary-bank instructions A new route can explain operational changes, but it can also hide a different recipient.

5. Make an out-of-band callback

Call a supplier contact on a number your company already had before the request. For a material payment, use a video call or involve a second known contact, such as the supplier's finance manager or owner. State the beneficiary name, bank, country, currency, and last four digits of the account, and ask the contact to confirm each item.

A callback is not independent if you call the new number printed on the revised invoice or use a phone number supplied in the same email. An attacker who controls the message can also control those details.

6. Verify the company relationship

Confirm the mainland Chinese supplier's registered legal name and Unified Social Credit Code, then compare them with the invoice issuer, contract party, and new beneficiary. If the payee is a Hong Kong affiliate, exporter, trading company, or other third party, ask who owns or controls it, what role it has in the transaction, and why payment to that entity discharges the buyer's obligation to the contracted supplier.

A China company search can help confirm the mainland entity's identity and current public-record profile. It cannot prove that a bank account belongs to that company, and it cannot by itself establish an offshore affiliate relationship. Keep those two questions separate.

7. Require a second approver

The person who receives and enters new payment details should not be the only person who approves the change. A second reviewer should see the old and new records, the independent callback result, the company match, and any relationship documents before the vendor master is updated.

Three payment structures that should not be treated the same

“Different bank details” is not one situation. The legal recipient and the commercial explanation determine how much evidence is needed.

The same Chinese legal entity opens a new account

This is the simplest case. The beneficiary name remains the registered Chinese company, while the bank, branch, currency account, or account number changes. Confirm through an existing contact, request the new instruction on company letterhead or another controlled document, and record who approved the update. A matching company name is helpful but does not replace the callback.

A mainland supplier asks you to pay a Hong Kong affiliate or exporter

This can be a genuine trade structure, but “our Hong Kong company” is not evidence. The buyer needs the Hong Kong entity's exact legal name, registration details, invoice role, and a written explanation connecting it to the mainland supplier and the order. The contract, PI, and payment authorization should tell one coherent story about who sells the goods, who receives the funds, and who remains responsible for delivery and defects.

If the Hong Kong company appears for the first time on the final invoice, treat the change as a hold until the relationship and payment effect are reviewed. Do not assume that a shared English brand name proves common ownership.

An unrelated company or personal account receives the money

This is a material exception. The supplier may describe the account as a friend, manager, currency agent, collection partner, or temporary workaround. None of those labels gives the buyer a clear claim against the recipient. Pause the transfer and escalate it under your company's legal, finance, and compliance rules. A small “test transfer” only proves that the account can receive money; it does not prove the recipient is entitled to the full payment.

Evidence that improves the file, and evidence that does not settle it

Evidence Useful for Important limitation
Independent callback to a known contact Confirming that the supplier intended to request the change The caller must use contact data held before the request.
Chinese business license and USCC Identifying the mainland legal entity They do not prove ownership of a bank account.
Previous paid invoice and bank record Establishing the last known-good beneficiary They show history, not whether the new request is valid.
Stamped or signed bank-change letter Creating a written supplier representation A document sent through a compromised mailbox can also be altered.
Affiliate registration and ownership documents Explaining a different group or export entity Shared ownership does not automatically amend the contract.
Supplier website or marketplace profile Supporting contact and brand context Marketing pages are not proof of legal identity or payment authority.
Matching email signature Very limited consistency check Signatures are easy to copy and may be visible inside a compromised mailbox.

A worked example: the urgent balance payment

A buyer has paid a 30% deposit to a Shenzhen manufacturer and is preparing the 70% balance after inspection. Two days before shipment, the usual salesperson emails a revised PI. The message says the old USD account is under review and asks the buyer to pay a Hong Kong company so the container will not miss its sailing date.

The message comes from the correct email address and quotes the real purchase order. The buyer still holds the payment because four facts changed at once: beneficiary name, jurisdiction, account number, and invoice issuer.

  1. Accounts payable removes the transfer from the approval queue and saves the original email and attachment.
  2. Procurement opens the earlier contract, deposit record, verified Chinese company profile, and supplier contact stored during onboarding.
  3. The buyer calls the factory's known office number. The finance manager says no account change was requested.
  4. The supplier checks its mailbox and discovers an unauthorized forwarding rule. The shipment is delayed while both sides secure their accounts and issue clean documents.

In this example, a company registry check does not catch the email compromise. Its value is different: it keeps the buyer anchored to the legal entity originally reviewed while the communication and payment evidence are revalidated. The independent callback is what prevents the transfer.

Use a written decision, not a reassuring conversation

After the checks, record one of four outcomes. The labels matter less than making the reason reviewable.

Outcome Typical evidence Action
Proceed Known contact confirms the change; beneficiary and entity relationship are documented; two reviewers approve. Update the vendor master and retain the evidence with the payment.
Watch The beneficiary is unchanged but a bank or branch field needs clarification. Resolve the field before release and document the answer.
Hold New beneficiary, new jurisdiction, inconsistent invoice, or confirmation relies only on the same email channel. Do not pay until independent evidence closes the gap.
Escalate Personal or unrelated payee, disputed instructions, high-value urgency, suspected mailbox compromise, or unclear contract effect. Involve management, the bank, IT/security, legal counsel, or other professional advisers as appropriate.

Practical wording your team can use

Callback script

We received a request to change the bank details for purchase order [number]. I am calling the contact number already held in our supplier file, not a number from the new instruction. Please confirm whether your company authorized the change, the exact beneficiary legal name, bank country, currency, and the last four digits of the new account. We will keep payment on hold until a second reviewer completes our change process.

Document request

Please provide the new payment instruction on company letterhead, the reason for the change, the effective date, and the name and title of the person authorizing it. If the beneficiary is a different company, also provide its registration details, its relationship to the contracted supplier, and written confirmation that payment to that entity satisfies the amount due under this order.

Approval note

Bank details changed on [date]. Previous beneficiary: [name]. New beneficiary: [name]. The request was independently confirmed on [date/time] by calling [known contact and role] using the number stored on [source/date]. Legal-entity and invoice checks completed: [summary]. Remaining exceptions: [none/list]. Entered by [name]; approved by [name].

If the wire has already been sent

Act immediately. Contact the sending bank through its official fraud or wire-transfer channel and ask about a recall, hold, or contact with the receiving institution. Speed matters, but recovery is not guaranteed. Give the bank the transaction reference, beneficiary, amount, time, receiving bank, and the reason you believe the instruction may have been fraudulent.

At the same time, preserve the original emails, attachments, headers, invoices, callback notes, banking records, and supplier communications. Notify the supplier through a known channel so both sides can secure affected email accounts and preserve logs. Follow your insurer's notice requirements and report the incident to the appropriate law-enforcement or cybercrime authority in your jurisdiction. US victims can use the FBI IC3 reporting process referenced above.

Do not keep negotiating with the suspected sender from the compromised thread while your bank and security team are trying to contain the incident. Also avoid deleting mailbox rules or other evidence before your IT team captures what it needs.

Build the control before the next invoice arrives

The best time to agree on bank-change verification is during supplier onboarding, not when a container is waiting at port. A workable control does not require expensive software.

  • Store the supplier's Chinese legal name, USCC, contract entity, invoice entity, approved beneficiary, and known contact details in one supplier record.
  • Require an independent callback and two-person approval for every beneficiary or account change.
  • Prevent email alone from updating vendor master data.
  • Compare the current PI with the last paid invoice, not only with the latest email.
  • Recheck the company profile when the legal entity changes, not merely when the bank changes.
  • Write the approved payment structure into the contract or supplier-onboarding file, including any export or Hong Kong affiliate.
  • Keep a dated decision note with the transfer so an auditor or manager can reconstruct why the change was accepted.

For a broader pre-payment review, use the supplier verification checklist, read how to check a China supplier bank beneficiary, or review a sample company report.

Where ChinaValidate fits, and where it does not

ChinaValidate can help identify the mainland Chinese company, match the registered name and USCC, review its public status, and create a dated company record for the supplier file. That evidence is useful when a payment request starts introducing new names.

It does not authenticate an email, verify ownership of a bank account, confirm that a caller is genuine, or decide whether an affiliate-payment arrangement is legally effective. Those controls belong to the buyer's bank-change process, contract review, and independent communication with the supplier. Use company verification as one layer, not as permission to skip the others.

FAQ

What if the bank-change email came from the supplier's real address?

Still verify it through a separate channel. A real mailbox can be compromised, and an attacker may know the correct order details and writing style.

Is a Hong Kong beneficiary normal for a mainland Chinese supplier?

It can be part of a legitimate trading or group structure, but the exact Hong Kong entity, its relationship to the supplier, its invoice role, and the effect of payment should be documented before approval.

Should we send a small test payment to verify the new account?

A test confirms only that the account can receive money. It does not prove the recipient is the supplier or is entitled to the order payment. Complete the identity, callback, and approval checks first.

What if the supplier says the old account is frozen or under review?

Treat the explanation as a reason to gather evidence, not as a reason to bypass controls. Confirm through an existing contact and document the new recipient and its relationship to the contract.

Do repeat suppliers need the same checks?

Yes when the beneficiary changes. A long trading history can make the request feel safe, but it also gives an attacker a richer email history to imitate.

Can an urgent shipment justify paying before confirmation?

No. Shipment pressure is exactly when teams are most likely to bypass a normal approval. Hold the transfer until the change is independently confirmed.

Should we run a new company check?

Run a fresh check if the invoice issuer, contract entity, or claimed affiliate changes. If only the bank account changes under the same legal entity, the main controls are independent confirmation and bank-change approval.

Before you release the payment

Make sure your file answers four questions in plain language: Who did we contract with? Who issued the invoice? Who will receive the money? How did we independently confirm any change? If one answer depends only on the email that requested the new account, the payment is not ready.

Check the Chinese company identity before approving a new payment entity, or view the sample report to see the fields that can support your supplier record.