THE PAYMENT NEVER ARRIVED: HOW INVOICE MANIPULATION EVOLVED INTO AI-POWERED PAYMENT REDIRECT FRAUD

It is one of the most deceptive attacks in today’s B2B landscape—silent, precise, and often invisible until it’s too late. No malware. No system breach alerts. No obvious compromise. Just a perfectly normal invoice. A trusted sender. A familiar signature. And a single change that alters everything.

Welcome to Payment Redirect Fraud, also known as Invoice Manipulation 2.0.

The attack doesn’t begin with the invoice—it begins weeks or even months earlier. Attackers gain access to corporate email accounts, typically through phishing, compromised credentials, or session hijacking. But instead of acting immediately, they wait.

They observe.

Every email thread, every interaction, every detail is analyzed. Payment cycles, communication styles, signatures, invoice formats—everything is studied. The attacker becomes an invisible participant in the conversation, learning how the business operates from the inside.

And then comes the moment.

A payment is due. Perhaps a large invoice. Perhaps the final installment of a project. The perfect timing. The attacker intervenes—not by disrupting the process, but by subtly modifying it.

The IBAN is replaced.
The account details are changed.
Everything else remains untouched.

Company name, logo, formatting, tone—everything appears identical. In many cases, attackers now use AI-generated emails to perfectly mimic writing style and communication patterns. No spelling errors. No red flags. The message feels authentic—often more polished than the original.

For the recipient, there is no reason to question it.

The invoice is reviewed. It looks correct. The sender is known. The context matches. The payment is approved.

And in that exact moment, the money is gone.

Because the transfer doesn’t go to the intended business partner—it goes to an account controlled by the attacker. These are often mule accounts, created solely to receive and quickly move funds. Within hours or days, the money is fragmented, transferred across jurisdictions, or converted into other assets.

Recovery becomes nearly impossible.

How real and immediate this threat is becomes clear through a concrete case shared in conversation with the CTO of a well-established IT integrator—an organization responsible for managing highly sensitive enterprise environments. According to him, one of their clients was involved in an international business relationship with a partner based in Asia.

Communication had been ongoing for weeks. Everything appeared normal.

Then the invoice arrived.

Visually identical to previous documents. Structurally consistent. Linguistically precise. Nothing seemed out of place—except for one critical detail: the bank account information had been changed.

The payment—over €50,000—was executed.

Only days later did the issue surface, when the actual partner reported that no funds had been received. By then, the money had already been moved across multiple accounts. The loss was real, immediate, and irreversible.

What makes this attack particularly dangerous is that it doesn’t exploit a traditional technical vulnerability. There is no system breach in the conventional sense. Instead, it manipulates the process itself. Everything appears legitimate—and that is precisely the problem.

The attack exploits trust.

In established business relationships, transactions are rarely questioned in depth. Processes are routine. Invoices are processed efficiently. And that efficiency becomes the weakness.

The risk increases further in international scenarios. Different currencies, unfamiliar banking structures, evolving points of contact—all of these factors reduce friction for attackers. A new IBAN or updated payment details may not immediately raise suspicion.

And that is exactly where modern fraud operates.

The combination of email compromise, process intelligence, and AI-driven communication has elevated Payment Redirect Fraud to a new level. Attackers no longer need to break into systems—they operate within them, leveraging existing workflows against the organization itself.

The consequences are significant.

  • Losses in the six- or even seven-figure range are not uncommon
  • Business relationships are damaged
  • Trust between partners erodes
  • Internal processes come under scrutiny
  • Legal disputes may arise

One of the most complex aspects is accountability. Who is responsible—the company that made the payment, or the one whose communication was compromised? This ambiguity adds a further layer of risk beyond the financial loss.

Detection is often delayed. In many cases, the fraud is only discovered when the legitimate recipient follows up on the missing payment. By that time, the funds are already gone.

Defending against this type of attack requires more than traditional IT security. Since the attack occurs at the intersection of communication and process, the response must do the same.

Effective countermeasures include:

  • Verifying payment details through a secondary channel (e.g., direct phone call)
  • Never accepting changes to bank information without explicit confirmation
  • Raising awareness of unusual timing or subtle inconsistencies
  • Monitoring email accounts for abnormal behavior
  • And most importantly: establishing strict internal approval processes for payments
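As an added illustration (not part of the original article), the first two countermeasures can be enforced inside the payment workflow: compare the IBAN on every incoming invoice with the vendor master record and hold the payment until a changed account has been confirmed by call-back. The vendor master dictionary, the function names and the confirmed-changes set are assumptions made for this sketch; the IBANs are the public documentation examples, used as constructed sample data.

```python
import re

# Constructed sample data: vendor id -> IBAN on file (public documentation example IBAN).
VENDOR_MASTER = {"V-1001": "DE89 3704 0044 0532 0130 00"}

def normalize_iban(raw):
    """Uppercase and strip spaces/hyphens so formatting differences are not mistaken for a change."""
    return re.sub(r"[\s-]", "", raw).upper()

def iban_checksum_ok(iban):
    """ISO 13616 mod-97 check on a normalized IBAN."""
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]                           # country code + check digits go last
    digits = "".join(str(int(c, 36)) for c in rearranged)      # A=10 ... Z=35
    return int(digits) % 97 == 1

def review_payment(vendor_id, invoice_iban, vendor_master, confirmed_changes=frozenset()):
    """Return ("release" | "hold", reasons).

    confirmed_changes holds (vendor_id, normalized_iban) pairs that were confirmed
    through a secondary channel, e.g. a call to the phone number already on file
    (never a number taken from the invoice or the e-mail that announced the change).
    """
    reasons = []
    iban = normalize_iban(invoice_iban)
    on_file = normalize_iban(vendor_master.get(vendor_id, ""))
    if not iban_checksum_ok(iban):
        reasons.append("invoice IBAN fails checksum validation")
    if not on_file:
        reasons.append("vendor has no bank details on file")
    elif iban != on_file and (vendor_id, iban) not in confirmed_changes:
        reasons.append("IBAN differs from vendor master; call-back confirmation required")
        if iban[:2] != on_file[:2]:
            reasons.append(f"bank country changed: {on_file[:2]} -> {iban[:2]}")
    return ("hold" if reasons else "release", reasons)

if __name__ == "__main__":
    # Same vendor, same layout, only the account differs: the case the article describes.
    print(review_payment("V-1001", "GB82 WEST 1234 5698 7654 32", VENDOR_MASTER))
```

A valid checksum says nothing about who owns the account, so the comparison against the record on file, not the format check, is what stops the redirected payment.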

But beyond controls and procedures, there is a cultural shift required.

Trust must no longer be automatic.

Every change in payment details—no matter how plausible—must be treated as a potential risk. Because it is within these small, almost invisible changes that the greatest threats exist.

Payment Redirect Fraud reflects a broader evolution in cyber threats. Attacks are no longer loud, obvious, or purely technical. They are subtle, patient, and deeply embedded in business operations.

Or put differently:

The attack does not happen within the system.
It happens between two people who believe they trust each other.

And that is exactly why it works.

The most dangerous threat today is not a hacker breaking in.
It is a perfectly written email, arriving at the perfect moment.

And a bank account no one questions.

Darkgate is an independent magazine.

Darkgate Editorial Team