Fake Bank Details Fraud: FBI/FinCEN Detection Guide
Learn how AP teams spot AI-generated fake bank details before paying vendors, using BEC red flags, FBI IC3 data, FinCEN SAR rules, and UCC Article 4A.

Fraudsters do not need to breach a bank's systems to steal a vendor payment. They only need one convincing email and one convincing document. The FBI calls this pattern business email compromise (BEC), sometimes narrowed to "vendor email compromise" or "payment redirection fraud": a criminal impersonates a trusted supplier or executive and persuades a finance team to update the bank account on file, so the next legitimate payment lands in an account the criminal controls. The FBI's Internet Crime Complaint Center (IC3) tracks all of these under BEC. Generative AI has made the supporting paperwork markedly harder to spot: a fabricated remittance letter, a cloned signature, and a plausible routing number now take minutes to produce, not days.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.
What Business Email Compromise Is and Why It Targets Accounts Payable
The FBI defines business email compromise as a scam in which criminals send an email appearing to come from a known source with a legitimate request (most often a fraudulent invoice or a bank detail change), tracked by IC3 as a distinct crime category.
BEC generated close to $2.8 billion in reported losses across 21,442 complaints in 2024, the second-costliest crime category the FBI tracked that year (FBI 2024 Internet Crime Report). Total IC3 losses across all crime types reached $16.6 billion in 2024, up 33% over 2023, and IC3 attributed nearly $8.5 billion to BEC alone across 2022-2024. Accounts payable is targeted because it routinely processes legitimate requests to update vendor bank details, giving a fraudulent request cover to hide inside normal workflow.
How Fraudsters Build a Convincing Fake Bank Details Document
Most BEC schemes begin with reconnaissance, not forgery. A criminal identifies a real supplier relationship, often from a compromised mailbox or a leaked invoice, before producing a document engineered to pass a quick visual check.
Compromised or spoofed email as the delivery channel
The fraudulent bank details rarely arrive out of nowhere. They usually arrive attached to an email that appears to come from a trusted contact, either because the criminal compromised the supplier's real mailbox or registered a look-alike domain. The request looks routine: same tone, same signature block, same invoice template the AP team already recognizes, what FinCEN calls "targeting vulnerable business processes" rather than a technical flaw.
AI-generated letters, remittance forms, and cloned signatures
Generative tools let a fraudster take a genuine letterhead or invoice as a reference and reproduce it with substituted account and routing numbers in seconds, matching fonts and logos almost exactly. Inpainting tools can alter just the account and routing numbers on a scanned original, leaving the rest untouched, the hardest variant to catch by eye. Voice cloning is an emerging companion technique: short samples of an executive's public speech can fabricate a call authorizing the change, defeating the "call to confirm" step many teams rely on.
FinCEN's analysis of Bank Secrecy Act data found that monthly SAR filings describing BEC activity more than doubled between 2016 and 2018, from roughly 500 to more than 1,100, with reported monthly losses exceeding $300 million by 2018 (FinCEN Updated Advisory on Email Compromise Fraud Schemes). A 2023 FinCEN trend analysis found the same pattern recurring in real estate closings, a document-heavy workflow much like vendor payment approval in accounts payable (FinCEN, BEC in the Real Estate Sector).
Red Flags That Reveal a Fake Bank Details Document
A fake bank details document rarely fails on one obvious point. It usually fails several quieter checks at once, which is why a structured review catches what a glance misses.
| Signal | What to check | Why it matters |
|---|---|---|
| Unsolicited change request | Requested by the vendor, or only confirmed after you called first? | Fraudsters initiate; genuine vendors rarely chase a bank detail change |
| Routing number / bank mismatch | Does the 9-digit ABA routing number resolve to the bank named on the letter? | AI-generated documents often pair a real-looking account number with the wrong institution |
| Document metadata | Does creation software match how this vendor normally sends documents? | Generic editors or stripped metadata are inconsistent with routine correspondence |
| Contact channel | Confirmed using contact details supplied in the same message? | A closed loop controlled by the fraudster defeats callback checks |
| Cross-border redirect | Does the new account sit outside the US or route through an intermediary bank abroad? | Raises OFAC sanctions-screening exposure alongside the fraud risk |
| Urgency and pressure | Deadline, penalty, or threat to disrupt future deliveries? | Designed to bypass dual-authorization workflows |
| Formatting drift | Fonts, logo resolution, or layout differ from recent communications? | AI-cloned templates are close but rarely pixel-identical |
Federal guidance to financial institutions consistently identifies verifying any bank detail change through contact details already held on file (never those supplied in the request) as the primary defense against BEC-driven payment redirection (FinCEN Advisory on E-mail Compromise Fraud Schemes). No document-level check replaces that step.
Does the routing number belong to the named bank, and does the metadata match?
An ABA routing number can pass its own check-digit algorithm and still belong to the wrong institution. Only an account-verification method (a positive-pay match, a Nacha-participant lookup, or an instant ownership check) confirms the name on the account matches the vendor you intend to pay; our guide to validating US bank account numbers covers this in detail. Separately, genuine documents carry metadata trails (creation software, timestamps, revision history) that are difficult to fake at scale. A letter claiming to come from a vendor's finance department but generated in a generic editor, with metadata stripped, is a stronger signal than the letter's visual quality.
Why Standard Accounts Payable Controls Miss This Fraud
Segregation of duties, three-way matching, and approval thresholds catch quantity and pricing errors, not a plausible change to vendor bank details buried in a routine email. Manual fraud detection catches roughly 37% of cases, with an average detection delay of 87 days, according to the ACFE 2024 Report to the Nations. By the time a delayed review surfaces a diverted payment, the funds are usually gone, and harder still to recover if the account sits offshore.
A Verification Protocol Before You Change Any Bank Detail
A short, enforced sequence closes most of the gap that AI-generated documents exploit.
Step 1: Freeze the change. Do not update the vendor master file or process any payment against new bank details until the request has passed independent verification, regardless of stated urgency.
Step 2: Call back on a known number. Contact the vendor using a phone number already on file, never one provided in the change request. This single control defeats most BEC-driven payment redirection because the fraudster does not control the callback channel.
Step 3: Validate the routing and account details independently. Run the ABA routing number through a check-digit validator, confirm it resolves to the named bank, and check the registered account name against your vendor records.
Step 4: Screen cross-border redirects and require dual sign-off. If the new account sits outside the US or routes through an intermediary bank abroad, run OFAC sanctions screening before releasing funds; facilitating a payment to a sanctioned party is a separate liability from the fraud itself. A second, independent approver should then confirm the change before it goes live, with the outcome logged; this is the audit trail examiners and insurers expect if the fraud is disputed later.
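The four steps above, together with the earlier point that a routing number can pass its check digit and still belong to the wrong institution, can be expressed as a gate on the vendor master file. This is an added example, not code from the original article or from CheckFile. The `ChangeRequest` record, its field names, the sample request and the two-entry routing directory are constructed for illustration, and the directory stands in for an authoritative routing lookup.

```python
import re
from dataclasses import dataclass

# Constructed sample standing in for an authoritative routing-directory lookup.
ROUTING_DIRECTORY = {"021000021": "JPMORGAN CHASE BANK", "121000248": "WELLS FARGO BANK"}

def aba_check_digit_ok(rtn: str) -> bool:
    """ABA rule: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) must be divisible by 10."""
    if not re.fullmatch(r"[0-9]{9}", rtn):
        return False
    d = [int(c) for c in rtn]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0

@dataclass
class ChangeRequest:  # hypothetical record of one bank detail change request
    routing_number: str
    bank_on_letter: str
    callback_number: str        # the number AP actually dialled
    requested_by: str
    approved_by: str
    account_name_matches: bool  # result of an external account-ownership check
    country: str = "US"
    ofac_screened: bool = False

def digits(phone: str) -> str:
    return re.sub(r"\D", "", phone)

def review(req: ChangeRequest, phone_on_file: str) -> list:
    """Return blocking findings; the change stays frozen unless the list is empty."""
    findings = []
    if digits(req.callback_number) != digits(phone_on_file):
        findings.append("callback not made on the number on file")
    if not aba_check_digit_ok(req.routing_number):
        findings.append("routing number fails check digit")
    else:
        bank = ROUTING_DIRECTORY.get(req.routing_number)
        if bank != req.bank_on_letter.strip().upper():
            findings.append(f"routing number resolves to {bank or 'no listed bank'}, not the bank on the letter")
    if not req.account_name_matches:
        findings.append("account name not confirmed against vendor record")
    if req.country != "US" and not req.ofac_screened:
        findings.append("cross-border account not OFAC screened")
    if not req.approved_by or req.approved_by == req.requested_by:
        findings.append("no independent second approver")
    return findings

# Constructed request: valid check digit, wrong institution, callback on the emailed number.
SAMPLE = ChangeRequest("121000248", "JPMorgan Chase Bank", "+1 (555) 010-0199",
                       "a.clerk", "a.clerk", account_name_matches=False)
```

Calling `review(SAMPLE, "+1 555 010 0100")` returns four findings even though the routing number itself is well formed, which is the case a check-digit validator alone would wave through.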
Will Your Bank Cover a Fraudulent Vendor Payment?
The United States has no equivalent of a mandatory reimbursement scheme for commercial payment fraud. Regulation E covers consumer wire and ACH transfers but explicitly excludes business accounts; liability for the wires and ACH payments that move vendor funds falls instead under Article 4A of the Uniform Commercial Code, adopted by every state.
Under UCC Article 4A, a bank is generally entitled to enforce a payment order, even a fraudulent one, if it followed a commercially reasonable security procedure both parties agreed to (Cornell Law School, UCC Article 4A). A business avoids liability only by showing the fraud did not originate inside its own organization or through someone who obtained access via its systems. The law also gives banks no duty to check that a beneficiary's name and account number match: if a payment reaches the right account number but the wrong name, the loss typically falls on the business that supplied the number, unless the receiving bank had actual knowledge of the mismatch, the exact standard a federal appeals court applied to a misdirected BEC wire in early 2025 (Fourth Circuit ruling, Consumer Financial Services Law Monitor).
The practical consequence: a mid-sized company that pays a fraudulent vendor invoice has no guaranteed statutory refund, and outcomes depend on the security procedures both banks had in place. Recovery options include an IC3 complaint filed within 72 hours, routed to the FBI's Recovery Asset Team (over $1.3 billion frozen for US victims since 2014), a bank recall request, and commercial crime insurance. Institutions themselves carry a separate BSA duty to file a SAR with FinCEN on suspected BEC, regardless of recovery.
How CheckFile Complements Manual and Procedural Controls
Callback verification and dual sign-off remain essential, but both depend on staff catching a well-made forgery first. Our approach applies multi-layer analysis (structural checks, metadata forensics, and cross-document consistency validation) to the bank detail documents finance teams receive, alongside AI-generated content detection deployed as a complementary layer to existing structural controls. This does not replace callback verification or account-ownership checks; it gives the reviewer a structured signal before either step happens. The CheckFile banking KYC solution applies this pipeline to onboarding and payment documents, and the CheckFile security infrastructure provides the audit logging examiners expect. Teams evaluating deployment can review pricing or the platform directly.
For a broader view of verification obligations across sectors, see our industry verification guide. Finance teams focused on invoice-borne fraud may also find our guide to detecting AI-generated fake invoices useful.
To place fake bank details detection within a dedicated approach, see AI-generated and forged document detection. CheckFile analyses your files and surfaces signs of AI-generated content as a complement to your existing controls.
Frequently Asked Questions
What is the difference between business email compromise and invoice fraud?
Business email compromise describes the delivery method: a compromised or spoofed email account used to send a fraudulent instruction, most often a bank detail change or an urgent wire request. Invoice fraud is broader and covers any fabricated invoice, whether or not bank details change. The two overlap heavily in practice.
Can AI-generated bank detail documents be detected by eye?
Reliable visual detection is increasingly difficult, since current tools reproduce fonts and layout with high fidelity. Metadata checks, routing number cross-checks, and callback verification remain more reliable than appearance-based review.
Is our company covered if we pay a fraudulent vendor invoice?
There is no federal reimbursement guarantee comparable to consumer wire fraud protections. Liability is governed by UCC Article 4A, which generally holds the sending business responsible unless it can show the fraud originated outside its own systems, or that the bank's security procedure was not commercially reasonable. Commercial crime insurance and a prompt recall request are usually more reliable than a statutory refund.
Are financial institutions required to report suspected BEC activity to FinCEN?
Yes. Institutions subject to the Bank Secrecy Act must file a Suspicious Activity Report with FinCEN on transactions connected to suspected BEC, generally within 30 days, regardless of whether the victim recovers funds. This SAR data is what FinCEN uses for its BEC trend analyses.
Who should we notify if we suspect a bank detail change was fraudulent?
File a complaint with the FBI's IC3 as soon as possible, ideally within 72 hours, giving the Recovery Asset Team the best chance of freezing the funds. Contact your bank to request a recall, and notify the genuine vendor separately, since their email may also be compromised.