I "accidentally" paid an invoice. To a scammer.
I run a small business and pay invoices from email every week, so when a message arrived from a supplier’s name with an invoice and new bank details, I queued it for payment like any other.
The layout matched past threads; the note said their account had changed after a merger.
I wired thousands the same afternoon because the due date was tight and I did not want to hold up their cash flow.
Business email compromise and fake invoice scams impersonate real vendors; the money landed in a criminal account.
The real supplier never changed banks—they had not sent the email.
While I authorised the transfer I told myself calling would slow the month-end close; verifying by phone felt old-fashioned compared to the familiar signature block.
The supplier’s accounts team replied to my “payment sent” note with confusion; when we compared headers, the sender domain was one character off.
Recovering the funds through the bank was uncertain; I had to tell my accountant and absorb the hit to cash flow while disputes ran.
Any change of bank details gets a callback on a number I look up myself—never the phone line in the email.
- Confirm payment changes out of band with known contacts.
- Report to your bank and law enforcement fraud units; tighten email authentication for your domain.
For more help, see our Report a scam page and Spot and avoid scams guide.