Online Payment Fraud, Payment Diversion: Redirecting Payment Flows
Fraudsters redirect payments to their own accounts, using methods such as fake notifications or manipulated invoices. Learn how companies can protect themselves from payment diversion attacks.
Payment Diversion, At a glance
- Payment Diversion is a fraud tactic where payments are redirected to fraudsters’ accounts through altered bank account details.
- Attack methods vary widely, from forged invoices and QR codes to business email compromise (BEC).
- Deceptively genuine-looking notifications, sent by email, letter, fax or phone, make this tactic particularly dangerous.
Definition, What is Payment Diversion?
Payment Diversion (also referred to as Payment Diversion Fraud) is a type of cybercrime in which payments owed by a company are redirected to criminals' accounts. It typically begins with an apparently harmless message to the accounting department, for example an alleged change to a supplier's bank details. If the new details are entered without verification, every subsequent payment goes straight to the fraudsters' account.
What makes this particularly dangerous is how easily letters, faxes, calls and even emails can be made to look as though they come from trusted senders. The fraud often goes unnoticed for some time, usually until the genuine business partner sends a reminder for an overdue payment. By then, recovering the misdirected funds is unlikely.
What types of Payment Diversion exist?
The employed tactics are diverse: manipulated invoices, forged payment details in emails, or communications providing new account details. QR codes on invoices or links in emails might also contain different bank details.
Business Email Compromise (BEC) is particularly common; CEO fraud is one well-known variant. Fraudsters gain access to a company's email traffic or to individual staff mailboxes and send messages in the name of real contacts. Because the messages come from genuine addresses, they look especially credible.
Typical Procedure, How does a Payment Diversion Attack work?
Notification of a bank account change
A supplier, business partner or even an alleged employee notifies you of new banking details. Such notifications may come via email, letter, fax or phone call.
Updating master data
The new account details are entered in the accounting or ERP system, often without any further enquiry or verification.
Payment to the fraudulent account
All subsequent payments (e.g. invoice settlements, standing orders, salaries or bonuses) are automatically redirected to the fraudsters’ accounts.
The scenario is particularly risky when the change is communicated shortly before a payment deadline: the time pressure discourages verification.
Warning Signs, How can I recognise Payment Diversion?
Suspect sender
Unfamiliar email addresses, spelling errors or a different contact person than usual can indicate Payment Diversion.
Timing
The notification of changes appears shortly before an invoice is due.
Discrepancies with existing records
Provided bank details do not match the stored records.
Inconsistencies with country location
The bank details point to a country unrelated to the supplier's registered office.
Forged QR codes or links
QR codes or links carry bank details that differ from those printed on the invoice. Paying without cross-checking the payment details leaves you exposed to Payment Diversion.
Manipulated employee bank details
Fraudsters impersonate employees and request changes to banking information to redirect salary payments to their accounts.
Notification without invoice reference
Notifications of an alleged change in bank details sometimes carry no invoice reference at all, as is common between businesses operating under fixed contracts.
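The warning signs above can be checked mechanically against the supplier master data before anyone touches the record. The following Python is an added example, not code from the original page or from Commerzbank: it validates the IBAN checksum (ISO 13616 mod-97), compares the IBAN country with the supplier's registered office, compares the sender's domain with the one on file, flags changes that arrive shortly before the due date or without an invoice reference, and reads the IBAN out of an EPC QR code ("GiroCode") payload so it can be compared with the IBAN printed in the invoice text. The supplier record, the two notifications and the QR payloads are constructed sample data; the seven-day threshold, the field names and the assumption that the invoice QR uses the EPC format are this example's own.

```python
"""Checks a bank-detail change notification against stored supplier master data.

Added example; not code from the original article or from Commerzbank.
All supplier, notification and QR data below is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

DUE_SOON_DAYS = 7  # assumption for "shortly before the due date"


def normalise_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A..Z to 10..35; the resulting number must leave remainder 1."""
    s = normalise_iban(iban)
    if not (15 <= len(s) <= 34 and s.isalnum() and s[:2].isalpha() and s[2:4].isdigit()):
        return False
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def parse_epc_qr(payload: str) -> dict[str, str]:
    """Beneficiary name, IBAN and amount from an EPC QR ("GiroCode") SEPA credit
    transfer payload: line 1 'BCD', line 4 'SCT', line 6 name, line 7 IBAN, line 8 amount.
    Assumption: the QR code on the invoice uses this format."""
    lines = payload.split("\n")
    if len(lines) < 7 or lines[0] != "BCD" or lines[3] != "SCT":
        raise ValueError("not an EPC SEPA credit transfer payload")
    amount = lines[7] if len(lines) > 7 else ""
    return {"name": lines[5], "iban": normalise_iban(lines[6]), "amount": amount}


@dataclass
class SupplierRecord:
    name: str
    country: str         # country of the registered office, e.g. "DE"
    iban: str
    contact_domain: str  # e-mail domain on file for this supplier


@dataclass
class Notification:
    sender_email: str
    stated_iban: str               # IBAN written in the letter, e-mail or invoice text
    received: date
    invoice_due: date | None
    invoice_reference: str | None
    qr_payload: str | None = None  # QR code printed on the invoice, if any


def assess_change(rec: SupplierRecord, n: Notification) -> list[str]:
    """Return the warning signs triggered; an empty list means none were."""
    flags: list[str] = []
    stored, stated = normalise_iban(rec.iban), normalise_iban(n.stated_iban)
    candidates = {stated}
    if n.qr_payload:
        qr_iban = parse_epc_qr(n.qr_payload)["iban"]
        if qr_iban != stated:  # printed details and QR code disagree
            flags.append(f"QR code pays to {qr_iban} but the invoice text states {stated}")
            candidates.add(qr_iban)
    new_ibans = [i for i in candidates if i != stored]
    if not new_ibans:
        return flags  # nothing in master data would change
    for iban in new_ibans:
        if not iban_is_valid(iban):
            flags.append(f"{iban} fails the IBAN checksum")
        elif iban[:2] != rec.country.upper():
            flags.append(f"{iban} is held in {iban[:2]}, supplier is registered in {rec.country}")
    sender_domain = n.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != rec.contact_domain.lower():
        flags.append(f"sender domain {sender_domain} is not the domain on file ({rec.contact_domain})")
    if n.invoice_due is not None and (n.invoice_due - n.received).days <= DUE_SOON_DAYS:
        flags.append(f"change arrived within {DUE_SOON_DAYS} days of the due date")
    if not n.invoice_reference:
        flags.append("notification carries no invoice reference")
    return flags


# Constructed sample data ---------------------------------------------------
SUPPLIER = SupplierRecord("Muster GmbH", "DE", "DE62 3704 0044 0532 0130 01", "muster-gmbh.example")
QR_GENUINE = "BCD\n002\n1\nSCT\n\nMuster GmbH\nDE89370400440532013000\nEUR1250.00\n\n\nInvoice 4711"
QR_FORGED = "BCD\n002\n1\nSCT\n\nMuster GmbH\nGB82WEST12345698765432\nEUR1250.00\n\n\nInvoice 4711"

GENUINE_CHANGE = Notification("accounting@muster-gmbh.example", "DE89 3704 0044 0532 0130 00",
                              date(2025, 3, 3), date(2025, 4, 2), "4711", QR_GENUINE)
SUSPECT_INVOICE = Notification("accounting@muster-gmbh-billing.example",  # look-alike domain
                               "DE62 3704 0044 0532 0130 01",             # text still shows the known IBAN
                               date(2025, 3, 28), date(2025, 3, 31), None, QR_FORGED)  # only the QR was swapped

if __name__ == "__main__":
    for label, note in (("genuine change", GENUINE_CHANGE), ("suspect invoice", SUSPECT_INVOICE)):
        print(label, "->", assess_change(SUPPLIER, note) or ["no warning signs"])
```

For the suspect invoice the text still shows the known IBAN, so a clerk comparing only the printed details would see nothing wrong; the swapped QR code, the look-alike domain, the timing and the missing reference together produce five flags, while the genuine change produces none. Any non-empty result should route the record to the verification process rather than straight into the ERP system.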
Prevention, How can Payment Diversion be prevented?
Payment diversion attacks can be effectively mitigated through technical safeguards, clearly defined verification processes, and heightened employee awareness of cyber risks. The following measures significantly reduce risk:
1. IT Security and protection against BEC attacks
Business Email Compromise (BEC) presents one of the greatest risks associated with Payment Diversion. Unlike traditional phishing, fraudsters use legitimate email accounts they have compromised previously.
- Protect email accounts with strong passwords and two-factor authentication, and protect your email domains against spoofing with the standard sender-authentication mechanisms (SPF, DKIM and DMARC).
- Use encrypted email communication and monitor mailboxes for suspicious activity.
2. Careful verification of bank details
- Confirm a new supplier's bank details independently, ideally in a direct conversation with a known contact.
- Investigate anomalies such as differing amounts, last-minute changes to account details or unusual phrasing. Bear in mind that the master data itself may already have been manipulated; a change log recording who altered which record and when makes such tampering traceable.
- If in doubt, call the sender on the official contact number you already have on file; never use contact details taken from the message itself.
3. Caution with QR Codes and Links
- Manipulated QR codes and embedded links are commonly used in Payment Diversion schemes. Before paying, check that the bank details encoded in a QR code or link match the data on file.
4. Unified procedures for master data changes
Because bank account details and delivery addresses rank among the most sensitive company data:
- Approve master data changes exclusively through defined processes and the four-eyes principle—no matter how urgent they may appear.
- Seek confirmation for every modification request via an independent channel (e.g. a callback to a contact number already on file).
- Review internal processes for altering customer or employee details.
- Transparently document each change to ensure traceability.
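One way to enforce the four points above in an accounting workflow, together with the change tracking recommended under point 2, is to model each bank-detail change as a request that must pass an independent callback and a second approver before it is written to master data, with every step recorded in a log that cannot be altered afterwards without detection. The Python below is an added example, not code from the original page or from Commerzbank; the status names, roles, the hash-chained audit log and the sample supplier data (including the phone number) are this example's own constructions.

```python
"""Four-eyes workflow for bank-detail changes: independent callback, second approver,
tamper-evident audit trail. Added example; not code from the original article or from
Commerzbank. Status names, roles, the hash-chained log and the sample data (including
the phone number) are constructed for this example."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

class WorkflowError(Exception):
    """Step attempted out of order, by the wrong person or via the wrong channel."""

@dataclass
class ChangeRequest:
    request_id: str
    supplier_id: str
    field_name: str
    old_value: str
    new_value: str
    requested_by: str
    status: str = "submitted"  # submitted -> confirmed -> approved -> applied
    confirmed_by: str | None = None
    approved_by: str | None = None

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry hashes the previous one, so a later edit to or
    removal of any entry is detected by verify()."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, event: str, req: ChangeRequest, actor: str, note: str = "") -> None:
        body = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                "request": req.request_id, "supplier": req.supplier_id, "field": req.field_name,
                "old": req.old_value, "new": req.new_value, "actor": actor, "note": note,
                "prev": self.entries[-1]["hash"] if self.entries else "0" * 64}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

class MasterDataChanges:
    """master_data maps supplier_id -> {field: value}; it must hold the phone number on file."""

    def __init__(self, master_data: dict, log: AuditLog) -> None:
        self.master, self.log = master_data, log

    def submit(self, request_id, supplier_id, field_name, new_value, actor) -> ChangeRequest:
        req = ChangeRequest(request_id, supplier_id, field_name,
                            self.master[supplier_id][field_name], new_value, actor)
        self.log.record("submitted", req, actor)
        return req

    def confirm_by_callback(self, req, actor, number_dialled) -> None:
        """Independent channel: dial the number already on file, never one from the notice."""
        if req.status != "submitted":
            raise WorkflowError(f"cannot confirm a request in status {req.status}")
        on_file = self.master[req.supplier_id]["phone"]
        if number_dialled != on_file:
            raise WorkflowError("callback must use the contact number on file")
        req.confirmed_by, req.status = actor, "confirmed"
        self.log.record("confirmed", req, actor, note=f"callback to {on_file}")

    def approve(self, req, actor) -> None:
        """Four-eyes principle: the approver must not be the person who entered the request."""
        if req.status != "confirmed":
            raise WorkflowError("approval requires a prior independent confirmation")
        if actor == req.requested_by:
            raise WorkflowError("approver must differ from the requester")
        req.approved_by, req.status = actor, "approved"
        self.log.record("approved", req, actor)

    def apply(self, req, actor) -> None:
        if req.status != "approved":
            raise WorkflowError("only approved requests may be written to master data")
        self.master[req.supplier_id][req.field_name] = req.new_value
        req.status = "applied"
        self.log.record("applied", req, actor)

def run_demo() -> tuple[dict, AuditLog]:
    """Constructed happy path: notice entered by clerk.a, callback, approval by manager.b, write."""
    master = {"S-1001": {"iban": "DE62370400440532013001", "phone": "+49 221 0000000"}}
    log = AuditLog()
    wf = MasterDataChanges(master, log)
    req = wf.submit("CR-1", "S-1001", "iban", "DE89370400440532013000", "clerk.a")
    wf.confirm_by_callback(req, "clerk.a", "+49 221 0000000")  # number from master data, not from the letter
    wf.approve(req, "manager.b")  # a second person; clerk.a approving would raise WorkflowError
    wf.apply(req, "clerk.a")
    return master, log
```

The order of the checks is the point: a request cannot be applied before it is approved, cannot be approved before an independent callback, and the callback is only accepted if it went to the number already in master data. The "urgent" notice that arrives with its own phone number therefore cannot short-circuit the process, and because each log entry commits to the previous one, a later edit to the history (say, rewriting the old IBAN to hide a tampered record) is caught by `verify()`.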
5. Timely submission of payments
- Do not submit payments just before the cut-off time; leaving a margin gives your bank time to alert you if it suspects fraud.
- Use additional safeguards such as Verification of Payee, which compares the payee name you enter with the name held by the payee's bank; it is available from 9 October 2025.
6. Employee Awareness
Technical measures alone are insufficient. People form the critical line of defence:
- Staff—especially those in accounting, HR, and procurement—should be regularly trained to stay informed about fraud tactics like Payment Diversion.
- Foster a culture in which employees feel free to ask questions when uncertain, without fear of repercussions.
Responding to Incidents, What can victims of Payment Diversion do?
1. Collect evidence
Gather and document all evidence of the fraud, including emails, letters, faxes and bank statements. These materials are essential for the investigation and for any legal action.
2. Inform your bank
Notify your bank immediately so that it can initiate appropriate measures. Contact your corporate client adviser or call the Commerzbank corporate clients hotline on +49 69 1368 0527 (English) or +49 69 1362 6360 (German), Monday to Friday, 8:00 AM to 6:00 PM.
3. Contact the police
File a report, either with your local police station in Germany or with the Cybercrime Contact Centre (ZAC) of your federal state, and submit all evidence with it.
Commerzbank at your side, What we do for your security in the corporate client portal
High-security standards
The corporate client portal and its various applications are regularly tested and reviewed by security teams during development.
Deactivating fraudulent phishing websites
Although we cannot prevent phishing emails from arriving in your inbox, we ensure that the fraudulent websites linked within such emails are deactivated promptly in most cases.
Two-factor authentication
Access to our online portal is protected by two-factor authentication (2FA). Although 2FA cannot completely prevent phishing, it significantly strengthens the protection of your account.
Personal advice
If you have any questions or security concerns, please contact your dedicated corporate client adviser directly.