Invoice & Payment Scam Controls Pack

A simple policy + callback script + approval workflow to reduce invoice fraud.

Goal

Stop “bank detail change” fraud and urgent-payment social engineering with a small, auditable process that suits SMEs.

1) Minimum policy (1 page)

Policy statement: Any supplier bank detail change must be verified by a call-back to a known number before payment.

Scope: all suppliers, contractors, and one-off invoices.
Rule 1: No bank changes accepted via email alone.
Rule 2: Two-person approval required for payments above $____ (or any and all payments).
Rule 3: Urgent requests must be verified using an alternate channel (phone, in-person, known portal).

2) Call-back script (copy/paste)

Use a phone number you already have on file (previous invoice, website, contract). Do not use the number in the email.

Script:

“Hi, it’s [Name] from [Company]. We received a message saying your bank details have changed. Before we update anything, can you confirm: (1) your legal entity name, (2) last invoice number we paid, and (3) the new bank account details - and can you also confirm the request was authorised by [Contact Name]?”

If they hesitate or can’t confirm: “No worries - we’ll hold payment until we confirm via your account manager / another verified contact.”

3) Bank detail change form (internal record)

Field	Value
Supplier name	________________________________
Old account (last 4 digits)	________________________________
New account	________________________________
Request received via	Email / Portal / Phone / Other
Call-back verified by	________________________________
Verification number source	Previous invoice / Contract / Website / Other
Date & time verified	________________________________
Approver #1	________________________________
Approver #2 (if required)	________________________________

4) “Red flags” cheat sheet

“We’re changing banks today / urgent payment due now.”
Any pressure to bypass normal approval steps.
Different tone/grammar from the usual contact.
Reply-to address differs from sender.
Attachment requires enabling macros or entering a password.

5) Optional controls (strongly recommended)

DMARC/SPF/DKIM for your domain to reduce spoofing.
Mailbox rules monitoring in M365 (forwarding + suspicious inbox rules).
Finance mailbox separation (limited access, hardened MFA, no shared accounts).

Note: This document is general operational guidance and does not replace legal advice. It helps you establish a practical baseline and reduce common privacy risks.

👉 Free 30-minute consultation

No hard sell - just clarity and practical next steps.

hello@virtusgroup.biz
virtusgroup.co.nz
0800 847 887 (VIRTUS)

Book now