Mandate Fraud UK: How Scammers Steal Direct Debit Access
Criminals are impersonating your trusted suppliers to hijack your direct debit payments—here's how to protect your business.
What is this scam?
Mandate fraud is a targeted scam where criminals impersonate a legitimate supplier, contractor, or service provider your business already pays by direct debit. The fraudster contacts you claiming there has been a change—perhaps a bank account change, system upgrade, or billing restructure—and asks you to authorise a new direct debit mandate or update your existing one. The new instructions point to the scammer's bank account instead of your genuine supplier's account. Once approved, your regular payments flow straight to the criminal, who disappears with the money.
This scam works because it exploits trust: you already have an established payment relationship with the supplier, so the request seems routine. The fraud often goes undetected for weeks or months because invoices and statements may not trigger immediate alarm. Common targets include small and medium-sized businesses that process multiple supplier payments and may not reconcile direct debits line-by-line.
Warning signs to look for
- The request comes via email, phone, or text from an unfamiliar sender, even if they cite your supplier's name—legitimate providers rarely contact you to change payment methods without warning.
- Urgent language or a tight deadline ('update needed by Friday' or 'system maintenance window closing') designed to bypass your normal approval process.
- The sender asks you to click a link or download a form to update your details, rather than directing you to your supplier's official online portal or asking you to call their main number.
- Bank account details include a different sort code or account holder name than your existing records, or the name is vague (e.g. 'XYZ Services Ltd' instead of the full registered company name).
- The request arrives outside normal business hours or during a quiet period when senior staff who would normally verify it are absent.
- The email address looks almost correct but has a subtle difference—for example, 'suppplier.com' instead of 'supplier.com', or a domain from a free email service rather than the company's official domain.
- Your supplier's official website or recent invoice shows a completely different payment address or bank account to the one in the request.
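The sender-domain and bank-detail warning signs above can be screened automatically before anyone makes the verification call. The following Python is an added example, not part of the original article; the supplier record, the request, the free-mail list and the edit-distance threshold of 2 are constructed assumptions.

```python
# Added example: screen a mandate-change request against the supplier record on file.
# The record, the request and the free-mail list are constructed for illustration.

FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}  # assumed, partial

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def digits(value):
    """Keep only digits so '00-00-00' and '000000' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())

def screen_request(request, record):
    """Return warning flags; an empty list still requires the phone call-back."""
    flags = []
    domain = request["sender"].rsplit("@", 1)[-1].lower().rstrip(".")
    known = record["domain"].lower()
    if domain in FREE_MAIL:
        flags.append("free-mail sender")
    elif domain != known:
        # Threshold of 2 is an assumption: catches 'suppplier.com' vs 'supplier.com'.
        near = edit_distance(domain, known) <= 2
        flags.append("lookalike domain" if near else "unknown sender domain")
    if digits(request["sort_code"]) != digits(record["sort_code"]):
        flags.append("sort code differs from record")
    if digits(request["account"]) != digits(record["account"]):
        flags.append("account number differs from record")
    if request["holder"].strip().casefold() != record["holder"].strip().casefold():
        flags.append("account holder name differs from record")
    return flags

# Constructed supplier master record and constructed incoming request.
RECORD = {"domain": "supplier.com", "holder": "Supplier Trading Limited",
          "sort_code": "00-00-00", "account": "00000000"}
REQUEST = {"sender": "accounts@suppplier.com", "holder": "XYZ Services Ltd",
           "sort_code": "11-11-11", "account": "11111111"}

if __name__ == "__main__":
    for flag in screen_request(REQUEST, RECORD):
        print("WARNING:", flag)
```

A clean result only means none of these specific signs fired; a spoofed message can carry the genuine domain, so the independent call to the supplier's known number still applies.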
How this scam works step by step
The scammer begins by researching your business and identifying which suppliers you pay regularly—they may find this from leaked invoices, public procurement records, LinkedIn, or simply by making educated guesses based on your industry. They then craft a message impersonating that supplier, often using a spoofed email address or a lookalike domain. The message is carefully designed to feel routine: it might mention a 'bank account migration', 'system consolidation', or 'payment processing update'. The fraudster provides new direct debit details and asks you to sign a mandate form (or authorise the change through a link).
Because the request seems to come from a trusted, established supplier, and because mandate changes do occasionally happen in real business, many businesses approve it without deep verification. Within days, your next scheduled payment leaves your account and goes to the scammer's bank instead. This might be a weekly, monthly, or quarterly payment—sometimes thousands of pounds.
The fraud often remains hidden for one, two, or even three payment cycles because your supplier doesn't immediately chase for payment (they assume the new bank details are correct), and your finance team doesn't spot the discrepancy if they're not carefully matching invoices to payments. By the time the real supplier notices non-payment and contacts you, the scammer has already emptied the account and closed it.
How to verify if it is genuine
Stop and verify before actioning any mandate change request. First, do not use contact details from the email or message itself—instead, look up your supplier's phone number from a recent invoice, their official website, or your existing records, and ring them directly. Ask explicitly: 'Have you requested a mandate change, and if so, what are the new bank details?' A genuine supplier will confirm or deny instantly. Second, log into your own direct debit management system (your bank's online portal or your accounting software) and check your current active mandates against your records.
If you spot a pending change you don't recognise, cancel it immediately and contact your bank. Third, ask your supplier to confirm the change through your established communication channel—if you normally email your contact person, email them (using an address from your records), don't reply to a suspicious email. Fourth, if the request mentions a link or form, open your bank's or your supplier's official website directly (by typing the address in, not clicking the link) and see if a legitimate mandate change process is running. Genuine mandate changes are usually handled through secure, authenticated portals, not via email links.
If anything feels rushed or off, delay the approval and verify independently.
What to do if you have already interacted
Act immediately if you suspect you have approved a fraudulent mandate. First, log into your bank account right now and check your recent and scheduled payments. If a fraudulent direct debit has already been processed, contact your bank's fraud team without delay—they can often freeze the payment or initiate a recall if caught within one or two days. Second, cancel the fraudulent mandate in your bank's system yourself (most online banking portals allow you to cancel direct debits instantly).
Third, if money has left your account, ask your bank to raise a chargeback claim—direct debit fraud often qualifies for full recovery under the Direct Debit Guarantee if reported quickly. Fourth, contact your real supplier immediately and explain what happened. Let them know their name was impersonated and that a fraudulent mandate was set up; they may need to notify their bank and potentially flag the fraud to their own systems. Fifth, report the fraud to Action Fraud and your bank's fraud reporting team.
Sixth, check whether the fraudster gained access to any other sensitive business information—if they phoned you, they may have noted other supplier payment details. Finally, review your internal approval process: implement a rule that all mandate changes must be verified by calling the supplier's main number and must be approved by at least two staff members.
Reporting this scam in the UK
Report mandate fraud to Action Fraud immediately by calling 0300 123 2040 or visiting their online reporting portal at actionfraud.police.uk. Provide them with copies of the fraudulent email, the new bank details you were asked to approve, and any timeline of when money was diverted. Also report the fraud directly to your bank's fraud team—they will investigate the receiving bank account and may be able to freeze or recover funds before the scammer withdraws them.
If you received a fraudulent email, forward it to the National Cyber Security Centre's Suspicious Email Reporting Service at report@phishing.gov.uk; this helps track phishing and impersonation campaigns. If the scam arrived via text message, forward it to 7726 (Spam). Inform your supplier's security team or fraud department that their name has been impersonated, so they can alert their other customers and their bank. Consider also alerting Citizens Advice consumer helpline on 0808 223 1133 if you need support or guidance on recovery options.
Keep detailed records of all correspondence, timelines, and evidence—your bank will need this for any chargeback or recall claim, and Action Fraud will use it to build a picture of the scam network.
Frequently asked questions
Is the supplier whose name was used in the scam illegitimate, or is this always a separate fraud?
The supplier whose name appears in the scam is almost always legitimate—that's the whole point. Criminals choose real suppliers your business already pays because it lowers suspicion. The fraud is committed by a third party impersonating that supplier, not by the supplier themselves. However, always verify directly with the supplier to be absolutely certain.
What should I do if money has already been transferred to the scammer's account?
Contact your bank's fraud team immediately—most banks can freeze or recall payments within 24–48 hours if you report quickly. Ask your bank to raise a Direct Debit Indemnity claim (you are usually protected under the Direct Debit Guarantee). Also contact your own bank to attempt a chargeback. Report the fraud to Action Fraud and provide your bank with the fraudulent bank account details so they can trace and potentially recover funds before the scammer empties the account.
If I've approved a mandate change, how do I know if the payment has actually gone to a scammer's account or if it was a false alarm?
Check your bank statement and look for any payment to the new bank account you authorised. Cross-reference the new account details against your supplier's official invoice or website. Call your supplier directly and ask them to confirm their correct bank account details. If the account you were given doesn't match, or if your supplier denies requesting a change, the mandate is fraudulent—cancel it immediately and report it.
How do I report mandate fraud and what should I tell the police?
Report to Action Fraud on 0300 123 2040 or at actionfraud.police.uk. Provide your case number, the date you became aware of the fraud, the supplier's name, the fraudulent bank details you were given, any money transferred, copies of the fraudulent email or message, and your supplier's correct bank details. Also report directly to your bank and to the National Cyber Security Centre's Suspicious Email Reporting Service at report@phishing.gov.uk if the contact was by email.