The most reliable way to prevent mistaken B2B bank transfers is to confirm that a payee's bank account actually belongs to your intended supplier before money leaves your account, and to re-verify whenever those details change.
A mistaken transfer is any payment that lands in the wrong account. Sometimes that happens because a criminal has redirected it, but sometimes it's just old-fashioned human error: it might happen because a digit was transposed, an old account was never deactivated, or a supplier's details were updated from a request no one checked.
While one starts in good faith, both end the same way: funds sitting in an account you didn't intend to pay, and a recovery process that rarely returns the full amount.
This article explains how supplier bank account verification closes that gap, what good practice looks like in 2026, and the specific controls finance teams can put in place this quarter.
What counts as a mistaken B2B bank transfer?
A mistaken B2B bank transfer falls into two categories, and finance teams need controls for both.
The first is fraud-driven. A criminal compromises or impersonates a supplier's email, sends a "we've changed banks" request or a doctored invoice, and your payment is redirected to an account they control. This is payment redirection, also known as business email compromise (BEC), and it is one of the most damaging scams impacting Australian businesses. It cost them $166.8 million in 2025, up 9.3% on the prior year and part of $2.18 billion in total reported scam losses, as tracked in Eftsure's Payment Fraud Index and reported by the ACCC's National Anti-Scam Centre.
The second is error-driven, and it gets far less attention. An accounts payable officer keys an account number incorrectly. A supplier's banking details change legitimately but the master file is never updated, so a payment goes to a closed account. A duplicate supplier record carries stale details, which often happens when inconsistent naming sets the same supplier up twice in the master file. No criminal is involved, but the money still goes to the wrong place, and once a payment settles it is just as hard to claw back.
The reason to treat them together is simple: the control that stops one stops the other. If you confirm the account belongs to the right supplier before you pay, it does not matter whether the wrong details came from a fraudster or a typo.
Why mistaken transfers are getting harder to catch in 2026
Two forces are widening the gap between the threat and the controls most teams rely on.
AI has removed the friction that used to make redirection attempts easy to spot. Convincing invoices, cloned email threads, and voice that sounds like a known contact can now be generated in minutes, which means the old tells (poor grammar, an odd tone) no longer hold. Eftsure's 2026 AU payment security survey found that 90% of Australians believe AI-generated scams are harder to detect than traditional ones, and that confidence gap matters because the request to change bank details now looks exactly like a routine one.
At the same time, payment volume and supplier counts keep climbing, and error scales with both. Every new supplier, every bank change, and every rushed pay run is another chance for a wrong number to slip through. When staff feel pressured to process payments quickly, controls that depend on someone slowing down to make a phone call are the first thing to get skipped.
Why most existing controls fall short
Most teams already do something to check payee details. The problem is that the common approaches each protect one moment, not the whole payment.
Email confirmation is the weakest link, because email is the same channel the fraud travels through. Replying to a change request to "confirm" only confirms it with whoever controls that inbox.
Manual callbacks are better, but they rely on calling a number from the file (which a fraudster may have changed) and on a person having time to do it every time. They also do nothing for honest data-entry errors, because the caller is verifying the change, not the keystroke.
Bank-provided checks confirm an account is valid and, in some cases, that the name roughly matches. They do not confirm that the account belongs to the specific, legitimate business you onboarded, and they do not monitor that relationship over time.
The shortfall is structural, not a failure of effort. Fraud and error both exploit the gaps between disconnected checks. This is why even finance teams with mature controls and fraud prevention software still watch money leave for the wrong account: most payment protection software validates the transaction, not whether the destination account belongs to the intended supplier.
How supplier bank account verification works
Supplier bank account verification (also called payee verification) confirms three things before a payment is released: that the supplier is a legitimate, registered business, that the bank account is real and active, and that the account actually belongs to that supplier rather than to someone impersonating them.
Done well, it has four characteristics:
- It happens before payment, not after. Verification is a pre-payment control, applied at onboarding and again at every bank-detail change, so a wrong account is caught before funds move.
- It validates ownership, not just validity. The check answers "does this account belong to this supplier?" rather than only "is this a working account?"
- It works outside email. Confirmation is independent of the channel the request arrived through, which is what defeats redirection attempts.
- It is continuous. Supplier details are monitored over time and re-checked when they change, so a record that was correct last year is not trusted blindly today.
This is what turns verification from a one-off onboarding step into an ongoing control across the full payment lifecycle.
Steps to prevent mistaken B2B transfers
Finance teams can put the following controls in place without waiting for a system overhaul:
- Verify bank details through a second, independent channel every time they are set up or changed, never by replying to the email that requested the change.
- Treat any "urgent" bank-change request as higher risk, not higher priority, and route it through the same verification regardless of who appears to have sent it.
- Make verification a required step before a supplier can be paid, not an optional check an officer can skip under time pressure.
- Keep one source of truth for supplier banking data, and remove duplicate or dormant records that carry stale details.
- Re-verify existing suppliers periodically, because details that were accurate at onboarding drift over time.
- Give the person approving the payment the verification result at the moment of approval, so the decision is made with context rather than assumption.
How Eftsure helps finance teams prevent errors and fraud
Eftsure applies these controls automatically, which matters because manual verification is exactly the step that gets skipped when teams are busy. Eftsure is an end-to-end payment assurance solution that cross-checks supplier and bank account details against multiple independent, authoritative sources before a payment is released, and flags risk to the person approving the pay run in real time. It safeguarded more than $288b in B2B payments last year.
The point worth stressing for any finance leader is that this catches honest mistakes as well as fraud. A transposed account number, a payment set up against a closed account, or a duplicate supplier record with outdated details is surfaced before the money moves, the same way an impersonation attempt is. Verified payments are also backed by a guarantee of up to $1 million per customer, subject to Eftsure's standard terms and conditions.
If you want to see how verification fits your existing AP workflow, you can request a demo.
The question for 2026 is not whether your team is careful. It is whether a single careful person, on a busy day, is the only thing standing between a payment and the wrong account.
