Wednesday, December 24, 2025

In recent months there has been an increase in invoice fraud (a form of business email compromise): attackers alter the banking details on an invoice (IBAN, SWIFT/BIC and/or beneficiary name) while keeping the document visually almost identical to the original. In most cases the bank itself is not compromised. What is compromised is the communication channel (a mailbox on either side of the correspondence, ours or the partner's) or the device (the Windows computer) used to receive, process, and approve invoices and payments.

This policy establishes mandatory rules and procedures to reduce risk, with a specific focus on SWIFT payments.


1) Mandatory rules when receiving an invoice

An invoice is considered valid only if the banking details (IBAN/SWIFT/BIC, bank, country, and beneficiary name) fully match the contract and/or previously verified invoices from the same partner.

Any request to change IBAN/SWIFT/bank/country must be treated as high risk, and processing must be stopped until formal verification is completed.

A change of banking details must never be accepted based on email alone, without additional, independent confirmation.


2) Verification procedure for IBAN/SWIFT changes (mandatory call-back)

If an invoice contains new banking details, or an email is received claiming “the bank details have changed,” the following steps are mandatory:

  • Immediately stop invoice processing.

  • Perform a call-back to a previously known phone number:

    • a number from the contract, prior official communication, or the company’s official website;

    • never a number taken from the suspicious email itself, or from a signature block that appears for the first time.

  • Request written confirmation via an official channel, such as:

    • a contract addendum, an official letter, or a stamped and signed confirmation.

  • If there is no clear and verifiable confirmation → do not execute the payment.


3) Dual control for SWIFT payments (“four-eyes principle”)

Every SWIFT payment must pass two independent checks:

  • Initiator (prepares the payment), and

  • Approver (reviews and gives final approval).

The Approver must verify:

  • whether IBAN/SWIFT/bank/country matches the contract and payment history;

  • whether the invoice was sent from the correct email address and correct domain (check the actual address after the @, not the display name; note that a correct sender address does not rule out a compromised partner mailbox, so the banking-detail match remains decisive);

  • whether any warning signs exist (urgency, bank change, unusual explanations).

For the first transfer to a new beneficiary, an additional verification is required:

  • extra verification of the company and its contacts, and if practical a small test transfer, with receipt confirmed by call-back rather than by email (an email confirmation can come from the same compromised mailbox that sent the invoice).


4) Red flags (process must be stopped)

Stop the process and initiate verification if any of the following occur:

  • urgent pressure (“pay today,” “urgent,” “final deadline”);

  • change of IBAN/SWIFT, bank, or country without a formal document;

  • email from a look-alike domain (e.g., company-pay.com instead of company.com);

  • small spelling differences in the sender address/signature;

  • an invoice that looks identical, but the banking details are new;

  • a request to pay to another country/bank without prior official notice.
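The two email-based red flags above (a look-alike domain such as company-pay.com, and small spelling differences in the sender address) can be checked mechanically before a human ever looks at the invoice. The following is an added example, not part of the original policy: it takes a raw From header and the partner's known domains, ignores the display name, and reports "match", "lookalike" or "different" with the reasons. The public-suffix table and the confusable-character table are deliberately small, constructed for the example, and would be extended in production.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Public suffixes that take two labels (simplified stand-in for the public-suffix list).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.za", "com.br", "co.jp"}

# Constructed table of characters and digraphs used to imitate a name; the second
# row is Cyrillic letters that render identically to their Latin counterparts.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def split_domain(domain: str):
    """Return (name, public suffix) of a domain, e.g. ('company', 'co.uk')."""
    labels = domain.lower().strip().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def skeleton(name: str) -> str:
    """Fold a name into a crude 'confusable skeleton' so that imitations compare equal."""
    folded = unicodedata.normalize("NFKD", name.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES.items():
        folded = folded.replace(src, dst)
    return re.sub(r"[^a-z0-9]", "", folded)


def assess_sender(header_from: str, trusted_domains) -> dict:
    """Classify the real sender domain against the partner's known domains.

    verdict is "match", "lookalike" or "different". The display name is ignored on
    purpose: only the address after '@' is compared, since the name is attacker-chosen.
    """
    display_name, address = parseaddr(header_from)
    if "@" not in address:
        return {"verdict": "different", "domain": "", "display_name": display_name,
                "reasons": ["no parsable address"]}
    domain = address.rsplit("@", 1)[1].lower()
    s_name, s_suffix = split_domain(domain)
    result = {"verdict": "different", "domain": domain,
              "display_name": display_name, "reasons": []}
    for trusted in trusted_domains:
        t_name, t_suffix = split_domain(trusted)
        if (s_name, s_suffix) == (t_name, t_suffix):
            return {**result, "verdict": "match", "reasons": []}
        if s_name == t_name:
            result["reasons"].append(f"same name, different suffix (.{s_suffix} vs .{t_suffix})")
        elif skeleton(s_name) == skeleton(t_name):
            result["reasons"].append(f"confusable characters imitate {trusted}")
        elif t_name in s_name:
            result["reasons"].append(f"trusted name embedded in {domain}")
        else:
            ratio = SequenceMatcher(None, s_name, t_name).ratio()
            if ratio >= 0.8:
                result["reasons"].append(f"{ratio:.2f} string similarity to {trusted}")
    if not domain.isascii():
        result["reasons"].append("non-ASCII characters in domain")
    if result["reasons"]:
        result["verdict"] = "lookalike"
    return result


if __name__ == "__main__":
    # Constructed headers; "company.com" stands in for a real partner's domain.
    for header in ("Accounts Payable <billing@company.com>",
                   "Accounts Payable <billing@company-pay.com>",
                   "billing@cornpany.com",
                   "billing@comp\u0430ny.com"):
        print(header, "->", assess_sender(header, ["company.com"]))
```

Any "lookalike" verdict is an automatic stop under section 4; a "match" only means the domain is right, not that the mailbox is uncompromised. Legitimate subsidiaries or billing providers that would otherwise trip the embedded-name rule belong in the trusted list for that partner.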


5) Windows device security (where payments are performed)

SWIFT payments and invoice processing are allowed only from a trusted device under these conditions:

  • Windows and Microsoft Office must be regularly updated (automatic updates enabled).

  • Microsoft Defender or a corporate EDR must be active, with cloud protection enabled.

  • Use of cracked software and unverified add-ons/extensions is prohibited.

  • Passwords must not be stored in Notes, Excel, or text files—use a password manager.

  • Remote access (AnyDesk/TeamViewer/RDP) is allowed only with approval and supervision; if not necessary, it must be disabled.


6) Email and cPanel security (mandatory)

To reduce the risk of intercepting and manipulating invoices:

  • Where available, 2FA/MFA is mandatory for:

    • email accounts (Microsoft 365/Gmail/other providers), and

    • cPanel (and other business systems, where applicable).

  • Regularly review:

    • forwarding rules and filters,

    • unknown logins and active sessions,

    • password changes and new users/access.

  • Email domains must have SPF, DKIM and DMARC configured and enforcing where applicable. A DMARC record with p=none only reports and does not block spoofing; the target is p=quarantine or p=reject at pct=100. Note that these records protect our own domain from being spoofed; they do not validate a partner's invoices unless the partner's domain enforces them too.
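To make "configured and active" verifiable, the records can be pulled with dig (for example `dig +short txt company.com`, `dig +short txt _dmarc.company.com`, `dig +short txt <selector>._domainkey.company.com`) and then judged. The evaluator below is an added example, not part of the original policy; it works on record strings so it runs offline, and the two sets of records at the bottom are constructed to show a monitor-only domain next to an enforcing one. The SPF lookup count only covers the terms in the record itself; nested includes are not followed.

```python
"""Evaluate SPF / DKIM / DMARC TXT records for an outbound mail domain."""

# SPF mechanisms and modifiers that each cost one DNS lookup (limit is 10).
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}


def parse_tags(record: str) -> dict:
    """Parse 'k=v; k=v' tag-value records (DMARC, DKIM); later duplicates win."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(record: str) -> dict:
    """Judge an SPF record by its 'all' qualifier and its direct DNS-lookup terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"present": False, "all": None, "lookups": 0, "issues": ["no v=spf1 record"]}
    issues, qualifier, lookups = [], None, 0
    for term in terms[1:]:
        body = term.lstrip("+-~?").lower()
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if body == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    if qualifier is None:
        issues.append("no 'all' term: unlisted senders get a neutral result")
    elif qualifier == "+":
        issues.append("'+all' authorises every sender in the world")
    elif qualifier == "?":
        issues.append("'?all' is neutral, equivalent to no policy")
    elif qualifier == "~":
        issues.append("'~all' is softfail only; enforcement must come from DMARC")
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return {"present": True, "all": qualifier, "lookups": lookups, "issues": issues}


def evaluate_dmarc(record: str) -> dict:
    """Judge a DMARC record: only p=quarantine/reject at pct=100 actually blocks spoofing."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"present": False, "enforcing": False, "issues": ["no v=DMARC1 record"]}
    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()
    pct = int(tags.get("pct") or 100)
    issues = []
    if policy == "none":
        issues.append("p=none only reports; spoofed mail is still delivered")
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only part of the mail")
    if subdomain_policy == "none" and policy != "none":
        issues.append("sp=none leaves subdomains spoofable")
    if "rua" not in tags:
        issues.append("no rua= address: nobody receives aggregate reports")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"present": True, "policy": policy, "pct": pct, "enforcing": enforcing, "issues": issues}


def evaluate_dkim(record: str) -> dict:
    """Judge a DKIM selector record: an empty p= means the key has been revoked."""
    tags = parse_tags(record)
    issues = []
    if not tags.get("p"):
        issues.append("empty p=: selector revoked, signatures will not verify")
    if "y" in tags.get("t", "").lower().split(":"):
        issues.append("t=y testing mode: verifiers may ignore failures")
    return {"present": bool(tags.get("p")), "issues": issues}


def posture(spf: dict, dmarc: dict) -> str:
    """Overall verdict for the domain from the SPF and DMARC evaluations."""
    if dmarc.get("enforcing"):
        return "enforcing"
    if dmarc.get("present") or (spf.get("present") and spf.get("all") in ("-", "~")):
        return "monitor-only"
    return "unprotected"


# Constructed example records (not real DNS data); company.com is a placeholder.
WEAK = {"spf": "v=spf1 include:spf.example-mailhost.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@company.com"}
STRONG = {"spf": "v=spf1 include:spf.example-mailhost.net -all",
          "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@company.com"}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("strong", STRONG)):
        spf, dmarc = evaluate_spf(recs["spf"]), evaluate_dmarc(recs["dmarc"])
        print(label, posture(spf, dmarc), spf["issues"], dmarc["issues"])
```

The WEAK set is what many domains look like after a first setup: SPF with softfail and DMARC in monitoring mode, which blocks nothing. Moving to the STRONG set is what "active" means in the bullet above; do it only after the aggregate reports show all legitimate senders passing, or the next step quarantines your own invoices.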


7) Procedure in case of suspected fraud or compromise

If suspicion exists (or if a payment has already been executed), act immediately:

  • Stop further payments and approvals related to the case.

  • If payment was executed: urgently contact the bank for recall/trace and file a fraud report.

  • Reset passwords immediately, revoke active sessions and app passwords (a password change alone does not log out an attacker who already holds a session), and enable 2FA wherever possible.

  • Review email forwarding/filter rules and active sessions.

  • Perform an IT security check of the device (malware scan/EDR) and isolate it if needed.


Practical rule (for everyone)

“If banking details have changed, do not pay until the change is confirmed by phone using a previously known number and supported by formal written confirmation.”


Appendix: Quick cPanel check for forwarding and filters related to “invoice/payment/swift”

1) Check forwarding (Forwarders)

cPanel → Email → Forwarders

  • Check for unknown forwards (e.g., business mailbox forwarding to a private Gmail/Outlook address).

  • Check for a Domain Forwarder (forwarding for the entire domain). If it was not intentionally set and verified, treat it as an alert.

  • If suspicious: delete the forward immediately and reset the password of the affected mailbox (and if needed, the cPanel user).

2) Check email filters (Email Filters)

cPanel → Email → Email Filters

Check:

  • domain-level filters (if present), and

  • mailbox-specific filters (billing/finance/accounting).

Search for rules whose conditions match: invoice, payment, swift, iban, bank (and the equivalents in the partner's language).
High-risk actions include: Redirect (deliver to another address), Discard/Fail/Delete, Pipe to a program, moving messages into Trash, Junk or a rarely opened folder, or marking them as read. A rule that redirects all mail, even without keywords, is equally suspicious.

3) Check webmail filters (Roundcube/Horde)

cPanel → Email Accounts → Check Email (Webmail)

  • Roundcube: Settings → Filters

  • Horde: Mail → Filters / Filter Rules

Look for rules that move/hide emails or process messages containing invoice/payment/swift keywords.

4) Check critical mailboxes

For billing@, finance@, accounting@, verify:

  • whether there is a forwarder,

  • whether there are filters in cPanel,

  • whether there are filters in webmail.
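The same checks can be run against the files behind the cPanel screens, which is faster across many mailboxes and also catches what the UI does not show. This is an added example, not part of the original policy. It assumes the usual cPanel locations (forwarders in /etc/valiases/<domain>, domain-level filters in /etc/vfilters/<domain>, mailbox-level filters in /home/<user>/etc/<domain>/<mailbox>/filter), which should be confirmed on the server in question; the two samples embedded below are constructed in those formats, not taken from a real system, and company.com stands in for the organisation's own domain.

```python
import re

KEYWORDS = ("invoice", "payment", "swift", "iban", "bank")
OWN_DOMAINS = {"company.com"}  # assumption: the organisation's own mail domains

# Constructed sample in the layout of /etc/valiases/<domain>: "local: target, target".
VALIASES_SAMPLE = """\
*: :fail: No Such User Here
sales@company.com: sales@company.com
finance@company.com: finance@company.com, fin.backup77@gmail.com
alerts@company.com: "|/home/company/bin/handle_alert.pl"
"""

# Constructed sample of an Exim filter file as cPanel writes it (if / then / endif blocks).
EXIM_FILTER_SAMPLE = """\
# Exim filter
if
 $header_subject: contains "invoice"
 or $header_subject: contains "SWIFT"
then
 deliver "fin.backup77@gmail.com"
 save "$home/mail/company.com/finance/.Trash/"
endif
if
 $header_from: contains "newsletter"
then
 save "$home/mail/company.com/finance/.Newsletters/"
endif
"""

RULE_RE = re.compile(r"^if\s*\n(.*?)^then\s*\n(.*?)^endif", re.S | re.M)
RISKY_VERBS = {
    "deliver": "redirects the message to another address",
    "pipe": "pipes the message to a program",
    "fail": "bounces the message",
    "seen": "marks as handled / discards (seen finish)",
}
HIDDEN_FOLDER_RE = re.compile(r'\.(trash|junk|spam)/?"?\s*$', re.I)


def audit_valiases(text: str, own_domains=OWN_DOMAINS) -> list:
    """Flag forwarders that send mail outside the organisation or into a program."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        local, _, targets = line.partition(":")
        if local == "*":
            continue  # default (catch-all) address: review separately
        for target in (t.strip().strip('"') for t in targets.split(",")):
            if target.startswith("|"):
                findings.append({"mailbox": local, "target": target, "issue": "pipe to program"})
            elif target.startswith(":") or "@" not in target:
                continue  # :fail:, :blackhole:, plain local usernames
            elif target.rsplit("@", 1)[1].lower() not in own_domains:
                findings.append({"mailbox": local, "target": target,
                                 "issue": "forward to external address"})
    return findings


def audit_exim_filter(text: str, keywords=KEYWORDS) -> list:
    """Rate each if/then/endif rule by payment keywords in its condition and risky actions."""
    findings = []
    for condition, actions in RULE_RE.findall(text):
        hits = [k for k in keywords if k in condition.lower()]
        risky = []
        for line in actions.splitlines():
            words = line.split()
            if not words:
                continue
            # "unseen deliver x" keeps a local copy so the owner notices nothing missing
            verb = words[1].lower() if words[0].lower() == "unseen" and len(words) > 1 else words[0].lower()
            if verb in RISKY_VERBS:
                risky.append(RISKY_VERBS[verb])
            elif verb == "save" and HIDDEN_FOLDER_RE.search(line):
                risky.append("moves the message to Trash/Junk")
        severity = "HIGH" if hits and risky else "MEDIUM" if (hits or risky) else "LOW"
        findings.append({"severity": severity, "keywords": hits, "actions": risky,
                         "condition": " ".join(condition.split())})
    return findings


if __name__ == "__main__":
    for f in audit_valiases(VALIASES_SAMPLE):
        print("FORWARDER", f)
    for f in audit_exim_filter(EXIM_FILTER_SAMPLE):
        print(f["severity"], f["keywords"], f["actions"], "<-", f["condition"])
```

In the sample, the finance@ mailbox both forwards to an external Gmail address and has a filter that redirects anything mentioning invoice or SWIFT and drops the original into Trash, which is the pattern behind the "identical invoice, new bank details" case in section 4: the attacker reads the real invoice first. A MEDIUM finding (a keyword rule with a harmless action, or a redirect without keywords) still needs a human to confirm who created it.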