IBAN fraud: how to prevent it?

IBAN fraud is one of the methods used by hackers to scam individuals and businesses. Knowing how these fraudsters can operate allows you to avoid falling into the traps they set for their victims. We will also look at the most effective software solutions for verifying the authenticity of bank details transmitted by a third party.

What is the purpose of an IBAN?

A bank account is identified by a combination of several series of numbers and letters. These elements allow the account holder to perform various transactions. They are generally the IBAN (International Bank Account Number) and the BIC (Bank Identifier Code), also known as SWIFT (Society for Worldwide Interbank Financial Telecommunication).

The IBAN is governed by the international standard ISO 13616. In France, this bank account identifier is composed of 27 characters, including the letters FR followed by two characters and then the components of your BIC which are:

  • The bank code
  • The counter code
  • The account number
  • The BIC key

Now let’s look at the risks of disclosing your IBAN.

Is it dangerous to give your IBAN?

Giving only your IBAN is not really dangerous, since banks need it when a transfer or a direct debit has to be set up. The use of this code by a bank is completely secure.

Before a debit can be made from your account to a third party, you must authorize the transaction by signing a slip (called a mandate) offered by the concerned party in paper or electronic format. To receive a transfer, all you need to do is send your BIC/IBAN so that the bank transfer can be made. Similarly, when issuing a transfer, you will need the BIC/IBAN of the beneficiary. This is an operation you can do from your secure online customer area.

However, it is important to be cautious when transmitting your IBAN. When a fraudster has your IBAN in addition to other personal information such as an identity document and a sample of your signature, he or she may be able to create a false direct debit authorization. Fraudsters also fraudulently change the bank details recorded for a payee. Hence the need to verify the bank identity of the beneficiary of each payment.

What can I do with an IBAN and BIC?

When you need to receive money, you give your IBAN code to the person who has to handle the payment. If you have just been hired for a job for example, you will be asked for your BIC (which contains your IBAN) for the payment of your salary. It’s the same principle for anyone who wants to deposit money with you. When you want to send money, you must also have the IBAN of the person you owe money to. These operations can be carried out easily from the bank’s online personal space.

The IBAN is also useful for setting up a one-time or automatic debit. This allows you to pay your telephone subscription or other bill automatically, without you having to worry about it.

The BIC represents the international identifier of your bank. Sometimes called SWIFT (an acronym of the name of the international organization that manages the BIC), this code meets the international standard ISO 9362 used as a reference for cross-border financial communications.

Ultimately, the IBAN is used to withdraw money from your account, but it requires your authorization beforehand. So is it safe to give out your IBAN? Not really. The risk is rare, but very real. There are cases where malicious individuals have copied the signature of the IBAN holder. And in recent years, scams involving impersonation of a wire transfer recipient have emerged.

How to prevent IBAN fraud?

The IBAN scam is formidable because it exploits the normal payment processes of companies. To combat IBAN fraud, you need to adopt the right practices and use the right tools. According to the Euler Hermes DFCG 2021 study, two out of three companies have experienced at least one fraud attempt.

Educate your teams about the BIC/IBAN scam

Prevention is the best way to avoid the IBAN scam. Educating your teams on the methods used by fraudsters greatly reduces the risk of being among their victims.

Most of the time, the scammer pretends to be a regular supplier of the company and fraudulently changes the payment details to his own benefit. False e-mail addresses, a bank account number and basic knowledge of social engineering are enough to get past the vigilance of companies that are not sufficiently protected against financial fraud.

Scammers can find the information they need to set up their scheme on the Internet. The business relationships maintained by the company are their primary target for impersonating a wire transfer recipient. They will also need the contact details of a manager within the company who is able to administer the suppliers' IBAN file; such a person can be identified through professional social networks. When an invoice is issued by the real supplier, the payment will be made to the new bank details that are the object of the scam.

Depending on the method used, the fraudulent IBAN is accompanied by one or more false invoices. This is called false supplier fraud. This type of scam takes place in two stages. The scammer first pretends to be a manager of the client company and asks the supplier for information about outstanding invoices. He then contacts the company to carry out an IBAN scam, attaching the corresponding invoices. He may even discount the invoice in order to get the company to pay quickly.

It is therefore important to check the bank details given before proceeding with any payment. When one of your suppliers informs you that they have just changed their IBAN, ask them for an IBAN. You should also call them on their usual number to confirm that they are the author of the email in question.
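The check described above can be partly automated. The following is an added example, not part of the original article: it goes beyond the text by applying the standard ISO 13616 mod-97 checksum, splits a 27-character French IBAN into the components listed earlier, and compares a requested IBAN with the one on file. The supplier ID, phone number, record layout and function names are assumptions; the IBANs are sample values.

```python
import re

def normalize(iban: str) -> str:
    """Strip whitespace and upper-case so formatted and compact IBANs compare equal."""
    return re.sub(r"\s+", "", iban).upper()

def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616: move the first 4 chars to the end, map A-Z to 10-35, value mod 97 must be 1."""
    s = normalize(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{1,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

def split_french_iban(iban: str) -> dict:
    """Split a valid 27-character FR IBAN into the components named in the article."""
    s = normalize(iban)
    if not (s.startswith("FR") and len(s) == 27 and iban_checksum_ok(s)):
        raise ValueError("not a valid French IBAN")
    return {"bank_code": s[4:9], "counter_code": s[9:14],
            "account_number": s[14:25], "key": s[25:27]}

# Constructed vendor master record (hypothetical supplier ID and phone number).
VENDOR_MASTER = {
    "SUP-001": {"iban": "FR7630006000011234567890189",
                "callback_phone": "+33 1 00 00 00 00"},
}

def review_iban_change(supplier_id: str, requested_iban: str,
                       master: dict = VENDOR_MASTER) -> dict:
    """Decide how to handle bank details received with an invoice or change notice."""
    record = master.get(supplier_id)
    if record is None:
        return {"decision": "reject", "reason": "unknown supplier"}
    new, on_file = normalize(requested_iban), normalize(record["iban"])
    if not iban_checksum_ok(new):
        return {"decision": "reject", "reason": "IBAN fails mod-97 check"}
    if new == on_file:
        return {"decision": "pay", "reason": "IBAN matches vendor master"}
    flags = ["iban_changed"]
    if new[:2] != on_file[:2]:
        flags.append("country_changed")  # account moved to another country
    # Confirm by phone on the number already on file, never one given in the request.
    return {"decision": "hold_for_callback", "flags": flags,
            "call": record["callback_phone"]}
```

A passing checksum only shows the IBAN is well formed; it says nothing about who owns the account, which is why a changed IBAN is held for the callback rather than paid.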

All of your teams must be made aware of the different types of scams. A training session is also a good way to give your employees the right reflexes when facing scam attempts. You can also implement IT solutions to fight bank transfer fraud and fake supplier fraud.

Tools to detect fake IBAN fraud

Several tools are designed to help companies fight bank account change fraud. SEPAmail Diamond and the KYC LUCY application are among the most efficient on the market. The SEPA (Single Euro Payments Area) credit transfer and direct debit are the exchange formats using the IBAN for all banking transactions.

SEPAmail Diamond is an application that allows you to verify bank details, which is useful to counter bank fraud attempts and identity theft. Easy to install (used as a web interface or as an API), it is a fast, simple and efficient way to analyze the contact information of anyone who comes in contact with your organization.

Compatible with SEPA, KYC LUCY is used to avoid errors in financial transactions. This tool allows you to set up a KYC (Know Your Customer) and KYS (Know Your Supplier) procedure. You can use it as a mobile application, as a custom web interface, as an API on a server or as a website.