SiteKiln gives you plain-English information, not legal or financial advice. If you've lost money to fraud, contact your bank immediately and report it.
# Invoice Redirect Fraud: The Scam That's Costing Builders Thousands
Invoice redirect fraud (also called mandate fraud or payment diversion fraud) is when someone tricks you or your client into sending a genuine payment to the wrong bank account, the fraudster's.
In construction it usually looks like:
- A fake or hacked email pretending to be you, your client, or a supplier, saying "our bank details have changed; use this new account"
- A real invoice is intercepted, the sort code and account number are swapped, then it's sent on so the payment lands in the scammer's account
- An "urgent" email from a director or QS (spoofed) telling accounts to pay a specific invoice to "new details" today
The work is real. The invoice is often real. The bank details are not.
## How common is it in UK construction?
Construction is a prime target: complex supply chains, multiple subcontractors, and high-value payments arranged over email.
- The National Crime Agency (NCA) and the National Federation of Builders launched a joint campaign in 2025 warning that construction is especially vulnerable to invoice fraud
- NCA figures show invoice fraud cost victims almost £4 million in a single month (September 2025) across 83 reported cases
- Construction and manufacturing together made up around a quarter of all invoice fraud cases in 2024/25, more than any other sector
- UK Finance reports over £570 million stolen in payment fraud in the first half of 2024 alone; invoice redirect sits inside that "authorised push payment" fraud bucket
This isn't theoretical. It's hitting builders, subcontractors and suppliers right now, not just big corporates.
## How the scam usually plays out
### Step 1: They learn how you pay and get paid
Scammers get into someone's email (yours, your client's, or a main contractor's), or they spoof the address convincingly. Then they watch: who invoices who, for how much, on what dates, with what wording.
### Step 2: They copy your invoices and style
They recreate your logo and invoice template, or literally edit a genuine PDF and change only the bank details. Sometimes they leave your invoice alone but send a separate "we've changed bank" email that looks spot-on.
### Step 3: They send a "change of bank details" message
"We've changed banks, please update your records" or "For this invoice only, please pay to this new account." They often add pressure: "Urgent", "to avoid late fees", "our auditors required the switch."
### Step 4: The client pays the fraudster
Accounts type in the new sort code and account number and send the payment by bank transfer. The fraudster moves the money through other accounts or abroad within hours.
### Step 5: You chase for payment
Your client says "we've paid you", sends proof, and you see the money went to an account that isn't yours. Now both of you have a problem: money gone, you still unpaid, and an argument about who takes the loss.
## How to protect yourself
You're not going to build a corporate IT department. You can build a few simple habits that stop most of this.
### 1. Treat any bank detail change as dangerous
Make a rule: no bank change is accepted by email alone, ever.
If a client says your details have changed, or you're telling them yours have changed, pick up the phone and confirm. Use a number you already have saved or one from the original contract, not the number in the suspicious email.
Same if a supplier invoice arrives with different details. Stop and verify before paying.
### 2. Build a quick call-back check
If you've got a small office or it's just you:
- One person keys in the payment
- Another person does a quick phone check if anything has changed: new bank details, new payee name, unusual amount, unusual urgency
If you're on your own, that "second person" is a five-minute pause: walk away from the email, pull up the number you already had for the client, and ring to confirm.
This doesn't need a policy document. Just a simple rule you stick to.
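To show what the call-back rule from steps 1 and 2 looks like when written down as a check, here is a short added example in Python. It is not SiteKiln's code and the guide does not supply anything like it; it compares an incoming invoice with the supplier details you already hold on file and says whether someone must ring the supplier, on the number you saved at the start, before the payment is released. The supplier record, the invoice and the list of pressure phrases are all made up for the example.

```python
"""Added example (not from the SiteKiln guide): a 'call-back check' that
compares an incoming invoice against the supplier details already on file
and decides whether a phone call on a known number is needed before paying.
Supplier records, invoices and the urgency phrases are constructed."""
from dataclasses import dataclass, field

# Pressure phrases of the kind the guide describes. Assumption: you keep your own list.
URGENCY_PHRASES = ("urgent", "today", "late fee", "auditor", "for this invoice only", "new account")


@dataclass(frozen=True)
class SupplierRecord:
    """Details verified when the supplier was first set up."""
    name: str
    sort_code: str
    account_number: str
    typical_amount: float   # e.g. the average of previous paid invoices
    phone_on_file: str      # the number you saved at onboarding, never one from an email


@dataclass(frozen=True)
class IncomingInvoice:
    supplier_name: str
    sort_code: str
    account_number: str
    amount: float
    covering_email: str = ""


@dataclass
class CheckResult:
    call_back_required: bool
    reasons: list = field(default_factory=list)
    call_number: str = ""   # the number on file, only filled in when a call is needed


def normalise(value: str) -> str:
    """Strip spaces and dashes so '12-34-56' and '123456' compare equal."""
    return "".join(ch for ch in value if ch.isalnum()).lower()


def call_back_check(invoice: IncomingInvoice, on_file: SupplierRecord,
                    amount_tolerance: float = 2.0) -> CheckResult:
    """Return whether this payment must be confirmed by phone, and why.

    Any change to the bank details or payee name, an amount well outside the
    usual range, or pressure language in the covering email triggers a call
    to the number already on file (never the number in the email)."""
    reasons = []
    if normalise(invoice.sort_code) != normalise(on_file.sort_code):
        reasons.append("sort code differs from the details on file")
    if normalise(invoice.account_number) != normalise(on_file.account_number):
        reasons.append("account number differs from the details on file")
    if normalise(invoice.supplier_name) != normalise(on_file.name):
        reasons.append("payee name differs from the details on file")
    if on_file.typical_amount > 0 and invoice.amount > on_file.typical_amount * amount_tolerance:
        reasons.append(f"amount {invoice.amount:.2f} is more than {amount_tolerance:g} times "
                       f"the usual {on_file.typical_amount:.2f}")
    email = invoice.covering_email.lower()
    hits = [phrase for phrase in URGENCY_PHRASES if phrase in email]
    if hits:
        reasons.append("covering email uses pressure language: " + ", ".join(hits))
    return CheckResult(call_back_required=bool(reasons), reasons=reasons,
                       call_number=on_file.phone_on_file if reasons else "")


# Constructed sample supplier (not a real business or account).
ON_FILE = SupplierRecord(name="Ridgeway Roofing Ltd", sort_code="12-34-56",
                         account_number="12345678", typical_amount=4200.00,
                         phone_on_file="01234 567890")


def demo() -> CheckResult:
    """A 'we've changed banks' invoice: same supplier name, different account, urgent wording."""
    invoice = IncomingInvoice(supplier_name="Ridgeway Roofing Ltd", sort_code="65-43-21",
                              account_number="87654321", amount=4300.00,
                              covering_email="Please note our bank details have changed. "
                                             "Urgent: pay today to avoid late fees.")
    return call_back_check(invoice, ON_FILE)


if __name__ == "__main__":
    result = demo()
    print("Call back before paying:", result.call_back_required)
    for reason in result.reasons:
        print(" -", reason)
    if result.call_back_required:
        print("Ring", result.call_number, "(the number on file), not any number in the email")
```

The point of the design is that the phone number comes from the record you set up at the start, not from the message asking for the change, so a convincing email cannot also supply the "confirmation" number.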
### 3. Lock down your email
You're not an IT admin, but you can make it harder for scammers:
- Turn on two-factor authentication (2FA) on your main email account; this is the single most effective thing you can do
- Use a strong, unique password and don't reuse it anywhere else
- Never send bank details in a Word document that's easy to edit; use a read-only PDF and keep the details on file so clients don't need to keep asking
- Check your sent items and email forwarding rules periodically; if you see rules you didn't create (like "forward everything to X"), your account has been compromised. Change your password and get help immediately
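The last point, checking for forwarding rules you didn't create, is the one people find hardest to picture, so here is an added Python example (again not SiteKiln's code, and not tied to any particular mail provider). It runs over a list of mailbox rules and flags the signs the guide warns about: mail forwarded or redirected outside your own domain, mail forwarded and then deleted or marked read so you never see it, rules aimed at invoice or bank-detail messages, and rules the owner doesn't recognise. The rule records and field names are made up in the shape you might get from exporting your mailbox settings.

```python
"""Added example (not from the SiteKiln guide): audit a list of mailbox rules
for the signs of compromise the guide describes. The rules and field names
are constructed for illustration, not taken from any mail provider's export."""
from dataclasses import dataclass

# Words that mark a rule as aimed at payment traffic. Assumption: adjust to your own wording.
SENSITIVE_WORDS = ("invoice", "payment", "bank", "remittance", "sort code")


@dataclass(frozen=True)
class MailRule:
    name: str
    forward_to: tuple = ()          # addresses the rule forwards or redirects mail to
    delete: bool = False            # rule moves matching mail to the bin
    mark_read: bool = False         # rule marks matching mail as read
    subject_contains: tuple = ()    # subject words the rule triggers on
    created_by_owner: bool = True   # False if the mailbox owner doesn't recognise the rule


def domain_of(address: str) -> str:
    """Return the part after '@', lower-cased, or '' if there is no '@'."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def audit_rules(rules, own_domains):
    """Return (rule name, reason) pairs for every rule worth investigating."""
    own = {d.lower() for d in own_domains}
    findings = []
    for rule in rules:
        external = [a for a in rule.forward_to if domain_of(a) not in own]
        if external:
            findings.append((rule.name, "forwards or redirects mail outside your domain to "
                             + ", ".join(external)))
        if rule.forward_to and (rule.delete or rule.mark_read):
            findings.append((rule.name, "forwards and then deletes or marks read, "
                                        "so you never see the messages"))
        targeted = [w for w in SENSITIVE_WORDS
                    if any(w in s.lower() for s in rule.subject_contains)]
        if targeted and (external or rule.delete):
            findings.append((rule.name, "acts on payment-related mail: " + ", ".join(targeted)))
        if not rule.name.strip(" .,;-_"):
            findings.append((rule.name, "blank or punctuation-only rule name, easy to overlook"))
        if not rule.created_by_owner:
            findings.append((rule.name, "not recognised by the mailbox owner"))
    return findings


def demo():
    """Constructed rules: two normal ones and one that shows every warning sign."""
    rules = [
        MailRule(name="Newsletters to folder", subject_contains=("newsletter",)),
        MailRule(name="Copy invoices to bookkeeper",
                 forward_to=("books@ridgeway-roofing.example",),
                 subject_contains=("invoice",)),
        MailRule(name=".", forward_to=("c0llect0r@webmail.example",), delete=True,
                 subject_contains=("invoice", "bank details"), created_by_owner=False),
    ]
    return audit_rules(rules, own_domains=("ridgeway-roofing.example",))


if __name__ == "__main__":
    for name, reason in demo():
        print(f"rule {name!r}: {reason}")
```

Copying invoices to your own bookkeeper at your own domain is treated as normal; the same forwarding to an outside address, combined with deleting the original, is what should send you to change your password and get help.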
### 4. Put a warning on every invoice
Add this line to your invoices and email signature:
"We will never change our bank details by email. If you receive any communication asking you to pay to a different account, please call us on [your number] before making any payment."
Tell your main contractors and QSs about this rule. Encourage them to do the same.
That one line has stopped a lot of frauds.
## If it's already happened: what to do now
Time matters. The sooner you move, the better the chance any money is still in the system.
### 1. Contact your bank immediately
If you sent money to a fraudster (you paid a "supplier" to the wrong details), call your bank's fraud team and explain you've been a victim of invoice redirect fraud. Ask them to start a bank transfer recall / fraud recovery; they contact the receiving bank to try to freeze the funds.
If it's your client who paid the wrong account (a spoofed email in your name), advise them to contact their bank's fraud team immediately and explain it was authorised push payment fraud.
There's no guarantee, but reporting within hours gives the best chance of recovery.
### 2. Report to Report Fraud (formerly Action Fraud)
In England, Wales and Northern Ireland, report the crime:
- Online: reportfraud.police.uk
- Phone: 0300 123 2040
You'll get a crime reference number. Keep it; you'll need it for your bank, insurer, and HMRC.
In Scotland, report directly to Police Scotland on 101.
### 3. Collect your evidence
Pull together:
- Emails showing the fake change of bank details or altered invoices
- Your genuine invoices and real bank details
- Bank statements showing where the money actually went
- Any information suggesting how the email was compromised (unusual logins, forwarding rules you didn't create, hacked accounts)
Keep this organised. It's what banks, police, insurers and lawyers will ask for.
### 4. Tell your insurer
Check your business insurance. Some policies include cyber or crime extensions that may cover certain fraud losses or provide specialist recovery support.
Notify them promptly with the crime reference number and your evidence.
Most standard trade policies do NOT cover fraud losses, but check the wording. If you have a cyber add-on, this is when it earns its premium.
### 5. Talk to your client
Painful but necessary.
- Be open about what you know and what you're doing (bank contacted, police report filed)
- Share the fraudster email so they can check their own systems
- Keep it collaborative; both of you are victims, even though only one payment has gone astray
## Can you get the money back?
Honest answer: sometimes, and speed is everything.
If the payment is spotted fast, the receiving bank may be able to freeze the funds before they're moved. In that case, some or all of the money can sometimes be returned.
If the fraudster has already bounced it through multiple accounts or sent it abroad, recovery chances drop sharply.
Under the Contingent Reimbursement Model (CRM) Code and the Payment Systems Regulator's mandatory reimbursement rules (from October 2024), banks must reimburse victims of authorised push payment (APP) fraud up to £85,000, unless the victim was grossly negligent. This applies to payments between UK bank accounts. The sending bank reimburses and then seeks recovery from the receiving bank.
If your bank refuses to reimburse or you believe they've handled it badly, you can complain formally and escalate to the Financial Ombudsman Service.
Plan on recovery being a bonus, not a certainty. The real win is not sending the money in the first place.
## Who's liable if your client paid the wrong account?
This is where people fall out.
If the client typed in and approved the wrong bank details after receiving a fake email, the banking system generally treats them as having authorised the payment, even though they were tricked. The APP fraud reimbursement rules may help them recover from their bank.
If your email was hacked and you effectively sent the fake details (because the scammer used your compromised account), the client may argue you were negligent with your email security and should bear some responsibility.
If the fraud came through a main contractor's compromised system, things get messier still.
There's no one-size answer. It depends on the facts, the contracts, and how each party handled verification. In practice:
- Some clients pay again (to keep the relationship) and chase recovery with their bank
- Others refuse and say "we paid the account we were told to", which can become a legal dispute
- If the sums are significant, both sides should get legal advice
The best protection is prevention: the call-back rule and the invoice warning line cost nothing and prevent the argument from ever starting.
## What to do next
- Add the warning line to your invoices today: "We will never change our bank details by email"
- Turn on 2FA on your email account; it takes 2 minutes
- Check your email forwarding rules right now for anything you didn't set up
- Tell your regular clients and main contractors about your verification rule
- If money has already gone: bank first, then Report Fraud (0300 123 2040), then insurer
## Sources
- UK Finance, Half Year Fraud Report 2024 (ukfinance.org.uk)
- National Crime Agency / National Federation of Builders, Invoice Fraud Campaign 2025 (nationalcrimeagency.gov.uk)
- Payment Systems Regulator, Mandatory APP Fraud Reimbursement (October 2024) (psr.org.uk)
- Contingent Reimbursement Model Code (lendingstandardsboard.org.uk)
- Computer Misuse Act 1990 (legislation.gov.uk/ukpga/1990/18)
- Fraud Act 2006 (legislation.gov.uk/ukpga/2006/35)
- National Cyber Security Centre, Email Security Guidance (ncsc.gov.uk)