What to Do If Supplier Bank Details Are Changed Before Payment

A sudden message saying your supplier changed its bank account details is a serious payment-risk warning. It may be legitimate, but it may also be a business email compromise, invoice redirection scam, hacked supplier email, fake Viber/WhatsApp instruction, or “money mule” account. In the Philippines, the safest approach is simple: do not pay the new account until the change is independently verified, documented, and approved by the correct authorized person. The reason is practical and legal: if you pay the wrong person, you may still owe the real supplier.

Why a Change in Supplier Bank Details Is Legally Sensitive

In ordinary sales and service contracts, the buyer’s obligation is not merely to “send money somewhere.” The obligation is to pay the creditor, meaning the person or company legally entitled to receive payment.

Under Article 1159 of the Civil Code of the Philippines, obligations arising from contracts have the force of law between the parties and must be complied with in good faith. Under Article 1233, a debt is not considered paid unless the thing or service due has been completely delivered or rendered, and under Article 1240, payment must be made to the creditor, the creditor’s successor, or a person authorized to receive it. (Lawphil)

This matters because a scammer who sends “updated bank details” is usually not authorized to receive payment. If you pay that account, the real supplier can argue that your obligation remains unpaid.

There are exceptions. Article 1241 says payment to a third person may be valid if it benefited the creditor, if the creditor later ratified it, or if the creditor’s own conduct led the debtor to believe the third person had authority. Article 1242 also releases a debtor who pays in good faith to a person in possession of the credit. (Lawphil)

In real life, however, those exceptions can be difficult to prove. A buyer who paid a scammer usually has to show clear evidence that the supplier authorized the new bank details, benefited from the payment, or caused the confusion.

The Main Legal Issue: Who Bears the Loss?

When supplier bank details are changed before payment, the key question is usually:

Was the new payment instruction genuinely authorized by the supplier?

If yes, payment to the new account can be valid.

If no, the loss may fall on the party whose act, omission, negligence, or poor controls caused the payment to go wrong. Article 1170 of the Civil Code makes a party liable for damages if, in performing obligations, that party is guilty of fraud, negligence, delay, or otherwise violates the obligation. Articles 1172 and 1173 also recognize liability for negligence, measured by the diligence required by the nature of the obligation and the circumstances. (Lawphil)

This is why evidence is critical. Courts and investigators will look at questions such as:

  • Did the buyer verify the bank change through a trusted channel?
  • Did the supplier send the instruction from an official, uncompromised channel?
  • Was the account name different from the supplier’s legal name?
  • Was the new account under an individual’s name instead of the company’s name?
  • Did either party ignore obvious red flags?
  • Was there a written contract specifying bank details or payment-change procedures?
  • Did the supplier’s email system, accounting staff, or representative cause the buyer to believe the instruction was valid?

Immediate Steps Before You Pay the New Bank Account

1. Stop the payment process temporarily

Pause the payment run, even if the invoice is due soon. A short verification delay is usually easier to explain than a lost payment.

Send a written note to the supplier using a known contact channel:

We received a request to change payment details for Invoice No. ____. For security, payment is on hold pending independent verification of the new bank account and authority of the signatory.

This helps show that you are ready to pay but are acting carefully because of conflicting or unusual instructions.

2. Do not reply only to the email that sent the new details

If the supplier’s email was hacked, replying to the same thread may only confirm details with the scammer.

Use a separate trusted channel, such as:

  • the telephone number in the signed contract;
  • the official company website, not the number in the suspicious email;
  • a previously used email address from an old invoice;
  • a verified company officer;
  • a video call with a known contact;
  • a physical office visit for large payments.

For high-value payments, require verbal confirmation from at least two known supplier representatives, ideally one from finance and one from management.

3. Ask for a formal bank-change instruction

A legitimate supplier should be able to give a signed document confirming the change. At minimum, ask for:

  • supplier’s legal name;
  • invoice number or contract reference;
  • old bank details;
  • new bank details;
  • effective date of the change;
  • reason for the change;
  • name, position, and signature of the authorized officer;
  • proof that the signatory is authorized.

For a Philippine corporation, stronger documents include a Secretary’s Certificate, board resolution, or written authorization from officers named in the contract. For a sole proprietor, ask for DTI registration, BIR registration, government ID of the proprietor, and proof that the bank account belongs to the proprietor or registered business.

4. Match the account name against the supplier’s legal identity

Be cautious when the account is under:

  • an individual instead of the supplier company;
  • a different corporation;
  • a newly opened account;
  • an e-wallet account for a large business payment;
  • a bank in a different province or country without explanation;
  • an account name that has spelling differences or extra words.

A Philippine company named “ABC Industrial Supply Corporation” should normally not ask payment to “Juan Dela Cruz” without a very clear written authority.

5. Review the contract, purchase order, and invoice terms

Check whether the contract states:

  • the approved bank account;
  • how payment instructions may be changed;
  • who may sign notices;
  • whether email instructions are binding;
  • whether amendments must be signed;
  • whether payment is due only upon valid invoice;
  • who bears bank charges and transfer risks.

If the contract names a specific bank account, treat any change as a contract amendment or payment-instruction amendment, not a casual email update.

6. Keep a complete evidence file

Save everything before anyone deletes or edits messages:

  • original emails with full headers, if available;
  • screenshots of messages, but do not rely on screenshots alone;
  • invoices, purchase orders, contracts, delivery receipts;
  • supplier account-change letter;
  • call logs and meeting notes;
  • names of people who confirmed the change;
  • bank transfer forms or approval trails;
  • internal payment approval records.

Electronic records can be important in Philippine proceedings. The Electronic Commerce Act, Republic Act No. 8792, recognizes electronic documents and electronic signatures when legal requirements are met, and the Rules on Electronic Evidence govern authentication of electronic evidence in court. (Lawphil)

If You Are Pressured to Pay Immediately

Scammers often create urgency:

  • “Our old bank account is closed.”
  • “Payment must be sent today.”
  • “Please disregard the previous invoice.”
  • “Do not call the old number because finance is unavailable.”
  • “Use this personal account temporarily.”
  • “We will cancel your order if payment is delayed.”

A legitimate supplier should understand payment verification. If the supplier insists that payment is urgent, consider safer payment options:

Situation Safer Option
Bank details changed by email only Do not pay until independently verified
Supplier cannot provide authority documents Pay only to the previously verified account or withhold payment pending clarification
Supplier says old account is closed Ask for a bank certificate or formal signed notice
Account is under another person/company Ask for proof of authority and consider paying by manager’s check payable to the supplier’s legal name
Two people claim different payment accounts Send written notice that payment is ready but suspended pending resolution
Large cross-border payment Require signed corporate authorization, compliance review, and bank callback verification

If there is a serious dispute over who may receive payment, the Civil Code allows consignation in proper cases, such as when two or more persons claim the same right to collect, but consignation is a formal court process and must follow strict requirements. (Lawphil)

If You Already Paid the New Account

If payment has already been sent and you suspect fraud, act within minutes, not days.

1. Call your bank immediately

Use the bank’s official fraud hotline or branch relationship manager. Ask for:

  • transaction recall;
  • fraud report reference number;
  • request to contact the receiving bank;
  • request to preserve or temporarily hold funds, if available;
  • written confirmation of your report.

Do not wait for email support if the amount is significant. Call, visit the branch, and send a written report.

2. Notify the receiving bank if known

If you know the receiving bank and account number, report that the account may be receiving fraud proceeds. The receiving bank may not disclose account owner information because of privacy and bank secrecy rules, but it can internally flag the transaction and coordinate with your bank or authorities.

3. Tell the real supplier immediately

Ask the supplier to confirm whether:

  • it really sent the bank-change instruction;
  • its email or messaging account was compromised;
  • any employee sent or approved the instruction;
  • other customers received similar instructions;
  • it will cooperate with your bank, NBI, PNP, or BSP-related verification.

This matters for both recovery and later civil liability.

4. File a cybercrime or fraud complaint

Invoice redirection scams may involve estafa under Article 315 of the Revised Penal Code, especially where a person uses false pretenses or fraudulent acts to induce another to part with money. (Lawphil)

They may also involve cybercrime if electronic communications, hacked accounts, identity misuse, or computer-related fraud were used. Republic Act No. 10175, the Cybercrime Prevention Act of 2012, covers cybercrime offenses, and the Supreme Court has discussed Section 4 offenses including illegal access, data interference, and computer-related offenses in Disini v. Secretary of Justice. (Supreme Court E-Library)

You may report to the NBI Cybercrime Division or appropriate cybercrime unit. The NBI Citizen’s Charter for investigative assistance to victims of computer crimes refers to complaint forms, sworn statements or affidavits, supporting documents, and device examination when relevant. (National Bureau of Investigation)

5. Ask about AFASA remedies for disputed funds

Republic Act No. 12010, the Anti-Financial Account Scamming Act, specifically addresses financial account scamming, money muling, social engineering, and misuse of bank or e-wallet accounts. It defines financial accounts broadly to include bank accounts, transaction accounts, and e-wallets, and penalizes money muling activities such as using, borrowing, lending, renting, buying, or selling financial accounts for proceeds from crimes or social engineering schemes. (Lawphil)

AFASA also requires covered financial institutions to maintain adequate risk management systems and controls, including multi-factor authentication, fraud management systems, and account-owner verification processes. The law states that institutions may be liable for restitution where they fail to employ adequate controls or fail to exercise the highest degree of diligence in preventing loss or damage from covered offenses. (Lawphil)

BSP Circular No. 1215, Series of 2025, implements rules on temporary holding of disputed funds and coordinated verification. It provides for tracing, prompt notifications, coordinated verification, and temporary holding of disputed funds for up to 30 calendar days, subject to the rules and possible court extension.

Government Offices and Practical Reporting Channels

Concern Where to Go What to Prepare Practical Timeline
Stop or recall bank transfer Your originating bank Transaction receipt, account details, invoice, proof of fraud report Immediately; best within minutes or hours
Receiving account is suspected mule account Originating bank and receiving bank Beneficiary bank, account number, transfer reference Immediate internal bank review; no guaranteed recovery
Bank does not properly handle your complaint BSP Consumer Assistance Mechanism Bank complaint reference, proof you reported first to the bank, supporting documents BSP treats this as second-level recourse after the bank’s own consumer assistance process
Cybercrime investigation NBI Cybercrime Division or cybercrime authorities Affidavit, IDs, screenshots, original emails, headers, bank records, contracts Initial intake may be quick, but investigation and subpoenas take longer (National Bureau of Investigation)
Criminal prosecution Prosecutor’s Office after investigation/referral Complaint-affidavit, evidence, witness statements Timelines vary by city/province and case complexity
Civil recovery against supplier, scammer, or negligent party MTC/MeTC or RTC, depending on amount and relief Demand letter, contract, invoices, payment proof, expert/digital evidence Court timelines vary; small claims for qualifying money claims up to ₱1,000,000 use expedited procedures (Supreme Court of the Philippines)
Larger civil claims First-level court or RTC depending on amount Complaint, verification/certification, evidence, filing fees RA 11576 generally places civil actions up to ₱2,000,000 within first-level court jurisdiction, exclusive of specified add-ons (Supreme Court E-Library)

Documents to Secure Before Paying Changed Supplier Bank Details

For ordinary payments:

  • signed supplier bank-change letter;
  • updated invoice reflecting the new account;
  • written confirmation from known supplier email and separate phone call;
  • proof that the account name matches the supplier;
  • internal approval memo or payment verification checklist.

For larger payments:

  • Secretary’s Certificate or board resolution;
  • notarized payment-instruction letter;
  • specimen signature or ID of authorized signatory;
  • supplier’s SEC or DTI registration;
  • BIR Certificate of Registration, if relevant;
  • bank certificate or account ownership confirmation, where available;
  • video-call confirmation with known officers;
  • amended contract or addendum.

For foreign parties dealing with Philippine suppliers:

  • verify the supplier’s Philippine registration and business address;
  • do not rely only on messaging apps;
  • require signed documents from authorized officers;
  • for documents executed abroad and intended for formal use in the Philippines, consider whether apostille or consular authentication is needed. The DFA Authentication Division handles apostille-related concerns for documents intended for cross-border use. (Apostille Authority)

Common Scenarios

The supplier email is genuine, but the supplier’s mailbox was hacked

This is common. The email may come from the real supplier domain, but the instruction may still be fraudulent.

Do not assume that a real email address equals valid authority. Ask the supplier to investigate its mailbox, check forwarding rules, and confirm whether the instruction was actually sent by an authorized person.

The new bank account is under the supplier’s employee

This is a major red flag. A company supplier should not casually direct business payments to an employee’s personal account.

If there is a legitimate reason, require written authority from the company, not merely from the employee.

The supplier claims you still owe them after you paid the scammer

The supplier may be legally correct if the scammer was not authorized and the payment did not benefit the supplier. Your defense will depend on proof that the supplier authorized the change, ratified it, benefited from it, or negligently caused you to believe the new account was valid.

Your own accounting staff approved the change without verification

The company may still be liable to the supplier, and the internal issue becomes one of employee error, negligence, insurance coverage, or possible disciplinary action. Preserve records and review payment controls immediately.

The supplier is also partly at fault

If the supplier’s compromised systems, poor email controls, careless staff, or confusing instructions caused the loss, there may be a basis to negotiate shared loss or pursue damages. Civil Code rules on fraud, negligence, and breach of obligations may become relevant. (Lawphil)

Internal Controls That Prevent This Problem

Businesses in the Philippines should adopt a written vendor bank-change policy. A practical policy includes:

  1. No bank-detail change by email alone.
  2. Callback verification using old, trusted contact details.
  3. Account-name matching against supplier legal name.
  4. Two-person approval for vendor master-file changes.
  5. Mandatory waiting period for first payment to a new account.
  6. Written officer approval above a set amount.
  7. Separate confirmation for foreign or individual accounts.
  8. Email-header preservation when fraud is suspected.
  9. Periodic supplier revalidation.
  10. Staff training on invoice redirection scams.

These controls are not just “IT best practices.” They help prove diligence if a dispute reaches a bank, insurer, prosecutor, or court.

Frequently Asked Questions

Can I refuse to pay until the supplier verifies the new bank account?

Yes. If the payment details changed unexpectedly, it is reasonable to pause payment long enough to verify authority. Put the reason in writing and state that payment is ready once valid payment instructions are confirmed.

If I pay the wrong bank account, is my debt automatically paid?

Usually no. Under the Civil Code, payment should be made to the creditor, successor, or authorized person. Payment to a third person is valid only in specific situations, such as when it benefited the creditor, was ratified, or the creditor’s conduct made you believe the third person was authorized. (Lawphil)

What if the supplier’s real email sent the new bank details?

A real email address is not always enough. The account may have been compromised. Verify through a separate trusted channel, especially for large payments.

Can I ask the bank to reverse the transfer?

You can ask immediately, but reversal is not guaranteed. Banks can try to recall, hold, or coordinate, but recovery depends on how fast you report, whether funds remain in the receiving account, and whether legal or regulatory grounds exist for holding the funds.

Should I file with the NBI or the police?

For hacked emails, fake payment instructions, online deception, or mule accounts, a cybercrime or fraud complaint may be appropriate. Prepare affidavits, transaction records, original emails, message screenshots, IDs, and all supplier documents. The NBI cybercrime process refers to complaint forms, sworn statements or affidavits, supporting documents, and relevant device examination. (National Bureau of Investigation)

Can the receiving bank give me the scammer’s identity?

Usually not directly. Bank secrecy and privacy rules may restrict disclosure to private persons. However, banks can coordinate internally, and authorities may obtain information through proper legal or regulatory processes. Under AFASA-related BSP rules, financial account inquiry and information sharing may be available to competent authorities in covered cases.

Is an email instruction legally valid in the Philippines?

It can be, depending on proof of authenticity, authority, and the parties’ agreement. The Electronic Commerce Act recognizes electronic documents and electronic signatures, but the party relying on them must still be able to prove that the electronic record is genuine and attributable to the proper person. (Lawphil)

What if the supplier is threatening penalties for late payment?

Send a written notice explaining that payment is ready but temporarily held because of an unverified change in bank details. Offer to pay the previously verified account, issue a manager’s check payable to the supplier’s legal name, or complete payment once authority is confirmed.

Can I sue to recover money lost to a fake supplier bank account?

Possible defendants may include the scammer, account holder or money mule, negligent parties, or, in some cases, a supplier whose conduct contributed to the loss. The correct case depends on evidence, amount, parties, and whether the claim is civil, criminal, or both.

What is the safest way to handle supplier bank changes?

Use a “trust but verify” rule: written signed instruction, independent callback, account-name matching, authority documents, internal dual approval, and complete records before payment.

Key Takeaways

  • A sudden change in supplier bank details should be treated as a fraud risk until verified.
  • Under Philippine civil law, paying the wrong person may not extinguish your obligation to the real supplier.
  • Do not rely on email alone, even if the email address looks genuine.
  • Verify through a separate known channel and require signed authority documents.
  • Preserve original emails, headers, invoices, contracts, call logs, and bank records.
  • If payment was already sent, report to your bank immediately and ask for recall, hold, and coordinated verification.
  • AFASA, RA 12010, strengthens rules against financial account scamming, money muling, and social engineering involving bank and e-wallet accounts.
  • For unresolved bank handling issues, the BSP Consumer Assistance Mechanism is a second-level recourse after reporting first to the bank.
  • For suspected cybercrime or fraud, prepare a complaint-affidavit and supporting evidence for cybercrime authorities.
  • Strong internal payment controls are often the difference between a recoverable mistake and a costly legal dispute.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login