Validating Bank Details
The emailing of bank details is likely to remain standard business practice for some time to come. To validate these bank accounts, it is safest to work on the assumption that the sender's email account may have been compromised and that validation needs to take place 'out-of-band'.
'Out-of-band' in our context translates to 'not over email' and on this page we cover a couple of ways to perform this.
Have your bank validate the details
When creating a beneficiary for an electronic transfer, some banks will provide the option to verify the identity of the recipient account holder (contrary to popular belief, this is not default practice).
There is usually an additional fee required and it does require you to have some identifying information that you have obtained from a reliable source, e.g. a company's registration number. The costs will differ between banks but it is most likely worth it for any significant transaction.
Validating the details directly
An alternative to having the bank perform the validation is to do it yourself. This is as 'simple' as contacting the organisation or individual directly. In the context of details received via email, the best way to do this is via a voice call over the public telephone network as this increases the challenge facing potential scammers.
As always, obtain the relevant contact details from a reliable source; do not trust any details that have been emailed to you.
Sourcing reliable information
It is generally easier to source reliable information for organisations than it is for individuals, as many organisations will have some form of public online presence as well as appearing in some business directories. Their company registration details may even be publicly available.
With a scam such as an email account compromise, perpetrators will want to keep as low a profile as possible to avoid detection. The more things they interfere with, the greater the chance of detection and the lower the chance of a payout. This is why using public infrastructure is a good approach, but one should bear in mind that if the scam is a targeted attack and the perpetrators are expecting a particularly good reward, they may be willing to incur additional expense and risk by tampering with publicly visible resources (e.g. the company's website).
When using a search engine to look up these details, be careful of search engines that intermingle paid-for ads with actual search results. Paid-for ads could be used to inject a scam website containing incorrect details.
A good backup resource for this activity is the Wayback Machine. It keeps historical snapshots of websites, over a period of years.
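The cross-check described above can be done by hand or scripted. The following is an added example, not part of the original page: it compares the phone numbers on a company's current contact page with those in older archived copies and shows which numbers have a history. The page text, dates and phone numbers are constructed sample data pasted in by hand, and the default country code of 44 is an assumption.

```python
import re

# Constructed sample data: text copied by hand from archived copies of one
# supplier's contact page, keyed by snapshot date, plus the page as it is today.
SNAPSHOTS = {
    "2019-03-01": "Accounts dept: 020 7946 0123. Switchboard: 020 7946 0100.",
    "2021-06-15": "Accounts: +44 (0)20 7946 0123 Switchboard: +44 (0)20 7946 0100",
    "2023-01-10": "Accounts: +44 20 7946 0123. Switchboard: +44 20 7946 0100.",
}
LIVE = "Accounts: +44 20 7946 0999 (new number). Switchboard: +44 20 7946 0100."

PHONE_RE = re.compile(r"\+?\d[\d ().-]{7,}\d")

def normalise(raw, default_cc="44"):
    """Reduce one written phone number to +<country><number> digits."""
    raw = raw.strip().replace("(0)", "")
    digits = re.sub(r"\D", "", raw)
    if raw.startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    if digits.startswith("0"):
        return "+" + default_cc + digits[1:]
    return "+" + digits

def extract_numbers(text):
    """Return the set of normalised phone numbers found in a block of text."""
    found = {normalise(m.group()) for m in PHONE_RE.finditer(text)}
    # Keep plausible lengths only (E.164 allows at most 15 digits).
    return {n for n in found if 9 <= len(n) - 1 <= 15}

def review(live_text, snapshots):
    """Map each number on the live page to the snapshot dates that also list it."""
    seen = {date: extract_numbers(text) for date, text in snapshots.items()}
    return {n: sorted(d for d, nums in seen.items() if n in nums)
            for n in extract_numbers(live_text)}

def long_standing(snapshots, min_seen=2):
    """Numbers listed in at least min_seen snapshots: candidates for the call."""
    counts = {}
    for text in snapshots.values():
        for n in extract_numbers(text):
            counts[n] = counts.get(n, 0) + 1
    return {n for n, c in counts.items() if c >= min_seen}

if __name__ == "__main__":
    for number, dates in sorted(review(LIVE, SNAPSHOTS).items()):
        print(number, "seen in", dates if dates else "NO archived copy: do not rely on it")
    print("Long-standing numbers:", sorted(long_standing(SNAPSHOTS)))
```

A number with no archived history may simply be new; the point of the check is to pick a long-standing number for the validation call rather than the most recently published one.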
If the bank details are for an individual, this exercise is much more difficult. In the best of worlds, perhaps you have a mutual acquaintance who can validate their contact details or, if you know their employer, you can contact them via their place of employment. Failing that, social media may provide you with an out-of-band channel such as Facebook Messenger. The caveat here is that the scammer may have compromised the social media account as well but, again, this increases the risk of detection.
As mentioned above, an 'unannounced' voice call is the best option. It is possible to intercept a call on the public telephone network. It is also possible to use Artificial Intelligence to imitate a particular person's voice. However, this increases cost and risk of detection, especially if this must be available without warning. That being said, when you are making the call, pay attention to anything that seems off in the conversation.