
By Shai Gabay, Co-Founder & CEO, Trustmi

When I speak with businesses about B2B payment fraud, most people I talk with are confident their organization is safe. A large part of their confidence stems from the strong bank account validation processes these companies have in place, which confirm the accuracy and legitimacy of a vendor’s bank account by checking on crucial details.

It wasn’t that long ago that a strong bank validation process was sufficient to halt fraudulent activity in its tracks. However, as we’ve seen across many industries, the rules of the game have changed as the world has increasingly digitized, and the traditional account validation processes that prevented countless fraudulent scenarios are no longer sufficient. That’s why many companies are looking for new alternatives. But before we go there, let’s delve more into why traditional bank account validation methods are no longer enough. 

Traditional bank account validation only scratches the surface

As I touched on at the top, businesses and financial institutions employ bank account validation processes to verify accounts, or more specifically, to confirm that an account exists and is active. This process confirms accounts by checking several critical pieces of information: the name on the account, the account number, and the bank’s routing number. Through these steps, businesses can do the following:

  •  Secure assurance that the account checks all the boxes, which preserves the integrity of financial transactions while streamlining the flow of funds and mitigating the risk of errors, fraud, and financial losses that can occur.
  •  Uncover a bad actor who is looking to steal funds. This occurs when the information provided by the fraudster doesn’t match that of the actual vendor. When the details don’t match those of the real vendor, the validation process will flag it. End of story.

On the surface, that sounds easy enough, and common sense dictates that companies with strong and reliable bank account validation processes should be confident that funds are being sent to a legitimate bank and the account owner is confirmed and verified. The same goes for any transactions coming in. 

But just like a business can no longer protect itself with traditional cybersecurity solutions, it cannot verify accounts using outdated validation methods.  That’s because this verification process is far more complex in today’s digital era, and here’s why.

Verification risks

Bank account validation methods can prove an account exists. They can also show that it is linked to the business or person whose name is on the account. A great example is callback procedures, which many organizations use to verify accounts. In this case, the organization calls the vendor to verify it’s really them and to confirm the bank account change request. But here’s the catch. How do they know who they’re talking to? The person on the other end of the line could easily be the fraudster who hacked the account.

This demonstrates the limitations of these traditional approaches, which cannot dig below the surface to determine if the account was created by fraudsters who have the skills to steal critical pieces of personal information and create and operate accounts that are 100% legitimate. 

Here’s how this could happen. 

A cybercriminal launches a business email compromise (BEC) attack to access an employee’s email account. Once inside, they access emails with the vendor and locate those containing critical company assets, for example, key financial information. Next, using this data, they open a bank account at the same bank as the vendor using the vendor’s name.

The new account doesn’t raise any red flags with the bank because the fraudster used factual business information lifted from emails. As for the vendor, they are entirely in the dark, unaware of the new account that is intercepting payments meant for them. Next thing you know, millions of dollars are lost.

But this is just the beginning. They can expand their efforts with a bank account that has been thoroughly verified and is completely under the attacker’s control. For example, they can connect with vendor clients, submit fraudulent invoices, or even ask clients to begin sending funds to a new mule account at the same bank or a different one altogether. Once the payments are sent to this new account, we can officially consider the money stolen.

At this point, let me remind you that the traditional validation process would not flag any of this activity since all the information used to open the mule account is legitimate. Adding insult to injury, no resources are dedicated to tracking this activity across different financial institutions, making it that much harder to get spotted.

A new approach to detecting fraud


Businesses need a more robust approach to fraud detection that can connect all the dots across the payment process and see what’s going on. Even if the fraudster can create a bank account that passes validation, there are other points where they can be stopped as they execute their attack.  
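The gap described above, as an added example that is not from the article or from Trustmi: the three traditional checks pass for an account opened in the vendor's name at the same bank, while a comparison against the vendor's details on file holds the payment. The bank records, the vendor name, the signal names and the hold/release policy are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class BankDetails:
    holder: str
    routing: str
    account: str

def routing_checksum_ok(routing):
    """ABA check digit: the 3-7-1 weighted digit sum must be a multiple of 10."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    return sum(int(d) * w for d, w in zip(routing, (3, 7, 1) * 3)) % 10 == 0

def norm(name):
    return re.sub(r"[^a-z0-9]", "", name.lower())

def traditional_validation(d, vendor_name, bank_records):
    """The three checks the article lists: holder name, account and routing number."""
    rec = bank_records.get((d.routing, d.account))  # stand-in for the bank's answer
    return bool(routing_checksum_ok(d.routing) and rec and rec["active"]
                and norm(rec["holder"]) == norm(vendor_name))

def change_signals(d, on_file, change_channel):
    """Context that validation never sees (signal names are assumptions)."""
    signals = []
    if (d.routing, d.account) != (on_file.routing, on_file.account):
        signals.append("account differs from vendor master record")
        if change_channel == "email":
            signals.append("change requested over email, the channel BEC compromises")
    return signals

def review(d, vendor_name, on_file, change_channel, bank_records):
    if not traditional_validation(d, vendor_name, bank_records):
        return "reject", []
    signals = change_signals(d, on_file, change_channel)
    return ("hold" if signals else "release"), signals

# Constructed sample data; routing 123456780 was chosen only to pass the checksum.
BANK_RECORDS = {
    ("123456780", "000111222"): {"holder": "Acme Supplies Ltd", "active": True},
    # Account opened by the fraudster in the vendor's name at the same bank.
    ("123456780", "000999888"): {"holder": "ACME Supplies, Ltd.", "active": True},
}
ON_FILE = BankDetails("Acme Supplies Ltd", "123456780", "000111222")
REQUESTED = BankDetails("Acme Supplies Ltd", "123456780", "000999888")

if __name__ == "__main__":
    print(traditional_validation(REQUESTED, "Acme Supplies Ltd", BANK_RECORDS))
    print(review(REQUESTED, "Acme Supplies Ltd", ON_FILE, "email", BANK_RECORDS))
```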

Before I give the wrong impression, these innovations do not mean the end of traditional bank account validation, but rather the beginning of what we will call bank account validation 2.0. Here, penny drop verification and other current capabilities merge with newer innovations, including artificial intelligence (AI), allowing businesses to detect anomalies and suspicious signals within a fraud scheme to stop payments from going to the wrong place.

AI-powered solutions can also identify other factors, such as fake vendor invoices, and analyze email communications to flag BEC attacks, social engineering, or executive impersonation, among other fraud detection capabilities. 


Additional verification controls and information-sharing systems include penny-drop verification and entrance into more extensive networks where financial institutions share unusual activity, which can accelerate the process of identifying and stopping fraudulent activity.

The game’s rules have changed, and fraudsters have secured the upper hand. To regain control, businesses must shift from old-school approaches to those more capable of digging below that surface to find unusual patterns and ultimately stop fraudulent payment activity faster, even before the verification process.

About the Author

Shai Gabay, a visionary entrepreneur, has always held a deep passion for cybersecurity and fintech; throughout his career, he developed his expertise in both areas. Shai is a co-founder and CEO of Trustmi, a leading end-to-end payment security platform founded in Israel in 2021. Prior to Trustmi, he was General Manager at Opera, VP of Product and Services at Cynet, CIO at Cyberbit, and CISO at Discount Bank.

Shai holds a Bachelor’s Degree from Shenkar College in software engineering and a Master’s in Business Administration and Management from Tel Aviv University.  Additionally, Shai was selected for the prestigious one-year full scholarship for executive excellence program at the Hoffman Kofman Foundation, a program tailored to outstanding alumni of IDF’s Elite Units. Through this program, he had the opportunity to study with prominent co-founders and leaders at renowned global tech companies and professors at elite universities. 
