
Payment Diversion Fraud and how it can impact you and your business

This week, we're dedicating time to Payment Diversion Fraud (PDF) or Business Email Compromise (BEC), using information produced by the National Economic Crime Centre in partnership with the City of London Police, UK Finance and Cifas.

Payment Diversion Fraud (PDF), also commonly referred to as Business Email Compromise (BEC) or Invoice and Mandate Fraud, causes significant harm to the UK economy and victims.

It is the third highest high-harm fraud type by value; between June 2020 and July 2021, the National Fraud Intelligence Bureau (NFIB) reported total related losses of £143.4m. Losses from PDF are also predicted to rise because of increased business activity associated with relaxing Covid-19 restrictions and because increasingly sophisticated forms of PDF are being perpetrated.

PDF is an underreported crime type, with victims often feeling too foolish or ashamed to talk about what has happened to them for fear of the risks to their personal and/or businesses’ reputation. Therefore, it is hard to know the true scale of the problem.

This is the reason Operation FERRARA, a National Economic Crime Centre (NECC)-led multi-agency campaign to step up the response to PDF nationally, exists. But before we talk about Op FERRARA, let us take a detailed look at what exactly PDF is.

PDF: The Background

Payment Diversion Fraud (PDF) involves fraudsters creating false invoices or false requests for payments, or the diversion of payments. PDF is usually committed against businesses and organisations via email or phone. This fraud is also referred to as payment fraud, mandate fraud or invoice fraud.

A typical PDF involves fraudsters contacting employees who can authorise payments, or fraudsters pretending to be a supplier or another organisation who would legitimately request payments. The fraudsters will often advise that bank details have changed and ask the employee to update the records or use fake invoices to make direct payment requests.

Types of PDF Fraud

Invoice and mandate fraud involves a company’s supplier emails being compromised. It was the most commonly observed type of PDF in the UK based on Action Fraud reporting in the financial year 2018/19. A typical invoice fraud entails the victim company being contacted by fraudsters purporting to be the supplier and requesting payment for an invoice into an account the fraudsters control.

There is a specific sub-category of this fraud, where tradespeople are impersonated; the fraudsters identify customers having work done and demand payments from them by impersonating the company doing the work.

CEO fraud involves fraudsters impersonating a senior executive in an organisation and contacting employees in finance to make payments to the fraudster. Senior management are targeted through spear-phishing to obtain access to their email accounts and gain information to enable impersonations. Fraudsters also research company information from Companies House and company websites.

Conveyancing fraud targets individuals who are in the process of purchasing a property. Fraudsters impersonate the victim’s solicitor, convincing the purchaser to redirect their payments to an account the fraudster controls.

Salary diversion fraud involves fraudsters impersonating an employee and contacting the company payroll department to change the account details the salary is paid into. In 2018/19, Action Fraud reported this type of PDF as an emerging trend. National Anti-Fraud Network Data and Intelligence Services have also noted incidents of senior Local Authority staff salaries being diverted.

Hang on, what’s Spear-phishing?

Oh yeah, we just mentioned that didn’t we? Spear-phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim, often for malicious reasons.

This is achieved by acquiring personal details on the victim such as their friends, employer or locations they frequent. The attackers then disguise themselves as a trustworthy friend or entity to acquire sensitive information, typically through email or other online messaging.

Victims of PDF

Based on Action Fraud reporting, it is highly likely that businesses, the public sector and individuals (involved in specific high value transactions) are the most common victims of PDF, with small and medium-sized enterprises (SMEs) appearing more prone to fall victim.

Lack of IT knowledge and training, and failure to apply appropriate email security protocols, may leave businesses open to receipt of phishing emails, increasing the risk of subsequent monetary and reputational loss.

As well as SMEs, PDF can also affect international businesses and individuals involved in the following transactions:

  • House purchases;

  • High value purchases from tradespeople or businesses;

  • Payment of Private School fees.

Business Sectors

While many business sectors and organisations are at risk of PDF, the following sectors are most heavily impacted:

  • Legal and Financial services;

  • Construction Industry;

  • Educational Institutions;

  • Health Services;

  • Local Government.

Enablers used in PDF

Hacking and spoofing are two enablers of PDF. Hacking-enabled PDF involves phishing, malware and illicit credential purchasing. Spoofing-enabled PDF involves email spoofing and homoglyphs, where one character in an email address is replaced with a similar-looking character.
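
A homoglyph address can be caught before a payment is made by comparing the sender's domain against the domains of suppliers you already deal with. The following is an added example, not part of the original blog post or of any Op FERRARA material; the supplier domains, the small look-alike table and the function names are all made up for illustration.

```python
import unicodedata

# Constructed, deliberately small look-alike table (assumption: a production
# check would use the full Unicode confusables data instead).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0456": "i",   # Cyrillic r, s, Ukrainian i
    "0": "o", "1": "l",                            # digits used as letters
}
MULTI_CHAR = {"rn": "m", "vv": "w"}                # letter pairs that mimic one letter

def skeleton(domain):
    """Fold a domain to the form a hurried reader would 'see'."""
    text = unicodedata.normalize("NFKC", domain).lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for pair, single in MULTI_CHAR.items():
        text = text.replace(pair, single)
    return text

def one_substitution(a, b):
    """True when the two strings differ in exactly one character position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def classify_sender(address, trusted_domains):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None).

    Expects a bare address such as accounts@supplier.example.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted_domains:
        return ("trusted", domain)
    for trusted in trusted_domains:
        if skeleton(domain) == skeleton(trusted) or one_substitution(domain, trusted):
            return ("lookalike", trusted)
    return ("unknown", None)

# Constructed sample data: supplier domains already on file.
SUPPLIERS = ["midlands-supplies.example", "eastbuild.example"]

if __name__ == "__main__":
    for sender in ["accounts@midlands-supplies.example",
                   "accounts@mid1ands-supplies.example",
                   "accounts@midl\u0430nds-supplies.example",
                   "accounts@rnidlands-supplies.example",
                   "info@unrelated.example"]:
        print(ascii(sender), classify_sender(sender, SUPPLIERS))
```

A "lookalike" result is a reason to hold the payment and verify by phone on a known number; an "unknown" result only means the domain is not on file.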

So what’s the Op FERRARA Campaign?

In December 2019, the National Crime Agency used voluntary tasking powers to request Chief Officers in policing prioritise initiatives aimed at improving the policing response to fraud. These initiatives are delivered through Project OTELLO.

Under the banner of Project OTELLO, the NECC is coordinating Op FERRARA, a national multi-agency 4P response campaign focused on PDF, with support from a wide range of partners across both the public and private sectors.

Op FERRARA plans to deliver an uplift in the response to PDF with communications, supported by targeted enforcement action and public/private engagement to identify protect/prevent initiatives to align with the annual November increase.

During Op FERRARA, we will publicise the initiatives being conducted by police forces, financial institutions and industry to protect, educate and support people, whilst working with law enforcement partners to identify PDF investigations and coordinate activity to identify issues arising in ongoing PDF investigations.

Key Messages and Protect Advice

Take Five messages include:

Protect yourself and your business against PDF, when:

  • You’re asked to urgently process an out of the ordinary payment.

  • The language used in the email isn’t consistent with that of the genuine sender.

  • You’re asked to change the bank details of an existing supplier on your system.

Advice against PDF

Criminals are experts at impersonating people, organisations and the police. They spend hours researching you for their scams, hoping you’ll let your guard down for just a moment. Stop and think. It could protect you and your money.


Taking a moment to stop and think before parting with your money or information could keep you safe. If you receive a request to make an urgent payment, change supplier bank details or provide financial information, take a moment to stop and think.


Could it be fake? It’s ok to reject, refuse or ignore any requests for your financial or personal details. Only criminals will try to rush or panic you.

Verify all payments and supplier details directly with the company on a known phone number or in person first.


Contact your bank immediately if you think you’ve fallen for a scam and report it to Action Fraud on 0300 123 2040 or via their website. If you’re in Scotland, you can report to Police Scotland by calling 101 (see additional Protect advice below). For businesses, contact your bank immediately if you think you’ve been scammed and report it to Action Fraud.

Advice can be found on the Take Five website.

Improve your cyber security with NCSC Cyber Aware

Use the 6 NCSC Cyber Aware actions to keep yourself safe. Further details are available from NCSC Cyber Aware. The actions are:

1. Use a strong and separate password for your email.

2. Create strong passwords using 3 random words.

3. Save your passwords in your browser.

4. Turn on two-factor authentication (2FA).

5. Update your devices.

6. Back up your data.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
