Why You Must Stop Sending Bank Details via Email Immediately
Why should builders and founders care about email security?
If your business handles high-value transactions or manages client funds, your current communication workflow is likely a liability. A recent case involving a notary who diverted nearly 100,000 euros highlights a systemic flaw: we trust email far more than we should. When you send or receive bank details—often called a RIB or wire instructions—via standard SMTP, you are operating in the clear.
Interception isn't just a theoretical risk from external hackers. It is a tool for internal bad actors and sophisticated phishing campaigns. Once a PDF containing bank details is intercepted and modified, the recipient has almost no way to verify the change until the money is gone. In the world of real estate and B2B settlements, these losses are often unrecoverable.
How does the 'False RIB' attack actually work?
The mechanics are simple but effective. Attackers monitor email traffic for keywords like 'invoice', 'payment', or 'bank details'. Once they identify a pending transaction, they intervene using one of two methods:
- External Spoofing: The attacker compromises an email account and sends a follow-up message claiming the bank details have changed due to an 'audit' or 'technical issue'.
- Internal Manipulation: As seen in recent legal cases, an insider with access to the document flow replaces the legitimate bank account number with their own before the client sees it.
Because the email appears to come from a trusted source—your firm or a partner—the victim rarely double-checks the numbers. They see the correct branding, the correct tone, and a legitimate-looking PDF. The fraud is only discovered days later when the intended recipient asks why the funds haven't arrived.
What are the practical steps to secure your transaction flow?
Relying on user intuition is a failed security strategy. You need to implement protocols that move sensitive data out of the inbox. Email was never designed to be a secure transport layer for financial credentials.
- Out-of-Band Verification: Never transfer funds based on an email alone. Establish a mandatory policy to verify bank details via a phone call to a known, trusted number.
- Client Portals: Move all document exchanges to a secure, authenticated platform. If a client needs your bank details, they should log into a portal with multi-factor authentication (MFA) to retrieve them.
- Digital Signatures: Use tools like DocuSign or Adobe Sign that provide an audit trail and prevent unauthorized tampering with the document content after it has been issued.
- Email Encryption: If you must use email, sign and encrypt messages with S/MIME or PGP so the recipient can confirm the message hasn't been altered in transit, though this requires setup on both ends.
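The controls above can be enforced in code rather than left to intuition. The following is an added example, not code from the original article or from any product it names: a small payment-instruction guard that holds any transfer whose IBAN differs from the vendor record last confirmed by phone, checks the IBAN's ISO 13616 mod-97 digits (which catches transcription errors and crude edits to a PDF), and computes a SHA-256 fingerprint of the received document so both parties can compare what they are looking at during the out-of-band call. Vendor names, IBANs and the "PDF" bytes are constructed sample data; the `VendorRecord`, `PaymentInstruction` and `evaluate` names are this example's own.

```python
"""Payment-instruction guard (added example, not from the original article).

Policy encoded here:
  1. A bank detail that differs from the vendor master record is never
     acted on from the e-mail alone; the payment is HELD until confirmed
     out-of-band (phone call to a known number).
  2. The IBAN must pass the ISO 13616 mod-97 check.
  3. A SHA-256 fingerprint of the received document is returned so the
     caller can read it out during the verification call.
All vendor data, IBANs and document bytes below are constructed samples.
"""
from dataclasses import dataclass, field
import hashlib
import re

# Country code, two check digits, then 11..30 alphanumeric BBAN characters.
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")


def normalise_iban(iban: str) -> str:
    """Strip whitespace and upper-case, as IBANs are printed in groups of four."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A..Z to 10..35, and the resulting integer mod 97 must be 1."""
    iban = normalise_iban(iban)
    if not IBAN_RE.match(iban):
        return False
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def document_fingerprint(document: bytes) -> str:
    """SHA-256 of the attachment as received; compare it over the phone."""
    return hashlib.sha256(document).hexdigest()


@dataclass(frozen=True)
class VendorRecord:
    name: str
    iban: str          # last value confirmed out-of-band
    confirmed_via: str  # how and by whom it was confirmed


@dataclass(frozen=True)
class PaymentInstruction:
    vendor: str
    iban: str
    amount_eur: float
    document: bytes = field(repr=False)  # the PDF / attachment bytes


def evaluate(instruction: PaymentInstruction,
             vendor_master: dict[str, VendorRecord]) -> dict:
    """Return RELEASE only when the IBAN is well-formed and identical to the
    confirmed vendor record; otherwise HOLD and list every reason."""
    iban = normalise_iban(instruction.iban)
    reasons = []
    if not iban_is_valid(iban):
        reasons.append("IBAN fails ISO 13616 mod-97 check")
    record = vendor_master.get(instruction.vendor)
    if record is None:
        reasons.append("vendor has no confirmed bank details on file")
    elif normalise_iban(record.iban) != iban:
        reasons.append("IBAN differs from confirmed vendor record")
    return {
        "decision": "RELEASE" if not reasons else "HOLD_FOR_OOB_VERIFICATION",
        "reasons": reasons,
        "fingerprint": document_fingerprint(instruction.document),
    }


# Constructed sample data: one confirmed vendor and two incoming instructions.
VENDOR_MASTER = {
    "Example Notary Office": VendorRecord(
        name="Example Notary Office",
        iban="DE89 3704 0044 0532 0130 00",
        confirmed_via="phone call to number on signed engagement letter",
    ),
}
LEGIT_PDF = b"%PDF-1.4 constructed sample: wire to DE89 3704 0044 0532 0130 00"
ALTERED_PDF = b"%PDF-1.4 constructed sample: wire to GB82 WEST 1234 5698 7654 32"


def demo() -> dict:
    """Run both sample instructions through the guard."""
    legit = PaymentInstruction("Example Notary Office",
                               "DE89 3704 0044 0532 0130 00", 95000.0, LEGIT_PDF)
    # Same vendor, same branding, but the account in the PDF has changed.
    altered = PaymentInstruction("Example Notary Office",
                                 "GB82 WEST 1234 5698 7654 32", 95000.0, ALTERED_PDF)
    return {"legit": evaluate(legit, VENDOR_MASTER),
            "altered": evaluate(altered, VENDOR_MASTER)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result["decision"], result["reasons"], result["fingerprint"][:16])
```

The guard deliberately treats a valid but unfamiliar IBAN the same way as a malformed one: a well-formed account number proves nothing about who owns it, so the only exit from `HOLD_FOR_OOB_VERIFICATION` is updating the vendor record after a call to a number that did not come from the suspicious e-mail.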
What should you watch for in your own stack?
Audit your current billing and onboarding processes. If your team is still sending unencrypted PDFs with wire instructions, you are one compromised password away from a major financial loss. The cost of implementing a secure client portal is negligible compared to the legal and reputational fallout of a diverted six-figure payment. Start by banning the distribution of bank details via standard email attachments today. Move toward a 'zero trust' model where every financial instruction requires a secondary, non-email confirmation.