How to Verify a Payment Request Before You Pay
To verify a payment request, confirm it through a second channel you already trust, like a phone number you have on file, before sending any money. Never rely on contact details inside the email itself, and treat any change to bank details or any rush as a reason to slow down and check.
The safest way to verify a payment request is to confirm it out loud, through a channel you already trust, before any money moves. Call the person on a number you already have, not one written in the email, and ask them to confirm the amount and the account.
Why payment requests are a favorite target
Money that leaves by wire transfer or vendor payment is hard to claw back. Attackers know this, so they spend time crafting a request that looks routine.
These attacks often arrive as business email compromise (BEC), where a criminal poses as your CEO, a supplier, or a finance contact. The email is usually plain text, polite, and specific. There is no malware to catch, which is exactly why it slips past ordinary spam filters that miss targeted attacks.
The signals that should make you pause
Most fraudulent requests share a few traits. Treat any of these as a reason to verify before acting:
- A change in bank details. A vendor you have paid for years suddenly has a new account number.
- Urgency or secrecy. You are asked to act today, keep it quiet, or skip the usual approval.
- A request that bypasses process. The message asks you to handle it personally instead of using the normal system.
- A slightly wrong sender. The display name is right but the address is off, or the reply goes to a look-alike domain.
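The signals above can also be checked mechanically as a triage aid. The following is an added example, not part of the original article or of any product it mentions; the contact record, the domains, the keyword patterns and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed records from your own vendor file, never from the incoming email.
KNOWN_CONTACTS = {"dana reyes": "dana@acme-supplies.example"}
KNOWN_DOMAINS = {a.split("@")[1] for a in KNOWN_CONTACTS.values()}
URGENCY = re.compile(r"\b(urgent|today|immediately|keep (this|it) quiet)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|iban)\b", re.I | re.S)

def edit_distance(a, b):  # Levenshtein distance between two strings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """True for an unknown domain within two edits of a known one."""
    return bool(domain) and domain not in KNOWN_DOMAINS and any(
        edit_distance(domain, known) <= 2 for known in KNOWN_DOMAINS)

def payment_request_flags(raw_message):
    """Return the warning signals from the list above found in one raw email."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = " ".join(p.get_payload() for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    checks = [
        ("display-name-address-mismatch", bool(expected) and expected != addr.lower()),
        ("lookalike-domain", is_lookalike(from_dom) or is_lookalike(reply_dom)),
        ("reply-to-differs", bool(reply_dom) and reply_dom != from_dom),
        ("bank-details-change", bool(BANK_CHANGE.search(body))),
        ("urgency-or-secrecy", bool(URGENCY.search(body))),
    ]
    return [label for label, hit in checks if hit]

# Constructed sample message, not a real email.
SAMPLE = ('From: "Dana Reyes" <dana@acme-suppl1es.example>\n'
          "Reply-To: dana.reyes@mailbox.example\n"
          "Subject: Updated remittance details\n\n"
          "Please use our new bank account for this invoice. "
          "It is urgent, so pay today and keep this quiet.\n")
print(payment_request_flags(SAMPLE))
```

A flag here means "verify before acting", not "fraud": keyword matches will also fire on legitimate messages, and a clean result does not replace the call-back.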
A simple verification checklist
Use the same steps every time so verification becomes a habit, not a judgment call.
- Stop before you pay. No legitimate payment is ruined by a ten-minute delay.
- Find your own contact details. Use a phone number, contract, or directory you already had, not anything in the email.
- Call and confirm. Read back the amount, the account number, and the reason out loud.
- Confirm any changed bank details twice. A new account number is the single biggest red flag in payment fraud.
- Get a second person to approve. A two-person rule on payments above a set amount stops most losses.
- Document what you verified. Note who you spoke to and when, in case anyone asks later.
What "a second channel" really means
The point of verification is to leave the channel the request arrived on. If the request came by email, do not reply to it and do not trust a phone number printed inside it. Attackers happily answer that number.
Instead, call the cell phone you already had saved, walk to the person's desk, or message them on a separate app. You are checking the request against something the attacker does not control.
Build the habit into your process
Verification works best when nobody has to feel awkward about it. Make it policy so staff feel safe slowing down.
- Set a dollar threshold above which a second approver is required.
- Require a phone confirmation for any new or changed bank details.
- Tell your team that "let me confirm this first" is always the right answer, even with the boss.
It also helps to train people to recognize the lure in the first place. Our guide on how to spot a phishing email covers the language and sender tricks these messages rely on.
Where a security layer helps
Process catches a lot, but people are busy and attackers are convincing. A dedicated email layer adds a backstop your spam filter does not provide.
CIVRA analyzes sender identity and behavior, flags look-alike domains, and reads the language and intent of a message, so an impersonated finance request or fake invoice gets caught before it lands in someone's inbox. That gives your team a warning instead of relying on memory alone. You can see the full feature list here.
FAQ
What is the single most important step to verify a payment request?
Confirm it through a separate channel you already trust, such as a phone number you had on file before the email arrived. That one step defeats almost every payment scam.
A vendor changed their bank account by email. Is that normal?
It can be legitimate, but it is also the most common sign of fraud. Always call the vendor on a known number and confirm the new details verbally before sending anything.
Can my spam filter stop fake payment requests?
Not reliably. These emails often contain no links or attachments and read like normal business messages, so they pass standard filters. A dedicated layer that analyzes sender behavior and intent is what catches them.
What if the request seems to come from my CEO?
Verify it anyway. Attackers impersonate executives precisely because staff are reluctant to question them. A quick confirmation is always appropriate.
Want a backstop that flags impersonation and fake invoices before your team ever sees them? See CIVRA pricing or start with the app.