Payment fraud targets your workflow, not your bank.
The Two-Person Rule prevents beneficiary change fraud by requiring two people to verify and approve any change to the distribution of funds.
One person proposes (maker), another verifies out of band (checker).
This simple control stops Business Email Compromise attacks that cost small businesses 6% of annual revenue.
What You Need to Know
- No single person should be able to change where your money goes.
- 79% of organizations were hit by payment fraud in 2024, with Business Email Compromise being the top method.
- Recovery is unlikely: only 22% of organizations recovered 75% or more of lost funds in 2024.
- The control requires maker and checker roles, with out-of-band verification (a phone call to confirm email requests).
- Even one-person companies need a second control channel, such as an accountant, dual authorization with a bank, or delayed verification.
Remember: most payment fraud does not hack your bank.
It hacks your workflow.
The attacker doesn’t need to break encryption or defeat your bank’s security system if they convince a human to change an IBAN. They exploit the oldest vulnerabilities in business operations: speed, distraction, trust, and the desire to be helpful.
They wait for the moment when your company is tired, busy, or under time pressure. Then they introduce a small change that redirects a major outcome.
A beneficiary change is the highest leverage move in a small company.
One wrong IBAN change drains weeks or months of cash flow. Recovery is often close to zero, not because nobody cares, but because once the money’s gone, it moves through accounts designed to disappear quickly.
This control isn’t optional. It isn’t polite.
What Is the Two-Person Rule?
No single person can change where money goes.
If one person controls IBAN changes alone, you have exposure, not control.
And hope is not a business strategy.
Why the Two-Person Rule Matters Now
In 2024, 79% of organizations were victims of payment fraud attacks. Business Email Compromise (BEC) was cited as the number one fraud avenue by 63% of respondents.
This is social engineering targeting your payment workflow, not sophisticated hacking.
Small businesses lose approximately 6% of their annual revenue to fraud. For a company generating €200,000 annually, that’s €12,000 walking out the door because someone changed a supplier’s bank details without verification.
The recovery outlook is getting worse. Only 22% of organizations recovered 75% or more of the funds they lost in 2024, down from 41% in 2023. Once the money leaves, it’s gone.
Prevention is your only realistic defense.
How Business Email Compromise Attacks Work
An attacker sends an email that appears to come from your supplier. The message is civil, professional, and urgent: “We’ve updated our bank details. Please use this IBAN for all future payments.”
The email address looks almost identical to the real one. Maybe one letter is different. Maybe it’s a lookalike domain.
Your finance person is busy. They’re processing multiple invoices. They trust the relationship with this supplier. They update the IBAN in your accounting system.
The next payment goes out. €15,000 for inventory. €8,000 for services. The money lands in the attacker’s account and vanishes within hours.
You discover the problem when your real supplier contacts you about the unpaid invoice. By then, the money is gone.
This isn’t a technical failure. This is a workflow failure.
Many BEC incidents occur at quarter-end, during tax season, or while executives are traveling. Attackers use social events, public travel plans, or industry-wide reporting deadlines to time their fraud.
They target you when you’re distracted.
What Does the Two-Person Rule Protect Against?
This Standard Operating Procedure (SOP) creates a barrier against the most common entry points into payment loss:
The supplier emailed with “new bank details.”
Someone receives a message claiming to be from a vendor. Without verification, they update the payment system. The Two-Person Rule requires a second person to verify the change through a different communication channel before implementation.
The urgent payment request is pressuring you to bypass the process
Attackers create artificial urgency to force mistakes. “We need payment today, or your shipment will be delayed.” The Two-Person Rule removes the ability of one person to act alone under pressure.
The compromised inbox where attackers watch and wait
An attacker gains access to an email account and silently monitors its communication. When they see a legitimate payment discussion, they insert themselves by changing the bank details. The Two-Person Rule requires out-of-band verification, which breaks this attack pattern.
The internal mistake where someone mistypes an IBAN
Not all losses come from hostile parties. Sometimes your team member enters the wrong number. The Two-Person Rule catches human error before money leaves.
When Should You Apply the Two-Person Rule?
This control must be broad. Attackers ignore your categories.
Apply the Two-Person Rule to:
- New suppliers and new payees – Every first-time beneficiary requires dual verification
- Any change to an existing supplier bank account – This is the primary attack vector
- One-time payees for large transfers – Define “large” for your company (€5,000? €10,000?)
- Changes in payment instructions for payroll and taxes – These are high-value, predictable targets
If money moves to a new destination, two people verify it.
How Does the Maker and Checker Model Work?
One person proposes the change.
This is the “maker.” They receive the request, document it, and submit it for approval. They don’t implement.
A different person verifies and approves.
This is the “checker.” They confirm the change is legitimate before it goes live in your payment system.
Verification must be out of band.
This is critical. Out-of-band means you don’t use the same channel for verification.
If the bank detail change came via email, you verify it by phone. If by phone, verify using a known email address or by calling the supplier back using a number from your records, not the one provided in the message. Otherwise, you’re not verifying. You’re confirming what’s compromised.
How Do One-Person Companies Implement This Rule?
Solo entrepreneurs face the same logic. You need a second control channel.
Here are your options:
Use an external accountant as a checker.
Your accountant reviews and approves beneficiary changes before you implement them. This adds an expert verification layer.
Enable bank dual authorization.
Many Dutch banks (ABN AMRO, ING, Rabobank) offer dual authorization features for business accounts. You initiate the payment. A second authorized person (your accountant, a trusted advisor, or a business partner) must approve before execution.
Implement a delayed payment window with out-of-band verification.
When you receive a beneficiary change request, wait 24 hours and verify the change via a different channel (e.g., call the supplier using a known number) before making the change. Document this verification in writing.
If you have no way to implement any second-person control at all, you must accept, explicitly, that your risk is structurally higher.
Because it is.
What Does Successful Implementation Look Like?
The Two-Person Rule works when:
No single person does both the request and implementation of a beneficiary change
These functions are separated by role and documented in your procedures.
Every beneficiary change has written verification from a second source
You maintain a log with the following fields: date, requester, checker, verification method, and approval.
Your team knows the rule and follows it under pressure
When someone tries to rush a change, your team defaults to control rather than haste.
You prove your verification process during an audit or investigation
If fraud occurs, you demonstrate that you followed a documented control procedure.
Common Objections to the Two-Person Rule
“This will slow us down.”
A phone call takes three minutes. Recovering €10,000 takes months and often fails entirely. Speed is not the priority. Control is.
“We trust our suppliers.”
Trust isn’t the issue. Compromise is. Your supplier’s email account gets hacked. Their employees’ credentials get stolen. Trust without verification is exposure.
“We’re too small to be targeted.”
Small businesses are preferred targets. You have money moving but lack controls. Attackers know this.
“We’ll implement this when we grow.”
You implement this before you lose money. Once the loss occurs, the control becomes obvious. Install it now.
What Does It Cost to Skip This Control?
I’ve seen what happens when companies skip the Two-Person Rule.
A small consultancy in Amsterdam paid €18,000 to what it believed was its regular IT supplier. The email looked legitimate. The invoice matched previous ones. The only difference was the IBAN.
They discovered the fraud three weeks later when the real supplier asked about the unpaid invoice. The money was gone. The bank couldn’t reverse it. The police filed a report but offered little hope of recovery.
The company had to pay the supplier again. €18,000 became €36,000 in total cost, plus the time spent dealing with police, banks, and internal process reviews.
One verification call would have prevented it.
Wire transfers reclaimed the top spot as the most vulnerable payment type targeted by BEC. The FBI reports BEC scams have resulted in over $50 billion in losses since 2013, with the average financial loss per successful wire fraud reaching $286,000.
You don’t need to become another statistic.
How to Install the Two-Person Rule Today
Here’s what you do:
Step 1: Document the rule
Write a simple procedure: “No beneficiary changes without two-person verification. Maker proposes. Checker verifies out of band and approves.”
Step 2: Assign roles
Identify who’s a maker and who’s a checker. These must be different people.
Step 3: Create a verification log
Use a simple spreadsheet: Date | Supplier Name | Old IBAN | New IBAN | Requested By | Verified By | Verification Method | Approval Date
Step 4: Train your team
Explain the rule. Show them examples of BEC emails. Make it clear that speed doesn’t override verification.
Step 5: Test the control
Run a simulation. Have someone submit a fake beneficiary change request. See if your team follows the procedure.
This takes less than two hours to set up.
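As an added illustration of the maker/checker gate (Steps 1 and 2) and the verification log row (Step 3), here is example code that is not part of the article; the vendor records, names, dates and IBANs are constructed placeholders.

```python
# Added example, not from the article: a minimal maker/checker gate that
# encodes the SOP's rules and emits the Step 3 spreadsheet row.
from dataclasses import dataclass

# Constructed vendor master data: the contact details "from your records".
VENDOR_RECORDS = {
    "Acme Supplies": {"phone": "+31 20 555 0100", "email": "ap@acme.example"},
}

@dataclass
class ChangeRequest:
    supplier: str
    old_iban: str
    new_iban: str
    request_channel: str      # channel the request arrived on, e.g. "email"
    contact_in_message: str   # phone/email offered inside the request itself
    requested_by: str         # the maker

@dataclass
class Verification:
    verified_by: str          # the checker
    channel: str              # channel used to verify, e.g. "phone"
    contact_used: str         # contact actually used for the verification
    approval_date: str

def check_change(req, ver):
    """Return (approved, reasons); each reason is one rule from the SOP."""
    reasons = []
    if ver.verified_by == req.requested_by:
        reasons.append("maker and checker must be different people")
    if ver.channel == req.request_channel:
        reasons.append("verification must be out of band (different channel)")
    record = VENDOR_RECORDS.get(req.supplier, {})
    if ver.contact_used not in record.values():
        if ver.contact_used == req.contact_in_message:
            reasons.append("contact taken from the message, not from your records")
        else:
            reasons.append("contact not found in vendor records")
    return (not reasons, reasons)

def log_entry(date, req, ver):
    """Row for the Step 3 spreadsheet: Date | Supplier Name | Old IBAN |
    New IBAN | Requested By | Verified By | Verification Method | Approval Date."""
    return [date, req.supplier, req.old_iban, req.new_iban, req.requested_by,
            ver.verified_by, ver.channel, ver.approval_date]
```

A change that only clears `check_change` gets a `log_entry` row; anything rejected stays out of the payment system and the reasons are what the checker records.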
Why This Control Creates Time, Not Friction
The purpose of this control isn’t to create friction. It creates time.
Fraud depends on speed. Attackers need you to act quickly, without thinking, without verifying. They need you to trust the email, trust the immediacy, trust what seems legitimate.
Controls create time. Time to verify. Time to think. Time to catch the mismatch between what appears to be true and what’s true.
The Two-Person Rule inserts a pause into your payment workflow. That pause is where fraud fails.
What Happens Without This Control?
If you don’t install the Two-Person Rule, you’re operating on hope.
You’re hoping your team catches the fake email. You’re hoping the attacker picks someone else. You’re hoping your supplier never gets compromised.
Hope is not a control.
When the fraud happens (and the statistics show the odds are against you), you’ll spend weeks trying to recover money you’ll never see again. You’ll explain to your real supplier why you still owe them. You’ll file police reports. You’ll rebuild trust with your team and your vendors.
Or you install the control now. You separate the functions. You verify out of band. You document the process.
Structure is cheaper than recovery.
Your Decision
You now understand the mechanism. You know the cost. You know the control.
The Two-Person Rule isn’t complicated. It doesn’t require technology. It requires discipline.
Discipline to separate duties. Discipline to verify before acting. Discipline to maintain control when someone pressures you to move faster.
Most founders confuse trust with control. They think trusting their team or their suppliers is enough. It isn’t.
Trust is human. Control is structural. You need both.
Install the Two-Person Rule today. Document it. Assign roles. Train your team. Test it.
Because the system doesn’t read intentions. It reads proof.
And if you don’t prove you verified the change, you don’t control where your money goes.
Frequently Asked Questions
What is the Two-Person Rule for payment controls?
The Two-Person Rule requires two different people to verify and approve any change to payment beneficiaries. One person (maker) proposes the change. A different person (checker) verifies through an independent channel before implementation. This prevents fraud and human error.
How does out-of-band verification work?
Out-of-band verification means using a different communication channel than the one used to deliver the change request. If a beneficiary change arrives by email, verify it by phone using a known number from your records, not the one in the message. This prevents attackers who control one channel from confirming their own fraud.
What if I’m a solo entrepreneur with no employees?
Solo entrepreneurs need a second control channel. Options include using an external accountant as a checker, enabling bank dual authorization features (offered by ABN AMRO, ING, Rabobank), or implementing a 24-hour delayed payment window with out-of-band verification before making changes.
How long does it take to implement the Two-Person Rule?
Implementation takes less than two hours. Document the procedure, assign maker and checker roles, create a verification log spreadsheet, train your team on the rule, and test it with a simulated beneficiary change request.
Will this slow down our payment process?
A verification phone call takes three minutes. Recovering lost funds takes months and usually fails. Only 22% of organizations recovered 75% or more of the funds they had lost in 2024. The small time investment prevents massive losses.
Why target small businesses if they have less money?
Small businesses are preferred targets because they have money moving but commonly lack controls. Attackers know small companies generally depend on single-person workflows and trust-based processes, making them easier to exploit than larger organizations with established controls.
What should be in the verification log?
Your verification log should document: date, supplier name, old IBAN, new IBAN, who requested the change, who verified it, the verification method used (phone call or email to a known address), and the approval date. This creates audit-ready proof of your control process.
When exactly should the Two-Person Rule apply?
Apply the rule to: all new suppliers and payees; any change to existing supplier bank accounts (the primary attack vector); one-time payees for large transfers (define your threshold); and modifications to payment instructions for payroll and taxes. If money moves to a new destination, two people verify it.
Key Takeaways
- Payment fraud exploits workflow vulnerabilities, not bank security systems. The Two-Person Rule prevents single-point-of-failure exposure in beneficiary changes.
- 79% of organizations experienced payment fraud in 2024, with Business Email Compromise as the top method. Recovery rates are falling: only 22% recovered most funds.
- The maker-and-checker model separates duties. One person proposes changes, and another verifies them through a different channel (out-of-band) before implementation.
- Out-of-band verification is critical. Verify email requests by phone, using numbers from your records, not from the message. Same-channel confirmation validates what might be compromised.
- Solo entrepreneurs need secondary control channels, such as external accountants, dual authorization with a bank, or delayed payment windows with independent verification.
- Implementation takes less than two hours and requires no expensive software. Document the rule, assign roles, create a log, train your team, and test using simulations.
- The control creates time, not friction. Fraud depends on speed. The pause for verification is where fraud fails. Structure is cheaper than recovery.