
Your IBAN Isn’t “Harmless”: How Crooks Drain Accounts Using Just Your Bank Details

Your bank routing info feels boring. That’s the problem.

In France, cybersecurity specialists are now logging more than 15,000 cases a month tied to stolen IBAN data, the European cousin of the account-and-routing numbers Americans toss onto checks without thinking. And French consumer-fraud authorities say reports tied to fraudulent direct debits jumped 34% in 2025.

The dirty secret: a simple bank-details sheet (the French call it a RIB) can be enough for criminals to pull money, impersonate you with your bank, or tailor a scam that sounds uncomfortably real.

The direct-debit loophole: 280,000 accounts hit a year

Europe’s SEPA direct-debit system was built to make payments easy across borders. It also bakes in a structural weakness: in many cases, having an IBAN plus a name can be enough to initiate a debit.

Fraudsters exploit that by dressing up like legitimate businesses. The playbook is blunt: set up a shell company, get a SEPA “creditor ID” through a bank, then start pulling funds from targeted accounts.

The Banque de France counts about 280,000 accounts victimized by fraudulent direct debits each year, with an average loss of €450 per case, about $490 at current exchange rates.

And the crooks’ best friend is time. People often spot the bogus debit weeks later, after the money has already been routed onward, sometimes offshore. Yes, victims can get reimbursed, but the process drags: 8 to 12 weeks on average.

The most commonly impersonated sectors? Telecom, energy, and insurance, industries where autopay is normal, and a “reasonable-looking” charge doesn’t trigger panic until the second or third time it hits.

Bank details supercharge social engineering

Direct debits are only the appetizer. A RIB/IBAN also feeds smarter scams, because it’s a piece of verified truth criminals can stitch into a lie.

Fraud rings combine bank details with other personal data, addresses, phone numbers, job history, to build a profile. Then they call or email pretending to be your bank rep, casually dropping specifics: your bank name, the branch location, even the first digits of the account. That little sprinkle of accuracy is how people get hooked.

Businesses get hit especially hard. Criminals intercept a vendor’s bank details, then contact accounting pretending to be that vendor and request “updated” payment instructions for future transfers. France’s cybercrime-fighting center says 40% of so-called “CEO fraud” cases involve this kind of bank-detail switch.

And modern office life makes it easier: bank details now fly around via email, chat apps, and shared work platforms, exactly the places attackers love to compromise.

Organized groups are automating the theft

The pros don’t rely on gullible humans alone. They build tools.

Malware designed to hunt and exfiltrate bank documents is spreading on underground forums. These programs target PDFs containing bank details, banking screenshots, and online direct-debit forms. Once a machine is infected, it can quietly forward those files to servers controlled by the thieves.

France’s national cyber-monitoring center says it identified 127 malware families specialized in this kind of bank-data theft in 2025.

Phishing is still a workhorse, too: fake sites mimicking bank or government portals, pushed via targeted ads or booby-trapped email links. Some groups go further, pushing bogus mobile “banking helper” apps on alternative app stores, apps that exist mainly to vacuum up whatever you type, scan, or photograph.

What banks (and you) can do to fight back

Banks are trying to catch up. France’s Société Générale, for example, has rolled out AI-driven monitoring that flags suspicious direct debits in real time by analyzing frequency, amounts, and a creditor’s history.

For regular people, the unglamorous fix works best: watch your account like a hawk. If you spot an unauthorized direct debit, French rules generally require you to dispute it within 8 weeks to qualify for automatic reimbursement.
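An added example, not code from the article or from any bank: a small Python check an account holder could run over exported statement lines, using the same signals named above (creditor history, amounts, frequency) and counting down the 8-week dispute window. The record fields, thresholds and creditor IDs are assumptions constructed for illustration.

```python
from datetime import date, timedelta
from statistics import median

DISPUTE_WINDOW = timedelta(weeks=8)  # dispute window cited in the article

def review_debits(history, recent, today, amount_ratio=1.5, min_gap_days=20):
    """Flag recent debits; returns [(debit, reasons, days_left_to_dispute)].
    Thresholds are illustrative assumptions, not bank rules."""
    known = {}
    for d in history:
        known.setdefault(d["creditor_id"], []).append(d)
    flagged = []
    for d in sorted(recent, key=lambda x: x["day"]):
        past, reasons = known.get(d["creditor_id"], []), []
        if not past:
            reasons.append("creditor ID never seen on this account")
            names = {p["name"].lower() for ps in known.values() for p in ps}
            if d["name"].lower() in names:
                reasons.append("name of a known creditor under a different ID")
        else:
            typical = median(p["amount"] for p in past)
            if d["amount"] > typical * amount_ratio:
                reasons.append(f"amount {d['amount']:.2f} vs typical {typical:.2f}")
            gap = (d["day"] - max(p["day"] for p in past)).days
            if gap < min_gap_days:
                reasons.append(f"only {gap} days after the previous debit")
        if reasons:
            days_left = (d["day"] + DISPUTE_WINDOW - today).days
            flagged.append((d, reasons, days_left))
        else:
            # Only clean debits extend the baseline, so a flagged creditor stays flagged.
            known.setdefault(d["creditor_id"], []).append(d)
    return flagged

def debit(cid, name, amount, day):
    return {"creditor_id": cid, "name": name, "amount": amount, "day": day}

# Constructed sample data; creditor IDs are placeholders, not real SEPA identifiers.
HISTORY = [debit("EXAMPLE-TELCO", "Telco Mobile", 29.99, date(2025, m, 5)) for m in (1, 2, 3)]
HISTORY.append(debit("EXAMPLE-ENERGY", "Energy Co", 80.00, date(2025, 3, 10)))
RECENT = [
    debit("EXAMPLE-TELCO", "Telco Mobile", 29.99, date(2025, 4, 5)),   # routine
    debit("EXAMPLE-SHELL", "Energy Co", 450.00, date(2025, 4, 8)),     # new ID, familiar name
    debit("EXAMPLE-TELCO", "Telco Mobile", 89.00, date(2025, 4, 12)),  # high and too soon
]

if __name__ == "__main__":
    for d, reasons, days_left in review_debits(HISTORY, RECENT, today=date(2025, 5, 1)):
        print(d["day"], d["name"], d["amount"], reasons, f"{days_left} days left to dispute")
```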

Another simple move: stop spraying your bank details everywhere. Share them only with organizations that truly need them, and use secure channels, not a random email thread that’s been forwarded 12 times.

For small-business owners, compartmentalizing helps: use a dedicated account for incoming payments so a compromise doesn’t expose everything.

Some banks are also offering “virtual” bank identifiers, unique details generated per merchant that can be shut off anytime. That’s the kind of control consumers should’ve had years ago, and it can’t spread fast enough.

Céline