Share Banking Info

Securely share IBAN, SWIFT, or routing numbers for wire transfers without email logs.

Why secure share banking info matters

Bank receiving details are an unusual category of secret because half the bundle is meant to be public. An IBAN (ISO 13616) is printed on every invoice a European business issues. A SWIFT/BIC is published in directories. None of these strings opens a fraud path on its own — the high-value bundle is the account number, the matching routing or IBAN, the beneficiary name, and a plausible reason to redirect a payment.

The dominant threat is Business Email Compromise wire fraud: an attacker hijacks a vendor's mailbox and sends fresh instructions identical to the originals except for a swapped account number. The FBI IC3 attributes over 21,000 BEC complaints and $2.9 billion in losses to this pattern in a recent year. Substitution happens during an email round-trip: a PDF is intercepted, the digits are edited, and accounts-payable has no signal anything changed.

PasteOnce moves the digits off the email thread. The vendor pastes routing, account, IBAN, BIC, and beneficiary reference into a one-shot link. The payer reads it once, types values into the corporate-banking wire screen, and the encrypted blob is destroyed. Routable digits never sit in a forwarded mailbox where an attacker can mutate them. Pair every transfer with an out-of-band voice confirmation.

What goes wrong when share banking info is shared insecurely

Payment-redirect during invoice round-trip. An attacker with mailbox access waits for an invoice carrying payment details, replies from a lookalike domain, and supplies a corrected IBAN. Mid-six-figure wires settle to mule accounts in Hong Kong or Romania before either side notices.
ACH-debit pulls from leaked routing-and-account. In the US, the pair printed on the bottom of a check is enough to originate an ACH debit under NACHA rules. Subscription mills pull recurring debits; recovery falls under the 60-day Regulation E dispute window.
Voice-cloned callback to the CFO's number. Attackers answer the verification callback in a deepfaked voice trained on conference-call audio. Calling the inbound number from the wire email defeats the purpose; the only safe callback is one obtained independently from a signed contract.
Forwarded-PDF tampering inside the mail server. Microsoft 365 and Google Workspace mailbox-rule abuse lets an attacker silently auto-forward attachments through a relay and re-inject modified copies. Static digits in a PDF carry no integrity guarantee; the recipient cannot tell the IBAN was edited.

Share Banking Info

Client-side encrypted. We can't see your data.

Press Ctrl/⌘ + Enter to send0 characters

Expires in:

End-to-End Encrypted

Your data is encrypted in your browser before it leaves your device.

Self-Destructing

Messages are automatically deleted after being read once.

Zero Knowledge

We never see your data. Only encrypted blobs pass through our servers.

One-Time View

Links work exactly once. Refresh the page and it's gone forever.

How does share banking info work on PasteOnce?

Client-Side Encryption

Your sensitive data is encrypted in your browser using AES-256-GCM. The encryption key is generated randomly and never sent to our servers.

Secure Storage

Only the encrypted blob is stored in our database, with an automatic expiration time. We literally cannot read your data.

One-Time Read

When your recipient opens the link, the encrypted data is fetched and immediately deleted from our servers using an atomic Redis GETDEL. The key in the URL hash decrypts the message in their browser.

Best practices for share banking info

Mandate a callback to a pre-recorded number

Before any new vendor enters the payments master, the AP clerk calls the number drawn from the signed master service agreement — not the one on the invoice. Record the call into the vendor record. This single control kills most BEC variants outright.

Turn on instant push notifications at the receiving bank

Wise, Revolut Business, Mercury, and Brex push within seconds of any inbound credit. Chase, Bank of America, and Wells Fargo require enabling alerts manually and often delay by hours. Confirm settlement via the push, not a screenshot.

Use beneficiary-name-match where the rail supports it

UK Faster Payments has Confirmation of Payee, checking the beneficiary name against sort code and account before payment leaves. SEPA Instant is rolling out Verification of Payee under EU Regulation 2024/886, mandatory October 2025. Never dismiss a name-mismatch warning.

Treat treasury changes as a two-person process

Any update to a vendor's banking record in NetSuite, Ramp, or Bill.com should require initiator-plus-approver, with the approver independently confirming new digits by callback. Single-approver workflows are the structural weakness BEC playbooks target.

Related Secure Sharing Tools

Share API Key Securely Share SSH Private Key Share .env Variables Share Database Credentials Send Password Securely Share Password Securely Share Credit Card Details Send Confidential HR Note

Real situations this is built for

First payment to a new EU supplier

Procurement signs with a Berlin vendor. Rather than emailing a wire-instruction PDF, the controller drops IBAN, BIC, and beneficiary name into a PasteOnce link. AP runs the SEPA name-match, calls the controller on the contract number, and submits an MT103.

US vendor switching banks after a collapse

A vendor moves from Silicon Valley Bank to Mercury after 2023. They paste the new ABA routing and account number through PasteOnce; treasury updates Bill.com, requires a second approver, and runs a $1 ACH penny-test before the next scheduled run.

Cross-border emergency payroll

A UK-based contractor needs same-day payment after a delayed invoice. They send sort code, account number, and IBAN through PasteOnce. Finance verifies via Confirmation of Payee on Faster Payments and pays within the hour.

Frequently Asked Questions

Is my IBAN actually a secret if it is on every invoice I send?

No, and treating it as one will frustrate customers. The IBAN is broadcast information by design. The risk is the bundle of digits, beneficiary name, and apparent insider authorization to redirect. Protect the change-of-payee process; the IBAN can stay on your letterhead.

How do I verify wire instructions without falling for a spoofed callback?

Call a number you had on file before this conversation — from a signed master agreement or a vendor master entry predating the thread. Never use a number printed on the wire-instruction email, and treat any updated phone number in the same thread as automatically suspect.

Can I recover a wire that landed in a fraudster's account?

Sometimes, if you act within hours. SWIFT supports recall messages (MT192/MT292) and the FBI Financial Fraud Kill Chain can intervene on domestic wires above $50,000 reported within 72 hours. After that window funds become crypto. ACH credits reverse under NACHA rules.

What about transfers on Zelle, Venmo, or Cash App?

Those rails do not pass raw routing-and-account between users — they use a phone number or handle. The threat model is impersonation rather than instruction tampering. Zelle treats authorized-but-deceived transfers as final. PasteOnce is most useful for business and cross-border wires.

Why secure share banking info matters

What goes wrong when share banking info is shared insecurely

Payment-redirect during invoice round-trip. An attacker with mailbox access waits for an invoice carrying payment details, replies from a lookalike domain, and supplies a corrected IBAN. Mid-six-figure wires settle to mule accounts in Hong Kong or Romania before either side notices.

ACH-debit pulls from leaked routing-and-account. In the US, the pair printed on the bottom of a check is enough to originate an ACH debit under NACHA rules. Subscription mills pull recurring debits; recovery falls under the 60-day Regulation E dispute window.

Voice-cloned callback to the CFO's number. Attackers answer the verification callback in a deepfaked voice trained on conference-call audio. Calling the inbound number from the wire email defeats the purpose; the only safe callback is one obtained independently from a signed contract.

Forwarded-PDF tampering inside the mail server. Microsoft 365 and Google Workspace mailbox-rule abuse lets an attacker silently auto-forward attachments through a relay and re-inject modified copies. Static digits in a PDF carry no integrity guarantee; the recipient cannot tell the IBAN was edited.

How does share banking info work on PasteOnce?

Client-Side Encryption

Your sensitive data is encrypted in your browser using AES-256-GCM. The encryption key is generated randomly and never sent to our servers.

Secure Storage

Only the encrypted blob is stored in our database, with an automatic expiration time. We literally cannot read your data.

One-Time Read

When your recipient opens the link, the encrypted data is fetched and immediately deleted from our servers using an atomic Redis GETDEL. The key in the URL hash decrypts the message in their browser.

Best practices for share banking info

Mandate a callback to a pre-recorded number

Turn on instant push notifications at the receiving bank

Use beneficiary-name-match where the rail supports it

Treat treasury changes as a two-person process

Real situations this is built for

First payment to a new EU supplier

US vendor switching banks after a collapse

Cross-border emergency payroll

Frequently Asked Questions

Is my IBAN actually a secret if it is on every invoice I send?

How do I verify wire instructions without falling for a spoofed callback?

Can I recover a wire that landed in a fraudster's account?

What about transfers on Zelle, Venmo, or Cash App?