I can also do that with DirectDebit (ACH for you yanks) transactions in the UK for example; brute force branch sort code and account numbers and when you "transfer money" (you can do 1p, or even cancel the transaction once the TUN code has been generated iirc) you get the name associated with the account.
There isn't much you can do about it, detecting an abuse of an invoicing system and locally blocking it is much preferable to the other potential outcome of not knowing or being able to confirm where the hell did that invoice actually went.
There isn't much you can do about it, detecting an abuse of an invoicing system and locally blocking it is much preferable to the other potential outcome of not knowing or being able to confirm where the hell did that invoice actually went.