Invoice Fraud & Vendor Email Compromise: How to Stop It

The email comes from a supplier your accounts-payable team has paid a dozen times. The branding is right, the invoice number matches an open order, and the message is polite and routine — with one small addition: “Please note we have updated our banking details.” The payment goes out on schedule. Weeks later, the real supplier calls asking why their invoice is overdue. The money is already gone.
This is invoice fraud driven by vendor email compromise (VEC), and it is one of the most costly variants of business email compromise. The FBI's Internet Crime Complaint Center has tracked BEC as one of the most damaging cybercrimes by dollar loss, reporting billions in losses year after year. Unlike a clumsy phishing blast, these attacks are quiet, patient, and built on trust your team has already extended.
What Makes Vendor Email Compromise So Effective
Most awareness training warns employees about the “CEO” demanding an urgent wire transfer. Vendor fraud is the subtler, more dangerous cousin. It does not impersonate someone you barely know — it impersonates a relationship you trust, inside a transaction you were already expecting to pay.
As the FBI describes business email compromise, the scam frequently arrives as a message that appears to come from a known source making a legitimate request — such as a vendor your company regularly deals with sending an invoice with updated payment details. Two ingredients make it work:
- Context, not urgency. The request fits an existing workflow. There is a real purchase order, a real invoice cycle, and a real relationship — so the fraudulent change blends in.
- Trust transfer. Your controls are built to scrutinize new payees. A bank-detail change on an established vendor often slips through with far less scrutiny.
How the Attack Unfolds
Vendor fraud reaches the same destination — a fraudulent bank account — by two main routes.
Route 1: The Compromised Supplier Mailbox
The attacker gains access to a real mailbox inside the supplier's organization, often through earlier credential phishing. From there they watch genuine invoice threads, learn the cadence and tone, and at the right moment reply from the real account with new banking details. Because the email is authentic, it passes every technical check — SPF, DKIM, and DMARC all align.
Route 2: The Lookalike Domain
When the attacker cannot get inside the supplier's mailbox, they register a domain that closely resembles it. The FBI has noted tactics as subtle as a domain missing a single letter, or .co in place of .com. The display name reads correctly, the signature looks familiar, and a busy clerk rarely inspects the full address.
Some operators even hijack a real reply thread and change the bank details by a single digit — a change small enough to evade a quick glance but enough to reroute the entire payment.
The decisive moment is not when the email arrives — it is when someone in accounts payable decides whether to update a payee's bank details on the strength of an email alone. That is where the loss is prevented or guaranteed.
Warning Signs in an Invoice or Bank-Change Request
Because a fraudulent message can be technically flawless, the tells are usually in the content and the context rather than the headers. Train accounts-payable staff to slow down when a payment-related message shows any of these characteristics:
- An unexpected change to banking details. This is the single highest-risk signal. Any message announcing a new account number, a switch to a different bank, or a move to a new payment provider should trigger verification, no matter how routine it appears.
- A nudge toward speed or secrecy. Requests to “process this quickly,” keep the change quiet, or pay ahead of the usual cycle are designed to bypass your controls.
- A subtle shift in tone or detail. A reply that reads slightly differently from the supplier's usual style, or a thread where the contact suddenly avoids a phone call, can indicate a compromised mailbox or an impostor.
- A reply-to that differs from the sender. Watch for messages where responses are quietly redirected to a different or near-miss address.
- An invoice that does not quite reconcile. Amounts, purchase-order numbers, or formatting that do not match the open order deserve a second look before any payment moves.
None of these is proof of fraud on its own. Together they form a pattern, and any one of them touching a bank-detail change is reason enough to pick up the phone before money moves.
The Verification Controls That Stop It
Because the fraudulent message can be technically perfect, the defense cannot rely on spotting a fake email. It has to rely on process — specifically, out-of-band verification of any change to where money goes.
- Verify every bank-detail change out-of-band. Before changing a supplier's payment details, call them back on a number you already have on file — never the number in the email requesting the change. This single control defeats both the compromised-mailbox and lookalike-domain routes.
- Treat bank-detail changes as high-risk events. Require a documented second approval and a callback for any change to vendor banking information, regardless of how routine the request looks.
- Maintain a trusted vendor record. Keep verified contact and banking details in your finance system, and make that record — not an inbound email — the source of truth.
- Slow down large or first-time payments. Build a deliberate verification step into the workflow for high-value transfers so speed never overrides scrutiny.
- Inspect the full sender domain. Train AP staff to read the entire address, not just the display name, and to be alert to near-miss domains.
If a fraudulent payment does go out, time is everything. The FBI advises contacting your bank immediately to request a recall and filing a report — regardless of amount — with the IC3 at ic3.gov. Fast reporting meaningfully improves the odds of recovering funds.
Training the People Who Press "Pay"
Technical filters will never catch an email sent from a genuinely compromised supplier account, which is why the accounts-payable team is the real control point. Awareness training should put VEC scenarios directly in front of finance staff — not generic phishing examples, but the specific “our bank details have changed” pretext they will actually face.
With empowsec, you can run targeted phishing simulations modeled on vendor and invoice fraud, then measure how AP teams respond and reinforce the out-of-band verification habit with role-relevant training. The goal is simple: make a verification callback the automatic, expected response to any payment-detail change — not an awkward exception.
Key Takeaways
Vendor email compromise turns a routine invoice into a major loss by exploiting an existing, trusted relationship. The defense is process discipline, not just better filters:
- Vendor fraud impersonates suppliers you already trust, inside transactions you already expect — making it harder to spot than CEO-impersonation scams.
- Attacks arrive via compromised supplier mailboxes or lookalike domains, and a genuine compromised account passes every technical check.
- Always verify bank-detail changes out-of-band using a known contact number, never the details in the email.
- Treat payment-detail changes as high-risk, requiring a second approval and a callback.
- If fraud occurs, act fast — contact your bank for a recall and report to the FBI's IC3 at ic3.gov immediately.


