Vendor impersonation scams are no longer just an accounts payable problem. In the age of AI, they’re a board-level risk.

A single fraudulent banking-change request can quietly divert six-figure payments. Mid-sized organizations with lean finance teams, trust-based vendor relationships, and processes never designed for sophisticated impersonation are especially exposed.

This isn’t about bad spelling or obvious scams anymore. It’s about process integrity, identity, and verification.

What Vendor Fraud Looks Like Now

Vendor fraud is the diversion of legitimate payments into fraudulent accounts. In practice, it typically shows up in two ways:

  • External fraud: Attackers impersonate a real vendor (or compromise their inbox) and request banking changes or push fake invoices.
  • Internal fraud: An employee manipulates vendor records, invoices, or payment details for personal gain.

On paper, that sounds straightforward. In reality, a few modern twists make it far more complex:

  • Emails look and read exactly like your real vendors.
  • Invoices are cloned with perfect logos, formatting, and language.
  • Voice calls can convincingly mimic vendor reps or even your own executives.

The usual “does this email look suspicious?” test no longer works. The weak link isn’t your team’s intuition. It’s any workflow that still assumes email identity can be trusted by default.

How Modern Vendor Impersonation Actually Happens

You don’t need deep technical expertise, but you do need to understand the playbook:

  • Look-alike domains and thread hijacking
    Domains that differ by a single character, or attackers replying inside real email threads after compromising a vendor account. Here’s an example:

  • AI-written emails
    Attackers train AI on real vendor emails. The result: flawless language, accurate references, and familiar sign-offs.
  • Deepfake voice calls
    Calls that appear to come from a vendor or executive, pushing urgent banking changes or off-cycle payments.
  • Cloned invoices
    Genuine invoices are copied and lightly edited. It’s usually just the bank account or the amount that is changed.
  • Paired phone + email attacks
    An email requests a change, followed by a “confirmation” call. Both are scripted using AI.

None of this will look obviously fake to a busy AP team trying to close the month-end.

What Your Finance and AP Teams Should Watch For

Instead of only looking for obvious typos or sloppy emails, train your teams to spot pattern breaks:

  • Banking changes tied to large or upcoming payments.
    A request to update account details right before a big invoice is paid should always be treated as high-risk.
  • Invoices that “look right” but include new bank details or odd amounts.
    Same logo, same layout, but different account info, currency, or totals than usual.
  • New “contacts” at a known vendor requesting banking changes.
    Especially when there’s no warm handoff from your existing, trusted contact.
  • Requests wrapped in urgency or secrecy.
    Phrases like “just this once, skip the process” or “don’t loop others in, this is sensitive” are classic red flags.
  • Email domains that are almost right.
    One extra letter, swapped characters, or a different top-level domain (e.g., .co instead of .com).
  • Unusual login behaviour tied to vendor communications.
    If you’re using identity/security tools, IT should watch for new devices, new locations, or “impossible travel” patterns on accounts involved in vendor email threads.
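One way to turn the “almost right” domain check above into something a mail gateway or AP intake script can run, as an added example that is not from the original post: a Python helper that compares the sender’s domain against a constructed list of trusted vendor domains, folds common character swaps, and flags a different top-level domain or a one-or-two-character difference. The vendor list, the homoglyph table and the edit-distance threshold are assumptions for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed vendor list; in practice it comes from the ERP/AP vendor master.
TRUSTED_VENDOR_DOMAINS = {"acme-supplies.com", "northwind.co.uk", "contoso.com"}
# Visually similar characters attackers swap in (constructed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "5": "s"}


def normalize(domain):
    """Fold a domain to a comparable ASCII form: lower-case, decode punycode,
    strip accents and non-ASCII confusables, then apply the homoglyph table."""
    d = domain.strip().lower()
    try:
        d = d.encode("ascii").decode("idna")  # turn xn-- labels back into Unicode
    except UnicodeError:
        pass  # already non-ASCII or not valid punycode; keep as-is
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    for bad, good in HOMOGLYPHS.items():
        d = d.replace(bad, good)
    return d


def levenshtein(a, b):
    """Edit distance; catches one extra letter or swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted=TRUSTED_VENDOR_DOMAINS):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    raw = domain.strip().lower()
    if raw in trusted:
        return "trusted", raw
    name = normalize(raw).partition(".")[0]  # registrable label, e.g. 'northwind'
    for t in trusted:
        t_name = normalize(t).partition(".")[0]
        # Same label after folding (c0ntoso, contoso.co) or within two edits of it;
        # very short vendor names may need a tighter threshold to limit false alarms.
        if name == t_name or levenshtein(name, t_name) <= 2:
            return "lookalike", t
    return "unknown", None


def check_from_header(from_header):
    """Classify the domain of an RFC 5322 From: header value."""
    return classify_domain(parseaddr(from_header)[1].rpartition("@")[2])
```

A “lookalike” result is a signal to route the message into the out-of-band verification step, not proof of fraud on its own.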

Practical Safeguards You Can Implement Now

Here are controls leadership can mandate and measure.

1. Treat vendor banking changes as high-risk events

Make this a non-negotiable policy:

  • No banking updates are approved via email alone.
  • All changes are verified using a known phone number or pre-approved contact method stored in your ERP/AP system.
  • The verification step is logged in the system (who verified, when, and how).

You’re deliberately adding friction at a high-risk point in the process.

2. Enforce dual control on vendor and payment changes

For any new vendor, banking change, or high-value payment:

  • Require two approvals, ideally from different roles (e.g., AP + Controller).
  • Configure your systems to enforce this; don’t rely on informal “two sets of eyes” habits.

3. Clean up and govern vendor master data

Set a regular cadence (e.g., quarterly) to:

  • Revalidate key vendor contacts and banking details via trusted channels.
  • Remove unused vendors and stale contacts.
  • Confirm that banking details are never updated based solely on email instructions.

This turns your vendor list into a governed asset, not a historical dump.

4. Strengthen email and identity security

Work with the IT team or your Managed IT Services provider to ensure:

  • MFA is enforced on email and finance systems.
  • DMARC, SPF, and DKIM are properly configured to reduce spoofing.
  • Conditional access and sign-in risk policies are in place to flag unusual behaviour.

This directly lowers the chance of business email compromise (BEC), which sits at the centre of many vendor fraud incidents.

In AFP’s 2025 Payments Fraud and Control Survey, 79% of organizations (across 500 respondents) reported attempted or actual payments fraud in 2024, with BEC leading the way as the top attack method.

5. Update security awareness for the AI era

Most phishing training is still based on outdated examples. Ask for training that:

  • Uses realistic, AI-grade impersonation scenarios.
  • Reinforces that “perfect” emails can still be fraudulent.
  • Teaches staff to escalate on process violations (bypassed approvals, urgency, secrecy), not just bad grammar or odd formatting.

Where Leadership Should Focus

Vendor fraud isn’t just “an IT problem” or “a finance problem.” It’s really a governance issue.

As a C-suite leader, your role is to:

  • Set the ground rules: make it clear that email is not a trusted channel for banking changes.
  • Insist on dual control for vendor data and high-value payments, every time.
  • Make sure IT and finance are on the same page around identity, email security, and vendor governance.
  • Ask for proof, not promises: you should be able to see logs, workflows, and approvals.

It now takes minutes to spin up a convincing fake invoice, and cheap tools can imitate a colleague’s voice well enough to pass a quick phone check. It is becoming easier for attackers to commit fraud, which means the bar for your controls has to get higher.

You can’t stop every fraudulent email or call from landing, but you can make sure they hit a process that doesn’t bend.

Clear rules, dual control, and documented verification are what turn “one clever email” into a dead end instead of a six-figure loss.