Vendor Payment Change Attacks: How Sophisticated Fraud Destroys Relationships and Empties Accounts
One phone call. One changed account number. Millions of dollars gone.
It happens to careful, well-run organizations every day. A vendor you've paid reliably for years sends a message explaining that their banking details have changed and asking you to update your records. You update them. You send the next payment. It disappears into an account controlled by a criminal, and by the time anyone realizes what happened, the money is gone and the relationship is in ruins.
This is a Vendor Payment Change attack — one of the most financially damaging and emotionally destructive scams targeting businesses today. And it is far more sophisticated than most people assume.
Bad actors don't operate randomly. They research their targets carefully before making a move, and the information they need is often surprisingly easy to find.
They might look at the name on the building you lease to identify your property manager. They might visit a supplier's website to see which clients they publicly reference. They might monitor LinkedIn to understand which vendors your finance team interacts with. In more targeted attacks, they gain access to a mailbox — yours or your vendor's — and read actual invoices, payment histories, and correspondence before crafting a forgery that is nearly indistinguishable from the real thing.
Once they know whose bills you pay, the attack is straightforward. They fabricate a convincing invoice, email, or phone call explaining that the vendor's payment account has changed — a bank switch, a new payment processor, a preference for wire transfer or ACH over check. The explanation sounds routine. The communication looks legitimate. And if you're not specifically watching for this pattern, it's easy to miss.
Why This Attack Works So Well
The reason Vendor Payment Change attacks succeed against smart, careful people is that they exploit trust that was legitimately earned. You've been paying this vendor for years. You have no reason to be suspicious of them. The request arrives in a context — a routine payment cycle — where your guard is naturally lower.
Attackers know this. They time their approach carefully, often coinciding with a real invoice cycle. They match the tone and format of genuine communications. In the most sophisticated versions, they've been reading your email for weeks and know details about your relationship with the vendor that only an insider would know.
The result is that the fraud doesn't feel like fraud. It feels like an administrative update from a trusted partner.
Where to Focus Your Vigilance
It is not practical — or necessary — to treat every repeat payment as a potential fraud risk. Paying the same vendor at the same account you've used for two years is low risk. That's not where your energy should go.
Your vigilance needs to be concentrated on two specific triggers:
- Any request to change payment details for an existing vendor. A different bank account, a different routing number, a switch from check to wire, a new payment platform — any of these should immediately put you on high alert. This is the primary attack vector, and it should be treated as a potential threat until proven otherwise.
- Any request to set up a new vendor for payment. New vendor relationships are a second common entry point, particularly for attackers who have done enough research to fabricate a plausible new supplier.
When either of these triggers occurs, the appropriate response is not a quick email confirmation. It is a deliberate, multi-day verification process.
What Proper Verification Looks Like
When a payment change or new vendor request arrives, slow down — even if there is pressure to act quickly. Urgency is itself a red flag.
- Call someone you already know at the vendor, using a number you already had on file before the request arrived or one you find on the vendor's official website. Never use a number taken from the suspicious communication itself: the phone number in an email signature or on an invoice belongs to whoever sent that message, and replying to the email only "confirms" the change with the same person who asked for it. Speak to a person you recognize and confirm the change directly.
- Escalate internally. Payment changes should require sign-off from more than one person. A fraudster who has compromised one email thread is much less likely to have compromised your entire finance and leadership team.
- Involve your bank. Most banks have fraud prevention teams specifically for situations like this. They can place holds, flag suspicious outbound wires, and in some cases help recover funds if a transfer was made in error — but time is critical.
- Consider asking the vendor to come in person for significant payment changes. For major vendors where the payment amounts are material, an in-person conversation is a reasonable request and a genuine vendor will understand why.
- Use purpose-built fraud prevention tools. Platforms like CertifID and Conduit exist specifically to verify banking information before funds are transferred. For any transaction above a meaningful threshold, these tools are worth the cost many times over.
The Relationship Damage Is Lasting
The financial loss gets the headlines, but the relationship damage from these attacks is often more lasting. When money disappears in a payment fraud, both parties suffer — and both parties question each other, even when neither was at fault. Vendors wonder whether their client's systems are secure. Clients wonder whether the vendor's communications were compromised. The trust that was built over years takes a serious hit, often permanently.
The firms that weather these situations best are the ones that had clear, documented payment verification protocols in place before an attack occurred. When a vendor asks why you're being so careful about a payment change, "this is our standard protocol for all payment updates" is a far better answer than "we got defrauded last year."
The Bottom Line
These attackers are patient, well-researched, and convincing. They do their homework so that when they strike, it doesn't look like an attack — it looks like routine business. The only reliable defense is a verification process rigorous enough that it would catch even a well-crafted deception.
Put a microscope on every payment change request and every new vendor setup. Take several days. Make phone calls. Involve your bank. Use verification platforms. The inconvenience is trivial compared to what you're protecting against.
One uncomfortable phone call to confirm a payment change is a small price to pay. Recovering from a six-figure wire fraud — if you can recover at all — is not.
Want to assess your firm's exposure to payment fraud and vendor impersonation attacks? We help firms implement verification protocols, employee training, and technical controls that stop these attacks before they succeed. Email us at support@hybridge.com to learn more.