The Invisible Middleman: How Attackers Hijack B2B Payments Through Vendor Impersonation

Every day, finance teams at companies around the world process invoices, update payment details, and wire money to vendors they’ve worked with for years. It feels routine. It feels safe. But buried inside that routine is one of the most quietly devastating scams in modern business: vendor impersonation fraud.

No guns. No hacking of bank systems. Just a well-crafted email, the right timing, and a criminal who has done their homework.

The Simple Version: What’s Actually Happening

Here’s the core idea: an attacker pretends to be one of your trusted vendors. They contact your finance team, usually by email, and ask you to update the vendor’s bank account details. Your team, following a normal process, makes the change. The next invoice gets paid. Except the money doesn’t go to your vendor. It goes to the attacker.

By the time anyone notices, the funds are gone, often moved across multiple accounts and countries within hours.

This is vendor impersonation, a form of Business Email Compromise (BEC) aimed at accounts payable, which is why it is also filed under accounts payable fraud. It doesn’t require technical sophistication. It requires patience, research, and the ability to sound convincing.

How Attackers Set the Stage

Before a single fraudulent email is sent, attackers spend weeks, sometimes months, watching and learning.

They study your company’s website, LinkedIn pages, and any public procurement documents. They want to know: Who are your vendors? Who approves payments? What does your invoice process look like?

Then they look at your vendors the same way. They find out who the account manager is, what their email signature looks like, what tone they use in communications.

Some attackers go further and actually compromise an email account, either yours or the vendor’s, so they can read real conversations and step in at exactly the right moment. This is called email thread hijacking, and it’s particularly dangerous because the attacker isn’t starting a new conversation. They’re continuing a real one, with the real subject line, history and participants, so none of the usual "unexpected email" cues are present.

The Attack in Motion

Here’s how a typical scenario plays out:

A legitimate vendor sends an invoice. The attacker, who has been monitoring the email thread, waits for the right moment. Just before payment is due, they send a message from a spoofed or look-alike email address (think billing@acme-invoices.com instead of billing@acme.com), or from the vendor’s own mailbox if they have compromised it. The message is professional, warm even. It references the real invoice. It mentions the right contact name. And it says something like:

“Hi — just a heads-up, we’ve changed our banking details. Please use the new account for this and all future payments. Details attached.”

The finance team, busy and trusting, updates the record. Payment goes through. The attacker walks away with the money. The real vendor, still waiting to be paid, eventually raises the alarm, but by then days or weeks have passed.

Real-World Cases That Should Make Everyone Pause

Orion S.A. (August 2024): Orion, a Luxembourg-based chemicals and manufacturing company with operations across three continents, disclosed to the U.S. Securities and Exchange Commission that a non-executive employee was manipulated into making multiple fraudulent wire transfers to accounts controlled by unknown third parties. Approximately $60 million was transferred out before the scheme was detected. What makes this case striking is what investigators found, or rather didn’t find. There was no evidence of unauthorized access to company data or systems, meaning the attackers never hacked anything in the traditional sense. They simply convinced the right person to move money. No malware. No breach. Just deception and a $60 million hole in the balance sheet.

New South Wales Government Department, Australia (Late 2024): It’s not just corporations. A New South Wales government department fell victim to a BEC attack in which cybercriminals impersonating a legitimate financial institution used email deception to convince government employees to alter payment details, redirecting AUD 2.1 million to attacker-controlled accounts. The fraud was only discovered after irregularities in payment records triggered an internal review. By then, the money was gone.

Two very different organizations, one a global industrial manufacturer, the other a public sector body. Same playbook. Same outcome. And the same root cause: trust extended without verification.

Why This Works So Well

The reason vendor impersonation is so effective is that it exploits something deeply human: our tendency to trust familiar names and follow established processes.

Finance teams are not failing because they’re careless. They’re failing because attackers are deliberately engineering situations that look completely normal. The vendor name is right. The invoice number matches. The email thread seems legitimate. Every signal says proceed.

There’s also a timing element at play. Attackers often strike when a company is busy: end of quarter, during an acquisition, or around a big project deadline. When people are stretched thin, scrutiny drops.

The Organizational Blind Spots That Enable It

Most companies have some form of vendor verification process. But those processes often have gaps that attackers exploit:

Email alone is not verification. Receiving a request from what looks like a vendor email is not proof the request is genuine. The sending address can be spoofed, the display name can be faked, the domain can be a look-alike a character or two away from the real one, or the vendor’s real mailbox can be compromised, and none of these look obviously wrong to a busy reader.

New staff are prime targets. Someone new to the AP team may not know what normal looks like for a given vendor, making them easier to deceive.

There’s no callback culture. Many finance teams don’t call vendors directly (using a number already on file, not one provided in the suspicious email) to confirm banking changes. This one step would stop most of these attacks cold.

Urgency bypasses controls. Attackers often add pressure (“we need this processed today to avoid a late fee”). That urgency is designed to get people to skip the verification step.
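The “email alone is not verification” point is one that can be partly enforced mechanically, before a human ever reads the message. The following is an added example, not code from the original article: it triages an inbound accounts-payable email against the vendor record the clerk is working on, flagging senders whose domain is not on file, look-alike domains (the billing@acme-invoices.com pattern above, plus one- or two-character edits and non-ASCII homoglyphs, which go beyond the single case in the text), Reply-To addresses that differ from the From address, and wording that signals a bank-detail change. The vendor list, sample messages and the edit-distance threshold are constructed for the demonstration. Note what the verdicts mean: a clean result never authorises a change; it only decides whether the email is worth taking to the callback step at all.

```python
# Added example (not from the original article): triage an inbound AP email against the
# vendor record on file. Vendor data, samples and thresholds are constructed for the demo.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor master data (assumption: comes from your ERP / AP system in practice).
VENDORS_ON_FILE = {"acme corp": {"acme.com"}, "northwind traders": {"northwind.example"}}

# Phrases that usually accompany a payment-redirection request.
BANK_CHANGE_RE = re.compile(
    r"\b(bank(ing)?\s+details?|account\s+(number|details?)|new\s+account|"
    r"remittance|iban|routing\s+number|wire\s+instructions)\b", re.IGNORECASE)


def registrable_label(domain: str) -> str:
    """Naive second-level label: 'billing.acme-invoices.com' -> 'acme-invoices'."""
    parts = domain.lower().strip().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch 'acme' vs 'acrne' or 'acme' vs 'acme1'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_findings(sender_domain: str, vendor_domains: set[str]) -> list[str]:
    """Compare the sender's domain with the domains already on file for the vendor."""
    sender_domain = sender_domain.lower()
    if sender_domain in vendor_domains:
        return []
    findings = [f"sender domain {sender_domain!r} is not on file for this vendor"]
    if any(ord(ch) > 127 for ch in sender_domain):
        findings.append("sender domain contains non-ASCII characters (possible homoglyph)")
    s_label = registrable_label(sender_domain)
    for known in vendor_domains:
        k_label = registrable_label(known)
        # 'acme' buried in 'acme-invoices', or within two edits of it
        if k_label in s_label or edit_distance(s_label, k_label) <= 2:
            findings.append(f"look-alike of on-file domain {known!r}")
            break
    return findings


def assess_message(raw: str, vendor: str) -> dict:
    """Triage one email against the vendor record the clerk is working on.
    The AP system, not the email, decides which supplier an invoice belongs to."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    reply_header = msg.get("Reply-To")
    reply_addr = parseaddr(reply_header)[1] if reply_header else from_addr
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    # Demo messages are single-part text; production code would walk the MIME parts.
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = domain_findings(from_domain, VENDORS_ON_FILE.get(vendor.lower(), set()))
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    bank_change = bool(BANK_CHANGE_RE.search(f"{msg.get('Subject', '')}\n{body}"))
    if findings:
        verdict = "HOLD"               # sender does not check out: do not act on this email
    elif bank_change:
        verdict = "CALLBACK_REQUIRED"  # sender matches the file, but a bank change still needs a call
    else:
        verdict = "PASS"
    return {"vendor": vendor, "from": from_addr, "reply_to": reply_addr,
            "bank_change_request": bank_change, "findings": findings, "verdict": verdict}


# Constructed sample messages (not real correspondence).
LEGIT = """From: Dana Lee <billing@acme.com>
Subject: Invoice 10492

Hi, attached is invoice 10492, due in 30 days. Thanks!
"""
LOOKALIKE = """From: Dana Lee <billing@acme-invoices.com>
Subject: Re: Invoice 10492 - updated banking details

Hi - just a heads-up, we've changed our banking details. Please use the
new account for this and all future payments. Details attached.
"""
REPLYTO_SWAP = """From: Dana Lee <billing@acme.com>
Reply-To: Dana Lee <dana.lee.acme@mail.example>
Subject: Re: Invoice 10492

Please update our remittance details to the new account below.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("look-alike", LOOKALIKE), ("reply-to swap", REPLYTO_SWAP)):
        result = assess_message(raw, "Acme Corp")
        print(f"{label:<14} -> {result['verdict']}  {result['findings']}")
```

The Reply-To check matters because a message sent from a genuinely compromised vendor mailbox will pass every domain test; a swapped Reply-To is often the only header-level trace that replies are being diverted. The edit-distance threshold of two is a constructed starting point and will need tuning against your own vendor list to keep false positives manageable.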

What Good Looks Like

The companies that successfully defend against vendor impersonation fraud aren’t just more technically sophisticated. They’ve built a culture of verification over assumption.

A few practices that genuinely work:

Dual authorization for any bank detail change. No single person should be able to update a vendor’s payment information without a second person confirming it, ideally after a verbal check with the vendor using contact details from your own records.

Out-of-band confirmation. Any request to change payment details should trigger a phone call to the vendor, using a number stored in your system, not one included in the suspicious request.

Vendor change request forms. Create a formal, internal process for updating vendor banking details. Any request that doesn’t come through this channel should raise an immediate flag.

Regular staff training. Teach finance teams what these attacks look like. Show them real examples. Make it normal to ask questions and slow down on anything involving payment changes.

Closing Thought

Vendor impersonation fraud succeeds not because technology fails, but because trust is weaponized. Attackers are not breaking into your systems; they’re walking in through the front door, wearing a familiar face.

The best defense is simple but requires discipline: slow down, verify separately, and treat any request to change payment details as a potential red flag no matter how legitimate it looks.

The cost of one extra phone call is nothing. The cost of skipping it could be everything.

If your organization is reviewing its payment controls and vendor verification processes, this is the right time to do it, before an attacker does it for you.
