Vendor Impersonation Scams: Protect Your Business
Vendor impersonation scams occur when fraudsters research a company's legitimate suppliers and then create fraudulent invoices, emails, or communications that appear to come from those vendors. The scammer typically targets accounts payable departments or finance teams, exploiting the routine nature of vendor payments and the urgency of business operations. According to the FBI's 2023 Internet Crime Complaint Center (IC3) report, Business Email Compromise (BEC) scams—which often involve vendor impersonation—resulted in over $2.7 billion in losses that year, with individual incidents averaging $20,000 to $150,000 for larger enterprises. Small and medium-sized businesses are particularly vulnerable because they may lack sophisticated email authentication systems and payment verification protocols that larger corporations implement.

These scams have evolved significantly since they emerged in the mid-2010s. Early versions relied on crude email spoofing, but modern vendor impersonation attacks now incorporate detailed knowledge of company operations, legitimate vendor names, accurate payment terms, and even replicated company letterheads and logos. Scammers often conduct weeks of reconnaissance, monitoring a company's email communications and vendor relationships through data breaches, social engineering, or LinkedIn research. The average time from initial contact to fraudulent payment is just 1-14 days, creating a narrow window for detection before funds are transferred to offshore accounts that become virtually untraceable.

The danger extends beyond immediate financial loss. Vendor impersonation scams can damage business relationships with legitimate suppliers, create accounting discrepancies that trigger audits, expose companies to legal liability if they fail to detect fraud, and undermine trust within finance departments. Repeat targeting is common—scammers often return to successfully compromised companies with new schemes, and businesses that fall victim once face a 20-30% higher risk of repeated attacks within the following 12 months.
Common Tactics
- Sending invoices with slightly altered email addresses (e.g., vendorname@gmail.com instead of the legitimate corporate domain) or using domain names that closely mimic the real vendor's URL, such as changing 'supplier.com' to 'suppIier.com' or 'supplier-inc.com'.
- Requesting urgent payment redirection due to 'bank account changes,' 'system updates,' 'tax compliance issues,' or 'merger/acquisition activities' that create time pressure and bypass normal verification procedures.
- Replicating legitimate vendor communications by copying actual invoice formats, payment terms, purchase order numbers, and pricing from previous transactions discovered through email breaches or social engineering.
- Targeting specific employees through spear-phishing emails that reference real projects, deadlines, or executives by name, making the communication appear authentic and time-sensitive.
- Using legitimate payment methods like ACH transfers or wire transfers to bank accounts in the vendor's name but located in different countries, making recovery extremely difficult once funds clear.
- Following up with multiple reminder emails or calls from fake vendor support lines, escalating pressure and urgency while answering questions about the fake invoice with surprisingly accurate details about the company's operations.
How to Identify
- Invoice requests for significantly larger amounts than typical vendor payments, or requests to pay multiple invoices at once that differ from the vendor's normal billing patterns or frequency.
- Email addresses or domain names that are nearly identical to legitimate vendors but contain subtle misspellings, different extensions (.net instead of .com), or use free email services instead of corporate domains.
- Sudden requests to change payment methods, add new payees to your approved vendor list, or redirect payments to new bank accounts without accompanying official letterhead, purchase orders, or multi-party approval from the vendor.
- Communications that create artificial urgency by citing tight deadlines, system maintenance windows, or one-time payment opportunities, especially when they bypass your established procurement workflows.
- Invoice amounts that don't match historical transaction amounts with that vendor, include unusual line items, or lack detailed descriptions and itemization normally found in that vendor's legitimate invoices.
- Email headers, metadata, or digital signatures that your IT security team finds invalid when you forward the message to them, or requests sent to generic company email addresses rather than to the specific accounts payable contact who normally receives that vendor's communications.
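Several of the indicators above (a lookalike or free-mail sender domain, a bank account that is not on file, an amount far outside the vendor's usual range) can be checked mechanically before an invoice reaches anyone who can pay it. The Python below is an added example written for this page, not code from the original article or from any vendor-management product; the vendor record, its payment history, the sample invoice emails and the 2x amount ratio are constructed assumptions. It goes slightly beyond the list by collapsing look-alike characters before comparing domains, so the 'suppIier.com' case from the Common Tactics section is caught along with plain misspellings, swapped TLDs and names embedded in an unrelated domain.

```python
"""Screen an incoming vendor invoice against the approved-vendor master.

Added example for this page, not code from the original article. The
vendor record, payment history, sample invoices and the 2x amount ratio
are constructed assumptions chosen for illustration.
"""
from dataclasses import dataclass
from statistics import median

# Free mail providers a corporate supplier should not be invoicing from.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Characters that look alike in common fonts are collapsed to one form, so
# 'suppIier.com' (capital I for l) and 'supp1ier.com' compare equal to
# 'supplier.com' after normalisation.
_LOOKALIKE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


@dataclass
class Vendor:
    name: str
    domain: str              # registered domain the real supplier mails from
    bank_accounts: set[str]  # accounts already verified out of band
    history: list[float]     # amounts of invoices previously paid to them


@dataclass
class Invoice:
    vendor_name: str
    sender: str              # From: address on the invoice email
    amount: float
    bank_account: str        # account the invoice asks to be paid into


def registered_domain(host: str) -> str:
    """Keep the last two labels ('mail.supplier.com' -> 'supplier.com').
    Simplification: ignores multi-label public suffixes such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def normalise(label: str) -> str:
    """Collapse homoglyphs so visually identical labels compare equal."""
    return label.lower().translate(_LOOKALIKE).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_findings(sender: str, approved: str) -> list[str]:
    """Describe how the sender's domain differs from the approved one."""
    host = sender.rsplit("@", 1)[-1]
    sender_domain = registered_domain(host)
    if sender_domain == approved:
        return []
    if sender_domain in FREE_MAIL_DOMAINS:
        return [f"sender uses free mail provider {sender_domain}"]
    if "." not in sender_domain:
        return [f"sender domain {host} is not on file for this vendor"]
    s_label, s_tld = sender_domain.rsplit(".", 1)
    a_label, a_tld = approved.rsplit(".", 1)
    if normalise(s_label) == normalise(a_label):
        if s_tld == a_tld:
            return [f"homoglyph lookalike of {approved}: {host}"]
        return [f"same name under different TLD .{s_tld} (expected .{a_tld})"]
    if a_label in s_label:
        return [f"approved name embedded in unrelated domain {host}"]
    if edit_distance(normalise(s_label), normalise(a_label)) <= 2:
        return [f"near-miss spelling of {approved}: {host}"]
    return [f"sender domain {host} is not on file for this vendor"]


def screen_invoice(inv: Invoice, vendor: Vendor, ratio: float = 2.0) -> list[str]:
    """Return reasons to hold the invoice for manual verification. An empty
    list means nothing unusual was found, not that the invoice is genuine."""
    findings = domain_findings(inv.sender, vendor.domain)
    if inv.bank_account not in vendor.bank_accounts:
        findings.append(f"bank account {inv.bank_account} is not on the verified vendor master")
    if vendor.history:
        typical = median(vendor.history)
        if inv.amount > ratio * typical:
            findings.append(f"amount {inv.amount:,.2f} is {inv.amount / typical:.1f}x the typical {typical:,.2f}")
    return findings


# Constructed vendor master entry and four sample invoices (one genuine).
ACME = Vendor("Acme Electronics", "supplier.com", {"GB00-ACME-001"}, [4_200.0, 5_100.0, 4_800.0, 5_000.0])
SAMPLE_INVOICES = [
    Invoice("Acme Electronics", "billing@supplier.com", 4_950.0, "GB00-ACME-001"),
    Invoice("Acme Electronics", "billing@suppIier.com", 47_500.0, "SG00-NEW-ACCT"),
    Invoice("Acme Electronics", "acme.billing@gmail.com", 4_900.0, "GB00-ACME-001"),
    Invoice("Acme Electronics", "billing@supplier-inc.com", 5_000.0, "GB00-ACME-001"),
]

if __name__ == "__main__":
    for inv in SAMPLE_INVOICES:
        hits = screen_invoice(inv, ACME)
        print(f"{inv.sender:28} {'HOLD' if hits else 'ok'}  {'; '.join(hits)}")
```

The screen is deliberately a hold-for-verification step rather than an accept/reject decision: an empty finding list only means the invoice matched what is already on the vendor master, and the callback to a known vendor number described under How to Protect Yourself still applies to any payment change.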
How to Protect Yourself
- Implement email authentication protocols including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) to detect and flag spoofed emails from vendors or internal addresses.
- Establish a mandatory verification protocol requiring finance staff to contact vendors directly using phone numbers from official company websites or previous invoices before processing any payment change requests, new vendor onboarding, or account redirection.
- Use vendor management software that centralizes approved vendor lists, payment accounts, and contact information in a secure system that requires multi-level authorization before any changes are recorded.
- Train accounts payable and finance staff quarterly on vendor impersonation tactics, including phishing recognition, email verification techniques, and procedures for flagging suspicious communications without processing payments first.
- Implement dual approval requirements for any new vendors, wire transfers exceeding threshold amounts (typically $5,000-$50,000 depending on company size), or payment method changes, with secondary approval from a different department or manager.
- Monitor bank accounts and accounting software for unusual activity including payments to new accounts, transfers to international banks, or invoice amounts significantly outside normal ranges, reviewing flagged transactions within 24 hours of processing.
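Of the protections above, the email authentication result, the callback verification of any account change, and the dual-approval threshold can be enforced together in one gate that runs before a payment is released. The Python below is an added example for this page, not code from the original article; the Authentication-Results header samples, the vendor domain, the approver names and the $10,000 threshold are constructed assumptions (the page gives only a range for the threshold). It reads the verdicts the receiving mail server stamped into the Authentication-Results header rather than re-running SPF and DKIM itself, and it also compares the authenticated From domain with the vendor master, because a DMARC pass on its own proves only that the mail came from the domain it names, not that the domain belongs to your vendor.

```python
"""Gate a vendor payment request on email authentication and approvals.

Added example for this page, not code from the original article. The
Authentication-Results samples, vendor domain, approver names and the
$10,000 dual-approval threshold are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message

# Pull the spf=/dkim=/dmarc= verdicts and the From domain DMARC evaluated
# out of the Authentication-Results header (RFC 8601) the edge server added.
_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
_HEADER_FROM = re.compile(r"\bheader\.from=([\w.-]+)")


def auth_results(msg: Message) -> dict[str, str]:
    """Return the SPF/DKIM/DMARC verdicts plus the From domain that was checked.
    Only the topmost Authentication-Results header is read: that is the one
    our own edge server added last; any such header already present when the
    message arrived could have been written by the sender."""
    header = msg.get("Authentication-Results", "")
    verdicts = {k: v.lower() for k, v in _VERDICT.findall(header)}
    m = _HEADER_FROM.search(header)
    verdicts["from_domain"] = m.group(1).lower() if m else ""
    return verdicts


@dataclass
class PaymentRequest:
    vendor_domain: str        # domain on the approved vendor master
    amount: float
    new_bank_account: bool    # does the request change where money goes?
    callback_verified: bool   # finance phoned the vendor on a known number
    approvers: list[str] = field(default_factory=list)  # "name/department"


def gate_payment(msg: Message, req: PaymentRequest, threshold: float = 10_000.0) -> list[str]:
    """Return every reason the payment must not be released yet."""
    blocks = []
    auth = auth_results(msg)
    if auth.get("dmarc") != "pass":
        blocks.append(f"DMARC verdict is {auth.get('dmarc', 'missing')!r}, not pass")
    # A DMARC pass only proves the mail came from the domain it names; that
    # domain must also be the vendor's, or a lookalike domain with its own
    # valid SPF and DKIM records would sail through.
    if auth["from_domain"] != req.vendor_domain:
        blocks.append(f"From domain {auth['from_domain'] or '(none)'} is not the vendor's {req.vendor_domain}")
    if req.new_bank_account and not req.callback_verified:
        blocks.append("bank account change not confirmed by callback to a known vendor number")
    if req.amount >= threshold:
        departments = {a.split("/", 1)[-1] for a in req.approvers}
        if len(req.approvers) < 2 or len(departments) < 2:
            blocks.append(f"amount {req.amount:,.0f} needs two approvers from different departments")
    return blocks


# Constructed messages as the edge server would hand them to the mailbox.
GENUINE = message_from_string(
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=supplier.com;\n"
    " dkim=pass header.d=supplier.com; dmarc=pass (p=reject) header.from=supplier.com\n"
    "From: Billing <billing@supplier.com>\nSubject: Invoice 4471\n\nInvoice attached.\n")
SPOOFED = message_from_string(
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=supplier.com;\n"
    " dkim=none; dmarc=fail (p=reject) header.from=supplier.com\n"
    "From: Billing <billing@supplier.com>\nSubject: URGENT new bank details\n\nPay here.\n")
LOOKALIKE = message_from_string(
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=supplier-inc.com;\n"
    " dkim=pass header.d=supplier-inc.com; dmarc=pass header.from=supplier-inc.com\n"
    "From: Billing <billing@supplier-inc.com>\nSubject: Invoice 4472\n\nInvoice attached.\n")

if __name__ == "__main__":
    cases = [
        ("genuine", GENUINE, PaymentRequest("supplier.com", 4_950.0, False, False, ["j.doe/finance"])),
        ("spoofed", SPOOFED, PaymentRequest("supplier.com", 47_500.0, True, False, ["j.doe/finance"])),
        ("lookalike", LOOKALIKE, PaymentRequest("supplier.com", 5_000.0, False, False)),
    ]
    for label, msg, req in cases:
        reasons = gate_payment(msg, req)
        print(f"{label:10} {'RELEASE' if not reasons else 'HOLD'}", *reasons, sep="\n  ")
```

The gate returns every failed control at once rather than stopping at the first, so the reviewer sees whether a request is merely missing a second signature or is failing authentication and asking for a new account at the same time; the latter combination is the pattern in the real-world examples that follow.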
Real-World Examples
A manufacturing company received an email appearing to come from their primary electronics supplier (a vendor handling approximately $300,000 in annual contracts). The email, sent to the accounts payable manager, referenced an urgent invoice for $47,500 related to a legitimate project and requested payment to a 'new account' due to recent banking consolidation. The email included the actual company logo and invoice format copied from legitimate previous transactions. Within 36 hours, the payment was processed via wire transfer to a bank account in Singapore. The actual vendor confirmed 14 days later that they never sent the invoice. By that time, the funds had been withdrawn and the originating account was closed.
A professional services firm with 150 employees received multiple invoices totaling $89,000 from what appeared to be their IT infrastructure provider, including one invoice supposedly for emergency server maintenance during a known outage the company had experienced. The email came from 'it-support@infrastruct-tech.com' (the real company uses 'itsupport@infrastructech.com'). Three separate invoices were processed over 8 days before the actual vendor inquired why they hadn't been paid for legitimate services they'd recently completed. The scammer had monitored the company's email security issues for three weeks and knew about the exact outage timing.
A 45-person consulting company's finance director received a call from someone claiming to be from their office supply vendor, stating the company's account needed immediate payment of $12,300 for overdue invoices before their services would be suspended. The caller cited accurate order numbers and delivery dates from a recent data breach of the vendor's customer database. The finance director, feeling pressured and concerned about business continuity, processed the payment the same day. Only when the vendor called to follow up on the legitimate invoice three days later was the fraud discovered. The scammer had purchased the vendor's compromised customer data from a dark web marketplace for approximately $400.