Vendor Email Compromise on Email
Attackers take over a genuine vendor mailbox and use it to send authentic-looking invoices and bank-change requests from the real supplier address.
Part of: Vendor Email Compromise (BEC) Invoice Fraud
Last reviewed: 1 June 2026
Vendor email compromise is a particularly dangerous evolution of invoice fraud because the messages come from the supplier's genuine email account. Having breached the vendor's mailbox, the attacker can reply within real threads, use real branding, and reference real orders, leaving almost no visual sign of fraud.
Email is where the entire vendor relationship lives — quotes, purchase orders, invoices, and payment confirmations — so a compromised account gives the criminal a trusted platform to operate from. Standard checks fail here: the sender domain is the legitimate one, and because the message is genuinely sent through the supplier's own mail system it also passes SPF, DKIM and DMARC authentication. Nothing in the headers distinguishes the fraudulent invoice from a real one.
How this scam works on Email
The attacker first compromises the vendor's email account, most often through phishing or stolen credentials; mailboxes without multi-factor authentication are the easiest targets. They quietly monitor correspondence to learn active deals, payment timings, and the people involved on both sides, and commonly add mailbox rules that forward copies to themselves or hide replies so the legitimate owner does not notice anything unusual.
When an invoice is due, the attacker sends or alters a message from the real vendor mailbox, either submitting a manipulated invoice or announcing a change of bank details. Because the email originates from the authentic address and continues a real conversation, the customer has little reason to doubt it.
The customer pays into the criminal-controlled account, believing they are settling a genuine invoice. The compromise may persist for weeks and affect several of the vendor's customers at once; it is typically uncovered only when the vendor chases payments that were never received.
Common red flags
- A genuine vendor email suddenly requesting a change of bank details
- An invoice that differs slightly from previous ones in format or totals
- Replies that arrive at unusual times or with a changed writing style
- New payment instructions inserted into an existing email thread
- A vendor contact who is evasive when asked to confirm by phone, or who insists on confirming by email only
- Pressure to pay quickly to a newly provided account
How to protect yourself
- Verify any bank-detail change by phone with a known vendor contact, using a number you already hold on file rather than one given in the email
- Confirm new payment instructions even when the email looks authentic
- Require dual authorisation for changes to supplier banking records
- Watch for subtle changes in invoice format, totals, or tone
- Encourage vendors to secure their mailboxes with multi-factor authentication and to check regularly for unauthorised forwarding or inbox rules
- Confirm the first payment to any new account before processing more
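The red-flag and protection lists above describe checks that accounts-payable teams usually apply by hand. As an added example that is not part of the original page, the following Python script shows how the same checks can be run automatically over an inbound vendor thread: it extracts any IBAN from each message, validates its ISO 13616 mod-97 check digits, compares it against a vendor master of accounts finance has already verified, and flags bank-change and urgency wording. The vendor master, the supplier domain, the message bodies and the phrase lists are all constructed for illustration; the two IBANs are the published ISO example values, not real accounts.

```python
import re
from dataclasses import dataclass

# Constructed vendor master: the only accounts finance has verified for each
# supplier, keyed by the supplier's sending domain (hypothetical values).
VENDOR_MASTER = {
    "acme-supplies.example": {"GB29NWBK60161331926819"},
}

# Wording that typically accompanies a bank-detail change or pressure to pay
# quickly. Illustrative lists, not a complete rule set.
CHANGE_PHRASES = ("new bank", "updated bank", "change of bank", "changed our bank",
                  "new account", "remit to the following", "updated remittance")
URGENCY_PHRASES = ("urgent", "immediately", "today", "as soon as possible", "overdue")

# Country code, two check digits, then 4-character groups (spaces optional).
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")


@dataclass
class Message:
    sender: str
    subject: str
    body: str


def normalise_iban(raw):
    return re.sub(r"\s+", "", raw).upper()


def iban_checksum_ok(iban):
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer mod 97 must equal 1."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def extract_ibans(text):
    return {normalise_iban(m.group()) for m in IBAN_RE.finditer(text)}


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def review_thread(messages):
    """Return (message_index, finding, detail) tuples for a vendor thread."""
    findings = []
    for i, m in enumerate(messages):
        known = VENDOR_MASTER.get(sender_domain(m.sender), set())
        text = f"{m.subject} {m.body}".lower()
        for iban in sorted(extract_ibans(m.body)):
            if not iban_checksum_ok(iban):
                findings.append((i, "malformed_iban", iban))
            elif iban not in known:
                # Valid account number, but not one finance has ever verified.
                findings.append((i, "unknown_account", iban))
        if any(p in text for p in CHANGE_PHRASES):
            findings.append((i, "bank_change_language", None))
        if any(p in text for p in URGENCY_PHRASES):
            findings.append((i, "urgency_language", None))
    return findings


def callback_required(findings):
    """True if payment must be held until a known contact confirms by phone."""
    return any(kind in ("unknown_account", "malformed_iban", "bank_change_language")
               for _, kind, _ in findings)


# Constructed thread: a genuine invoice followed by a bank-change request sent
# from the same (compromised) supplier mailbox.
SAMPLE_THREAD = [
    Message("accounts@acme-supplies.example", "Invoice 4471",
            "Please find attached invoice 4471. Pay to GB29 NWBK 6016 1331 9268 19 as usual."),
    Message("accounts@acme-supplies.example", "RE: Invoice 4471",
            "We have changed our bank. Please remit to the following account from now on: "
            "DE89 3704 0044 0532 0130 00. This is urgent as the invoice is overdue."),
]

if __name__ == "__main__":
    results = review_thread(SAMPLE_THREAD)
    for index, kind, detail in results:
        print(f"message {index}: {kind}" + (f" ({detail})" if detail else ""))
    print("hold payment and call a known contact:", callback_required(results))
```

The first message matches the vendor master and produces no findings; the second is flagged three times and would hold the payment. The sender address is deliberately not used as evidence of legitimacy, since in this scam it is always genuine; the decision rests on whether the account has been verified out of band.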
How to report it
- Report the incident to your national cybercrime or fraud centre
- Notify your bank immediately to attempt recall of any payment
- Alert the vendor by phone, not by replying in the email thread, so they can secure the compromised mailbox without tipping off an attacker who may still be reading it
Frequently asked questions
The email came from our supplier's real address, so how can it be a scam?
If the supplier's mailbox has been compromised, fraudulent messages genuinely originate from their real address and will pass every technical sender check, including SPF, DKIM and DMARC. That is why a matching sender domain is not enough. Always confirm bank-detail changes by phone with a known contact, on a number you already hold, before paying.