Vendor Email Compromise on Slack
When companies collaborate with suppliers in shared Slack channels, a compromised vendor account can deliver fraudulent invoices and bank-change requests that appear genuine.
Last reviewed: 1 June 2026
Shared Slack channels and Slack Connect have made it common for businesses and their suppliers to work side by side in one workspace. A compromised vendor account turns that convenience into a risk, allowing an attacker to send fraudulent invoices and payment-change requests under the supplier's trusted name.
The informal pace of Slack and the assumption that a shared channel is a safe collaboration space reduce the scrutiny applied to financial messages. A bank-change request that would trigger caution in a formal email can slip through when it arrives as a casual chat from a familiar contact.
How this scam works on Slack
After compromising the vendor's account, the attacker uses its presence in shared channels or connected workspaces to observe active deals and payment timing. They then send a manipulated invoice or a request to update banking details, presented as everyday vendor communication.
Because the message comes from the genuine vendor identity within an established channel, finance or project staff are inclined to trust it. The chat format invites a quick response and discourages the formal verification that new payment details should always trigger.
If staff pay the altered invoice or change the banking record, the money goes to the criminal. The compromise may affect several customers and is usually uncovered only when the vendor investigates missing payments.
Common red flags
- A vendor requesting a change of bank details through a Slack channel
- An invoice posted in chat that differs from earlier ones
- Payment instructions delivered informally rather than through billing
- A connected vendor account behaving differently than usual
- Pressure to pay promptly to a new account
- Avoidance of a phone call to confirm the change
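The red flags above can be combined into a simple triage rule for messages posted by external accounts in shared channels. This is an added example, not part of the original page: the message records are constructed and simplified (the fields team, user, ts, text and files are assumptions, not an exact Slack export schema), and the T_HOME workspace ID and keyword patterns are illustrative.

```python
import re

HOME_TEAM = "T_HOME"  # constructed ID standing in for our own workspace

# One pattern per red flag from the list above; the keywords are illustrative.
RULES = {
    "bank_change": re.compile(
        r"\b(new|updated?|changed?|different)\b.{0,40}\b(bank|account|iban|routing|sort code)\b", re.I),
    "urgency": re.compile(r"\b(urgent(ly)?|asap|today|immediately|promptly)\b", re.I),
    "call_avoidance": re.compile(
        r"\b(can'?t|cannot|unable to|no need to)\b.{0,30}\b(call|phone)\b", re.I),
    "payment_instruction": re.compile(r"\b(pay|remit|wire|transfer)\b.{0,40}\b(to|into)\b", re.I),
}

def red_flags(msg, home_team=HOME_TEAM):
    """Return sorted red-flag names for one message; empty for internal senders."""
    # Internal senders are skipped: this rule covers the shared-channel vendor case only.
    if msg.get("team") == home_team:
        return []
    text = msg.get("text", "")
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    if any(re.search(r"invoice", f.get("name", ""), re.I) for f in msg.get("files", [])):
        hits.add("invoice_attachment")
    return sorted(hits)

def triage(messages, home_team=HOME_TEAM):
    """Return (ts, user, flags) for external messages needing out-of-band verification."""
    out = []
    for m in messages:
        flags = red_flags(m, home_team)
        # A bank-detail change always needs a phone check with a known contact;
        # otherwise require two independent signals to limit noise.
        if "bank_change" in flags or len(flags) >= 2:
            out.append((m["ts"], m["user"], flags))
    return out

SAMPLE = [  # constructed messages, not real data
    {"ts": "1.0", "team": "T_VENDOR", "user": "U_ACME", "files": [{"name": "invoice_0042.pdf"}],
     "text": "Hi team, we've moved banks. Please use our new account details on the attached invoice and pay today if possible."},
    {"ts": "2.0", "team": "T_VENDOR", "user": "U_ACME", "files": [{"name": "schedule.xlsx"}],
     "text": "Thanks, the Q3 delivery schedule is attached."},
    {"ts": "3.0", "team": "T_HOME", "user": "U_FIN",
     "text": "Can someone update the bank account for Acme today?"},
    {"ts": "4.0", "team": "T_VENDOR", "user": "U_ACME",
     "text": "I'm travelling and can't take a call, just wire it to the account I sent earlier."},
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A hit is a prompt to verify by phone with a known vendor contact, not proof of compromise.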
How to protect yourself
- Verify any bank-detail change by phone with a known vendor contact
- Apply the same scrutiny to chat invoices as to emailed ones
- Require dual authorisation for changes to supplier records
- Review and limit connected external workspaces and guests
- Encourage vendors to secure accounts with multi-factor authentication
- Confirm the first payment to any new account before continuing
How to report it
- Report the compromised vendor account to your workspace administrator
- File a report with your national cybercrime or fraud authority
- Notify your bank and the vendor immediately
Frequently asked questions
Is a shared Slack channel with a supplier a safe place to handle invoices?
It is convenient, but a compromised supplier account can post fraudulent invoices or bank changes there under a trusted name. Keep financial verification outside chat: confirm any new payment details by phone with a known contact before paying.