Vendor Email Compromise on Telegram
Attackers shift compromised-vendor invoice fraud onto Telegram, posing as a supplier contact to confirm fake invoices and bank-detail changes.
Part of: Vendor Email Compromise (BEC) Invoice Fraud
Last reviewed: 1 June 2026
After compromising a vendor's email, attackers sometimes move the conversation to Telegram to confirm a fraudulent invoice or bank change. A message from a supposed supplier contact, referencing genuine order details from the breached mailbox, can lend further credibility to the deception.
Telegram's username-based identities and anonymity make it easy to impersonate a supplier contact with little to verify. Combined with an authentic-looking email from the real vendor mailbox, a corroborating Telegram message can be highly persuasive.
How this scam works on Telegram
Having compromised the vendor's email, the attacker learns active invoice details and the people involved. They send a fraudulent invoice or bank-change request by email and then message the customer on Telegram posing as the supplier's contact to confirm it.
The Telegram message references the real invoice and the new banking details, reassuring the customer that the change is genuine. The combination of a real-looking email and a confirming chat overcomes the caution either alone might trigger.
When the customer pays to the new account, the funds reach the criminal. Because Telegram identities are hard to verify, tracing the impersonator is difficult, and the fraud surfaces only when the genuine supplier reports a missing payment.
Common red flags
- A Telegram message confirming a bank change that arrived by email
- A username-based contact claiming to be a supplier
- Knowledge of a real invoice used to build credibility
- New banking details corroborated only through the same channels
- Pressure to pay quickly to the new account
- Reluctance to confirm by a phone call you initiate
How to protect yourself
- Verify bank-detail changes by calling the supplier on a number on file
- Do not treat a Telegram confirmation as proof of an email change
- Treat username-based identities as unverified by default
- Require dual authorisation for changes to supplier records
- Confirm the first payment to a new account before continuing
- Encourage suppliers to secure mailboxes with multi-factor authentication
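The checks above can be enforced in the accounts-payable workflow rather than left to individual judgement. The Python below is an added example, not code from this page; the class names, field names and channel labels are assumptions chosen for illustration, and the sample requests are constructed.

```python
from dataclasses import dataclass, field

# Channels the fraudster in this scenario can control: the breached vendor
# mailbox and a username-based chat account. Labels are illustrative.
UNVERIFIED_CHANNELS = {"email", "telegram"}

@dataclass
class Confirmation:
    channel: str         # "email", "telegram" or "phone"
    initiated_by: str    # "us" or "supplier"
    contact_source: str  # "on_file" or "from_request"

@dataclass
class BankChangeRequest:
    supplier: str
    confirmations: list = field(default_factory=list)
    approvers: set = field(default_factory=set)

def is_independent(c):
    """Only a phone call we placed to a number already on file counts."""
    return (c.channel == "phone" and c.initiated_by == "us"
            and c.contact_source == "on_file")

def evaluate(req):
    """Return (approved, blockers, notes) for a bank-detail change."""
    blockers, notes = [], []
    if not any(is_independent(c) for c in req.confirmations):
        blockers.append("no callback placed by us to a number on file")
    if len(req.approvers) < 2:
        blockers.append("dual authorisation missing")
    for c in req.confirmations:
        if c.channel in UNVERIFIED_CHANNELS:
            notes.append(f"{c.channel} confirmation not counted as proof")
    return (not blockers, blockers, notes)

# Constructed sample requests (not real data).
FRAUD = BankChangeRequest("Acme Supplies", [
    Confirmation("email", "supplier", "from_request"),
    Confirmation("telegram", "supplier", "from_request")], {"alice"})
CALLED_NEW_NUMBER = BankChangeRequest("Acme Supplies", [
    Confirmation("phone", "us", "from_request")], {"alice", "bob"})
VERIFIED = BankChangeRequest("Acme Supplies", [
    Confirmation("email", "supplier", "from_request"),
    Confirmation("phone", "us", "on_file")], {"alice", "bob"})

if __name__ == "__main__":
    for name, req in [("fraud", FRAUD), ("new number", CALLED_NEW_NUMBER),
                      ("verified", VERIFIED)]:
        print(name, evaluate(req))
```

The second sample shows why the source of the phone number matters: a call placed to a number taken from the request itself is still blocked, even with two approvers.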
How to report it
- Report the account using Telegram's in-app reporting feature
- Notify your bank and the supplier without delay
- File a report with your national cybercrime or fraud centre
Frequently asked questions
A supplier confirmed new bank details over Telegram after emailing them. Is that enough?
No. If the mailbox is compromised, the same fraudster can confirm over Telegram, and usernames are easy to fake. Call the supplier back on a number you already have on file to confirm the change before paying.