Vendor Email Compromise on WhatsApp
Attackers move compromised-vendor invoice fraud onto WhatsApp, posing as a supplier contact to confirm fake invoices and bank-detail changes.
Part of: Vendor Email Compromise (BEC) Invoice Fraud
Last reviewed: 1 June 2026
After breaching a vendor's email, attackers sometimes shift to WhatsApp to confirm a fraudulent invoice or bank change. A message from a supposed supplier contact, referencing genuine order details taken from the breached mailbox, lends a personal, credible confirmation to the deception.
WhatsApp's informal, mobile-first style makes a confirming message feel like normal supplier coordination. Combined with an authentic-looking email from the real vendor mailbox, a corroborating chat can be highly persuasive and erode the customer's caution.
How this scam works on WhatsApp
Having compromised the vendor's email, the attacker learns active invoice details and the people involved. They send a fraudulent invoice or bank-change request by email, then message the customer on WhatsApp posing as the supplier's finance contact to confirm it.
The message references the real invoice and the new banking details, reassuring the customer that the change is genuine. The combination of a real-looking email and a confirming chat overcomes the doubt either alone might raise.
When the customer pays to the new account, the funds reach the criminal. The fraud is usually discovered only when the genuine supplier reports a missing payment, after the money has moved on.
Common red flags
- A WhatsApp message confirming a bank-detail change that was requested by email
- A new or unknown number claiming to be a supplier contact
- Knowledge of a real invoice used to build credibility
- New banking details corroborated only through email and chat
- Pressure to pay quickly to the new account
- Reluctance to confirm by a phone call you initiate
How to protect yourself
- Verify bank-detail changes by calling the supplier on a number on file
- Do not treat a WhatsApp confirmation as proof that a change requested by email is genuine
- Require dual authorisation for changes to supplier records
- Confirm the first payment to a new account before continuing
- Encourage suppliers to secure mailboxes with multi-factor authentication
- Treat any single-channel confirmation as insufficient
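The checks above can be enforced in an accounts-payable workflow rather than left to judgement. The following is an added example, not code from this page or from any real product: the class names, fields and sample supplier, phone numbers and approvers are all hypothetical. It approves a bank-detail change only after a call your staff placed to a number already on file, plus two approvers.

```python
import re
from dataclasses import dataclass

def normalise(number: str) -> str:
    """Keep digits only so formatting differences do not defeat the match."""
    return re.sub(r"\D", "", number)

@dataclass(frozen=True)
class Confirmation:
    channel: str                   # "email", "whatsapp" or "callback"
    number: str = ""               # number dialled, or number the chat came from
    initiated_by_us: bool = False  # True only when our staff placed the call

@dataclass
class BankChangeRequest:
    supplier: str
    numbers_on_file: frozenset     # recorded before the request arrived
    confirmations: tuple
    approvers: frozenset

def evaluate(req: BankChangeRequest):
    """Return (approved, reasons) for a supplier bank-detail change."""
    on_file = {normalise(n) for n in req.numbers_on_file}
    reasons = []
    # Only a call we placed to a pre-existing number counts as verification;
    # email and WhatsApp confirmations are ignored however many there are.
    verified = any(c.channel == "callback" and c.initiated_by_us
                   and normalise(c.number) in on_file
                   for c in req.confirmations)
    if not verified:
        reasons.append("no callback we initiated to a number on file")
    if len(req.approvers) < 2:
        reasons.append("dual authorisation missing")
    return (not reasons, reasons)

# Constructed sample data: supplier, phone numbers and approvers are invented.
ON_FILE = frozenset({"+44 20 7946 0000"})
CHAT_NUMBER = "+44 7700 900123"    # number the WhatsApp message came from
SCAM = BankChangeRequest("Example Supplies Ltd", ON_FILE,
    (Confirmation("email"), Confirmation("whatsapp", CHAT_NUMBER)),
    frozenset({"alice", "bob"}))
LURED = BankChangeRequest("Example Supplies Ltd", ON_FILE,
    (Confirmation("callback", CHAT_NUMBER, True),), frozenset({"alice", "bob"}))
VERIFIED = BankChangeRequest("Example Supplies Ltd", ON_FILE,
    (Confirmation("email"), Confirmation("callback", "+44-20-7946-0000", True)),
    frozenset({"alice", "bob"}))

if __name__ == "__main__":
    for name, req in (("scam", SCAM), ("lured", LURED), ("verified", VERIFIED)):
        print(name, evaluate(req))
```

The LURED case shows why the number matters as much as the call: phoning the number supplied in the chat reaches the same fraudster, so it is rejected just like the email-plus-WhatsApp case.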
How to report it
- Report the number using WhatsApp's in-app reporting tools
- Notify your bank and the supplier without delay
- File a report with your national cybercrime or fraud centre
Frequently asked questions
Our supplier confirmed new bank details on WhatsApp after emailing them. Is that enough?
No. If the mailbox is compromised, the same fraudster can confirm by WhatsApp using a new number. Call the supplier back on a number you already have on file to confirm the change before paying.