Vendor Email Compromise via Phone Calls
After compromising a vendor account, attackers reinforce fraudulent invoices with phone calls posing as the supplier to confirm new bank details.
Part of: Vendor Email Compromise (BEC) Invoice Fraud
Last reviewed: 1 June 2026
Vendor email compromise becomes harder to detect when the fraudulent invoice or bank-change request is backed up by a phone call. A caller posing as the supplier, often referencing genuine order details obtained from the breached mailbox, lends a convincing human confirmation to the deception.
Caller ID can be spoofed to show the supplier's name or number, so the call appears to come from a trusted source. Hearing a confident voice confirm new payment details can override the caution that a written request alone might prompt.
How this scam works on phone calls
Having compromised the vendor's email account, the attacker learns the details of active invoices and the people involved. They then send a fraudulent invoice or bank-change request and follow it with a phone call posing as the supplier's finance contact.
The caller references the real invoice and confirms the new banking details, reassuring the customer that the change is genuine. The combination of an authentic-looking email from the real mailbox and a corroborating call is highly persuasive.
When the customer pays to the new account, the funds reach the criminal. The fraud is often discovered only when the genuine supplier reports the payment missing, by which time the money has moved on.
Common red flags
- A call confirming a bank-detail change that arrived by email
- Caller ID showing the supplier but an unfamiliar voice
- Knowledge of a real invoice used to build credibility
- Pressure to pay quickly to the newly confirmed account
- A caller reluctant to let you call the supplier back
- New banking details corroborated only by the same caller
How to protect yourself
- Verify bank-detail changes by calling the supplier on a number on file
- Do not treat a corroborating call as confirmation of an email change
- Require dual authorisation for changes to supplier records
- Confirm the first payment to a new account before continuing
- Encourage suppliers to secure mailboxes with multi-factor authentication
- Treat caller ID as unreliable and verify identity independently
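One way to enforce these checks in an accounts-payable workflow, as an added example that is not part of the original page. The class and field names and the sample vendor, users and phone numbers are constructed, and reading dual authorisation as two approvers other than the requester is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Verification:
    direction: str   # "outbound" (we dialled) or "inbound" (they called us)
    number: str      # number we dialled, or the caller ID shown on an inbound call
    confirmed: bool  # the person reached confirmed the new bank details

@dataclass
class BankChange:
    vendor_id: str
    requested_by: str
    approvers: list = field(default_factory=list)
    verifications: list = field(default_factory=list)

def normalise(number):
    """Compare numbers by digits only, so formatting differences do not matter."""
    return "".join(ch for ch in number if ch.isdigit())

def blocking_reasons(change, numbers_on_file):
    """Return why a bank-detail change must not be applied; an empty list means OK."""
    reasons = []
    on_file = {normalise(n) for n in numbers_on_file}
    # Only a call we placed to a number already on file counts. An inbound
    # call is ignored even when its caller ID matches a number on file,
    # because caller ID can be spoofed.
    verified = any(
        v.direction == "outbound" and v.confirmed and normalise(v.number) in on_file
        for v in change.verifications
    )
    if not verified:
        reasons.append("no confirmed outbound callback to a number on file")
    # Assumption: dual authorisation means two distinct approvers,
    # neither of whom raised the change request.
    independent = set(change.approvers) - {change.requested_by}
    if len(independent) < 2:
        reasons.append("fewer than two independent approvers")
    return reasons

# Constructed sample data: one number held on file before the request arrived.
ON_FILE = ["+44 20 7946 0100"]
spoofed = BankChange("V-001", "alice", ["bob", "carol"],
                     [Verification("inbound", "+44 20 7946 0100", True)])
called_back = BankChange("V-001", "alice", ["bob", "carol"],
                         [Verification("outbound", "+442079460100", True)])
from_email = BankChange("V-001", "alice", ["bob", "carol"],
                        [Verification("outbound", "+44 20 7946 0199", True)])
```

The `spoofed` and `from_email` requests are both blocked: the first relies on an inbound call with a matching caller ID, the second on a callback to a number that was not on file.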
How to report it
- Report the incident to your national cybercrime or fraud centre
- Notify your bank immediately to attempt recovery of any payment
- Alert the supplier so they can secure their compromised mailbox
Frequently asked questions
The supplier called to confirm the new bank details from their email. Does that make it safe?
No. If the mailbox is compromised, the same fraudster can make a confirming call, and caller ID can be spoofed. Call the supplier back on a number you already have on file to confirm the change before paying.