Vendor Email Compromise (BEC) Invoice Fraud
Attackers infiltrate or impersonate a supplier's email account to intercept and redirect legitimate invoice payments to accounts they control.
Last reviewed: 1 June 2026
What this scam is
Vendor email compromise (VEC) is a targeted form of business email compromise (BEC) in which criminals gain access to, or convincingly impersonate, a legitimate supplier or vendor's email account. From inside that trusted email thread — or from an account indistinguishable from it — they intercept a real invoice and replace the payment details with their own account, or they introduce themselves mid-conversation to redirect an expected payment.
Unlike generic invoice redirection scams, VEC attacks require significant research and sometimes genuine email access. The attacker monitors real email correspondence, understands the exact invoice values and timing, uses the supplier's real name and communication style, and may maintain the fraud across multiple email exchanges before the payment is made. The result is a fraudulent payment that neither the buyer nor the seller notices until the genuine supplier asks where their money is.
VEC attacks cause particularly large losses because the invoices targeted are typically real and expected. The buyer does not question the payment because they believe they are settling a genuine obligation; the supplier does not follow up immediately because they do not know any invoice has been issued on their behalf.
How it works
The attack begins with access — either through a phishing attack on the supplier's email account, a credential breach, or a convincing look-alike domain spoofing the supplier's address. The attacker monitors the inbox for invoice discussions and identifies a payment that is either outstanding or soon to be issued.
At a strategic moment — often just before the expected payment date — the attacker sends a message from the compromised or spoofed account to the buyer's accounts payable team. The message is indistinguishable from the supplier's normal communication in tone, sign-off, and style. It explains a change of banking details: a new account number, a new bank, or a currency change for international transactions.
The buyer updates their records and the next payment goes to the attacker's account. Neither party is immediately aware. The supplier's legitimate account never receives the funds. The buyer's accounts payable team believes the payment was correctly processed.
The fraud surfaces when the real supplier sends a payment chase for the same invoice. By then the funds have been moved onward, often through multiple accounts or converted to cryptocurrency, and recovery prospects are poor.
In cases involving genuine account compromise, the attacker may also read earlier emails to understand ongoing supplier relationships, use real project names and contact names to add credibility, and continue to monitor the account to intercept any queries.
Why this scam works
Vendor email compromise is particularly effective because it exploits a real business relationship and a genuine financial obligation. The buyer is not being asked to do something unusual — they are being asked to update payment details for a supplier they know and trust, ahead of a payment they were going to make anyway.
When the message arrives from within an established email thread, using the supplier's real email address (if the account has been compromised), the normal signals of authenticity are all present. Even careful accounts payable staff who would question an unsolicited contact may not apply the same scrutiny to what appears to be a continuation of an existing conversation.
The timing of these attacks — targeting known invoice cycles — demonstrates that the attacker has done significant research or has genuine access. This specificity further removes doubt: the attacker knows the invoice amount, the project name, and the relationship context precisely because they have read the genuine correspondence.
Common red flags
- Mid-thread bank-detail change request from a supplier account with no prior discussion
- Supplier email is a look-alike domain differing by one character from the genuine address
- Request coincides with a large payment run or known invoice milestone
- New bank account is in a different country or with a bank the supplier has not previously used
- The supplier contact who sent the change request is different from your usual contact
- A follow-up message from the same email address 'confirms' the change, but gives a phone number that differs from the one on your records
- Urgency: the old account 'closes this week' so the change must be acted on immediately
Sanitized example messages
Illustrative, sanitized examples. Names, dates, invoice numbers and amounts are replaced with placeholders such as [name], [number] and [amount].
Hi [name], please note we have changed our banking details from [date]. Please update your records and process invoice [number] ([amount]) to the new account below.
We have moved to a new banking partner. Please update your system and ensure all outstanding invoices are paid to our new account to avoid delays.
As discussed with [contact name], our new account details are now active. Please update before your next payment run to ensure smooth processing.
Our previous account will close at end of week. Please urgently update your records — all payments from now should go to the new account details attached.
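The red flags listed above and the sanitized messages can be turned into a first-pass triage check that accounts payable runs over any inbound message before anyone touches a supplier record. The script below is an added example, not part of this guide; the supplier register, the keyword lists, the domain acme-supplies.example, the contact addresses and both sample messages are constructed for illustration. It flags a one-character look-alike domain (by edit distance against the domains on record), a sender who is not the usual contact, a Reply-To that differs from the From address, bank-change and urgency wording, an IBAN in a country different from the one on record, and a request that lands just before a payment run.

```python
"""Score an inbound supplier message for the red flags listed above.

Added example, not part of the original guide. The supplier register,
the keyword lists and the two sample messages are constructed; the domain
acme-supplies.example and the contact addresses are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed: what accounts payable holds on record for each supplier.
SUPPLIER_REGISTER = {
    "acme-supplies.example": {
        "usual_contacts": {"j.smith@acme-supplies.example"},
        "iban_country": "GB",
    },
}

BANK_CHANGE_TERMS = ("banking details", "bank details", "banking partner",
                     "new account", "iban", "sort code", "account details")
URGENCY_TERMS = ("urgent", "immediately", "end of week", "will close",
                 "avoid delays", "before your next payment run")
IBAN_RE = re.compile(r"\b([A-Z]{2})\d{2}[A-Z0-9]{11,30}\b")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 means a one-character look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the supplier domain on record that `domain` imitates, if any."""
    for known in SUPPLIER_REGISTER:
        if domain != known and edit_distance(domain, known) <= 1:
            return known
    return None


def assess(raw_message: str, near_payment_run: bool = False) -> dict:
    """Return the red flags found and whether the message asks for a bank change."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender, reply_to = sender.lower(), reply_to.lower()
    domain = sender.rsplit("@", 1)[-1]
    body = msg.get_payload().lower()
    flags = []

    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"look-alike domain {domain} resembles {imitated}")
    record = SUPPLIER_REGISTER.get(imitated or domain)
    if record and sender not in record["usual_contacts"]:
        flags.append(f"sender {sender} is not a contact on record")
    if reply_to and reply_to != sender:
        flags.append(f"Reply-To {reply_to} differs from the From address")
    requests_change = any(t in body for t in BANK_CHANGE_TERMS)
    if requests_change:
        flags.append("requests a change of banking details")
    if any(t in body for t in URGENCY_TERMS):
        flags.append("urgency language")
    iban = IBAN_RE.search(body.upper())
    if iban and record and iban.group(1) != record["iban_country"]:
        flags.append(f"IBAN country {iban.group(1)} differs from {record['iban_country']} on record")
    if near_payment_run and requests_change:
        flags.append("change requested just before a payment run")
    return {"flags": flags, "requests_bank_change": requests_change}


# Constructed sample messages, modelled on the sanitized examples above.
SUSPICIOUS = "\n".join([
    "From: Accounts <accounts@acme-supp1ies.example>",
    "Reply-To: accounts@mail-relay.example",
    "Subject: Updated banking details",
    "",
    "Our previous account will close at end of week. Please urgently update",
    "your records. All payments from now should go to IBAN DE89370400440532013000.",
])
GENUINE = "\n".join([
    "From: J Smith <j.smith@acme-supplies.example>",
    "Subject: Invoice 1042",
    "",
    "Attached is invoice 1042 for the June delivery, due on the usual terms.",
])

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("genuine", GENUINE)):
        print(label, assess(raw, near_payment_run=True))
```

A message that sets `requests_bank_change` should go to the callback procedure regardless of how many other flags it collects; the flag list is there to tell the reviewer what to look at, not to decide on its own that a request is safe.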
Common variations
- Genuine supplier account compromise where the attacker reads real email threads and inserts the change at the right moment
- Look-alike domain spoofing mimicking the supplier's address with a one-character variation
- Multi-stage attack where a relationship is established over several legitimate-seeming emails before the bank-detail change is introduced
- Payroll VEC targeting HR teams to redirect employee salary payments
How to verify before you act
The only reliable control is an independent out-of-band verification: before recording any change to supplier bank details, call the supplier on a number drawn from your own records — the number on their previous invoice header, your contract file, or their official website. Do not use any number provided in the change-request email.
If you cannot reach the supplier directly, implement a 48-hour hold on the new bank details before they enter any payment run. Most genuine suppliers understand and accept this procedure once it is explained as a fraud-prevention policy.
For organisations with significant vendor payment volumes, implementing a formal vendor portal for bank-detail changes — where updates must be submitted through an authenticated interface and are reviewed by a separate authoriser — removes email as an action channel for this type of fraud. Consider also implementing DMARC on your own email domain, which makes it harder for attackers to spoof your domain, and encourage suppliers to do the same so that messages forging their exact address fail authentication checks at your mail gateway.
Payment methods used
- Bank transfer
Who is usually targeted
- Businesses that pay regular large invoices to regular suppliers
- Accounts payable teams receiving bank-detail change requests by email
- Organisations that process invoices from international suppliers
- Any organisation whose supplier relationships have been identified through open-source research
What to do immediately
- Never update supplier bank details based solely on an email — implement an independent callback to a verified number as your mandatory control
- If a payment has already been made to fraudulent details, contact your bank immediately — speed is critical for potential recall
- Notify the genuine supplier so they can secure their email account and investigate the compromise
- Report to your national fraud service and, if significant funds are involved, to police
- Preserve all emails related to the change request for forensic investigation
- Review your email security for indicators of compromise on your own accounts
How to prevent it
- Mandate an independent phone callback to a verified number for every bank-detail change request without exception
- Implement dual-authorisation: two named approvers must confirm any supplier banking record update
- Institute a 48-hour hold on newly submitted bank details before they enter a live payment run
- Use a secure supplier portal for banking-detail changes instead of email
- Enable DMARC email authentication on your own domain and encourage suppliers to do the same
- Train accounts payable teams to treat bank-detail change urgency as an automatic escalation trigger
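The controls described under "How to verify before you act" and in the prevention list above (callback to a number held on record, a 48-hour hold, and dual authorisation) fit together as a single workflow that refuses to update a supplier record until every condition is met. The code below is an added example, not part of this guide or of any vendor product; the supplier record, phone numbers, approver names and timestamps are constructed placeholders.

```python
"""Model the bank-detail change controls from the sections above: callback to
a number held on record, a 48-hour hold, and dual authorisation.

Added example, not part of the original guide. The supplier record, phone
numbers, approver names and timestamps are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Set

HOLD_PERIOD = timedelta(hours=48)
REQUIRED_APPROVERS = 2


class ControlError(Exception):
    """Raised when an action would bypass one of the controls."""


@dataclass
class SupplierRecord:
    name: str
    phone_on_record: str  # from the contract file or a previous invoice header
    iban: str


@dataclass
class ChangeRequest:
    supplier: str
    new_iban: str
    phone_in_email: str  # whatever the email offered; never dialled for verification
    submitted_at: datetime
    callback_confirmed: bool = False
    approvers: Set[str] = field(default_factory=set)


class BankDetailChangeControl:
    def __init__(self, register: Dict[str, SupplierRecord]):
        self.register = register
        self.pending: Dict[int, ChangeRequest] = {}
        self._next_id = 1

    def submit(self, supplier: str, new_iban: str, phone_in_email: str, now: datetime) -> int:
        """Log the request; nothing changes in the register yet."""
        if supplier not in self.register:
            raise ControlError(f"unknown supplier {supplier}")
        req_id, self._next_id = self._next_id, self._next_id + 1
        self.pending[req_id] = ChangeRequest(supplier, new_iban, phone_in_email, now)
        return req_id

    def record_callback(self, req_id: int, number_dialled: str, supplier_confirmed: bool) -> None:
        """Only a call to the number already on record counts as verification."""
        req = self.pending[req_id]
        on_record = self.register[req.supplier].phone_on_record
        if number_dialled != on_record:
            if number_dialled == req.phone_in_email:
                raise ControlError("callback used the number from the change-request email")
            raise ControlError("callback must use the number held on record")
        req.callback_confirmed = supplier_confirmed

    def approve(self, req_id: int, approver: str) -> int:
        """Add a named approver; returns how many distinct approvers exist."""
        req = self.pending[req_id]
        if not req.callback_confirmed:
            raise ControlError("approval before a confirmed callback")
        req.approvers.add(approver)
        return len(req.approvers)

    def apply(self, req_id: int, now: datetime) -> SupplierRecord:
        """Update the register only once callback, dual approval and the hold are all met."""
        req = self.pending[req_id]
        if not req.callback_confirmed:
            raise ControlError("supplier has not confirmed the change by callback")
        if len(req.approvers) < REQUIRED_APPROVERS:
            raise ControlError("dual authorisation not met")
        if now - req.submitted_at < HOLD_PERIOD:
            raise ControlError("48-hour hold has not elapsed")
        record = self.register[req.supplier]
        record.iban = req.new_iban
        del self.pending[req_id]
        return record


# Constructed submission time and register used by the demo and the checks.
T0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)


def build_demo_control() -> BankDetailChangeControl:
    register = {"acme": SupplierRecord("Acme Supplies", "+44 20 0000 0000", "GB00OLDACCOUNT")}
    return BankDetailChangeControl(register)


if __name__ == "__main__":
    ctl = build_demo_control()
    rid = ctl.submit("acme", "DE00NEWACCOUNT", "+49 30 0000 0000", T0)
    ctl.record_callback(rid, "+44 20 0000 0000", supplier_confirmed=True)
    ctl.approve(rid, "alice")
    ctl.approve(rid, "bob")
    print(ctl.apply(rid, T0 + HOLD_PERIOD))
```

The order of checks matters: a callback is refused before anyone can approve, so an approver cannot wave a request through on the strength of the email alone, and the hold is measured from submission rather than from approval so that a rushed second approver does not shorten it.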
Evidence to preserve
- Full email headers and the complete change-request email thread
- The fraudulent bank details you were given
- Payment confirmation records and transaction references
- Any phone calls made about the change, including the numbers used
- Your supplier's genuine contact details for comparison
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
What is the difference between VEC and standard invoice redirection fraud?
Standard invoice redirection typically involves an attacker impersonating a supplier using a look-alike email domain. VEC involves the attacker actually compromising the supplier's genuine email account, meaning the message arrives from the real address and may be embedded in a genuine email thread. VEC attacks are harder to detect because the usual visual indicators of spoofing are absent.
Our supplier was hacked — are we liable for the payment?
Liability depends on your jurisdiction, your bank's policies, and whether you followed reasonable due-diligence procedures. Contact your bank immediately to attempt a recall. Banks in some jurisdictions have obligations to make reasonable recovery efforts. Consult legal advice on liability questions specific to your situation.
How do I know if our email has also been compromised?
Signs include unexpected sent items, inbox rules that auto-forward emails, password-reset notifications you did not request, and colleagues receiving emails from you that you did not send. Contact your IT security team immediately if you suspect compromise. Change passwords and revoke active sessions across all email-linked accounts.
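The inbox-rule sign mentioned in this answer can be checked systematically from an export of a mailbox's rules. The script below is an added example, not part of this guide; it takes rule records in a generic export shape (one dictionary per rule with its conditions and actions) and reports the patterns that typically follow an account takeover: forwarding or redirecting to addresses outside the organisation, deleting or filing away messages that mention invoices or payments, marking forwarded mail as read, and rules with blank or single-character names. The domain example.org, the external address and the rule names are constructed placeholders.

```python
"""Audit exported inbox rules for patterns that often follow an account
compromise: auto-forwarding outside the organisation and rules that hide or
delete messages about invoices and payments.

Added example, not part of the original guide. The rule records are
constructed in a generic export shape; example.org is assumed to be the
organisation's own mail domain, and the other addresses are placeholders.
"""
from typing import Dict, List

OWN_DOMAINS = {"example.org"}  # assumption: the organisation's own mail domains
SENSITIVE_TERMS = ("invoice", "bank", "payment", "remittance", "iban", "wire")
# Folders a mailbox owner rarely opens, so a rule filing mail there hides it.
HIDING_FOLDERS = {"rss subscriptions", "conversation history", "archive",
                  "junk email", "deleted items"}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def mentions_sensitive(rule: Dict) -> bool:
    """True if the rule's conditions match invoice or payment wording."""
    words = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", [])).lower()
    return any(term in words for term in SENSITIVE_TERMS)


def audit_rule(rule: Dict) -> List[str]:
    findings = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = sorted(t for t in targets if domain_of(t) not in OWN_DOMAINS)
    if external:
        findings.append("forwards or redirects mail outside the organisation: " + ", ".join(external))
    if rule.get("delete_message") and mentions_sensitive(rule):
        findings.append("deletes messages matching invoice/payment keywords")
    folder = rule.get("move_to_folder", "")
    if folder.lower() in HIDING_FOLDERS and mentions_sensitive(rule):
        findings.append(f"hides invoice/payment messages in '{folder}'")
    if rule.get("mark_as_read") and external:
        findings.append("marks forwarded mail as read so the owner does not notice it")
    if len(rule.get("name", "").strip()) <= 1:
        findings.append("rule name is empty or a single character")
    if not rule.get("enabled", True):
        findings = [f + " (rule currently disabled)" for f in findings]
    return findings


def audit_mailbox(rules: List[Dict]) -> Dict[str, List[str]]:
    """Map each rule name to its findings, omitting rules with nothing to report."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.get("name", "<unnamed>")] = findings
    return report


# Constructed export: one benign rule, one typical post-compromise rule,
# and a disabled internal forward that should not be flagged.
SAMPLE_RULES = [
    {"name": "Newsletters", "enabled": True,
     "subject_contains": ["newsletter"], "move_to_folder": "Reading"},
    {"name": ".", "enabled": True,
     "subject_contains": ["invoice", "bank details"],
     "forward_to": ["drop@mail-relay.example"],
     "delete_message": True, "mark_as_read": True},
    {"name": "Old forward", "enabled": False,
     "forward_to": ["me@example.org"], "body_contains": ["payment"]},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(repr(name))
        for f in findings:
            print("  -", f)
```

Run this against a fresh export for every mailbox involved in the change-request thread, not just the one that received it, and keep the export with the evidence listed under "Evidence to preserve".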