10 Best Practices to Prevent Vendor Impersonation
Fraudsters continue to evolve their tactics—and one increasingly common method is vendor impersonation. Criminals pose as legitimate suppliers, request updated banking information, and redirect payments before anyone realizes what happened.
Whether your organization handles hundreds of vendors or just a few, strengthening your verification process is essential to preventing costly fraud incidents. Below are 10 best practices to help protect your business from vendor‑change scams and payment‑redirection fraud.
1. Verify Changes Using a Trusted, Pre‑Existing Phone Number
Never rely on the phone number provided in an email requesting changes.
Fraudsters often spoof or modify vendor communication channels—including email signatures and attached documents. Always use a verified, pre‑existing phone number from your internal vendor master data or contractual records to confirm any banking update.
2. Use Multi‑Layered Verification
Single‑step verification leaves businesses vulnerable. Instead, use a layered approach, which may include:
- Phone verification
- Identity‑validation tools
- Dual approval
- Vendor identity cross‑checks
Fraudsters have become skilled at exploiting one weak point. Multiple checkpoints reduce that risk substantially.
3. Independently Verify Bank Account Ownership
To strengthen protection against payment‑redirection attacks, organizations should implement a clear, repeatable process for independently verifying that a vendor’s bank account actually belongs to them. Consider implementing these 5 steps:
- Partner with a verification provider that connects directly to banks or uses validated account‑holder data.
- Before a new vendor is approved for payment, run their banking details through the verification system.
- Anytime a vendor requests updated bank information, trigger a new verification. Treat all changes as high‑risk.
- Avoid relying on emailed documents, PDFs, voided checks, or screenshots. Instead, use secure uploads, portals, or direct vendor input into the verification system.
- AP teams should never update vendor records until verification is complete.
4. Don’t Rely on Voided Checks or Emailed Documents
Voided checks, PDFs, and “official” letters are incredibly easy to forge or alter.
They should never be your sole source of verification.
5. Require Dual Control for Vendor Banking Changes
Any update to vendor banking information should require at least two sets of eyes.
Dual approval reduces both internal and external fraud risks and aligns with standard internal‑control guidance.
6. Use Centralized Systems for Vendor Management
Centralized vendor‑management platforms:
- Log who made changes
- Limit who can access sensitive data
- Provide monitoring and alerts
- Reduce the risk of unnoticed manipulation
Decentralized or email‑based processes create unnecessary vulnerabilities.
7. Watch for Urgency or Unusual Communication Patterns
Common red flags of Business Email Compromise (BEC) or impersonation fraud include:
- Unexpected urgency
- “New” contacts claiming they now manage payments
- Email domains that look similar but aren’t correct
- Tone or writing style that feels “off”
Fraudsters increasingly use AI‑generated emails and even voice deepfakes, making vigilance more important than ever.
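The look‑alike domain red flag can be screened for automatically before a change request reaches a person. The sketch below is an added example, not part of the original article; the vendor domains, the character‑swap table and the distance threshold are constructed assumptions.

```python
import unicodedata

# Constructed sample: sender domains on file in the vendor master (assumption).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Illustrative, non-exhaustive character swaps (digits, Cyrillic a/e/o).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o"})

def skeleton(domain):
    """Fold a domain to a comparison form so visually similar names collide."""
    d = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, known=KNOWN_VENDOR_DOMAINS, max_distance=2):
    """Return (verdict, domain_on_file): 'known', 'lookalike' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in known:
        # Exact match only; a compromised or spoofed mailbox still passes here,
        # so the call-back to the number on file is still required.
        return ("known", domain)
    sk = skeleton(domain)
    for legit in sorted(known):
        legit_sk = skeleton(legit)
        name = legit_sk.split(".")[0]          # vendor label, e.g. "acme-supplies"
        if (sk == legit_sk                      # homoglyph / digit swap
                or edit_distance(sk, legit_sk) <= max_distance  # typo-squat
                or name in sk):                 # vendor name embedded in another domain
            return ("lookalike", legit)
    return ("unknown", None)

if __name__ == "__main__":
    for sender in ["ap@acme-supplies.example", "billing@acrne-supplies.example",
                   "pay@n0rthwind.example", "hello@unrelated-co.example"]:
        print(sender, "->", classify_sender(sender))
```

A "lookalike" verdict is a reason to hold the request for manual review; an "unknown" verdict on a message that claims to come from an existing vendor deserves the same treatment.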
8. Conduct Regular Audits of Vendor Master Data
Routine audits help you identify:
- Duplicate or invalid vendors
- Unauthorized changes
- Anomalies in payment history
Periodic reviews are a recommended internal‑control practice and a strong preventive measure.
9. Use Secure Channels for Vendor Updates
Email alone is not secure enough for submitting sensitive information like bank account changes.
Instead, use:
- Vendor portals
- Encrypted forms
- Secure file‑upload systems
This reduces the risk of interception or spoofing.
10. Train Staff Frequently on Phishing and Vendor‑Change Fraud
Most successful scams stem from human error. Regular, role‑based training helps teams recognize red flags and follow proper procedures.
Vendor‑impersonation fraud is becoming more sophisticated—but with the right controls in place, it’s preventable. By implementing layered verification, enforcing dual control, and using secure systems, businesses can significantly reduce the risk of payment‑redirection scams.
Being in the know is the first step to protecting yourself from cyber fraud. Choice Bank is committed to providing you with up-to-date resources and tips to help you stay informed. Learn more at bankwithchoice.com/cybersecurity.
