Vendor impersonation attacks explained
A CEO lost $52,900 in under 90 seconds to a vendor impersonation attack. Here's the two-channel rule framework to protect your business from this fast-growing BEC threat.
A few weeks ago, a CEO told me about the moment his company lost $52,900 and didn't realize it for three days.
It started with a simple email.
A vendor they'd worked with for years sent "updated banking details." Same signature. Same invoice layout. Same friendly tone.
It felt routine. He approved it in under 90 seconds.
There was one problem:
The vendor never changed their bank account.
This is a vendor impersonation attack. It is one of the fastest-growing forms of Business Email Compromise (BEC), and it is growing because attackers don't go after your systems. They go after your relationships.
Here's how it works
They study your communication patterns. They harvest real invoice numbers, often from a mailbox they have already compromised on the vendor's side. They mimic tone, timing, and attachment style. Then they send a single request designed to blend in with your workflow.
By the time you notice, the money has usually been moved on through a chain of other accounts, which is why every hour matters when you ask your bank to recall it.
So here's the framework I teach all leadership teams:
The "Two-Channel Rule"
Whenever a vendor sends new banking details:
1. Verify in email
- Check the sender domain character by character against the domain on file. Lookalikes swap letters that read the same at a glance (rn for m, 0 for o), bolt an extra word onto the real name, or change the top-level domain (.co for .com).
- Look at the Reply-To address. It is often set to a different domain from the From, so your reply lands with the attacker even when the From looks right.
- Use a tool if needed: a raw-header viewer or a lookalike-domain checker shows what the mail client hides.
- Pay attention to writing quirks: a new sign-off, unusual urgency, or "our phone lines are down, please reply by email".
- Caveat: a clean email proves nothing on its own. If the vendor's real mailbox has been compromised, every header is genuine and only the bank details are false. Step 1 can only reject a request; it can never approve one.
2. Verify out-of-band
Call the vendor on a number you already had on file (the contract, a previous invoice, your vendor master record), never the number in the email or its signature, and have them read the new account details back to you.
If the two channels do not agree, you stop. The bank details on file do not change until they do.
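The two steps above can be made mechanical so that nobody approves a bank change in 90 seconds by habit. The script below is an added example, not code from the original post: step 1 runs the email-channel checks (sender domain against the vendor domain on file, Reply-To versus From, homoglyph and typo lookalikes, pressure phrases), and step 2 refuses the change unless the phone call on a known number also confirmed it. The vendor domain `acme-supplies.com`, both messages, and the phrase list are constructed for the example; the lookalike check compares only the leftmost label, so a multi-part suffix such as `.co.uk` would need a public-suffix list.

```python
"""Two-Channel Rule made mechanical: email-channel checks plus the out-of-band gate.
Added example, not from the original post; vendor domain and messages are constructed."""
from __future__ import annotations

import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumed vendor domain, as recorded in the contract / vendor master record.
TRUSTED_VENDOR_DOMAIN = "acme-supplies.com"

# Glyph swaps that read the same at a glance. Normalising both domains with
# this table makes "acrne" compare equal to "acme" and "g00gle" to "google".
_SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
_MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))
# Wording that pushes the approver to skip the phone call (constructed list).
PRESSURE_PHRASES = ("urgent", "immediately", "before end of day", "confidential", "do not call")

def normalize_label(label: str) -> str:
    """Collapse common homoglyph substitutions so lookalikes compare equal."""
    label = label.lower().translate(_SINGLE_CHAR)
    for fake, real in _MULTI_CHAR:
        label = label.replace(fake, real)
    return label

def is_lookalike(candidate: str, trusted: str) -> bool:
    """True when candidate is NOT the trusted domain but could pass for it."""
    candidate, trusted = candidate.lower(), trusted.lower()
    if candidate == trusted:
        return False
    # Leftmost label only: "acrne-supplies.co" vs "acme-supplies.com"
    c_label = normalize_label(candidate.split(".")[0])
    t_label = normalize_label(trusted.split(".")[0])
    if c_label == t_label:        # homoglyph swap, or same name on another TLD
        return True
    if t_label in c_label:        # trusted name with an extra word bolted on
        return True
    # Single-character typos / transpositions, without an edit-distance library
    return difflib.SequenceMatcher(None, c_label, t_label).ratio() >= 0.85

def sender_domains(raw_message: str) -> tuple[str, str]:
    """Return (From domain, Reply-To domain); Reply-To defaults to From."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", from_addr))[1]
    return from_addr.rpartition("@")[2].lower(), reply_addr.rpartition("@")[2].lower()

def email_channel_findings(raw_message: str, trusted_domain: str) -> list[str]:
    """Step 1 of the Two-Channel Rule: everything wrong with the message itself."""
    findings: list[str] = []
    from_dom, reply_dom = sender_domains(raw_message)
    for header, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if dom != trusted_domain.lower():
            verdict = "lookalike of" if is_lookalike(dom, trusted_domain) else "not"
            findings.append(f"{header} domain {dom!r} is {verdict} trusted {trusted_domain!r}")
    if reply_dom != from_dom:
        findings.append(f"Reply-To ({reply_dom!r}) sends replies somewhere other than From ({from_dom!r})")
    # Single-part text message assumed; walk() the parts for multipart mail.
    body = message_from_string(raw_message).get_payload().lower()
    hits = [p for p in PRESSURE_PHRASES if p in body]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings

def approve_bank_change(raw_message: str, trusted_domain: str, phone_verified: bool) -> bool:
    """Step 2: apply the change only when the email is clean AND the vendor confirmed
    it by phone on a number already on file. A clean email alone never approves."""
    return phone_verified and not email_channel_findings(raw_message, trusted_domain)

# Constructed messages for the example (not real mail).
SUSPECT_EMAIL = """\
From: "Acme Supplies Accounts" <accounts@acrne-supplies.com>
Reply-To: payments@acrne-supplies.co
Subject: Updated banking details - invoice 10442
Content-Type: text/plain

Hi, please use our new bank account for invoice 10442, effective immediately.
Our phone lines are down this week so please do not call, just reply here.
"""

CLEAN_EMAIL = """\
From: "Acme Supplies Accounts" <accounts@acme-supplies.com>
Subject: Invoice 10443
Content-Type: text/plain

Please find invoice 10443 attached. Our bank details are unchanged.
"""

if __name__ == "__main__":
    for finding in email_channel_findings(SUSPECT_EMAIL, TRUSTED_VENDOR_DOMAIN):
        print("FLAG:", finding)
    print("suspect, no call:", approve_bank_change(SUSPECT_EMAIL, TRUSTED_VENDOR_DOMAIN, False))
    print("clean, no call:  ", approve_bank_change(CLEAN_EMAIL, TRUSTED_VENDOR_DOMAIN, False))
    print("clean, call OK:  ", approve_bank_change(CLEAN_EMAIL, TRUSTED_VENDOR_DOMAIN, True))
```

Run against the suspect message it flags four things: the From domain is a homoglyph lookalike (rn for m), the Reply-To is the same lookalike on a different TLD, Reply-To and From disagree, and the body contains "immediately" and "do not call". The clean message produces no findings, yet `approve_bank_change` still returns False until `phone_verified` is True, which is the whole point of the rule: the email channel can only say no.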
Vendor impersonation attacks succeed because they exploit trust, not technology.
Your takeaway for today: If money is moving, verification must move too. Slow down long enough to protect your company's balance sheet.