
The Vendor Payment Redirect Scam: What It Is and How to Stop It

By Ṣọ Email Security. Estimated reading time: 5 minutes.

The vendor payment redirect scam is a Business Email Compromise attack that tricks accounts payable teams into wiring legitimate payments to a fraudster's bank account. Learn how it works, real cases, detection checklists, and prevention steps.



What Is the Vendor Payment Redirect Scam? (Direct Answer)

The vendor payment redirect scam is a Business Email Compromise (BEC) attack in which a fraudster impersonates a trusted vendor or supplier to convince an accounts payable team to update the banking details on file. Once the record is changed, the next legitimate payment is wired directly to the attacker. No malware is required. The entire attack happens through email, and losses are rarely recoverable.


How Is the Vendor Payment Redirect Scam Defined?

The vendor payment redirect scam, also known as accounts payable redirect fraud or supplier impersonation fraud, is a targeted social engineering attack that exploits the routine business process of updating vendor payment information.

Attackers either compromise a legitimate vendor's email account through phishing or credential theft, or register a lookalike domain (for example, vendor-corp.co instead of vendorcorp.com) to send convincing spoofed messages. The fraudulent request typically cites a routine business reason (a bank merger, a new accounting platform, or a change in business entity) as justification for updating the bank account on file.

The FBI classifies this attack as a form of Business Email Compromise, which it defines as a sophisticated scam that targets businesses performing wire transfer payments. Unlike phishing campaigns that cast a wide net, vendor payment redirect attacks are precisely targeted and use insider knowledge to appear credible.


Why Does the Vendor Payment Redirect Scam Matter?

The financial damage from this category of fraud is severe and growing year over year.

According to the FBI's Internet Crime Complaint Center (IC3) 2023 Internet Crime Report, BEC scams resulted in adjusted losses exceeding $2.9 billion in 2023, making it the single highest-loss cybercrime category reported to the IC3 for the fourth year in a row. That same report recorded more than 21,000 BEC complaints filed in 2023 alone.

The Association of Certified Fraud Examiners (ACFE) 2024 Report to the Nations found that billing fraud and payment diversion schemes carry a median loss of $145,000 per incident and that losses often go unreported due to reputational concerns.

What makes this scam especially dangerous is its simplicity. It requires no technical exploit, no malware deployment, and no breach of the victim's own infrastructure. The attack surface is entirely human. A single accounts payable employee receiving a routine-looking email from a known vendor contact is all the entry point an attacker needs.


How Does a Vendor Payment Redirect Attack Work?

Attackers follow a repeatable, six-stage sequence:

Step 1: Reconnaissance. The attacker identifies a target organization and researches its vendor relationships using publicly available sources — LinkedIn company pages, procurement portals, press releases, and email data exposed in prior breaches.

Step 2: Email Account Compromise or Domain Spoofing. The attacker either gains unauthorized access to the legitimate vendor's email account through a phishing attack, or registers a visually similar domain designed to pass a quick glance. Common techniques include transposed letters, added hyphens, and alternate top-level domains.

Step 3: Fraudulent Banking Update Request. Using the compromised or spoofed account, the attacker contacts the target's accounts payable team with a request to update vendor banking details before the next payment cycle.

Step 4: Social Engineering Reinforcement. To build credibility, the attacker may reference real invoice numbers, active project names, or prior email threads obtained during reconnaissance. Artificial urgency is introduced, for example a claim that the old bank account will be closed by a specific date.

Step 5: Payment Wired to Attacker. The accounts payable team, believing the request is legitimate, updates the vendor record. The next scheduled payment — often a large one — is wired to the attacker-controlled account.

Step 6: Discovery and Unrecoverable Loss. The real vendor follows up on a missing or overdue payment, triggering the discovery. By that point, funds have typically been moved through multiple layered accounts or converted, making recovery nearly impossible without immediate intervention from the FBI's Internet Crime Complaint Center or the receiving financial institution.


Has This Scam Claimed Real Victims?

Yes, including government agencies and large organizations.

In 2019, the City of Saskatoon, Canada, lost approximately $1 million CAD after an attacker successfully impersonated a construction contractor and redirected scheduled payments. The city had no independent verification process in place for banking change requests, and the fraud was not discovered until the legitimate contractor followed up on unpaid invoices.

In the United States, the FBI has documented vendor impersonation cases across municipalities, healthcare systems, law firms, and professional services companies. The FBI's IC3 issued a specific advisory warning that real estate wire fraud — a direct variant of the vendor redirect scam — cost victims more than $446 million in 2022, with individual losses sometimes exceeding $500,000 per incident.


How Do You Detect a Vendor Payment Redirect Attempt?

Use this checklist when evaluating any banking change request from a vendor:

  • Did the request arrive via email only, with no follow-up phone confirmation?
  • Is the sender domain an exact character-for-character match with the vendor's known domain?
  • Does the email include artificial urgency or a tight deadline for completing the update?
  • Was the request unsolicited, initiated by the vendor rather than triggered by a known event?
  • Does the new account belong to a different country or financial institution than the vendor typically uses?
  • Is a new or unfamiliar phone number provided inside the email itself for verification?
  • Does the email header show a mismatch between the display name and the actual sending address?
  • Has the request been verified by calling the vendor on a phone number from your existing records — not one provided in the email?
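As an added example (not part of the article and not Ṣọ's product code), the Python routine below applies this checklist to a parsed banking-change request, including the lookalike-domain patterns from Step 2 (added hyphens, alternate top-level domains, transposed letters). The vendor record, the message field names and the 0.85 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed vendor master record (hypothetical values, not from the article).
KNOWN_VENDOR = {"domain": "vendorcorp.com", "phone": "+1 555 010 0100", "country": "US"}
URGENCY_TERMS = ("urgent", "immediately", "before", "deadline", "closed", "today", "asap")
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")      # candidate phone numbers in the body
DISPLAY_DOMAIN_RE = re.compile(r"@([\w.-]+)")          # a domain written into the display name

def _brand(domain):
    # First label with hyphens removed, so vendor-corp.co and vendorcorp.com compare equal.
    return domain.lower().split(".")[0].replace("-", "")

def domain_relationship(sender_domain, known_domain):
    """Return 'exact', 'lookalike' or 'unrelated' for the sender's domain."""
    s, k = sender_domain.lower(), known_domain.lower()
    if s == k:
        return "exact"
    if _brand(s) == _brand(k):                          # added hyphen or alternate TLD
        return "lookalike"
    if SequenceMatcher(None, s, k).ratio() >= 0.85:     # transposed or swapped letters
        return "lookalike"
    return "unrelated"

def review_banking_change(msg, vendor=KNOWN_VENDOR):
    """Checklist over one request dict (from_header, body, new_bank_country, phone_verified)."""
    flags = {}
    display, addr = parseaddr(msg["from_header"])
    sender_domain = addr.rsplit("@", 1)[-1]
    rel = domain_relationship(sender_domain, vendor["domain"])
    if rel != "exact":
        flags["domain"] = f"{rel} sender domain: {sender_domain}"
    claimed = DISPLAY_DOMAIN_RE.search(display)
    if claimed and claimed.group(1).lower() != sender_domain.lower():
        flags["display_name"] = f"display name claims {claimed.group(1)}, sent from {sender_domain}"
    body = msg["body"].lower()
    hits = [t for t in URGENCY_TERMS if t in body]
    if hits:
        flags["urgency"] = "urgency language: " + ", ".join(hits)
    known_digits = re.sub(r"\D", "", vendor["phone"])
    for cand in PHONE_RE.findall(msg["body"]):
        digits = re.sub(r"\D", "", cand)
        if 10 <= len(digits) <= 15 and digits != known_digits:   # ignores dates and invoice refs
            flags["phone"] = f"unfamiliar call-back number supplied in email: {cand.strip()}"
    if msg.get("new_bank_country") and msg["new_bank_country"] != vendor["country"]:
        flags["country"] = f"new account in {msg['new_bank_country']}, vendor banks in {vendor['country']}"
    if not msg.get("phone_verified"):
        flags["unverified"] = "not confirmed by calling a number from existing records"
    return flags
```

The urgency check is plain substring matching and will need tuning against your own mail; the `unverified` flag is the one item no automation can clear, since only the call-back on a number already on file does that.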

How Do You Prevent Vendor Payment Redirect Fraud?

Implement a dual-verification policy. Any banking change request must be confirmed through a second, independent communication channel. This means calling the vendor using a phone number sourced from your own records, never from the email requesting the change.

Enforce separation of duties. The employee who receives a banking update request should never be the same person who approves or processes it. NIST SP 800-53 Rev. 5 explicitly supports this principle under its separation of duties and least privilege access controls.

Train accounts payable staff regularly. Security awareness training must include live examples of vendor impersonation scenarios. The IRS recommends analogous controls for tax professionals to counter W-2 and payment redirect fraud targeting payroll departments.

Deploy email authentication protocols. Require DMARC, DKIM, and SPF to be configured for all vendor domains in your supply chain. Use an email security solution that flags authentication failures and lookalike domains before messages reach employee inboxes.

Audit your vendor database periodically. Review all vendor banking records for unauthorized changes. Any update without a corresponding dual-verification log entry should be treated as a potential security incident pending investigation.

Use AI-powered email security. Solutions that analyze behavioral signals (unusual sender domains, atypical request types, language anomalies, and thread context) can surface vendor redirect attempts that bypass standard spam filters and signature-based detection.


Trust Aside: Ṣọ Email Security analyzes incoming emails for BEC patterns, lookalike domains, and behavioral anomalies on our secure servers. Email content is never stored, never read by humans, never used for training.

AI-powered protection, zero data collection. That's the Ṣọ promise.


