New-Vendor Due Diligence: Verifying a Vendor Is Real Before the First Payment
Ask an AP team which payment carries the most risk and the honest answer is almost always the same: the first one to a vendor nobody has dealt with before. Every payment after that rides on a track record — past invoices, past deliveries, a payment history that quietly confirms the vendor is who they say they are. The first payment has none of that. It goes out on faith, on a name in the vendor master and a set of bank details that arrived by email, and it is the single best opportunity a fraudster has to extract money before anyone is paying attention.
Construction makes this worse than most industries. A general contractor onboards new subcontractors and suppliers on practically every project — a new earthwork sub here, a new specialty trade there, a regional materials supplier for one job only. The volume of genuinely new vendors is high, the pressure to get them paid is real because the field needs the work to continue, and the result is that new-vendor setup often gets the lightest touch in the entire AP process. That is exactly backward. New-vendor setup is where due diligence belongs, because it is the one moment when verifying a vendor is cheap and the one moment when failing to costs the most.
[Statistic not rendered: share of organizations that experienced attempted or actual payments fraud, the majority through compromised vendor and email channels (AFP Payments Fraud Survey)]
A ghost vendor — a fabricated company that exists only to receive payments — produces nothing, delivers nothing, and shows up nowhere on a jobsite. It cannot survive contact with a real verification process. Its entire business model depends on getting into the vendor master without one. Once it is in, the fraud is almost frictionless: an invoice that looks ordinary, a payment that clears, and a vendor record that an auditor scanning a list of three thousand names has no reason to single out.
The same logic applies to a different attack: a real vendor whose identity is being impersonated. A fraudster poses as a legitimate new supplier, submits a real-looking invoice, and supplies bank details that route to an account they control. If your only check is 'does the invoice look right,' it passes. The defense in both cases is the same — verify that the vendor is a real, independently confirmable business, and verify it before the first payment, not after a problem surfaces.
The cost of verification is a few hours of an AP specialist's time. The cost of skipping it is a payment to an account you will never recover from, plus the discovery that the same gap let in three other vendors. Front-load the effort — it is never cheaper than at onboarding.
Effective due diligence is not a background investigation. It is a short, repeatable set of confirmations, each one establishing a fact about the vendor from a source the vendor does not control. Four checks carry most of the weight.
Start with a completed W-9. The legal name and taxpayer identification number on it should match each other — the IRS offers TIN matching for exactly this purpose, and a name/TIN mismatch is both a 1099 problem and a credibility problem. The legal name on the W-9 should also match the name on the invoice, the contract, and the bank account. A vendor invoicing as one entity, registered as another, and banking as a third is not automatically fraud, but it is a question that must be answered before payment, not after. A W-9 that is incomplete, unsigned, or supplied as a blurry image with the EIN partly obscured is a reason to slow down, not speed up.
A real construction business has a real place of business — a yard, a shop, an office. Confirm the address is a genuine commercial location and not a residential house, a vacant lot, a virtual-office suite, or a mailbox-rental storefront. A quick map and street-view check catches most of this in minutes. A vendor whose only address is a PO box, or whose address turns out to be a UPS Store counter, has not failed the check outright — but they have earned a closer look and a direct conversation before they go in the master.
A legitimate company is registered. Confirm the entity exists and is in good standing with the secretary of state in its home jurisdiction — registration records are public and free to search. For any vendor performing licensed construction work, go further and verify the contractor's license directly with the state licensing board: confirm it is active, unexpired, held by the entity you are about to pay, and classified for the trade they are performing. Most state boards publish license status online. A sub whose license is expired, suspended, or registered to a different name is a compliance exposure on top of a fraud question, and on public or prevailing-wage work it can invalidate the payment entirely.
This is the check that stops the most money from leaving. Bank details for ACH or wire payment must be confirmed through a channel independent of the document that supplied them. Do not accept account and routing numbers from an emailed form and pay them as-is. Confirm them by calling the vendor back at a phone number you sourced yourself — from their licensed business record, their established website, the signed contract — never the number printed on the invoice or in the email signature, because in an impersonation scam those route straight back to the fraudster. The same independent-callback discipline applies later when an existing vendor asks to change its bank details: that request is one of the most common business-email-compromise vectors, and it deserves the identical verification gate.
The new-vendor file, before the first payment, should contain:
- A complete, signed W-9 with a legal name and TIN that match each other and the invoice
- A confirmed physical business address that is a real commercial location
- Proof of active business registration in good standing with the home-state secretary of state
- A verified, active contractor license of the correct classification, where the work requires one
- Bank details confirmed by an independent callback to a number not taken from the invoice or email
- A current certificate of insurance and, for subcontractors, an executed contract or subcontract agreement
Ghost-Vendor Warning Patterns
Beyond the checklist, certain patterns recur often enough in fabricated and impostor vendors that any one of them should trigger a harder look before setup is approved.
Signals that a new vendor warrants extra scrutiny:
- An address that matches an employee's home address, or bank details that match an employee's personal account
- A vendor name that is a near-duplicate of a real, established vendor — a single letter, an added 'Inc.,' a transposed word
- Only a mobile phone and a free email domain, with no business website, no registration record, and no licensing footprint
- Sequential or suspiciously round invoice numbers, or invoices with no PO, no delivery ticket, and only vague line-item descriptions
- Pressure to expedite setup and the first payment, or a request to bypass the normal onboarding paperwork 'just this once'
- A bank account opened very recently, in a different state than the business address, or in a name that does not match the W-9
- No physical evidence the vendor was ever on the jobsite — no sign-in records, no daily reports, no superintendent who recognizes the name
The home-address and personal-account overlap is the signature of an internal billing scheme — a fabricated vendor set up by someone inside the company. It is why new-vendor verification has to be independent of whoever submitted the vendor, and why setup cannot be a single-person task.
Verification only works if no single person can both create a vendor and approve payments to it. The person who runs the checks and enters the vendor into the master should not be the person who signs off that the new vendor is approved for payment. That second set of eyes is not bureaucratic friction — it is the control that defeats the insider scheme, because a fabricated vendor that has to clear an independent reviewer is far harder to push through than one that a single employee can wave in.
Make the segregation explicit. Vendor creation, vendor approval, and payment authorization should be three distinct roles, and the system should enforce the separation rather than relying on people to remember it. Practically, that means a new vendor cannot be paid until a reviewer who is not the creator has confirmed the verification file is complete — W-9, address, registration, license, independently confirmed bank details — and recorded that approval with their name and the date.
“We made one change: a new vendor cannot receive a payment until someone other than the person who set it up has signed off that the file is complete. It added a day to onboarding and it killed an entire class of risk. The first thing the reviewer caught was a 'supplier' whose remittance account was a brand-new account in a state we had never worked in.”
— Controller, mid-market general contractor
Due diligence at onboarding is wasted if the vendor master then degrades. A master that accumulates duplicates, inactive vendors, and unverified records becomes the place fraud hides, because a fraudulent vendor is invisible in a list nobody maintains. Treat the master as a controlled asset: deduplicate aggressively so a vendor cannot be paid twice under two slightly different names, deactivate vendors with no activity for an extended period rather than leaving them as live payment targets, and re-verify key details — bank information especially — on a periodic cycle for active, high-spend vendors.
This is where automation does real work. A construction AP platform like Covinly can require the verification fields before a vendor record can be activated, flag near-duplicate names at the point of entry, hold name-and-TIN consistency against the W-9, and enforce the dual-approval step so a new vendor simply cannot be paid until an independent reviewer has signed off — turning the due-diligence checklist from a habit that depends on a busy person remembering it into a gate the system will not let a payment cross.
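The gate described in the two paragraphs above, expressed as an added example that is not Covinly's code or any product's own logic: a single function that refuses to release a first payment unless the verification file is complete, the approver is not the creator, the name is not a near-duplicate of an existing master entry, and the address or bank account does not overlap an employee's. The suffix list, the EIN shape check, and the similarity threshold are assumptions chosen for illustration; real name/TIN matching is an IRS service, not a regex.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

# Corporate suffixes ignored when comparing vendor names (assumed list).
SUFFIXES = {"inc", "llc", "co", "corp", "ltd", "company", "incorporated"}

def normalize_name(name: str) -> str:
    """Lowercase, drop punctuation and corporate suffixes, collapse whitespace."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def near_duplicates(name: str, master: list, threshold: float = 0.9) -> list:
    """Master names whose normalized form is within `threshold` of `name`."""
    n = normalize_name(name)
    return [m for m in master
            if SequenceMatcher(None, n, normalize_name(m)).ratio() >= threshold]

@dataclass
class Vendor:
    legal_name: str
    w9_name: str
    tin: str
    address: str
    bank_account: str
    created_by: str
    registration_good_standing: bool = False
    bank_confirmed_by_callback: bool = False   # callback to an independently sourced number
    approved_by: Optional[str] = None

def payment_gate(v: Vendor, master: list, employees: dict) -> list:
    """Return the reasons a first payment must be held; an empty list releases it."""
    holds = []
    if normalize_name(v.legal_name) != normalize_name(v.w9_name):
        holds.append("legal name does not match W-9")
    if not re.fullmatch(r"\d{2}-?\d{7}", v.tin):  # EIN shape only (assumed check)
        holds.append("TIN malformed")
    if not v.registration_good_standing:
        holds.append("no registration in good standing")
    if not v.bank_confirmed_by_callback:
        holds.append("bank details not confirmed by independent callback")
    if v.approved_by is None or v.approved_by == v.created_by:
        holds.append("approval must come from someone other than the creator")
    dupes = near_duplicates(v.legal_name, master)
    if dupes:
        holds.append(f"near-duplicate of existing vendor(s): {dupes}")
    for emp, rec in employees.items():  # internal billing-scheme signature
        if v.address == rec["address"] or v.bank_account == rec["bank_account"]:
            holds.append(f"address or bank account matches employee {emp}")
    return holds
```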
The first payment to a new vendor is an act of trust, and trust in AP should be earned by verification, not assumed from a clean-looking invoice. Confirm the legal name and TIN, the physical address, the business registration and contractor license, and — above all — the bank details through an independent channel. Make new-vendor setup a two-person job, and keep the vendor master clean enough that a fraudulent record has nowhere to hide. None of it is difficult. It is simply the discipline of proving a vendor is real while proof is still cheap, instead of discovering they were not after the money is already gone.
Written by
Marcus Reyes
Construction Industry Lead
Spent twelve years running AP at a $120M general contractor before joining Covinly. Lives in the world of AIA G702/G703, retainage schedules, and lien waiver deadlines. Writes about the construction-specific workflows that generic AP tools get wrong.