Stopping Vendor Bank-Change Fraud
Here is the email. It comes from a vendor you have paid for years. The message is polite and unremarkable: the company has changed banks, and could you please update their account details for the next payment. New routing number, new account number, maybe an attached letter on company letterhead. Nothing about it looks alarming.
This is vendor bank-change fraud, and it is among the most lucrative scams targeting accounts payable. One successful request reroutes a real, large, legitimate payment straight to a criminal's account. No fake invoice, no fictitious vendor — just a genuine payment sent to the wrong place. This article covers how the scam works, why it keeps succeeding, and the single control that reliably defeats it.
The mechanics are simple, which is what makes it dangerous. The fraudster gets access to — or convincingly imitates — a vendor's email, often after a separate phishing breach of that vendor. They watch for, or simply wait for, a normal billing cycle. Then they send your AP team a request to update the vendor's banking details. If AP makes the change, the next legitimate invoice from that real vendor gets paid into the fraudster's account. The theft is often discovered only weeks later, when the real vendor asks where their money is.
Bank-change fraud succeeds because it does not look like fraud. There is no suspicious invoice to catch — the invoice is real. The request comes from a known vendor, sometimes from their actual compromised email account, so it passes every instinct AP has been trained to trust. And it exploits ordinary helpfulness: updating a vendor's bank details feels like routine admin, the kind of small favor a good AP clerk does without a second thought. The scam weaponizes exactly that helpfulness.
There is one control that defeats this fraud, and it is not complicated: never change vendor bank details based on the request alone. Verify every change by calling the vendor back on a phone number you already have on file — not a number from the request email, not a number in the attached letter. This is 'out-of-band' verification: confirming through a separate channel the fraudster does not control. If the request is fake, a 90-second phone call to the real vendor exposes it instantly.
The verification must use a contact detail you already had before the request arrived. A phone number, email, or contact name supplied in the change request itself is worthless — the fraudster will happily 'confirm' their own request. The whole control is that the channel is independent.
Out-of-band verification only works if it always happens, and 'always' cannot depend on a busy clerk remembering a policy under deadline pressure. The change has to be a workflow with mandatory steps: a bank-detail change cannot be saved until the verification is recorded — who was called, at what number, on what date. And the change should route the next payment to a different approver, so the person who altered the account is not the one who releases money to it.
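As an added illustration of the control described above (example code, not Covinly's product or code), the following Python models the three mandatory steps: a verification record that accepts only the phone number already on file, a save that refuses without a confirming record, and a payment release that refuses the person who made the change. Vendor, request, user names, dates and account numbers are all constructed for the example.

```python
# Added example, not Covinly's code: a bank-change workflow that refuses to save new details
# until a call on the pre-existing number is recorded, and refuses to let the person who
# changed the account release payment to it. All data below is constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


class ControlViolation(Exception):
    """A step tried to bypass a mandatory control in the bank-change workflow."""


@dataclass
class Vendor:
    phone_on_file: str  # contact detail held BEFORE any change request arrived
    routing: str
    account: str


@dataclass
class Verification:
    called_by: str
    number_called: str
    called_on: date
    confirmed: bool


@dataclass
class BankChangeRequest:
    new_routing: str
    new_account: str
    callback_number_in_request: Optional[str] = None  # requester-supplied; never trusted
    verification: Optional[Verification] = None
    changed_by: Optional[str] = None
    audit_log: List[str] = field(default_factory=list)


def record_verification(req, vendor, called_by, number_called, called_on, confirmed):
    """Record the out-of-band call. Only the number already on file counts."""
    if number_called != vendor.phone_on_file:
        raise ControlViolation(f"verification must use the on-file number "
                               f"{vendor.phone_on_file}, not {number_called}")
    req.verification = Verification(called_by, number_called, called_on, confirmed)
    req.audit_log.append(f"verification: {called_by} called {number_called} on "
                         f"{called_on.isoformat()}, confirmed={confirmed}")


def apply_change(req, vendor, changed_by):
    """Save the new bank details; refuses unless a confirming verification is recorded."""
    if req.verification is None:
        raise ControlViolation("bank details cannot be saved before verification is recorded")
    if not req.verification.confirmed:
        raise ControlViolation("vendor did not confirm the change; details not saved")
    old = (vendor.routing, vendor.account)
    vendor.routing, vendor.account = req.new_routing, req.new_account
    req.changed_by = changed_by
    req.audit_log.append(f"change: {changed_by} replaced {old} with {(vendor.routing, vendor.account)}")


def release_payment(req, vendor, approver, amount):
    """Release the next payment; the approver must differ from whoever changed the account."""
    if approver == req.changed_by:
        raise ControlViolation("the person who changed the account cannot release payment to it")
    req.audit_log.append(f"payment: {approver} released {amount} to {vendor.routing}/{vendor.account}")
    return {"amount": amount, "account": vendor.account, "approver": approver}


def _blocked(step):  # True if the step raised ControlViolation, i.e. the control held
    try:
        step()
    except ControlViolation:
        return True
    return False


def run_demo():
    """Walk the workflow on constructed sample data and report what each step did."""
    vendor = Vendor("+1-555-0100", "011000015", "123456789")
    fraud = BankChangeRequest("021000021", "987654321", callback_number_in_request="+1-555-0199")
    when = date(2024, 3, 4)
    outcome = {
        "save_without_call_blocked": _blocked(lambda: apply_change(fraud, vendor, "clerk.jane")),
        "request_number_blocked": _blocked(lambda: record_verification(
            fraud, vendor, "clerk.jane", fraud.callback_number_in_request, when, True)),
    }
    # the real call, on the number already on file: the vendor never sent the request
    record_verification(fraud, vendor, "clerk.jane", vendor.phone_on_file, when, confirmed=False)
    outcome["save_after_denial_blocked"] = _blocked(lambda: apply_change(fraud, vendor, "clerk.jane"))
    outcome["account_after_fraud_attempt"] = vendor.account
    # for contrast, a genuine change that the vendor confirms on the same kind of call-back
    genuine = BankChangeRequest("021000021", "555000111")
    record_verification(genuine, vendor, "clerk.jane", vendor.phone_on_file, when, confirmed=True)
    apply_change(genuine, vendor, "clerk.jane")
    outcome["same_person_release_blocked"] = _blocked(
        lambda: release_payment(genuine, vendor, "clerk.jane", 48_000))
    outcome["paid_to_account"] = release_payment(genuine, vendor, "controller.sam", 48_000)["account"]
    outcome["genuine_audit_entries"] = len(genuine.audit_log)
    return outcome
```

The point of the structure is that no code path reaches the saved account without passing through `record_verification` with the on-file number, and the audit log is written by the same functions that enforce the controls, so the record of who called whom cannot be skipped either.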
Red Flags in a Bank-Change Request
Out-of-band verification catches every fraudulent request on its own, but the following signals mean a request deserves particular care.
Warning signs in a vendor bank-change request
- Urgency — pressure to make the change before the next payment run
- A new contact — the request comes from a person you have not dealt with before at that vendor
- A slightly altered email domain — a character changed or added in the sender's address
- A change to an out-of-area or unexpected bank
- A request to also update the contact phone or email 'while you're at it'
- Reluctance or excuses when you say you need to call the vendor to confirm
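An added example, not from the original article: a small Python scorer that checks a bank-change request against the warning signs above. The lookalike-domain check folds common character substitutions and then measures edit distance against the vendor's genuine domain; "unexpected bank" is simplified here to a country mismatch with the bank currently on file; the last two signals are facts the clerk records after the call attempt rather than anything parsed from the email. All vendor and request data is constructed.

```python
# Added example, not Covinly's code: scores a bank-change request against the warning
# signs listed in the article. The vendor record and both requests are constructed.
from dataclasses import dataclass
from typing import List, Set

URGENCY_CUES = ("urgent", "immediately", "asap", "before the next payment", "right away", "today")
# common substitutions used to make a fake domain read like the real one
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"))


@dataclass
class KnownVendor:
    email_domain: str          # genuine domain, from the vendor master record
    known_contacts: Set[str]   # addresses AP has corresponded with before
    bank_country: str          # country of the bank currently on file


@dataclass
class ChangeRequest:
    sender: str
    body: str
    new_bank_country: str
    asks_to_update_contact: bool = False   # "also update our phone/email while you're at it"
    resisted_callback: bool = False        # recorded by the clerk, not parsed from the email


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough for domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, genuine: str) -> bool:
    """True for a domain that is not the genuine one but is one character or one homoglyph away."""
    domain, genuine = domain.lower(), genuine.lower()
    if domain == genuine:
        return False

    def fold(d):
        for fake, real in HOMOGLYPHS:
            d = d.replace(fake, real)
        return d

    return fold(domain) == fold(genuine) or edit_distance(domain, genuine) == 1


def red_flags(req: ChangeRequest, vendor: KnownVendor) -> List[str]:
    """Return the warning signs present. Any result means slow down; the call-back happens regardless."""
    flags = []
    sender = req.sender.lower()
    domain = sender.rpartition("@")[2]
    body = req.body.lower()
    if any(cue in body for cue in URGENCY_CUES):
        flags.append("urgency")
    if sender not in {c.lower() for c in vendor.known_contacts}:
        flags.append("new_contact")
    if is_lookalike_domain(domain, vendor.email_domain):
        flags.append("lookalike_domain")
    if req.new_bank_country != vendor.bank_country:
        flags.append("unexpected_bank")
    if req.asks_to_update_contact:
        flags.append("contact_change_bundled")
    if req.resisted_callback:
        flags.append("resisted_verification")
    return flags


def run_demo():
    """Score one constructed suspicious request and one constructed routine request."""
    vendor = KnownVendor("acme-electrical.example", {"jane@acme-electrical.example"}, "US")
    suspicious = ChangeRequest(
        sender="billing@acme-electrica1.example",   # digit 1 in place of the letter l
        body="Please update our bank details immediately, before the next payment run.",
        new_bank_country="XX", asks_to_update_contact=True, resisted_callback=True)
    routine = ChangeRequest(
        sender="jane@acme-electrical.example",
        body="Hi, we have moved banks; the new details are attached. Call me to confirm.",
        new_bank_country="US")
    return {"suspicious": red_flags(suspicious, vendor), "routine": red_flags(routine, vendor)}
```

A request that scores zero still gets the call on the on-file number; the flags decide how much attention the request gets, not whether verification happens.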
The single control that defeats bank-change fraud — verifying every change via a phone number already on file, not one from the request
“We got the email — right vendor, right logo, right tone. Our clerk did what the policy said and called the number we already had on file. The real vendor had never sent it. That one phone call saved a six-figure payment from leaving the building.”
— Controller, electrical contractor
Covinly treats a vendor bank-detail change as a controlled event, not an email edit: the change is logged as a distinct action, verification must be recorded before it can take effect, the next payment routes to a separate approver, and the full history is preserved in the audit trail. The control is enforced by the workflow, so it holds during the busy payment run when a manual policy is most likely to slip.
Vendor bank-change fraud is not stopped by being more suspicious — it is stopped by one unbreakable habit: verify every change out-of-band, on a number you already had. Build that into the workflow so it cannot be skipped, and the most lucrative fraud in accounts payable simply stops working.
Written by
Alex Kim
Engineering Lead, AI
Engineering lead for Covinly's AI and ML systems. Previously built fraud detection at a B2B fintech. Writes about how AI actually reads invoices — the math, the edge cases, and why OCR alone isn't enough.