
Vendor Fraud: How to Prevent It in 2026

Vendor fraud often relies on fraudulent IBAN changes. Learn why traditional controls are no longer enough and how IBAN holder verification helps secure payments.


Vendor fraud has become one of the most common threats facing finance and accounting teams. In most cases, it does not rely on a complex technical attack but on a simple change of bank details.

A supplier appears to send a new IBAN, the account number is technically valid, the team updates the supplier's banking information, and the next payment goes straight to the fraudster's account.

The problem is that most companies check documents but not the actual owner of the bank account. Yet a valid IBAN does not guarantee that the account belongs to the right supplier.

There are concrete methods to secure supplier payments and protect your business against this increasingly common form of fraud.

What Is Vendor Fraud?

Vendor fraud is a type of payment fraud in which a fraudster impersonates a legitimate supplier in order to redirect payments to another bank account.

In most cases, the fraud relies on fraudulent supplier bank account changes rather than technical attacks against banking systems.

Key Takeaways

  • A valid IBAN does not guarantee that the account belongs to the correct supplier.
  • Vendor fraud often relies on fraudulent bank account changes.
  • Visual document checks and email confirmations are no longer sufficient.
  • IBAN holder verification is now one of the most effective controls against supplier payment fraud.
  • Verification of Payee (VoP) improves payment security but remains limited for supplier workflows and automation.

How does vendor fraud work?

The typical scenario

The fraudster identifies a real supplier you work with. This information is often publicly available through your website, LinkedIn, or public tenders. In some cases, they simply impersonate a supplier known in your industry without any prior research.

They send an email impersonating that supplier to notify you of a change of banking details. The accounts payable team updates the vendor file with the new information, which looks identical to the original document. The next invoice is paid directly into the fraudster's account.

The fraud is only discovered when the real supplier follows up on an unpaid invoice, by which point recovering the funds is very unlikely. In some cases, several payments are diverted before anyone realizes what has happened.

A fraudulent IBAN can also enter your system at the point of supplier creation. The fraudster substitutes themselves for a supplier you have just selected and provides their own bank details before the first payment is made.

Vendor creation and bank detail updates are both critical steps and both represent entry points for fraudsters.

Why companies get caught out

Vendor fraud works because it exploits structural weaknesses in finance processes, not individual negligence.

Emails have become highly convincing. Generative AI can replicate the writing style, signature, and vocabulary of a regular contact using nothing more than a few exchanges found online. A lookalike domain name completes the illusion visually. Careful reading is no longer a reliable detection method.

A request to update bank details is also, in itself, completely routine. Suppliers genuinely change banks, merge, or open new accounts all the time. Maintaining systematic suspicion across dozens or hundreds of active vendors is simply not realistic, and that is precisely what fraudsters exploit.

Timing compounds the problem. Requests tend to arrive at month-end, during closing periods, or just ahead of a scheduled payment run. Fraudsters choose this window deliberately, knowing that processing pressure reduces the likelihood of thorough verification.

Finally, fake bank detail documents are visually indistinguishable from genuine ones: a perfectly formatted PDF with the correct logo and accurate company information, in which only the IBAN has been changed.

Why traditional controls are no longer enough

The instinctive response to this type of fraud is to strengthen existing checks. The difficulty is that the most common controls each have a specific limitation that makes them insufficient or easy to circumvent.

Visual inspection of bank detail documents provides no protection. A fraudulent document is designed to look identical to a genuine one, and generative AI can now produce a convincing replica in seconds with only the IBAN modified.

Email confirmation is not reliable either, because the email channel itself is the one that has been compromised. Sending a confirmation request to the address that contacted you is effectively asking the fraudster to approve their own request.

A follow-up phone call is a sound practice but has two clear limitations. If the number used is the one provided in the fraudulent email rather than a number independently verified as belonging to your supplier, the call goes directly to the fraudster. Beyond that, this procedure is simply not scalable for organisations managing large numbers of active vendors.

ERP and accounting systems verify that an IBAN is structurally valid and that the BIC code is correct. They do not verify who owns the account. A fraudulent IBAN is a perfectly valid account number belonging to a real bank account. It simply belongs to the fraudster rather than your supplier.

The essential point to retain is this: a valid IBAN is not a safe IBAN. A fraudulent bank detail document contains an account number that passes every format check. It belongs to someone else.

The only verification that actually prevents fraud: account holder verification

Verifying the account holder through direct bank query

The only effective check against vendor fraud is verifying the account holder. Before registering any supplier's bank details, whether at onboarding or when updating existing information, you must confirm that the IBAN provided actually belongs to the company in question. The only reliable way to do this is through a direct query to the bank that holds the account.

If the check shows that the account holder name does not match the expected supplier, the bank details must not be registered and no payment should be made to that account. This holds regardless of how convincing the document looks or how credible the email appears.

This is what our vendor IBAN verification solution provides: account holder verification through direct bank query, accessible via a web portal for individual checks or via an API that integrates directly into accounting tools and ERP systems.

For a full overview of available verification methods and how they work, see our article How to verify the holder of an IBAN.

VoP (Verification of Payee): useful, but limited

Since October 2025, the European VoP (Verification of Payee) regulation requires banks to verify the match between an IBAN and the beneficiary name at the point of payment. This service is free and built directly into bank interfaces.

For small organisations making a few manual payments per month, VoP is a genuine improvement. The check is performed automatically when the transfer is initiated, which is sufficient for that level of volume.

In a supplier management context, however, it has significant structural limitations:

  • It operates at the point of payment rather than when bank details are first registered, meaning a fraudulent IBAN can sit in your ERP for weeks without being detected.
  • It is manual and one-by-one, making bulk verification of a supplier database impossible.
  • It has no API and cannot be integrated into an ERP or treasury management system.
  • It generates no audit trail, leaving no verification history or documentary evidence for internal reviews or disputes.

VoP is a useful additional safeguard at the point of payment. It does not replace upstream supplier verification.

Internal procedures to ensure controls are actually applied

Having a verification tool is not enough if it is not used consistently. That is often where the process breaks down.

Formalising mandatory steps

An informal process is not a process. If verifying bank details depends on the attention level of whichever team member happens to handle the request that day, the outcome will be inconsistent and the control easily bypassed.

Verification needs to be an explicit, non-negotiable step in the workflow, treated with the same rigour as invoice approval.

In practice, this means three things:

  • Any new supplier onboarding requires account holder verification before any entry into the vendor master file.
  • Any bank detail update requires immediate verification before the change is recorded.
  • Periodic audits should include bulk verification of already-registered IBANs to identify any anomalies that may have gone undetected.

It is also worth keeping in mind that fraud does not always originate externally. An employee can modify an IBAN in the ERP without triggering any alert. Verification procedures must cover all changes, regardless of who initiates them.

Integrating verification into your tools

Formalising procedures has a human limit: rules get forgotten, bypassed, or applied inconsistently under pressure. The next step is to make the control automatic and structurally impossible to circumvent by embedding it directly into your tools.

In practice, this means that an unverified IBAN cannot be saved, or triggers a blocking alert before it can be recorded.

Through API integration into the ERP or treasury management system, verification becomes an automated step in the workflow rather than an optional manual action. Every verification is timestamped and logged, providing a complete audit trail for internal reviews or disputes.

This is the approach taken by companies handling significant volumes or seeking comprehensive coverage. Verification is triggered automatically at every supplier creation or bank detail update, with no manual intervention required.
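The following Python example is added here for illustration and is not code from this page or from any verification product. It shows the two points made above: a format check (mod-97) passes for any real account, and the vendor master file is only written when a holder check matches, with every attempt logged. The `verify_holder` callable, the stub that stands in for a direct bank query, the vendor ID, the holder names and the exact-match rule are all assumptions.

```python
import re
from datetime import datetime, timezone

def normalize(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()

def iban_format_ok(iban: str) -> bool:
    """ISO 13616 structure check (mod-97). Says nothing about who owns the account."""
    s = normalize(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])  # A=10 ... Z=35
    return int(digits) % 97 == 1

def save_bank_details(master, audit_log, vendor_id, legal_name, iban, changed_by, verify_holder):
    """Write the IBAN to the master file only on a holder match; log every attempt."""
    iban = normalize(iban)
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "vendor_id": vendor_id,
             "iban": iban, "changed_by": changed_by}
    if not iban_format_ok(iban):
        entry["result"] = "invalid_format"
    else:
        try:
            entry["result"] = "match" if verify_holder(iban, legal_name) else "holder_mismatch"
        except Exception:
            entry["result"] = "verification_unavailable"  # fail closed: nothing is saved
    audit_log.append(entry)  # internal and external change requests are logged alike
    if entry["result"] == "match":  # the only path that reaches the master file
        master[vendor_id] = {"legal_name": legal_name, "iban": iban, "verified_at": entry["ts"]}
    return entry

# Constructed sample data: a stub standing in for the direct bank query (assumption).
# Holder names are invented; the IBANs are the public documentation examples.
SAMPLE_HOLDERS = {"DE89370400440532013000": "ACME SUPPLIES GMBH",
                  "GB82WEST12345698765432": "UNRELATED HOLDER LTD"}

def stub_verify_holder(iban, expected_name):
    return SAMPLE_HOLDERS.get(iban) == expected_name.strip().upper()

def demo():
    master, log = {}, []
    save_bank_details(master, log, "V-1001", "Acme Supplies GmbH", "DE89 3704 0044 0532 0130 00", "ap.clerk", stub_verify_holder)
    # "New bank details" request: the IBAN is format-valid but held by someone else.
    save_bank_details(master, log, "V-1001", "Acme Supplies GmbH", "GB82 WEST 1234 5698 7654 32", "ap.clerk", stub_verify_holder)
    return master, log

if __name__ == "__main__":
    print(demo())
```

In a real workflow the holder comparison is rarely an exact string match, so the matching rule would come from the verification service rather than from this stub.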

Conclusion

Vendor fraud rarely relies on a complex technical vulnerability. In most cases, it exploits the registration of a fraudulent IBAN at supplier creation or when bank details are updated.

Visual checks and email confirmations are no longer sufficient, and VoP does not cover the needs of organisations that want to verify upstream, in bulk, or in an automated way. The most directly effective response is systematic account holder verification, embedded into your processes and tools as a mandatory and non-bypassable step.

To implement this control in your supplier payment workflow, discover our IBAN verification solution for suppliers.

Frequently asked questions

What is the difference between vendor fraud and CEO fraud?

CEO fraud, also referred to as Business Email Compromise (BEC), involves impersonating a senior internal executive to request an urgent and confidential transfer. Vendor fraud impersonates an external supplier to divert routine payments.

Both exploit trust and social engineering to target a human vulnerability, but vendor fraud is harder to detect precisely because it fits seamlessly into normal payment flows and involves amounts that raise no suspicion.

How do you verify a supplier's IBAN?

Verifying a supplier's IBAN means checking not only that the account number is structurally valid, but also that the account holder matches the supplier in question. A format check alone is not sufficient to prevent vendor fraud.

The most reliable method is a service that queries the bank directly to confirm the match between the IBAN and the supplier name.

Is a follow-up phone call not enough?

It is a sound practice, but it has two limitations. If the number called is the one provided in the fraudulent email rather than a number from your own verified records, the call goes directly to the fraudster. Beyond that, the procedure is simply not scalable for organisations with a large number of active suppliers.

Does VoP protect against vendor fraud?

VoP significantly improves payment security, particularly for manual transfers. However, the check occurs at the point of payment execution, which is very late in the process. For companies that want to verify upstream, in an automated way, or integrated into internal tools to maintain a reliable vendor master file, VoP alone is not sufficient.

What should you do if a payment has already been made to a fraudulent account?

Contact your bank immediately to attempt a recall of funds. The first few hours are critical. File a police report and notify your insurer, as some policies cover payment fraud. Keep all related correspondence as evidence.
