THE INVOICE WAS REAL. THE BANK ACCOUNT WASN'T.
Vendor email compromise attacks cost businesses $183K on average. Here's the domain double-check that stops payment redirect scams.
A commercial real estate firm received an invoice for $36 million last year.
It came from a trusted partner they'd worked with for years. Same logo. Same contact name. Same transaction details they'd been discussing for weeks.
One small difference: the email domain ended in ".cam" instead of ".com."
The wire instructions pointed to the attacker's account.
This is Vendor Email Compromise (VEC)
Vendor Email Compromise (VEC) is the most dangerous evolution of business email scams.
Unlike traditional phishing, attackers don't pretend to be strangers. They impersonate vendors you already trust and transactions you're already expecting.
According to Abnormal Security, 40% of organizations now face vendor email compromise attacks every single month. That's up 50% from the year before.
The construction industry gets hit hardest, with 76% of companies targeted. Retail and consumer goods aren't far behind at 66%.
Why these scams work
Here's the painful truth: you're expecting the invoice.
Attackers don't send random emails hoping someone bites. They compromise a vendor's email account, monitor the conversation thread, and wait until a real payment is due.
Then they send "updated" wire instructions from what looks like the same email thread you've been following for weeks.
The invoice is legitimate. The transaction is real. Only the bank account has changed.
The average vendor payment redirect costs $183,000. Billing account update fraud averages nearly $300,000 per incident.
The domain double-check
We recommend what we call the domain double-check.
Before processing any payment request that includes new or updated bank details, verify two things:
1. Check the domain spelling, character by character.
Attackers register domains that look nearly identical to legitimate ones:
- apexpartners.cam vs apexpartners.com
- supp1ier.com vs supplier.com (number 1 instead of letter l)
- vendor-name.co vs vendor-name.com
One character is all it takes. Your brain autocompletes familiar names, which is exactly what scammers count on.
2. Verify through a separate communication channel.
Call the vendor using a phone number from your existing records or their official website. Never use contact information provided in the email requesting the change.
Ask them to confirm: "Did you send updated banking instructions today?"
If they say no, you just stopped a six-figure theft.
Red flags to watch
Payment redirect scams share common patterns:
Urgency around timing. "Please update before processing Friday's payment."
Plausible explanations. "We're switching banks due to an audit" or "Our old account was compromised."
Requests to keep it quiet. "Please process this directly, no need to loop in others."
Slight email differences. Check the full email address, not just the display name.
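As an added example (not code from the original article or from its vendor), here is a small Python triage routine that automates the first half of the domain double-check and screens a message body for the red-flag phrases listed above. The vendor domains, sender address and message text are constructed for illustration; the confusable-character table and phrase lists are an illustrative subset, not an exhaustive one. It only decides whether a payment request must be held for a callback; the callback itself, to a number from your own records, remains the second step.

```python
"""Triage for vendor payment-change emails (added example, not the article's code).

Compares the sender's domain against vendor domains already on file,
folding visually confusable characters (apexpartners.cam, supp1ier.com,
vendor-name.co) and scans the body for the red-flag phrases the article
lists. Any non-match, and any bank-detail change even from a matching
domain, is flagged for a phone callback.
"""
from __future__ import annotations
from email.utils import parseaddr

# Illustrative confusables: digits and letter pairs attackers swap in.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Illustrative red-flag phrases, grouped by the patterns the article names.
RED_FLAGS = {
    "new bank details": ("updated bank", "new account", "wire instructions", "switching banks"),
    "urgency": ("before processing", "before friday", "friday's payment", "today", "urgent"),
    "secrecy": ("no need to loop", "process this directly", "keep this between"),
}

# Constructed sample data for the usage below.
KNOWN_VENDOR_DOMAINS = ["apexpartners.com", "supplier.com", "vendor-name.com"]
SAMPLE_FROM = '"Apex Partners Billing" <billing@apexpartners.cam>'
SAMPLE_BODY = ("Hi, please use our updated bank details for Friday's payment. "
               "We're switching banks due to an audit. Please process this "
               "directly, no need to loop in others.")


def normalize(label: str) -> str:
    """Fold look-alike characters so supp1ier -> supplier and rn -> m."""
    return label.lower().replace("rn", "m").translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the domain of the real address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower().strip() if "@" in addr else ""


def classify_domain(domain: str, known: list[str], max_distance: int = 2) -> tuple[str, str | None]:
    """Classify as 'match', 'lookalike' (close to a known domain) or 'unknown'."""
    domain = domain.lower()
    for k in known:
        if domain == k or domain.endswith("." + k):
            return "match", k
    best, best_dist = None, None
    for k in known:
        d = edit_distance(normalize(domain), normalize(k))
        if best_dist is None or d < best_dist:
            best, best_dist = k, d
    if best is not None and best_dist <= max_distance:
        return "lookalike", best
    return "unknown", None


def red_flags(body: str) -> list[str]:
    """Return the red-flag categories whose phrases appear in the body."""
    text = body.lower()
    return [name for name, phrases in RED_FLAGS.items() if any(p in text for p in phrases)]


def triage(from_header: str, body: str, known: list[str]) -> dict:
    """Decide whether the request must be held until the vendor is called back."""
    domain = sender_domain(from_header)
    verdict, closest = classify_domain(domain, known)
    flags = red_flags(body)
    # A compromised real account looks like a 'match', so any bank change
    # is held for callback regardless of the domain verdict.
    hold = verdict != "match" or "new bank details" in flags
    return {"domain": domain, "verdict": verdict, "closest_known": closest,
            "red_flags": flags, "hold_for_callback": hold}


if __name__ == "__main__":
    print(triage(SAMPLE_FROM, SAMPLE_BODY, KNOWN_VENDOR_DOMAINS))
```

A `lookalike` verdict names the vendor domain it resembles, which is the number to pull from your records for the callback; `unknown` means the sender is not a vendor on file at all and should be treated with the same suspicion.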
Your one takeaway
When a vendor emails new payment instructions, call them using a number from your existing records or their official website.
Never trust banking changes that arrive only by email.
The invoice may be real. The bank account might not be.
Ṣọ Email Security detects vendor impersonation and domain spoofing before fraudulent invoices reach your accounts payable team. Learn how we protect your payments.