The Quiet Heist in Your AP Inbox

The New Accounts Payable Scam You Need to Know About

In today’s finance world, scams don’t look like scams anymore. The latest wave of accounts payable fraud involves hackers quietly sitting inside real vendor inboxes — sometimes for months — learning how they write, what they invoice, and when they get paid.

Then, when the timing is right, they strike. 

How It Works  

These aren’t quick-hit phishing attempts. This is vendor email compromise — a long-game scam built on observation and timing. 

  • The hacker gains access to a vendor’s email (usually through stolen credentials or weak passwords). 

  • They monitor real conversations between the vendor and your AP or CFO team — reading invoices, tone, and timing. 

  • When they see an opportunity — a new client onboarding, a pending payment, or a change request — they intercept or mimic the legitimate message. 

  • They send real-looking invoices, or piggyback on real ones, but swap out the banking details. 

  • They may even update signatures and phone numbers so your team can’t easily verify the request. 

👉 The result: your company pays a legitimate invoice — to the wrong bank. 

Why It’s So Hard to Catch  

These emails are convincing because: 

  • They come from real accounts, not spoofs or look-alike domains, so sender checks such as SPF, DKIM and DMARC pass and spam filters see nothing unusual. 

  • The tone, formatting, and conversation history are authentic. 

  • Hackers often target new vendors — sliding into a thread before the real vendor sends banking info. 

  • They’re polite, professional, and patient — not the frantic “wire this now” tone of old scams. 

By the time the real vendor notices missing payments, the money is long gone. 

 

The Stakes Are Horrifically Real

According to industry sources: 

  • Losses from BEC (Business Email Compromise), the broader category this scam falls under, are measured in billions of dollars (source: Tipalti). 

  • The average loss from a single vendor-email-compromise attack is substantial (source: MineralTree). 

In short: this isn’t a low-risk nuisance; it is a significant operational and reputational risk for finance teams and CFOs.

 

Red Flags for AP Teams

Keep your team alert for subtle warning signs: 

🚩 Banking changes sent via email only (especially without a signed form or portal request). 

🚩 Vendors using different phone numbers or email footers than usual. 

🚩 New vendors suddenly sending payment info earlier than expected. 

🚩 Friendly follow-ups about “outstanding invoices” that feel slightly off. 

🚩 Requests to rush payments or avoid “delays with the new bank.” 

How to Stay a Step Ahead  

Smart processes, not just tech tools, prevent most of these losses. 

1. Use secure payment platforms 

Platforms like Bill.com or Ramp help close the gap by: 

  • Requiring vendors to log in and enter their own banking details — not email them. 

  • Offering two-factor authentication and notifications for any account changes. 

  • Keeping audit trails for all vendor and payment updates. 

  • Allowing multiple users or approval steps before funds are released. 

Even if you use manual processes, build similar checkpoints into your workflow. 

2. Verify out-of-band 

If a vendor sends new payment info: 

  • Never rely solely on the email thread. 

  • Call a known contact at the vendor (using a number from your records, not the email). 

  • If it’s a new vendor, confirm via the original contract or portal before processing any payments. 

3. Add simple process safeguards 

  • Require dual approval for all vendor bank changes. 

  • Keep a vendor change log — note who, when, and why a change occurred. 

  • Encourage staff to flag any “odd” payment timing or tone shifts. 

  • For new vendors, don’t exchange banking details via email — always through a secure form or portal. 

4. Reduce exposure 

  • Encourage vendors to use a dedicated accounts receivable email that’s not public-facing. 

  • Internally, require multifactor authentication on email accounts and use strong, unique passwords; a password change on its own may not end sessions an attacker already holds, so if compromise is suspected also sign out all active sessions. 

  • Audit your vendor master file every quarter for new or changed accounts. 
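The dual-approval rule, the vendor change log and the quarterly master-file audit above can be checked together. The following Python script is an added example, not code from Acru Solutions, Bill.com or Ramp: it diffs two constructed vendor master snapshots and, for every new vendor or changed bank or phone record, looks for a change-log entry with two distinct approvers who are not the requester and a verification done outside email. The CSV columns, the vendors, the people and the bank numbers are all assumptions made for the example.

```python
"""Quarterly vendor master file audit.

Added example, not code from Acru Solutions, Bill.com or Ramp. Diffs two
snapshots of a vendor master file and checks each new vendor or changed
bank/phone record against the vendor change log: the control requires two
distinct approvers who are not the requester and a verification done
outside email. All rows, column names, people and numbers are constructed.
"""
import csv
import io

# Constructed snapshots: vendor master at the start and end of the quarter.
PREVIOUS_SNAPSHOT = """vendor_id,name,bank_routing,bank_account,phone
V100,Northwind Supply,100000001,111222333,+1-555-0100
V101,Contoso Print,100000002,444555666,+1-555-0101
"""

CURRENT_SNAPSHOT = """vendor_id,name,bank_routing,bank_account,phone
V100,Northwind Supply,100000001,111222333,+1-555-0100
V101,Contoso Print,100000009,999888777,+1-555-0199
V102,Fabrikam Logistics,100000003,123123123,+1-555-0102
"""

# Constructed change log: requester, approvers and how the change was verified.
CHANGE_LOG = """vendor_id,field,requested_by,approver_1,approver_2,verification
V101,bank_account,j.doe,j.doe,,confirmed by reply in the email thread
V102,new_vendor,m.lee,r.kim,s.park,phone call to the number on the signed contract
"""

# Fields whose change must be backed by a compliant change-log entry.
WATCHED_FIELDS = ("bank_routing", "bank_account", "phone")


def load_rows(text):
    """Parse CSV text into {vendor_id: row}."""
    return {r["vendor_id"]: r for r in csv.DictReader(io.StringIO(text))}


def load_log(text):
    """Parse the change log into {vendor_id: [entries]}."""
    log = {}
    for r in csv.DictReader(io.StringIO(text)):
        log.setdefault(r["vendor_id"], []).append(r)
    return log


def control_failures(entries):
    """List the ways a vendor's change-log entries fail the control."""
    if not entries:
        return ["no change-log entry"]
    failures = []
    for e in entries:
        approvers = {e["approver_1"], e["approver_2"]} - {""}
        if len(approvers) < 2:
            failures.append("fewer than two distinct approvers")
        if e["requested_by"] in approvers:
            failures.append("requester approved their own change")
        # Crude check: a verification note that mentions email is not out-of-band.
        verification = e["verification"].lower()
        if not verification or "email" in verification:
            failures.append("no out-of-band verification recorded")
    return failures


def audit(previous_text, current_text, log_text):
    """Return one finding per new vendor or changed watched field."""
    prev, curr, log = load_rows(previous_text), load_rows(current_text), load_log(log_text)
    findings = []
    for vid, row in curr.items():
        if vid not in prev:
            change = "new vendor"
        else:
            changed = [f for f in WATCHED_FIELDS if prev[vid][f] != row[f]]
            if not changed:
                continue
            change = "changed " + ", ".join(changed)
        findings.append({"vendor_id": vid, "name": row["name"], "change": change,
                         "failures": control_failures(log.get(vid, []))})
    return findings


if __name__ == "__main__":
    for f in audit(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, CHANGE_LOG):
        status = "OK" if not f["failures"] else "REVIEW: " + "; ".join(f["failures"])
        print(f"{f['vendor_id']} {f['name']}: {f['change']} -> {status}")
```

Run against the constructed data, the script passes the new vendor (two approvers, phone verification) and flags the Contoso Print change three times: single approver, self-approval, and verification that happened inside the very email thread an attacker would control. A phone change alongside a bank change is reported too, matching the red flag about vendors whose contact details suddenly differ.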

 

Easy Steps Vendors Should Take To Protect Themselves  

Vendors are often victims too — here’s how they can reduce the risk of their inbox being used to steal payments: 

  • Use a dedicated AR email (e.g., ar@yourcompany.com) that’s not publicly listed everywhere. 

  • Rotate email passwords regularly, use strong, unique passwords, and change them immediately (and sign out all sessions) if compromise is suspected. 

  • Enable two-factor authentication for any email or billing portal accounts. 

  • Set login alerts and monitor login locations — get notified if an unknown IP or country accesses the AR inbox. 

  • Limit mailbox access to only necessary staff and remove ex-employees promptly. 

  • Send banking details only through your customer’s vendor portal or secure form, never by email, and say so in your invoices so customers know to distrust emailed account numbers. 

  • Train staff to spot unusual payment requests and to verify changes through a phone call to a known contact. 
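Login alerts of the kind described above are normally switched on in the mail provider’s admin console. The Python below is an added example, not code from the original post or from any mail provider, showing the underlying check on a constructed sign-in log: a successful sign-in to the AR mailbox from a country outside the known set raises a high-severity alert, and the first sign-in from a previously unseen IP in a known country raises a low one. The record format, the mailbox address, the baseline and the IP addresses (taken from the documentation ranges) are assumptions.

```python
"""Login-location check for a shared AR mailbox.

Added example, not code from the original post or from any mail provider.
The sign-in records below are constructed; the field names, the mailbox
address, the baseline and the IP addresses (documentation ranges) are
assumptions made for the example.
"""
import json

# Constructed sign-in log, one JSON record per line (assumed format).
SIGNIN_LOG = """
{"ts": "2024-03-01T09:02:11Z", "user": "ar@example-vendor.com", "ip": "203.0.113.10", "country": "US", "result": "success"}
{"ts": "2024-03-01T09:40:52Z", "user": "ar@example-vendor.com", "ip": "203.0.113.10", "country": "US", "result": "success"}
{"ts": "2024-03-02T02:17:03Z", "user": "ar@example-vendor.com", "ip": "198.51.100.77", "country": "DE", "result": "failure"}
{"ts": "2024-03-02T02:18:40Z", "user": "ar@example-vendor.com", "ip": "198.51.100.77", "country": "DE", "result": "success"}
{"ts": "2024-03-02T10:05:00Z", "user": "ar@example-vendor.com", "ip": "203.0.113.44", "country": "US", "result": "success"}
"""

# Baseline per mailbox: countries staff normally work from, and IPs already
# known (office egress, VPN). Both are assumptions for the example.
KNOWN_COUNTRIES = {"ar@example-vendor.com": {"US"}}
KNOWN_IPS = {"ar@example-vendor.com": {"203.0.113.10"}}


def check_signins(log_text, known_countries, known_ips):
    """Return alerts for successful sign-ins from an unknown country or IP.

    Only successful sign-ins count as access to the inbox. A country outside
    the baseline is high severity; a new IP inside a known country is low
    severity and is reported once, because the IP is then added to the
    learned set for the rest of the log.
    """
    learned_ips = {user: set(ips) for user, ips in known_ips.items()}
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["result"] != "success":
            continue
        user = rec["user"]
        ips = learned_ips.setdefault(user, set())
        alert = {"ts": rec["ts"], "user": user, "ip": rec["ip"], "country": rec["country"]}
        if rec["country"] not in known_countries.get(user, set()):
            alert.update(severity="high", reason="sign-in from country outside baseline")
            alerts.append(alert)
        elif rec["ip"] not in ips:
            alert.update(severity="low", reason="first sign-in from a new IP")
            alerts.append(alert)
        ips.add(rec["ip"])
    return alerts


if __name__ == "__main__":
    for a in check_signins(SIGNIN_LOG, KNOWN_COUNTRIES, KNOWN_IPS):
        print(f"[{a['severity']}] {a['ts']} {a['user']} {a['ip']} ({a['country']}): {a['reason']}")
```

The failed attempt from the unknown address is deliberately ignored: the page’s point is to learn when someone actually gets into the inbox, and the successful sign-in that follows it is what produces the high-severity alert. A practitioner would route that alert to someone outside the AR team, since the mailbox owner may be exactly the person whose credentials were stolen.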

 

How CFOs Can Lead the Charge

CFOs set the tone for security culture. Reinforce that: 

  • Slowing down for a verification step is a sign of professionalism, not distrust. 

  • A strong process protects both your company and your vendors. 

  • Regular process reviews (not just tech upgrades) are your best defense. 

Consider adding a quarterly AP workflow review to your financial controls checklist — ensuring your procedures, tools, and training stay one step ahead of fraud tactics. 

Bottom Line

This new form of AP fraud isn’t flashy; it’s subtle, patient, and devastatingly effective. But with awareness, thoughtful workflows, and secure payment systems, your team can stop it before it starts. Use secure payment platforms, adopt simple verification steps, and encourage the same preventive measures on the vendor side (AR-only emails, 2FA, login alerts). 

If your business would like help reviewing AP controls or setting up safer payment workflows through tools like Bill.com or Ramp, our team at Acru Solutions can help you assess risks and strengthen safeguards — without slowing down your operations. 

Acru Solutions - Your Trusted Accounting Partner

#partner #accounting #businessdevelopment #scamawareness

