The story
Precision Manufacturing LLC has been a supplier to Hartwell Industries for four years. Accounts payable processes their monthly invoices without a second thought — it's a known relationship, a known amount, a known contact.
In October, Hartwell's AP team receives an email from what appears to be their Precision contact, David Kim. The email domain is precisionmfg-llc.com. The real domain is precisionmfgllc.com. The only difference is a single hyphen between 'mfg' and 'llc', which is easy to miss at a glance in most email clients.
The email is professional. It references their most recent invoice by number, uses David's standard signature, and explains that Precision has changed banking partners and all future payments should go to the new account. A PDF attachment shows the new wire instructions on what appears to be Precision's letterhead.
AP updates the vendor record. October, November, and December invoices — totaling $280,000 — are paid to the fraudulent account. In January, David Kim calls to inquire about three months of outstanding invoices. The conversation takes under a minute to reveal what happened.
The fraudulent domain precisionmfg-llc.com was registered four months before the attack. During that time the attacker aged the domain and built up email sending reputation, so the messages were far less likely to be flagged by spam filters (a newly registered sending domain is a common filter signal). The letterhead was reconstructed from a publicly available press release PDF.
The FBI IC3 reported $446 million in vendor impersonation losses in 2023. The average fraud duration before detection in recurring payment schemes is approximately 90 days — precisely enough time for three full payment cycles.
What happened
~$280K in vendor payments redirected over 90 days.
What stops it
A verification step before any bank-change approval requires the real vendor contact to prove their identity over a channel the attacker does not control. A spoofed domain fails that check immediately, because the attacker can receive email at the lookalike domain but cannot complete a verification tied to the vendor's real contact.
What this scenario teaches us
Lookalike domains are specifically engineered to pass visual inspection. A hyphen, a transposed character, or a different TLD makes the difference undetectable at normal reading speed.
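The three lookalike patterns named above (inserted separator, transposed character, swapped TLD) can be checked mechanically before a human ever reads the message. The following is an added example in Python, not code from this page or from Real Authenticator: it compares an inbound sender domain against a constructed allow-list of verified vendor domains and reports which trick a lookalike is using. The vendor list, the second vendor domain and the confusable-character table are assumptions made for illustration, and the domain split is simplified (no public-suffix handling).

```python
# Added example (not code from the page or from Real Authenticator): flag inbound
# sender domains that imitate verified vendor domains. The vendor list and the
# confusable-character table below are constructed for illustration only.

# Hypothetical allow-list of verified vendor domains, as AP would keep on file.
VERIFIED_VENDOR_DOMAINS = {
    "precisionmfgllc.com",    # the real supplier domain from the scenario
    "acmecastings.example",   # constructed second vendor
}

# Character pairs an eye reads as identical at normal speed (illustrative subset).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(address_or_domain):
    """Lower-case and return the domain part of an email address or bare domain."""
    text = address_or_domain.strip().lower().rstrip(".")
    return text.rsplit("@", 1)[-1]


def split_domain(domain):
    """Split 'label.tld' into (label, tld). Simplified: no public-suffix list,
    so 'mail.vendor.com' becomes label 'mail.vendor' with tld 'com'."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def squash(label):
    """Drop separators the eye skips over (the hyphen in the scenario)."""
    return label.replace("-", "").replace(".", "")


def fold(label):
    """Squash separators, then collapse confusable characters to a canonical form."""
    text = squash(label)
    for lookalike, canonical in CONFUSABLES:
        text = text.replace(lookalike, canonical)
    return text


def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1, so a transposed pair scores 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_reasons(label, tld, vendor_label, vendor_tld):
    """Return the list of ways (label, tld) imitates the vendor domain, or None
    when it is not close enough to be an imitation."""
    reasons = []
    if tld != vendor_tld:
        reasons.append("different TLD")
    folded, vendor_folded = fold(label), fold(vendor_label)
    if folded == vendor_folded:
        if squash(label) != squash(vendor_label):
            reasons.append("confusable characters")
        elif label != vendor_label:
            reasons.append("separator inserted or removed")
    elif osa_distance(folded, vendor_folded) == 1:
        reasons.append("one-character edit or transposition")
    else:
        return None
    return reasons


def classify_sender(address_or_domain, vendors=VERIFIED_VENDOR_DOMAINS):
    """Classify a sender as 'verified', 'lookalike' (with the imitated vendor and
    the reason) or 'unknown'. A lookalike should block a bank-change request
    outright; verified and unknown senders still need the out-of-band check."""
    domain = normalize(address_or_domain)
    if domain in vendors:
        return ("verified", domain, "")
    label, tld = split_domain(domain)
    for vendor in sorted(vendors):
        reasons = lookalike_reasons(label, tld, *split_domain(vendor))
        if reasons:
            return ("lookalike", vendor, ", ".join(reasons))
    return ("unknown", None, "")


if __name__ == "__main__":
    for sender in ["david.kim@precisionmfgllc.com", "david.kim@precisionmfg-llc.com",
                   "ap@precisionmfgllc.co", "precisi0nmfgllc.com", "precisionmfglcl.com"]:
        print(sender, "->", classify_sender(sender))
```

The scenario's precisionmfg-llc.com is reported as a lookalike of precisionmfgllc.com with the reason "separator inserted or removed". Note what the check does not do: a verified verdict only means the domain string is right, and an attacker who has compromised the vendor's real mailbox passes it, which is why the out-of-band verification step is still required before any bank-change approval.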
AP teams are process-focused, not verification-focused. The organizational expectation is that payment updates are routine — and attackers exploit that expectation with routine-appearing communications.
The 90-day average discovery window for recurring payment fraud is not coincidental. Attackers time the scheme to run through several payment cycles before the real vendor notices the missing payments and triggers an investigation, as David Kim's January call did here.
Verification protocols for payment changes — even from known vendors — should be standard, not exceptional.
Prevention checklist
Require Real Authenticator code verification for all vendor bank account changes
Implement a policy: no banking change is processed without a confirmed code from the vendor contact
Maintain a verified contact list for all major vendors with enrolled Real Authenticator connections
Add a mandatory waiting period (e.g., 5 business days) before any bank change takes effect
Frequently asked questions
Can we just call the vendor to verify?
Yes, and you should, using a phone number already on file for the vendor rather than one taken from the email or the attachment. But caller ID can be spoofed, and some staff are reluctant to make 'extra' calls for routine updates. Real Authenticator reduces verification to five seconds per transaction and makes it operationally sustainable at scale.
Sources & citations
Loss figures are based on documented cases or FBI IC3 reported averages. Individual scenario details are illustrative reconstructions based on documented attack patterns. Real Authenticator is not affiliated with any cited organization.