Supply chain risk

Vendor & Supplier Impersonation

The supplier you've paid for years just changed their bank account. Or did they?

$446M lost to vendor impersonation fraud in 2023

Vendor impersonation exploits one of the most routine processes in any organization: paying a supplier. By the time the fraud is detected, the money has been gone for months — and your real vendor is still waiting to be paid.

$446M: vendor impersonation losses in 2023 (FBI IC3 Annual Report 2023)
72hrs: average window before fraud is detected (FBI IC3 guidance)
62%: of organizations experienced vendor impersonation (APWG 2023)
90d: average duration before discovery in recurring attacks (FBI IC3 analysis)

Vendor impersonation is one of the most cost-effective fraud attacks available. The attacker identifies an established supplier relationship — often by compromising internal email or monitoring public procurement records — and sends a routine-looking notification of a banking change.

The email comes from a domain that is visually similar to the real vendor: acme-suppliers.co instead of acmesuppliers.com, or with an added character that is nearly invisible at a glance. The message references the real vendor contact name, uses their email signature format, and arrives from what appears to be a legitimate business address.

Your accounts payable team processes the update. It's routine. They've done it before. The next three monthly payments go to the attacker's account. The real vendor, waiting on payment, eventually escalates. By then, the fraud has run for 60–90 days and the accounts have been emptied and closed.

The FBI IC3 reported $446 million in vendor impersonation losses in 2023. The attack disproportionately affects organizations with high-volume, recurring vendor payment flows — manufacturing, construction, professional services, healthcare, and government contractors.

Attack anatomy — step by step

1. Attacker identifies a target vendor relationship via compromised internal email, public procurement records, or LinkedIn research.

2. Attacker registers a lookalike domain months in advance and builds email sending reputation.

3. Attacker sends a bank-change notification using the real vendor's name, contact details, and email signature format.

4. AP team processes the update as routine. No verification is requested.

5. Subsequent payments are directed to the fraudulent account.

6. Real vendor escalates non-payment weeks or months later, triggering discovery.

Why your stack fails

Domain lookalike detection in email gateways relies on similarity scoring against a known-good domain list, and attackers work around it by registering the lookalike domain months in advance and building sending reputation before the attack. DMARC/SPF protect the real vendor's domain, not the attacker's lookalike: a domain the attacker controls can carry its own valid SPF, DKIM and DMARC records, so the message passes authentication checks cleanly. Finance teams are trained to process payment updates, not to question them.
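As an added example (not the page's or Real Authenticator's code), a defender-side check that an AP or security team could run over incoming bank-change requests before an analyst acts on them: it compares the sender's domain against a vendor master file, collapsing hyphens and common confusable characters and scoring the edit distance, so acme-suppliers.co or acrnesuppliers.com is flagged as a lookalike of acmesuppliers.com even when the gateway's reputation and authentication checks pass. The vendor master file, domains and request pairs are constructed for illustration.

```python
import unicodedata

# Constructed vendor master file (hypothetical): vendor name -> approved sender domains.
VENDOR_MASTER = {
    "Acme Suppliers": {"acmesuppliers.com"},
    "Globex Logistics": {"globex-logistics.com"},
}

def skeleton(label):
    # Fold case/accents, map confusables, drop hyphens: 'acme-suppliers', 'acrnesuppliers'
    # and 'acmesupp1iers' all collapse to 'acmesuppliers'.
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = s.replace("rn", "m").replace("vv", "w")
    s = s.translate(str.maketrans("01", "ol"))
    return "".join(c for c in s if c.isalnum())

def levenshtein(a, b):
    # Edit distance between two skeletons; 1 or 2 usually means a typo-squat.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(sender_domain, vendor):
    # 'match' = an approved domain; 'lookalike' = near miss; 'unknown' = unrelated.
    # Simplification: the last two labels are taken as the registrable domain
    # (a production check would consult the public suffix list).
    known = VENDOR_MASTER.get(vendor, set())
    sender = sender_domain.strip().lower()
    if sender in known:
        return {"verdict": "match", "closest": sender, "distance": 0, "tld_changed": False}
    s_sld, s_tld = sender.split(".")[-2:]
    best = None
    for k in known:
        k_sld, k_tld = k.split(".")[-2:]
        d = levenshtein(skeleton(s_sld), skeleton(k_sld))
        if best is None or d < best["distance"]:
            best = {"closest": k, "distance": d, "tld_changed": s_tld != k_tld}
    verdict = "lookalike" if best and best["distance"] <= 2 else "unknown"
    return {"verdict": verdict, **(best or {})}

def triage(requests):
    # requests: (vendor, sender domain) pairs from the AP mailbox. Every bank change is held
    # for out-of-band verification via a number from the vendor master; anything but 'match'
    # is also escalated to security.
    return [(dom, assess(dom, vendor)["verdict"]) for vendor, dom in requests]
```

Call triage with the (vendor, sender domain) pairs pulled from the bank-change requests in the AP mailbox; the skeleton step is deliberately small and should be extended with the Unicode confusables list for production use.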

How Real Authenticator stops it

A Real Authenticator verification step in the bank-change approval workflow requires the vendor contact to prove their identity cryptographically before the update is processed. A spoofed domain — regardless of how similar it looks — cannot produce the enrolled vendor's TOTP code.

Documented real-world cases

Save the Children — $1M

In 2018, the charity Save the Children was defrauded of $1 million when an attacker compromised email accounts and submitted fraudulent invoices directing payment to overseas accounts. The fraud was discovered only after funds had been transferred.

Source: The Boston Globe, 2018

Frequently asked questions

Can we just call the vendor to verify?

Phone verification is the standard guidance — and it works, when followed. The challenge is the operational friction: AP teams process hundreds of payments, and calling every vendor for every change creates process bottlenecks that teams eventually work around. Real Authenticator reduces verification to five seconds, making it practical to verify every change without breaking the workflow.

Sources & citations

Statistics reflect data available at time of publication. Real Authenticator is not affiliated with cited organizations. Links to external sources are provided for reference only.
