Finance & Accounting Automation

Vendor Payment Fraud: How Bank-Detail-Change and BEC Scams Bypass AP Controls

The invoice is real, the supplier is real, only the bank account changed. Here is how vendor email compromise and bank-detail-change fraud bypass AP controls, and the controls that actually stop it.

Kognitos 13 min read
Vendor payment fraud in 2026: how bank-detail-change and business email compromise scams bypass AP controls (the invoice is real, the vendor is real, only the bank account changed), why email security misses them, the controls that stop them, and NACHA's 2026 ACH fraud rules. By Kognitos.

The most expensive fraud in accounts payable is also the hardest to spot, because almost nothing about it looks wrong. The invoice is real. The supplier is real. The email comes from the supplier's actual address, sometimes from their actual compromised mailbox, inside a genuine invoice thread. Only one thing has changed: the bank account the payment goes to. This is vendor payment fraud through bank-detail-change and business email compromise, and it bypasses the controls most AP teams rely on. Here is how it works, why it gets through, and what actually stops it, including the new NACHA rules that make addressing it a 2026 requirement.

TL;DR

Vendor payment fraud through bank-detail-change and business email compromise (BEC) is among the most prevalent and costly fraud affecting accounts payable. BEC affects roughly three-quarters of organizations (per the 2026 AFP Payments Fraud and Control Survey), and vendor email compromise specifically accounts for a large share of it. The scheme: a fraudster, posing as a legitimate vendor (often from the vendor's own compromised email account, sometimes from a spoofed lookalike domain), requests a change to the vendor's bank account details, so future payments are redirected to the fraudster's account.

It bypasses AP controls because it exploits trusted, normal processes rather than breaking them. The invoice is genuine, the vendor relationship is genuine, the request follows the normal process, and when the email comes from the vendor's actual compromised mailbox, it is genuinely from the vendor's address, so email security cannot flag it as spoofed. The fraud often goes undetected for months, until the real vendor asks why they have not been paid, by which time the funds are usually unrecoverable.

The controls that stop it are process controls applied consistently, not email security alone. The most important: out-of-band verification of any bank-detail change, confirming the change by phone using a number obtained independently of the request (never the number in the email), before updating the vendor record or paying. Others include bank-account validation before payment, segregation of duties between vendor-master-data changes and payment, and applying these controls on every bank-detail change and every payment, not just when someone remembers. The recurring failure is not the absence of controls but their inconsistent application under time pressure.

This is now also a regulatory requirement. NACHA's 2026 ACH fraud-monitoring rules require originators to implement risk-based processes to identify ACH entries authorized under false pretenses, NACHA's term explicitly covering BEC, vendor impersonation, and payroll diversion, phased in through 2026.

This post covers how the fraud works, why it bypasses controls, the controls that stop it, the NACHA rules, and how consistent, auditable control enforcement addresses it. For the broader fraud context, see The 2026 Payments Fraud Playbook: Deterministic AI Controls vs Manual Review.

How vendor payment fraud works

Vendor payment fraud through bank-detail-change is a specific, highly effective scheme, and understanding its mechanics shows why it is so hard to catch.

The setup: a fraudster targets the payment relationship between a company and one of its vendors. The goal is simple, to redirect a legitimate payment from the vendor's real bank account to an account the fraudster controls, by getting the company to update the vendor's banking details in its records.

The access: the fraudster reaches the AP team posing as the vendor, through one of a few routes. The most dangerous is vendor email compromise, where the fraudster has actually compromised the vendor's email account (via phishing or account takeover) and emails from the vendor's real address, often inserting themselves into a genuine, ongoing invoice thread, monitoring it for weeks, and sending the fraudulent request at exactly the right moment. Less sophisticated but still effective routes include spoofed lookalike domains (an address that closely resembles the vendor's) and impersonation using researched details. In the vendor-email-compromise case, the email is genuinely from the vendor's address, which is what makes it so hard to detect.

The request: posing as the vendor, the fraudster requests that the company update the vendor's bank account details, "our banking has changed, please send future payments to this account." The request is often timed near a real payment (right before an invoice is due), supported with legitimate-looking documentation, and framed within the normal process, so it looks routine. Variants include submitting fraudulent or duplicate invoices, but the bank-detail change is the core and most damaging move.

The result: if the company updates the vendor record and pays, the payment goes to the fraudster. Because everything looked legitimate, the fraud is typically discovered only later, often months, when the real vendor follows up about a missing payment, and by then the funds have usually been moved and are unrecoverable. In one documented 2026 case, an organization issued three payments totaling $150,000 on a fraudulent vendor request and recovered only $915. The combination of high loss and low recovery is what makes this fraud so costly.

Why it bypasses AP controls

Vendor payment fraud is effective precisely because it bypasses the controls most AP teams rely on, and it does so by exploiting normal processes rather than breaking them. The specific reasons:

1. The invoice, the vendor, and the relationship are all real. Unlike crude fraud, there is no fake invoice or unknown payee to flag. The vendor is a legitimate, established supplier the company genuinely owes money to. The only fraudulent element is the bank account, which is a single changed field in an otherwise legitimate transaction. Controls that look for suspicious invoices or unknown vendors do not catch a real invoice to a real vendor.

2. Email security cannot catch a compromised legitimate mailbox. When the fraudulent request comes from the vendor's actual compromised email account, it is genuinely from the vendor's address, with no spoofed domain, no malicious link, no malicious attachment. Email security tools, which look for those signals, cannot flag it, because there is nothing technically wrong with the email: it is a legitimate email account sending a fraudulent request. This is the crucial point that defeats a purely technical defense: a perfectly configured email security stack still passes a BEC message from a genuinely compromised vendor mailbox, because the message is, technically, legitimate.

3. It exploits trust in established relationships. AP teams are, reasonably, less suspicious of established vendors than of new ones, and concentrate verification on new payees. Vendor-email-compromise fraud exploits exactly this, attacking the trusted, established relationship where scrutiny is lowest, which is why higher-friction environments push attackers toward compromising real vendor accounts rather than using crude spoofs.

4. It exploits speed and process pressure. AP teams are expected to process payments quickly and at volume, which reduces the time for thorough verification, and the fraudster's timing (right before a payment is due) and framing (urgency, routine) exploit that pressure. The verification step most likely to catch the fraud, independently confirming the change, is also the step most likely to be skipped under time pressure.

5. The verification that would catch it is often bypassed or flawed. Many AP teams have a callback-verification policy for bank-detail changes, but it is inconsistently applied (skipped under pressure), or flawed in a specific way: the verification uses contact information from the same email that made the request, so the team calls the fraudster, who confirms the fraudulent change. Verification that relies on the requester's provided contact information is not real verification, but it is common, and it is exactly the gap the fraud exploits.

The pattern across all five is that the fraud lives in the normal process: the real invoice, the real vendor, the real email account, the routine request, the time pressure: so controls designed to catch abnormal transactions miss it, and the one control that would catch it (genuine out-of-band verification) is the one most often skipped or done wrong.

The controls that actually stop it

Because the fraud exploits normal process and defeats email security, the controls that stop it are process controls, applied consistently. The ones that matter most:

1. Out-of-band verification of every bank-detail change

This is the single most important control. Any change to vendor payment instructions, new bank account, changed account or routing number, must be verified by directly contacting the vendor using a phone number obtained independently of the request (from the vendor's verified records or a known directory, never a number provided in the email or document making the request). This breaks the fraud, because even if the fraudster controls the email, they do not answer the vendor's real phone number. The critical detail is "independently obtained": verifying via the contact information in the request itself is the flawed verification that fails.

2. Bank-account validation before payment

Validating that the bank account belongs to the legitimate vendor, through account-validation services that verify account ownership and match it to the vendor identity, before paying, catches redirected payments. Dedicated vendor account-validation services exist for exactly this and are increasingly the expected control, validating bank details against verified databases before every payment.

3. Segregation of duties between vendor-master-data changes and payment

The person who can change a vendor's bank details should not be the same person who approves and releases payments, so no single individual (or single compromised account) can both redirect and pay. Separating vendor-setup and vendor-change permissions from payment permissions is a foundational control against both external fraud and internal collusion.

4. Vendor master data integrity

Because the fraud targets the vendor record (the bank details), the integrity of the vendor master data is central: controlled, audited processes for changing vendor records, with verification built into any bank-detail change, so the record cannot be quietly altered. Vendor master data hygiene is the foundation that the payment controls rest on, connected to The Top AI Tools for Vendor Management and Supplier Onboarding in Finance.

5. Consistent application on every change and every payment

The recurring failure is not the absence of these controls but their inconsistent application: the callback skipped under time pressure, the validation not run on a "trusted" vendor, the verification done using the wrong contact information. The controls only work if applied every time, on every bank-detail change and every payment, regardless of how routine or trusted the request seems, which is precisely where consistent, enforced control execution matters more than the existence of a policy.

The throughline is that stopping vendor payment fraud is an operating-model problem, not a single-control problem: the right controls, enforced consistently on every relevant change and payment, rather than relying on individual judgment and memory under pressure.

The NACHA 2026 rules make this a requirement

Addressing vendor payment fraud is now not just prudent but, for ACH payments, a regulatory requirement, because of NACHA's 2026 ACH fraud-monitoring rules.

NACHA (which governs the ACH network) introduced, for the first time, a formal requirement for proactive, risk-based ACH fraud monitoring across the network. The rules require covered participants to implement processes and procedures to identify ACH entries suspected of being authorized under false pretenses, a term NACHA introduced specifically to capture the fraud typologies used against ACH, explicitly including business email compromise, vendor impersonation, and payroll diversion, exactly the vendor payment fraud this post addresses.

The rules phase in through 2026: Phase 1 (effective March 20, 2026) applies to ODFIs, RDFIs, and non-consumer originators with ACH transaction volume of $1 billion or more, and Phase 2 (effective June 19/22, 2026) extends the requirement to third-party senders, third-party service providers, and originators regardless of volume. The programs must be risk-based, documented, and subject to annual review. The practical effect is that companies originating ACH payments are now required to have risk-based processes to identify payments authorized under false pretenses, which is precisely what vendor bank-detail-change fraud is. This turns the controls above, verification of bank-detail changes, account validation, monitoring for the signals of authorized-under-false-pretenses fraud, from best practice into compliance with NACHA's rules, and it makes consistent, documented, auditable control execution a regulatory expectation, not just a fraud-prevention preference. Companies should confirm which phase applies to them and ensure their vendor-payment controls meet the risk-based, documented standard the rules require.

How consistent, auditable control enforcement helps

The recurring lesson across vendor payment fraud is that the failure is usually not missing controls but inconsistently applied ones: the verification skipped under pressure, the validation not run on a trusted vendor, the callback done using the wrong number. So the most effective response is enforcing the right controls consistently, on every bank-detail change and every payment, so the verification is never skipped and never done wrong, and is documented for the audit and review the NACHA rules now expect.

This is where a deterministic, agentic platform like Kognitos is relevant to vendor payment fraud, honestly scoped. Kognitos is not a dedicated bank-account-validation service (services like the ones noted above specialize in validating account ownership against verified databases) and not an email-security tool (which addresses the email layer). Its relevance is the control enforcement layer in the AP process: enforcing that the required verification and control steps happen on every bank-detail change and every payment, deterministically and the same way every time, rather than depending on a person to remember under time pressure. Because Kognitos executes deterministically, a defined control ("any bank-detail change requires out-of-band verification before the vendor record is updated or payment is made") is applied to every instance, not just when someone remembers, which directly addresses the inconsistent-application failure that the fraud exploits. And because every step is logged in plain language, the control execution is auditable and documented, which is exactly what NACHA's rules' documented, risk-based, reviewable standard requires. For the requirements around AI and automated decisions in financial processes, see AI Audit Trail Requirements: A 2026 Checklist for Finance, Healthcare, and Banking.

In practice, this means Kognitos can enforce the verification workflow (route every bank-detail change through the required independent verification before it takes effect), enforce segregation of duties and approval on payments, integrate the output of dedicated account-validation services into the enforced process, and maintain the vendor master data integrity that the controls rest on, consistently and auditably. It works alongside dedicated account-validation and email-security tools rather than replacing them: those address the validation and email layers, while Kognitos enforces that the controls actually execute on every transaction and are documented. For a finance team whose vendor-payment-fraud exposure comes from controls that exist on paper but are inconsistently applied, which is the documented common failure, consistent, auditable enforcement is the gap that most needs closing, and it is also what the NACHA rules now require. English-as-code agentic AI makes this kind of control definition and enforcement accessible to finance teams without code. For why payment fraud controls are less widely deployed than the risk warrants, see Why Only 17% of Companies Use AI to Fight Payments Fraud.

This is the deterministic, neurosymbolic approach applied to vendor payment fraud: consistent with the broader argument in The 2026 Payments Fraud Playbook: Deterministic AI Controls vs Manual Review.

Book a working session with a Kognitos solutions engineer → Or try Kognitos free →

Putting it together

Vendor payment fraud through bank-detail-change and business email compromise is among the most prevalent and costly AP fraud because it bypasses controls by exploiting normal process: the invoice is real, the vendor is real, the email often comes from the vendor's actual compromised mailbox, and only the bank account has changed, so email security cannot catch it and controls looking for abnormal transactions miss it. It is usually discovered months later, when funds are unrecoverable. The controls that stop it are process controls applied consistently, out-of-band verification of every bank-detail change using independently obtained contact information, bank-account validation before payment, segregation of duties between vendor-data changes and payment, vendor master data integrity, and above all consistent application on every change and payment, because the documented failure is inconsistent application, not missing controls. NACHA's 2026 ACH fraud-monitoring rules now require risk-based, documented processes to identify payments authorized under false pretenses, making this a compliance requirement, not just best practice. The most effective response is enforcing the right controls consistently and auditably on every transaction, which is a control-execution problem, addressed by applying the verification and controls deterministically and documenting them, so the control is never skipped under pressure and is evidenced for the review the rules require. Vendor payment fraud sits within the broader accounts payable automation process, and consistent fraud controls here protect the accuracy and integrity of the entire AP cycle. For the broader financial services context, see The Top AI Automation Tools for Banking Back-Office Operations. The Finance and Accounting Automation layer is what makes consistent, auditable control execution possible.

Frequently Asked Questions

Vendor payment fraud is fraud that redirects or extracts payments through the vendor-payment process, most commonly by getting a company to send a legitimate payment to a fraudster's bank account instead of the vendor's. The dominant form is bank-detail-change fraud via business email compromise (BEC): a fraudster, posing as a legitimate vendor, requests a change to the vendor's bank account details so future payments are redirected to an account the fraudster controls. The fraudster reaches the AP team by compromising the vendor's actual email account (vendor email compromise), spoofing a lookalike domain, or impersonating the vendor with researched details, and times the request near a real payment, framed as routine. Because the invoice, the vendor, and the relationship are all genuine, and only the bank account is fraudulent, the fraud is hard to detect and is often discovered only months later when the real vendor asks about a missing payment, by which time the funds are usually unrecoverable. Related variants include fraudulent or duplicate invoices and internal schemes like fake vendors, but the bank-detail-change via BEC is the most prevalent and costly form affecting accounts payable.
It bypasses controls by exploiting normal processes rather than breaking them. First, the invoice, vendor, and relationship are all real, so controls looking for fake invoices or unknown payees find nothing wrong: the only fraudulent element is a single changed bank-account field in an otherwise legitimate transaction. Second, when the fraudulent request comes from the vendor's actual compromised email account, it is genuinely from the vendor's address with no spoofed domain or malicious link, so email security cannot flag it: a perfectly configured email security stack still passes a BEC message from a genuinely compromised legitimate mailbox because the message is, technically, legitimate. Third, it exploits trust in established relationships, where AP scrutiny is lowest. Fourth, it exploits the speed and volume pressure on AP teams, which reduces verification time. Fifth, the verification that would catch it, independently confirming the change, is often skipped under pressure or done wrong, using the contact information in the request itself (which reaches the fraudster) rather than independently obtained contact information. The fraud lives entirely in the normal process, which is why controls designed to catch abnormal transactions miss it and the one control that catches it is the one most often bypassed.
The single most important control is out-of-band verification of every bank-detail change: any change to vendor payment instructions (new bank account, changed account or routing number) must be verified by directly contacting the vendor using a phone number obtained independently of the request, from the vendor's verified records or a known directory, never a number provided in the email or document making the request, before updating the vendor record or making payment. This breaks the fraud because even if the fraudster controls the vendor's email, they do not answer the vendor's real phone number, so the verification reaches the actual vendor, who confirms they did not request the change. The critical detail is that the contact information must be independently obtained: verifying via the phone number or contact in the request itself is the flawed verification that commonly fails, because it reaches the fraudster. Beyond this, bank-account validation before payment, segregation of duties between vendor-data changes and payment, and vendor master data integrity all help, but out-of-band verification with independently obtained contact information is the control that most directly defeats the scheme, provided it is applied consistently on every change rather than skipped under time pressure.
Email security does not stop vendor email compromise because, when the fraudulent request comes from the vendor's actual compromised email account, there is nothing technically wrong with the email for security tools to detect. Email security tools look for signals of malicious email: spoofed domains, lookalike addresses, malicious links, malicious attachments, suspicious sending infrastructure. In a vendor-email-compromise attack, the fraudster has taken over the vendor's real email account and sends from the vendor's genuine address, often within a real, ongoing invoice thread, with no malicious link or attachment, just a request to update bank details. From the email security system's perspective, this is a legitimate email from a legitimate, authenticated account, so it passes. As security analyses put it, a perfectly configured email security stack still passes a BEC message that originates from a genuinely compromised legitimate mailbox, because the message is, technically, legitimate. This is why defending against vendor payment fraud cannot be purely technical and must include process controls, particularly out-of-band verification of bank-detail changes, that validate the business process (is this change real?) rather than only the message (is this email malicious?). The compromised-mailbox case is specifically what defeats email-security-only defenses.
NACHA's 2026 ACH fraud-monitoring rules establish, for the first time, a formal requirement for proactive, risk-based ACH fraud monitoring across the ACH network. They require covered participants to implement processes and procedures to identify ACH entries suspected of being authorized under false pretenses, a term NACHA introduced to capture the fraud typologies most used against ACH, explicitly including business email compromise, vendor impersonation, payroll diversion, account takeover, and social engineering. The rules phase in during 2026: Phase 1 (effective March 20, 2026) applies to ODFIs, RDFIs, and non-consumer originators with ACH transaction volume of $1 billion or more, and Phase 2 (effective around June 19-22, 2026) extends the requirement to third-party senders, third-party service providers, and originators regardless of volume. The programs must be risk-based, documented, and subject to annual review. The practical effect for companies originating ACH payments is that having risk-based processes to identify payments authorized under false pretenses, exactly what vendor bank-detail-change fraud is, becomes a compliance requirement rather than just best practice, making consistent, documented, auditable vendor-payment controls a regulatory expectation. Companies should confirm which phase applies to them and validate their controls against the rules' standard with appropriate advisors.
AP automation helps prevent vendor payment fraud primarily by enforcing the right controls consistently, addressing the documented core failure, which is not missing controls but inconsistently applied ones (verification skipped under pressure, validation not run on a trusted vendor, callback done using the wrong contact information). Automation can enforce that the required controls execute on every relevant transaction: routing every bank-detail change through independent out-of-band verification before the change takes effect, requiring bank-account validation before payment, enforcing segregation of duties between vendor-data changes and payment approval, and maintaining controlled, audited vendor master data, applied the same way every time rather than depending on individual memory under time pressure. This consistency is the key benefit, since the fraud exploits the moments when controls are skipped. Automation also creates the documented, auditable record of control execution that NACHA's 2026 rules require. It is important that the automation enforces these controls accurately and auditably rather than just processing payments quickly, since the goal is consistent control application, and that it work alongside dedicated tools, bank-account-validation services for the validation itself and email security for the email layer, rather than replacing them, with the automation ensuring the overall control workflow executes consistently on every transaction.
Vendor payment fraud through bank-detail-change commonly goes undetected for an extended period, often months, because nothing about the transaction looks wrong at the time. When the company updates the vendor's bank details and pays, the payment appears to be a normal, legitimate payment to a real vendor for a real invoice, so no immediate red flag is raised. The fraud typically surfaces only when the real vendor follows up to ask why they have not been paid, since the payment went to the fraudster's account instead of theirs. By the time this happens, often weeks or months later, after the vendor's payment terms have lapsed and they have inquired, the fraudulent funds have usually been withdrawn or moved through other accounts and are unrecoverable. This long detection lag is a major reason the fraud is so costly: the delay both allows the funds to disappear and can allow multiple fraudulent payments before discovery. In one documented 2026 case, an organization made three payments totaling $150,000 before the fraud was caught and recovered only $915. The long lag underscores why prevention through verification controls at the point of the bank-detail change is far more effective than trying to detect and recover after the fact.
General payments fraud is the broad category of fraud targeting a company's payments, including check fraud (the most common type, exploiting paper checks), business email compromise, internal fraud, card fraud, and others, across all payment types and methods. Vendor payment fraud is a specific subset focused on the vendor-payment relationship, most prominently bank-detail-change fraud via business email compromise, where a fraudster posing as a legitimate vendor redirects payments by changing the vendor's banking details. The distinction matters for controls: general payments fraud is addressed by a broad set of controls spanning payment methods (for example, moving off paper checks to reduce check fraud, which is a major component of general payments fraud), while vendor payment fraud is addressed specifically by vendor-relationship controls, out-of-band verification of bank-detail changes, vendor account validation, segregation of duties on vendor data, and vendor master data integrity. Vendor payment fraud is one of the most costly subsets of general payments fraud because of its high success rate (exploiting trusted relationships and defeating email security) and low recovery rate (long detection lag). Addressing it requires the specific vendor-focused controls described here, within a broader payments-fraud control program that also addresses check fraud and the other vectors.

Last updated: June 2026. Statistics from the AFP Payments Fraud and Control Survey and other industry sources are as reported by those sources. NACHA rule details should be verified against NACHA's official documentation and with qualified advisors for applicability to your organization. This article is informational and does not constitute legal, compliance, or security advice.

K
Kognitos
Kognitos

Enforce vendor-payment controls consistently and auditably on every transaction.

Inconsistent control application is the documented failure in vendor payment fraud: the verification skipped under pressure, the validation not run on a trusted vendor. Kognitos enforces the required controls on every bank-detail change and every payment, deterministically, with every step logged in plain language for the audit and review NACHA's 2026 rules require.

Book a Working Session
Or try it free →