The accounts payable assistant in Stuart opened the invoice attachment at 9:14 on a Thursday morning. It looked exactly like the others her office gets every month from a long-time concrete supplier. Same logo, same line items, same project numbers. The only thing that had changed was the routing and account number at the bottom of the page, with a short note explaining that the vendor had switched banks. She forwarded it to the bookkeeper, who released the wire that afternoon. Eight days later, the actual supplier called asking when payment would arrive, and that’s when everyone realized the money was gone.
That sequence is now one of the most common ways a small business in Florida loses real cash to a cyber attack. There’s no malware on the laptop, no encrypted servers, no ransom note. Just a vendor whose email account was quietly compromised weeks earlier, and a finance process that trusted the email at face value. The question every business owner has to answer is whether a few extra minutes on a phone call are worth more than the wire that’s about to go out.
What Actually Happens In A Vendor Email Compromise?
Vendor email compromise is the version of business email fraud where the attacker doesn’t impersonate your CEO from the outside. Instead, they take control of a real account at one of your suppliers, watch the inbox for weeks, and then send you a message at exactly the right moment. By the time it lands, the email is coming from the legitimate domain, threading correctly off a real conversation, and carrying an updated invoice that looks indistinguishable from the originals.
That distinction matters because most of the security advice people read assumes the attacker is on the outside trying to slip past a spam filter. With a compromised vendor account, the email passes every filter. There’s no spoofed display name to catch, no lookalike domain to flag, and no malicious link to detect. The attack works because the email is genuinely from the address it claims to be from. The only thing that’s wrong is the bank account on page two of the PDF.
A real example pattern looks like this. The contractor your office uses for HVAC work has had the same email signature, the same logo, and the same dollar amounts every quarter for three years. One day a slightly different invoice arrives, with a note that they’ve switched processors and the wire instructions are new. The actual person at the contractor has no idea. Their email password was reused on a website that got breached six months ago, and a different person is now controlling the conversation.
How Do Attackers Pull Off Convincing Invoice Swaps?
The mechanics behind a fake invoice swap don’t require a sophisticated hacker. Most of these attacks follow the same playbook, and once you’ve seen the pattern it’s easy to recognize. The reason it keeps working is that small office finance processes were not designed to defend against email accounts that look perfectly legitimate.
It usually starts with credential reuse. An employee at your vendor signs up for an account on a forum or a vendor portal, uses the same password they use for their work email, and then that forum gets breached. The attacker takes the email-and-password combination, tries it on the matching Microsoft 365 or Google Workspace account, and if multi-factor authentication is not enforced, they are in. From that point they sit quietly. They read inbox conversations, watch how money moves, and learn which clients are most likely to follow a payment instruction without asking.
The next move is patience. The attacker creates a hidden inbox rule that auto-forwards any message mentioning "invoice", "ACH", or "wire" to an outside address, then deletes the original from the vendor’s inbox. The real vendor never sees the conversation that is now happening in their name. When the time is right, the attacker sends the swap message to your business from the real account, often as a reply inside an existing thread.
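As an added example (not code from the original article or from O&O Systems), here is a defender-side audit that flags the inbox-rule pattern just described in an exported rule list; the field names, domains and sample rules are constructed assumptions, not any mail platform’s real export format:

```python
"""Audit exported mailbox inbox rules for the pattern described above: forward invoice,
ACH or wire mail to an outside address and delete the original. Added example, not the
article's code; field names and sample rules are constructed, not a real export schema."""
import re

INTERNAL_DOMAINS = {"examplevendor.test"}  # domains the mailbox owner controls (assumed)
# Terms that mark a rule as keyed on money movement.
PAYMENT_TERMS = re.compile(r"\b(invoice|ach|wire|remit|payment)\b", re.IGNORECASE)

# Constructed sample export: one ordinary rule and one matching the attack pattern.
SAMPLE_RULES = [
    {"mailbox": "ap@examplevendor.test", "name": "Newsletters", "enabled": True,
     "subject_contains": ["newsletter"], "forward_to": [], "redirect_to": [],
     "delete_message": False},
    {"mailbox": "ap@examplevendor.test", "name": ".", "enabled": True,
     "subject_contains": ["invoice", "ACH", "wire"],
     "forward_to": ["collector@mail-drop.example"], "redirect_to": [],
     "delete_message": True},
]

def external_targets(rule):
    """Forward/redirect recipients whose domain is not one the owner controls."""
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    return [t for t in targets if t.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def rule_findings(rule):
    """Reasons a single rule looks like a compromise rule; empty list means benign."""
    if not rule.get("enabled", True):
        return []
    reasons = []
    outside = external_targets(rule)
    if outside:
        reasons.append("forwards or redirects outside the tenant to " + ", ".join(outside))
    keyed = [k for k in rule.get("subject_contains", []) if PAYMENT_TERMS.search(k)]
    if keyed:
        reasons.append("keyed on payment terms " + ", ".join(keyed))
    if rule.get("delete_message"):
        reasons.append("deletes the original so the mailbox owner never sees it")
    # Escalate only when mail actually leaves or is hidden; a keyword alone is a weak signal.
    if outside or (rule.get("delete_message") and keyed):
        return reasons
    return []

def audit_rules(rules):
    """One finding per suspicious rule across an export."""
    return [{"mailbox": r["mailbox"], "rule": r["name"], "reasons": rule_findings(r)}
            for r in rules if rule_findings(r)]
```

Running the audit on a real export on a schedule, and alerting the mailbox owner out of band when a rule is flagged, is the monitoring step the vendor in the story never had.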
That is why business email compromise tactics now top the FBI’s list of the most expensive cyber crimes affecting businesses under 500 employees, ahead of ransomware. The losses tend to dwarf ransomware totals because there is no recovery effort, no decryption fee, no negotiation. The money is wired out, the attacker pulls it through layered bank accounts, and it is gone within hours.
When Should Your Team Always Pick Up The Phone?
Not every payment needs a phone call. If your office cuts a fifteen-dollar petty cash check, nobody is suggesting you call to confirm. The trigger for a verbal confirmation should be based on the dollar amount, the type of payment, and whether anything about the request is different from the last time. A useful starting point for most small businesses on the Treasure Coast is that any wire transfer above a chosen dollar threshold, any change to existing vendor banking information, and any request that carries unusual urgency must get a phone call before the money moves.
The dollar threshold should be set deliberately. For some construction or healthcare offices it makes sense at five thousand. For a smaller professional services practice it might be fifteen hundred. The number itself matters less than the principle: there is a clear line, it is written down, and every person who can release a payment knows it.
Changes to vendor banking information should be the highest-priority trigger regardless of dollar amount. If a vendor you have paid for years suddenly emails new wire instructions, that single fact should pause the payment until somebody confirms it by voice. It doesn’t matter how plausible the explanation looks in the email. The whole point of an email security layer is to assume that the inbox could be compromised, and to require an out-of-band confirmation when the request involves rerouting money.
Urgency is the third trigger. Real vendors rarely insist on same-day payment, almost never refuse to take a phone call, and don’t get angry about a verification step. If an email pushes back hard against a confirmation call, treats the request as offensive, or quotes a deadline that wasn’t part of the original agreement, that is the strongest signal that the inbox is not in friendly hands.
What Does A Real Callback Procedure Look Like?
The single most important rule in a callback procedure is that the phone number must come from somewhere other than the suspicious email. Attackers know that if they put a fake contact phone number in the signature, the AP team will dial it and reach the attacker on the other end. That phone call will confirm the new wire instructions in a friendly voice, and the money will move.
A working procedure looks something like this. When a wire payment request meets the trigger criteria, the person handling the payment pulls the vendor’s phone number from an independent source. That source could be the signed master services agreement, the vendor’s verified website, a number that was used on a prior invoice from before the suspicious email, or the contact card stored in your business’s verified vendor file. It should never be the number in the questionable email.
The call itself does not need to be long. Ask for the person you usually deal with by name, mention that a new payment instruction came in, and ask them to confirm in their own words what bank account the payment should be routed to. If they don’t know about the email, you have just stopped a wire fraud. If they confirm in detail, document the confirmation, store it with the invoice, and release the payment.
If something feels off during the call, treat it as a possible incident. Pause the payment, document the discrepancy, and trigger your incident response playbook so the right people can investigate before any more money moves. It is much easier to delay one payment for a day than to recover funds that were wired into a controlled account on Friday afternoon.
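The trigger conditions and callback rule from the last two sections, written as a release gate; this is an added example, not the article’s own procedure or any O&O Systems tooling, and the vendor record, threshold and request fields are constructed:

```python
"""Payment-release gate for the triggers and callback rule described above: dollar threshold,
changed vendor banking, urgency wording, and a callback placed only to the number on file.
Added example, not the article's procedure; vendor record, threshold and fields are constructed."""
from dataclasses import dataclass

WIRE_THRESHOLD = 5000.00  # assumed policy line; the article suggests 1,500 to 5,000 by office type
URGENCY_WORDS = ("today", "immediately", "same-day", "before close", "urgent", "cannot wait")

# Verified vendor master kept outside email (constructed; 555 phone numbers are fictional).
VENDOR_MASTER = {
    "V-1042": {"name": "Example Concrete Supply", "routing": "123456789",
               "account": "000111222", "phone": "+1-772-555-0100"},
}

@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    routing: str
    account: str
    body: str            # email text, checked only for urgency wording
    phone_in_email: str  # number printed in the request's signature

def triggers(req, master):
    """Policy triggers the request hits; an empty list means normal processing."""
    hit = []
    if req.amount > WIRE_THRESHOLD:
        hit.append("amount above threshold")
    if (req.routing, req.account) != (master["routing"], master["account"]):
        hit.append("banking details differ from vendor master")
    if any(w in req.body.lower() for w in URGENCY_WORDS):
        hit.append("unusual urgency in request")
    return hit

def release_decision(req, callback_number=None, vendor_confirmed=False):
    """Return {'release': bool, 'reason': str}; the callback must use the number on file."""
    master = VENDOR_MASTER[req.vendor_id]
    hit = triggers(req, master)
    if not hit:
        return {"release": True, "reason": "no trigger; normal processing"}
    if callback_number is None:
        return {"release": False, "reason": "hold: callback required (" + "; ".join(hit) + ")"}
    if callback_number != master["phone"]:
        source = "the request email" if callback_number == req.phone_in_email else "an unapproved source"
        return {"release": False, "reason": "hold: callback number came from " + source}
    if not vendor_confirmed:
        return {"release": False, "reason": "hold: vendor did not confirm; open an incident"}
    return {"release": True, "reason": "released after voice confirmation on the number on file"}
```

The banking-change trigger fires regardless of amount, and the number printed in the email is rejected even when it is the only one the AP assistant has to hand, which is the exact failure the callback rule exists to prevent.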
How Do You Roll Out A Verification Policy Without Slowing Payments?
The biggest objection to a callback policy is always that it will slow operations down. That objection is usually overstated. Most small businesses send a handful of wires per week, not hundreds. Adding a five-minute phone call to the largest one or two each week costs less than thirty minutes of staff time. The cost of a single fraudulent wire dwarfs that overhead by several orders of magnitude.
The rollout does not have to be complicated. Start by writing the policy as a one-page document that names the dollar threshold, defines the trigger conditions, and lists the approved channels for verification. Get sign-off from the owner, the bookkeeper, and anyone else who can release a payment. Then put it on paper next to every workstation that handles invoices.
Train the finance staff with a short walkthrough and one realistic example. Most people learn this faster than expected because the underlying logic is intuitive. The hard part isn’t understanding it. The hard part is sticking to it when a vendor email looks normal and the AP assistant is busy. That is why pairing the policy with an outsourced IT team that monitors for compromised credentials and unusual sign-in patterns gives the policy a much better chance of catching the cases where the email itself wouldn’t raise any internal flags.
Finally, test the policy at least once a quarter. Send a simulated request to one of your AP staff that triggers the threshold or changes vendor banking. Watch what they do. If they catch it, reinforce the behavior. If they release the payment, treat it as a teaching moment, not a firing offense. The point is to find the gaps before an attacker does.
How Can You Get Help Setting This Up?
Most small Florida offices don’t have a finance team large enough to debate process for weeks. The practical path is to start with the policy template, adapt it to your dollar volume, and pair it with technical controls that make compromised vendor accounts less likely to slip through silently. That is exactly the combination O&O Systems sets up for clients under compliance-grade fraud controls, where the written process and the technical alerting work together. If your office processes wire payments to outside vendors of any size and hasn’t formalized a wire transfer verification policy yet, that is the gap worth closing this month.
Frequently Asked Questions
What is the difference between vendor email compromise and CEO fraud?
Both fall under business email compromise, but the attack path is different. CEO fraud impersonates an executive at your own company, usually from a lookalike domain, asking finance to send money. Vendor email compromise uses a real account at one of your suppliers, after the attacker has taken control of it, to redirect a legitimate-looking invoice. The vendor variant is harder to catch because the email actually does come from a trusted address.
Does multi-factor authentication on our end prevent invoice scams?
Multi-factor authentication on your accounts protects your own email, but it doesn’t help if the compromise is on the vendor’s side. Most invoice-swap fraud happens because the vendor’s account was breached, not yours. The defense has to focus on what your team does when a vendor email arrives, especially when it requests a change to payment instructions. The policy and the phone call are the controls that work even when the other party has been compromised.
How fast can a fraudulent wire be reversed by the bank?
The honest answer is that wire reversal is rare and time-sensitive. If you call the originating bank within hours and the funds are still in the receiving account, there is a chance to recall them. Most fraud rings sweep the money through layered accounts within a few hours, and once it moves to a foreign bank, recovery is unlikely. The time window often closes the same day, which is why prevention is the only reliable answer.
Should we verify ACH transfers the same way as wires?
For large ACH payments, yes. ACH is slower than a wire, which gives you a slightly longer recovery window, but a fraudulent ACH that clears can still leave you on the hook. Apply the same dollar threshold, the same banking-change trigger, and the same out-of-band confirmation step. The format of the payment matters less than the dollar amount and whether the instructions are new or changed.
Who should make the verification phone call?
Whoever is releasing the payment should also make the call, not delegate it to somebody who didn’t see the request. That keeps accountability with one person and avoids the broken-telephone problem where one staff member tells another that the call was made when it wasn’t. For larger payments, a two-person rule with the bookkeeper plus the owner adds another layer.
What if the vendor refuses or pushes back on a verification call?
A real vendor will not refuse a verification call on a wire that touches their banking information. If a vendor’s response is hostile, urgent, or insists that the payment must move before any call can happen, treat that as a strong indicator the inbox is not in friendly hands. Pause the payment, escalate it internally, and follow up through a channel you’ve used safely before.
Does cyber insurance cover wire fraud losses?
Coverage varies and is one of the most carefully worded sections of any small-business cyber policy. Many carriers will cover social engineering and fund-transfer fraud only if a written verification procedure was in place at the time of the loss and was followed. Some carriers exclude losses that happened without a documented callback step. Read the policy language carefully, and document your verification process so a claim is not denied for lack of process evidence.