Phony Bank Account Change Requests: How to Detect and Stop AP’s Silent Killer

By Phil Binkow, CEO of Financial Operations Networks

Picture this: You’re an accounts payable (AP) leader at a busy assisted living provider.  An email comes in from a trusted vendor, requesting a simple update to their banking details.  Everything looks legitimate – the vendor’s logo, the contact’s name, even the tone of the message.  Your AP team updates the information, processes the next payment, and moves on to the next fire drill.

A week later, the vendor calls.  They never received the payment.  The funds are long gone, rerouted to a fraudster’s account overseas.  What seemed like a small administrative task has turned into a six-figure loss, a damaged vendor relationship, and senior management demanding to know how such a mistake could have happened.  This isn’t hypothetical.  Phony bank account change requests are one of the fastest-growing forms of vendor impersonation fraud.

According to the 2025 AFP Payments Fraud and Control Survey:

  • 79 percent of organizations were targeted by payments fraud in 2024
  • 63 percent of organizations faced business email compromise (BEC) attacks – many involving fraudulent bank account change requests
  • Only 22 percent of victims recouped more than three-quarters of stolen funds

The trend line is clear: fraud is surging, and the odds of clawing money back are falling fast.

What Are Phony Bank Account Change Requests and How Do They Work?

Phony bank account change requests are a form of vendor impersonation that targets AP.  Instead of creating fake invoices, fraudsters focus on changing the destination of legitimate payments.

Here’s how they typically work:

  • The Setup: Fraudsters gather vendor information via phishing, hacked emails, or public sources.  They replicate logos, email styles, and tones to appear authentic.
  • The Deception: The fraudster contacts AP – usually by email – posing as the vendor.  They request updated payment details, often citing urgency like “our old account is closing.”
  • The Hook: If AP staff don’t validate rigorously, the fraudulent account is entered into the organization’s enterprise resource planning (ERP) or accounting system.
  • The Payout: The next payment is rerouted to the fraudster’s account, often overseas.  The vendor goes unpaid, the funds are unrecoverable, and reputational damage follows.

Fraudsters prefer this method because it exploits human trust and routine processes.

AP Change Processes: A Prime Target for Vendor Impersonation Fraud

Manual or semi-automated processes for verifying bank account change requests are riddled with weaknesses.  Emails can be spoofed.  Callback numbers can be faked.  Paper forms can be forged.  And when overstretched AP staff are juggling hundreds of requests, red flags can be missed.

Fraudsters know this.  They don’t hack systems.  They hack people.

How automation changes the game:

  • Automated bank account ownership verification.  Every bank account change request is automatically validated against trusted databases before it’s approved.  This eliminates reliance on vendor-provided data, which can be easily manipulated.  It also creates an audit trail, proving every verification step to boards, auditors, and regulators.  With real-time bank account verification, fraudsters are stopped before payments ever leave a buyer’s account.
  • Integrated TIN vetting and sanctions screening.  Vendors are automatically screened against IRS records and against Office of Foreign Assets Control (OFAC) and other sanctions lists alongside bank account verification.  Fraudsters often target international payments, where oversight is weaker.  Automated vetting closes these gaps and ensures compliance risks are minimized.
  • Alerts and escalations on suspicious requests.  Any unexpected change triggers alerts, ensuring it isn’t rubber-stamped by rushed AP staff.  Escalation workflows route these requests for higher-level review.  This not only reduces human error but also reinforces a “pause and verify” culture.  Fraudsters encounter roadblocks at every step.

How Automation Prevents Fraudulent Vendor Payment Requests

After a painful fraud incident involving a phony bank account change, imagine your organization saying, “never again.”  With bank account verification in place, the process looks very different:

  • Vendors submit change requests through a secure portal. No more emailed forms or random phone calls.  Fraudsters lose their easiest entry point because all requests flow through one controlled channel.
  • Bank account ownership is validated in real time in many cases. In as little as a few seconds, the system verifies that the bank account belongs to the vendor.  No paperwork.  No guesswork.  And there is no chance for fraudsters to redirect payments.
  • Exceptions trigger multi-level review before approval. Anomalies like mismatched details or change requests from new suppliers are automatically flagged.  Dual approvals and audit trails prevent rushed mistakes and force deliberate decision-making.
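
The three controls above can be expressed as one decision function. The sketch below is an added example, not code from the author or from any product: the field names, the 90-day "new supplier" threshold, the country comparison used as the "mismatched details" check, the rule that approvers must be independent of the AP handler, and the sample vendor data are all assumptions, and the ownership result is taken as an input from whatever verification service is in use.

```python
from dataclasses import dataclass, field

# Constructed sample vendor master; real data would come from the ERP.
VENDOR_MASTER = {
    "V-1001": {"country": "US", "days_since_onboarding": 400},
    "V-2002": {"country": "US", "days_since_onboarding": 12},
}
NEW_SUPPLIER_DAYS = 90  # assumed threshold for "new supplier"

@dataclass
class ChangeRequest:
    vendor_id: str
    channel: str            # "portal", "email", "phone"
    owner_verified: bool    # answer from an ownership-verification service (assumed)
    account_country: str
    handled_by: str         # AP staff member who processed the request
    approvals: list = field(default_factory=list)

def evaluate(req, audit):
    """Return 'rejected', 'pending_review' or 'approved'; log each step to audit."""
    def done(step, detail, outcome=None):
        audit.append((req.vendor_id, step, detail))
        return outcome

    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return done("vendor", "unknown vendor", "rejected")
    if req.channel != "portal":            # one controlled intake channel
        return done("channel", f"arrived via {req.channel}", "rejected")
    done("channel", "portal")
    if not req.owner_verified:             # ownership must be confirmed first
        return done("ownership", "account not confirmed as vendor's", "rejected")
    done("ownership", "confirmed")

    flags = []
    if req.account_country != vendor["country"]:
        flags.append("mismatched_details")
    if vendor["days_since_onboarding"] < NEW_SUPPLIER_DAYS:
        flags.append("new_supplier")
    done("exceptions", ",".join(flags) or "none")

    # Dual approval: two approvers, neither of whom handled the request.
    independent = set(req.approvals) - {req.handled_by}
    if flags and len(independent) < 2:
        return done("decision", "needs two independent approvers", "pending_review")
    return done("decision", "approved", "approved")
```

Every path appends to the audit list before returning, so a rejected or escalated request leaves the same evidence trail as an approved one.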

The outcome?  Fraud attempts still happen, but they’re intercepted before money moves.  AP staff feel empowered, vendors are paid securely, and leadership regains trust in AP controls.

Why Preventing Vendor Impersonation Fraud Is Urgent

Phony bank account change requests aren’t just an AP problem.  They’re an enterprise-wide risk.  They put an organization’s finances, vendor relationships, and reputation on the line.  And in today’s environment, fraud tactics are evolving faster than manual verification defenses can keep up.

Here’s why urgency matters:

  • The financial stakes are massive. Organizations lose millions annually to fraudulent bank account change requests.  Recovery is rare, and reputational damage is often worse than the financial hit.  Worse, once fraudsters succeed, they typically target an organization again.
  • Fraud tactics evolve faster than manual defenses. Callback verifications and email confirmations are no match for modern spoofing and AI-driven scams.  Manual processes lag behind sophisticated attacks.  Without automated verification, AP will always be vulnerable.
  • The cost of prevention is far less than the cost of failure. Automated verification tools may feel like an investment, but compared to a fraud incident, they’re a bargain.  Prevention also builds trust with boards, auditors, and vendors.

Don’t Let the Next Change Request Be Your Downfall

Phony bank account change requests are among the most dangerous and costly threats facing AP teams today.  They exploit human error, thrive on manual verification processes, and strike without warning.  But with automation, layered bank account verification, and built-in TIN matching and OFAC checking, organizations can turn this Achilles’ heel into one of their greatest strengths.
