Business Email Compromise in Accounts Payable Explained

Jul 9, 2026

Try it now, capture a real invoice

Free plan · No credit card · Your data stays yours

Business email compromise (BEC) in accounts payable is a scam where a criminal impersonates a trusted vendor or executive by email and tricks the AP team into redirecting a legitimate payment to a fraudulent bank account. The most common version is a fake vendor bank-change request: the attacker emails AP claiming the supplier has new banking details, AP updates the vendor record, and the next real invoice gets paid to the criminal. It works because the invoice itself is genuine. Only the destination account has been changed.

The FBI's Internet Crime Complaint Center has consistently ranked BEC among the costliest cybercrimes, with reported losses running into the billions of dollars a year across tens of thousands of complaints. Accounts payable sits directly in the blast radius, because AP is the team that holds vendor banking data and initiates payments. This guide explains how the attack unfolds, the warning signs, and the specific controls that stop it before money leaves your account.

What is business email compromise in accounts payable?

Business email compromise in accounts payable is a targeted fraud that uses a spoofed or hijacked email to change where a payment goes. Unlike a mass phishing blast, BEC is researched and personalized. The attacker studies your vendors and staff, then sends a message that looks like routine business, usually a request to update bank details or expedite a payment. Because the request rides on a real invoice and a familiar name, it slips past teams that check the invoice but not the identity behind the email.

There are two main entry points. In spoofing, the criminal registers a look-alike domain (swapping an l for a 1, or adding a word) and sends from it. In account takeover, the criminal has actually compromised a real mailbox, often the vendor's, and sends from the genuine address, which is far harder to catch. Either way, the goal is the same: get your vendor master file to point at their account.

How a BEC attack on AP unfolds

The pattern is consistent enough that you can build controls around each step:

  • Reconnaissance. The attacker identifies a supplier you pay regularly and the names of your AP and finance staff, often from LinkedIn, your website, or a prior breach.
  • The lure. An email arrives, apparently from the vendor's finance contact, saying their bank has changed and future payments should go to a new account. It may include a convincing letterhead or a spoofed reply chain.
  • The change. If AP updates the vendor record without independent verification, the fraudulent account is now on file.
  • The payout. The next legitimate invoice is paid to the criminal. Because everything else about the invoice is real, nothing looks wrong until the true vendor asks where their money is.
  • The window closes. By the time the genuine vendor follows up, often weeks later, the funds have usually been moved on and are hard to recover.

Red flags AP should treat as stop signals

Train the team to pause on any of these, even when the email looks legitimate:

  • A request to change a vendor's bank account, especially by email alone.
  • Urgency or secrecy ("process this today," "do not call, I am in meetings").
  • A reply-to or sender domain that differs by one character from the real one.
  • A change of bank details that arrives close to a known large invoice or payment run.
  • A new account in a different country or bank than the vendor has always used.
  • Slightly off language, formatting, or signature compared with prior emails from that contact.

Controls that stop BEC in accounts payable

No single control is enough. Layer these so a failure in one is caught by another:

  1. Out-of-band verification for every bank change. Confirm any change to vendor banking by calling the supplier on a phone number you already have on file, never a number in the request email. This one control blocks most BEC losses.
  2. Dual approval on vendor master edits. Require a second person to approve any change to a vendor's bank details, and log who changed what and when.
  3. Separation of duties. The person who can edit vendor banking should not be the person who releases payments.
  4. Email authentication. Deploy DMARC, DKIM, and SPF so spoofed domains are flagged or rejected before they reach AP.
  5. Automated duplicate and anomaly checks. Software that flags a changed bank detail, a mismatched vendor, or a repeated invoice number gives AP a second set of eyes on every bill.
  6. A verified vendor onboarding process. Collect and validate banking details through a controlled process at onboarding, not through ad hoc email later.

Manual versus automated defenses against BEC

The table shows where automation strengthens the human controls that catch BEC.

ControlManual APAutomated AP
Bank-change verificationDepends on staff remembering to call backChange is flagged and held pending verification
Vendor master editsOften a single person, lightly loggedDual approval with a full audit trail
Duplicate or altered invoiceCaught only if someone noticesAutomatically flagged before payment
Approval trailEmail threads and memoryTime-stamped record for every step

Automation does not replace the callback rule, but it removes the reliance on any one person catching the fraud. A system that holds a bank-detail change until it is verified, and records every approval, turns a policy that people forget under pressure into a step the workflow enforces every time.

What to do if you suspect a BEC payment

Move fast, because recovery odds fall by the hour. Contact your bank immediately and ask them to recall the payment and freeze the receiving account. Report the incident to the FBI at ic3.gov, which coordinates fund-recovery efforts. Notify the real vendor so they can check whether their own mailbox was compromised. Then review your logs to see how the change was made and close that gap. Finally, reconcile carefully: download the bank statement and import those transactions straight into your books to confirm exactly which payments cleared and to which accounts, so you know the full scope before you brief leadership.

Building BEC resistance into your AP workflow

The teams that rarely lose money to BEC are not the ones with the best instincts. They are the ones whose process makes the safe action the default: bank changes are verified out of band, vendor edits need two people, and software flags anything unusual before a payment runs. If your controls live only in people's heads, they fail exactly when an attacker applies pressure. Moving those checks into an enforced workflow is the durable fix. To see how automated detection catches altered bank details and mismatched vendors, read about invoice fraud detection software, review the broader set of schemes in our invoice fraud examples guide, and lock down the intake side with a verified vendor onboarding process. For the wider control framework, see our guide to accounts payable fraud prevention.