ScamSpot for Business

Verify a vendor bank-change request before you update the master file

A vendor just emailed your AP team asking to update their bank-account number, routing number, or payment method. This is the single most common business email compromise (BEC) pattern: studies put unverified bank-change requests at the root of a majority of B2B wire fraud losses.

Before you update the vendor master file, paste the email below to get a B2B-tuned risk read AND walk through the verification protocol. ScamSpot does NOT verify the vendor or the new bank account; it helps your team slow down and verify independently.

Unverified bank-change requests are the #1 BEC pattern

Never update a vendor's bank-account or payment-routing information based on email alone. Require a phone call to the vendor on a number from your existing master file, a second-approver sign-off, and a paper trail with the verification source documented.

Free scam check

Paste the bank-change email or request

The sample is a realistic vendor bank-change BEC. Replace it with the email body, signed letter, or onboarding form you received. Remove account numbers and confidential vendor data first.

Red flags in bank-change requests

Look for combinations. Any single flag may be innocent, but two or three together should escalate the request.

  • Request arrives by email only - no signed letter on vendor letterhead, no phone notice.
  • Sender is a new contact you have not corresponded with before, even if the domain is correct.
  • Sender domain is a lookalike (extra letter, missing letter, .co vs .com, different TLD).
  • Reply-to address differs from From address (check the raw email headers).
  • Request includes urgency: 'effective immediately', 'this week's run', 'before next invoice'.
  • Bank-change letter is a PDF only, with no original signature you can verify.
  • New bank is in a different country or region than the vendor's historical bank.
  • Vendor's normal AP contact is CC'd but never responds to your verification email.
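
The header-level flags in this list (lookalike sender domain, Reply-To that differs from From, urgency wording) can be checked mechanically against the raw message. The sketch below is an added example, not ScamSpot's code; the function names, the `known_domain` parameter (the vendor's domain as recorded in your master file) and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Urgency phrases quoted in the red-flag list above.
URGENCY = ("effective immediately", "this week's run", "before next invoice")

def address_of(header_value):
    return parseaddr(header_value or "")[1].lower()  # bare address, '' if absent

def edit_distance(a, b):
    """Levenshtein distance; catches extra-letter and missing-letter domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def header_flags(raw_email, known_domain):
    """Red flags visible in one raw plain-text message, given the master-file domain."""
    msg = message_from_string(raw_email)
    sender, reply_to = address_of(msg["From"]), address_of(msg["Reply-To"])
    domain = sender.rpartition("@")[2]
    flags = []
    if domain != known_domain:
        name_match = domain.split(".")[0] == known_domain.split(".")[0]
        lookalike = name_match or edit_distance(domain, known_domain) <= 2
        flags.append("lookalike-domain" if lookalike else "unknown-domain")
    if reply_to and reply_to != sender:
        flags.append("reply-to-mismatch")
    body = "" if msg.is_multipart() else msg.get_payload().lower()
    if any(phrase in body for phrase in URGENCY):
        flags.append("urgency-language")
    return flags

def should_escalate(flags):  # the page's rule: two or three flags together escalate
    return len(flags) >= 2

# Constructed sample message; every address and domain here is made up.
SAMPLE = """\
From: "Dana Reyes" <dana.reyes@acme-supplies.co>
Reply-To: dana.reyes.ap@mailbox.example
 
We moved banking. Update our payment file effective immediately.
"""

if __name__ == "__main__":
    print(header_flags(SAMPLE, known_domain="acme-supplies.com"))
```

An empty result only means none of these three flags fired; a new contact writing from the correct domain produces no flag here, so the call-back on a number from the master file still applies.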

Bank-change verification protocol

Make this your AP team's standard operating procedure. Document the verification source in the vendor master.

  • Step 1 - Call the vendor on a phone number from your existing vendor master file or a prior signed contract. NEVER use a number from the bank-change email.
  • Step 2 - Ask for two named contacts at the vendor (finance lead + executive) to confirm the change verbally.
  • Step 3 - Require a counter-signed bank-change letter on vendor letterhead, sent via a channel other than the original email.
  • Step 4 - Get a second approver inside your finance team to sign off on the master-file update.
  • Step 5 - Send a small test payment (e.g. $1) to the new account and confirm receipt via the verified phone contact before processing the next full invoice.
  • Step 6 - Document the verification source (caller name, phone number, date, time) in the vendor master comments.
  • Step 7 - Hold all payments to that vendor for 24-48 hours after the change to detect any reversal request.

If the change turns out to be fraud

Speed matters. Wire recall windows close within 24-72 hours.

  • Call your bank immediately and request a wire recall under the FBI Financial Fraud Kill Chain.
  • File a complaint with the FBI IC3 (ic3.gov) the same day.
  • Report to the FTC (reportfraud.ftc.gov).
  • Notify the impersonated vendor so they can warn their other customers and check their own email security.
  • Have IT review whether your AP team mailboxes were compromised.
  • Engage your cyber insurance carrier and legal counsel.

Disclaimer

ScamSpot for Business provides risk indicators only. It does NOT verify vendors, bank accounts, or invoice legitimacy. Always call the vendor on an independently verified phone number - never one in the suspicious email - before taking action.

  • Not a vendor verification service.
  • Not a bank-account ownership validator.
  • Not legal, financial, or compliance advice.
  • Report confirmed fraud to the FBI IC3 (ic3.gov) and the FTC (reportfraud.ftc.gov).

Example: vendor bank-change BEC

Per our finance director's instructions we moved banking - update our payment file with the new account in the attached letter.

  • Email-only bank-change request with no phone notice is a primary BEC indicator.
  • Verify with vendor's finance lead and an executive contact on a known phone number.
  • Send a $1 test payment to confirm before processing the next full invoice.

Vendor bank-change FAQ

What is the single most important control for vendor bank-change fraud?

A call-back to the vendor on a phone number from your existing records - never a number in the email. That one step alone stops the majority of bank-change BEC.

Should I require a signed letter on letterhead?

Yes, but treat it as one signal among several. PDFs of signed letters are easy to forge. The phone verification is what matters.

Why send a $1 test payment first?

If the bank change is fraudulent, a $1 test payment exposes the wrong account before the full invoice amount is lost. The vendor's verified contact should confirm receipt.

How often does email-only bank-change verification fail?

Industry studies consistently put it among the top causes of BEC losses. The FBI IC3 documents thousands of BEC complaints annually with billions of USD in losses.

Does ScamSpot verify the vendor or the new account?

No. ScamSpot for Business provides risk indicators only. It does NOT verify vendors, bank accounts, or invoice legitimacy. Always call the vendor on an independently verified phone number before updating master data.