Callback control

Vendor verification call script

The callback is the cheapest control in AP fraud prevention, but it only works if your team uses a number already in trusted records.

Do not call a number from the suspicious email, PDF, invoice footer, or signature. Use vendor master data, a prior signed contract, or another independently trusted record.

Generate script in checker Read FAQ

Quick answer

Never verify through the suspicious channel

A callback only counts if the phone number came from your records, not from the email that requested the payment.

Free AP Fraud SOP Kit

Turn this check into an AP policy

Get the vendor bank-change policy, callback script, approval note, incident checklist, and hold triggers for your finance team.

Get the SOP kit Future paid: saved checks, audit log, PDF reports, team templates - $19/mo teaser.

Copyable base script

Use this structure, then document the result in your vendor master or payment approval note.

  • Hi, this is [name] from [company]. I am calling using the phone number already in our vendor records.
  • We received invoice/payment request [number] for [amount]. I need to verify the invoice and payment instructions before release.
  • Can you confirm whether bank, ACH, routing, or wire details changed?
  • Who authorized the change, and can a second known contact confirm it?
  • For security, we will not use any contact details from the suspicious email thread.

What to document

The control is only useful if it creates an audit trail.

  • Caller name and role.
  • Phone number used and where it came from.
  • Date, time, and verification outcome.
  • Second approver name when payment details changed.
  • Decision: pay, hold, reject, or escalate.

Vendor Verification Call Script FAQ

Can I verify by replying to the email?

No. If the mailbox is compromised, your reply reaches the attacker. Start from a trusted phone number or known contact record.

Should we record the call?

Follow your company policy and local law. At minimum, document who verified what, when, and using which trusted number.