Learn

The bookkeeper's check for vendor bank-detail changes

The most expensive email a small business receives looks like the most boring one: a vendor asking to update their bank details for future payments. It arrives in a real thread, references real invoices, and carries the right signature block, because the sender is either inside the vendor's actual email account or impersonating it closely. The next payment run sends real money to the new account, and the loss usually surfaces weeks later when the real vendor asks where their payment went.

Accounts-payable teams stop this with process, not intuition. The request is designed to read as routine; the routine has to be designed to catch it.

The five-minute verification

First, call the vendor at a number from your vendor master file or their website, never from the email requesting the change, and confirm the new details verbally. Criminals include accomplice phone numbers in their requests, so the source of the number matters more than the call itself.

Second, check the message's own records before trusting the thread. Save the email as a .eml file and examine what the mail systems recorded: whether the sending domain's authentication checks passed, whether the visible sender matches the path the message traveled, and whether replies are silently redirected to a different address. A reply-to pointing at a lookalike domain, vendor-name.co instead of vendor-name.com, is a payment redirect announcing itself.

Third, check any attached documentation the same way. Redirect requests often include a bank letter or updated invoice as a PDF. A letter genuinely issued by a bank or produced by the vendor's accounting system carries that history in its file records; one assembled for the request usually shows a PDF editor, a creation date the same week, or stacked edit layers over an older document.

Process beats vigilance

Put the rule in writing and apply it without exception: bank-detail changes require verbal confirmation at a known number plus a second approver, regardless of how legitimate the request looks or how urgent it claims to be. Urgency is the tell, not a reason to skip the check. The requests that cite a deadline, an audit, or a frozen account are the ones engineered to bypass your routine.

Log every change request, including the ones that fail verification. A failed verification means the vendor's email is compromised right now, and they need to know today, through a channel the criminal does not control.

FAQ

What makes these requests so convincing?

They are frequently sent from the vendor's real, compromised mailbox, inside an existing thread about real invoices. Nothing about the writing gives them away, which is why verification has to rest on the message's technical records and an out-of-band phone call rather than on reading carefully.

Should small businesses verify every invoice this way?

Verify every change to payment details and every first payment to a new vendor. Routine invoices from established vendors at established details carry far less risk; the redirect moment is where the money is lost.

What if the vendor confirms the email is real but the records look wrong?

Confirm you called a number you sourced independently. If the records still look wrong, ask the vendor to send the details through a second channel, their billing portal or a verified phone call, and tell them what you found; mismatched records in a real thread frequently mean their mailbox is compromised.