The Due Diligence Gap in Vendor Fraud: What Investigators Find After the Damage Is Done

0
944

By Julia Blokhina

By the time a fraud investigator walks into an organization, the money is usually gone. Wire transfers move within hours. Funds are routed through two or three intermediary accounts before the victim has finished their first call with the bank. What the investigator spends most of their time on is not chasing the funds. It is reconstructing how the organization arrived at the moment it approved the transfer.

That reconstruction almost always reveals the same things.

The Cases Are Different. The Gaps Are Not.

In 2024, the FBI’s Internet Crime Complaint Center recorded $2.77 billion in confirmed business email compromise losses, with the average loss per incident running nearly $130,000. Vendor email compromise is a form of fraud in which an attacker impersonates a supplier or trusted business contact to redirect payments or sensitive financial information. This specific variant targets supply chain relationships and has grown consistently year over year as attackers shift focus toward third-party email access rather than direct internal compromise.

These numbers describe a problem that is large, persistent, and growing. What they do not describe is how routine the failures that enable it tend to be.

In the majority of vendor fraud cases I have investigated, the loss was preceded by at least one moment where a standard verification step either did not exist, was skipped under time pressure, or had never been formalized into policy. The fraud did not succeed because the attacker was sophisticated. It succeeded because the organization’s process had a gap the attacker could walk through.

What Investigators Find

The vendor callback never happened

This is the single most common finding. A vendor sends updated banking details by email. Finance processes the change. The next payment goes to an account the attacker controls. When I ask whether anyone called the vendor to confirm, the answer is almost always no. Sometimes there is no policy requiring it. Sometimes the policy exists but applies only to new vendors, not to changes on existing ones. The attacker, who has spent time studying the organization’s email traffic, knows which threshold to stay under.

The fix is simple and costs nothing: any change to banking details requires a verbal confirmation call to a phone number sourced independently from the change request itself. Not the number in the email. Not the number in the email signature. The number on file from the original vendor setup.

Nobody checked the vendor’s email domain

In vendor email compromise cases, the attacker is typically using an email address that looks like the vendor’s but is not. The domain was registered recently, sometimes within days of the attack. A check against the vendor’s known email domain, or a basic WHOIS lookup showing the sending domain is three weeks old, would have flagged it immediately.

The Ubiquiti Networks case, which resulted in a $46.7 million loss, involved spoofed email addresses impersonating internal employees and vendors. The fraud was not discovered until the company was proactively notified by the FBI about 14 outgoing wire transfers from its accounts taking place over 17 days. How long the attack would have gone unnoticed without FBI intervention remains an uncomfortable topic of speculation. A domain verification step during payment approval would have caught the mismatch before any transfer was made.

For compliance teams without in-house technical resources, this check does not require a security expert. A basic WHOIS lookup shows when a domain was registered. Several free and low-cost domain reputation tools will flag newly registered domains or domains with no established history.

The invoice was never cross-referenced

In a well-functioning accounts payable process, every invoice is matched against a purchase order and approved by the business unit that initiated the spend. In practice, high-volume environments accumulate exceptions: invoices approved directly by finance, payments processed under urgency without procurement sign-off, amounts just below dual-authorization thresholds. Attackers study these patterns. The invoices that sail through are the ones that look like the exceptions the organization has already normalized.

After a fraud, the paper trail typically shows that the fraudulent invoice followed the exact same path as a category of legitimate invoices the organization routinely fast-tracked. The attacker did not defeat the controls. They identified where the controls did not apply.

How Long It Goes Undetected

Attackers may employ sophisticated strategies to delay fraud discovery such as multiparty pretexting, manipulating multiple threads in order to postpone detection. In higher-volume supply chain environments, where fraudulent invoices blend into a large accounts payable ledger, detection at the longer end of that range is common. In the majority of investigations I have been involved in, discovery happened not through a real-time detection system but at a quarterly audit or reconciliation, when a legitimate vendor flagged that an expected payment had not arrived.

By that point, the funds have moved through multiple jurisdictions. Recovery is possible in some cases, but partial and slow. The practical window for intervention is in the first 24 to 72 hours after transfer, which is almost always before the fraud has been detected.

Three Controls Worth Formalizing

If compliance functions take one thing from this: the most effective fraud prevention is not technology. It is process discipline applied consistently to the moments of highest risk. Three controls worth formalizing are:

  1. Establish callback verification for any banking detail change, regardless of whether the vendor is new or longstanding. Make it a non-negotiable step with a documented record, not a courtesy call someone might make if they have time.
  2. Build domain verification into payment approval workflows for vendors who contact you by email. This does not require a technical team. It requires a 90-second check and a policy that flags mismatches.
  3. Audit your exceptions. Every accounts payable process has categories of transactions that move faster than others. Those categories are where fraud enters. Map them, understand why they exist, and close the ones that cannot be justified by operational necessity.

The organizations that avoid vendor fraud are not the ones with the most sophisticated detection systems. They are the ones that made the basic checks non-negotiable before an investigator ever had a reason to ask why they were skipped.

About the Author

Julia Blokhina is Chief of Operations at Transparent Business Solutions B.V. and scaminfo.ai, where she leads multi-jurisdictional online fraud investigations, cryptocurrency transaction tracing, and cyber investigation operations. She collaborates regularly with law enforcement and investigative firms across Europe.