
Vendor Impersonation: The Quiet Phishing Vector Nobody Talks About

Vendor impersonation is the quiet, high-loss phishing vector hitting small businesses every week. Here is how it works and what stops it.

Most coverage of phishing focuses on the obvious vectors: credential harvesting from a fake login page, CEO impersonation asking for a wire transfer, fake invoices demanding immediate payment. The attack vector that quietly produces the largest small-business losses gets less coverage because it does not look like an attack until the wire goes out.

This is vendor impersonation. The vendor is real. The relationship is real. The invoice cycle is real. Only the wire instructions are wrong. This post is about how that pattern works and what defenses actually stop it.

How Vendor Impersonation Works

The structure of a vendor impersonation attack:

Step one: research the relationship. The attacker identifies a target organization and one of its real vendors. This is not difficult. Vendor relationships are visible in many places: invoice approval workflows that loop in third parties, LinkedIn posts about vendor partnerships, public procurement records, leaked email threads from prior breaches at adjacent organizations. The attacker does not need deep access to the target. They need to know that vendor X exists and bills target Y.

Step two: register a lookalike domain or compromise a real one. The attacker needs an email address that the target’s AP function will trust. Two approaches. First, register a domain that looks like the vendor’s real domain (example.co instead of example.com, example-inc.com instead of example.com). Second, compromise an account at the real vendor and send the attack from inside. Both approaches are common.

Step three: send the wire-update request. The email is sent to the AP contact at the target. The message reads as a routine wire-update notification: “Please update our wire instructions for your next invoice payment to the following account.” The new account is the attacker’s. The email may include a forged invoice with the new wire details, or just a notification that a follow-up will come.

Step four: collect the wire. The next routine invoice payment from the target lands in the attacker’s account. By the time the real vendor follows up about the missing payment (typically 30 to 60 days later), the funds are gone.

The attack works because the target was expecting a vendor invoice and processed the wire-update notification as a routine administrative task. The AP person handling it did not call the vendor to verify, because they had no reason to think anything was wrong.

Why It Is Underreported

Vendor impersonation does not produce the dramatic news cycles that ransomware or large CEO-fraud incidents do. Most incidents resolve quietly: the loss is between four and six figures for a small business, the attacker cannot be caught, the cyber insurance covers part of the loss, and the business adopts a wire-verification protocol.

Coverage is also fragmented. The FBI’s Internet Crime Complaint Center reports vendor email compromise as a category, but the per-incident losses are smaller than the headline-grabbing single-target BEC attacks. The cumulative loss across all incidents is large, but no single incident makes the news.

The result is a pattern that almost every small business will encounter at some point but that few small businesses prepare specifically for.

Industries Most Affected

Some industries have structural exposure that makes vendor impersonation particularly common.

Construction. Subcontractor and vendor invoices are constant, AP volume is high, and project managers approve wires under deadline pressure. We covered this specifically in construction invoice fraud and email protection.

Healthcare and small medical practices. Equipment vendors, EHR providers, billing services, and contractor relationships all involve routine wires. The practice manager handles AP between patient appointments. The attention bandwidth for verification is limited. We covered the broader frame in healthcare practice email security.

Manufacturing. International supplier wires are large, frequent, and often time-sensitive. The lookalike-domain version of vendor fraud is particularly common because the legitimate supplier names are sometimes obscure to the AP function.

Real estate and title. The closing-stage version of vendor fraud impersonates the title company or attorney and redirects the buyer’s closing wire. The losses per incident are large because the wires are large. We covered this in real estate wire fraud.

Professional services (law, accounting, consulting). Routine vendor invoices, payroll services, and contractor payments all involve wires. The AP function in a small firm is often the office manager or paralegal who has many other responsibilities.

The common pattern across industries is high AP volume, routine vendor relationships, and a person processing wires who is not specifically trained in fraud detection.

What Standard Phishing Defenses Do and Do Not Do

A typical small business has Gmail or Microsoft 365 native filtering, possibly Defender for Office 365, and possibly a third-party security gateway. What each layer does for vendor impersonation:

Native Gmail or Outlook filtering. Catches most mass-volume mechanical phishing attempts and known-bad domains. Vendor impersonation usually passes because the email is well-crafted, comes from a non-blacklisted domain, and contains nothing technically suspicious.

Defender for Office 365 or Workspace Advanced Protection. Adds URL rewriting, attachment sandboxing, anti-spoofing, and (in Defender) impersonation detection. Defender’s impersonation detection in the Standard tier flags external email whose sender display name matches an internal user; this catches some CEO-fraud variants. The vendor impersonation pattern is usually not caught because the lookalike vendor domain is not a known internal sender, so there is nothing for it to be compared against, unless the vendor’s real domain has been added to the policy’s list of custom domains to protect.

Third-party gateways (Proofpoint, Mimecast, Barracuda). Add deeper threat intelligence, more sophisticated impersonation detection, and sometimes vendor-relationship analysis. The detection rate improves but is not 100%, especially for compromised-vendor attacks where the email is sent from the real vendor’s own infrastructure.

Inbox-layer filtering. A filter that asks unknown senders for a small cover charge does not stop a compromised-vendor attack (the vendor is on your guest list because they are real) but does stop the lookalike-domain mass version (the lookalike domain is unknown, has to pay the cover charge, and a 1,000-recipient blast costs $40 instead of $0 to send).

The honest summary: no single layer catches the precision attacks. The targeted version of vendor impersonation, where the attacker has done research and crafted a specific message from a compromised account, is a procedural problem more than a technical one.
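The gap described above is that the filters compare against internal senders, not against the vendors the AP function actually pays. The following is an added example, not Rythm’s code or any gateway’s logic, of the vendor-list-aware check a business could run on inbound mail: it normalizes the sender domain, then names the resemblance to a listed vendor (different TLD, inserted hyphen or affix, digit-for-letter substitution, or a single edit including a transposition). The vendor list and the sample addresses are constructed; the domain-splitting rule assumes a plain two-label domain and does not handle ccSLDs such as .co.uk.

```python
"""Flag sender domains that resemble a vendor domain the AP function already knows.

Added example, not Rythm's code or any gateway's logic. Assumes the AP system
can export the domains of its real vendors; the list below is constructed.
"""
from dataclasses import dataclass
import unicodedata

KNOWN_VENDOR_DOMAINS = {"example.com", "acmesupply.com", "northtitle.net"}  # constructed

# ASCII substitutions commonly used in lookalike registrations.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


@dataclass
class Verdict:
    sender_domain: str
    status: str           # "known", "lookalike" or "unknown"
    matched_vendor: str   # vendor domain it matches or resembles, "" if none
    reason: str


def _normalize(domain: str) -> str:
    # Fold Unicode compatibility forms and case so "Example.COM." == "example.com".
    return unicodedata.normalize("NFKC", domain.strip().rstrip(".")).lower()


def _name_and_tld(domain: str) -> tuple[str, str]:
    # Assumption: the last label is the TLD and the one before it is the
    # registrable name; ccSLDs such as .co.uk are not handled here.
    labels = domain.split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (domain, "")


def _fold(label: str) -> str:
    # Replace digit/letter confusables so "examp1e" compares as "example".
    for lookalike, letter in CONFUSABLES.items():
        label = label.replace(lookalike, letter)
    return label


def _osa_distance(a: str, b: str) -> int:
    # Optimal string alignment distance: single-character edits plus adjacent
    # transpositions, so "exmaple" is one step from "example".
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify_sender(address: str, known: set[str] = KNOWN_VENDOR_DOMAINS) -> Verdict:
    """Compare the sender's domain against the vendor list and name the resemblance."""
    domain = _normalize(address.rsplit("@", 1)[-1])
    if domain in known:
        return Verdict(domain, "known", domain, "exact match on vendor list")
    name, tld = _name_and_tld(domain)
    bare = name.replace("-", "")
    for vendor in sorted(known):
        vname, vtld = _name_and_tld(vendor)
        if name == vname and tld == vtld:
            return Verdict(domain, "known", vendor, "subdomain of a listed vendor")
        if name == vname:
            return Verdict(domain, "lookalike", vendor, "same name, different TLD")
        if _fold(name) == _fold(vname):
            return Verdict(domain, "lookalike", vendor, "character substitution")
        if len(vname) >= 4 and bare != vname and (bare.startswith(vname) or bare.endswith(vname)):
            return Verdict(domain, "lookalike", vendor, "vendor name with added affix")
        if _osa_distance(name, vname) == 1:
            return Verdict(domain, "lookalike", vendor, "one edit from vendor name")
    return Verdict(domain, "unknown", "", "no resemblance to a listed vendor")


if __name__ == "__main__":
    # Constructed sample senders: one real vendor, four lookalikes, one stranger.
    for addr in ("ap@example.com", "billing@example.co", "ar@Example-Inc.com",
                 "ar@examp1e.com", "ar@exmaple.com", "new@newvendor.org"):
        v = classify_sender(addr)
        print(f"{addr:25} {v.status:9} {v.matched_vendor:14} {v.reason}")
```

A "lookalike" verdict is a reason to hold the message for the out-of-band procedure, not proof of fraud: a vendor that really did move from example.com to example.co will trip it too, and the phone call is what settles it. The compromised-real-vendor case returns "known", which is exactly the limitation the text describes.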

What Procedural Defenses Actually Work

The single most reliable defense against vendor impersonation is out-of-band verification. The protocol:

Any vendor wire-update request, payment-detail change, or unusual payment instruction is verified by a phone call to a number the AP function already had, not a number from the email asking for the change. The phone call is to a person at the vendor whom the AP function has spoken with before. The verification is documented in the AP system.

This single procedure prevents most successful attacks because attackers have no way to intercept a phone call to a number they did not provide. The procedure costs ten minutes per change. It is the highest-impact email-fraud control most small businesses can implement.

Adjacent procedures that help:

Two-person approval for wire changes above a threshold. A second person reviews any wire-update notification before it is processed. The threshold is typically the amount the business can absorb without material harm.

Standardized wire-change form. Instead of accepting a wire-update from any email format, require vendors to submit changes via a standardized form (PDF or paper) with verification fields the AP function checks against records. Some vendors will resist; reputable vendors will not.

Periodic vendor-list audit. Once per quarter, the AP function reviews all vendors and confirms current wire instructions against the vendor’s website or a known-good contact. Catches stale changes that may have been made fraudulently.

Cyber insurance with social-engineering coverage. A cyber rider with social-engineering coverage covers wire-fraud losses up to the policy limit. Verify the sub-limit, the waiting period (typically 30 days for delayed-discovery), and the protocol-compliance requirements.
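The verification rule and the two-person threshold above are simple enough to enforce in whatever system records AP approvals, so that a change cannot be marked complete without the call being logged against a number that predates the request. The following is an added example, not Rythm’s code, of such a guard: the vendor record, the request fields, the $10,000 threshold and the sample requests are all constructed assumptions, and the point is that the check distinguishes “no call made” from “called the number the email supplied” from “called a number on file but skipped the second approver”.

```python
"""Guard for vendor wire-change requests that encodes the out-of-band rule.

Added example, not Rythm's code. Assumes an AP system keeps, per vendor, the
phone numbers it already had before any request arrived, and logs who was
called for each change. All data and the threshold below are constructed.
"""
from dataclasses import dataclass
import re

TWO_PERSON_THRESHOLD = 10_000.00  # constructed; set to what the business can absorb


def _digits(number: str) -> str:
    """Normalize a phone number to digits so formatting differences do not matter."""
    return re.sub(r"\D", "", number)


@dataclass
class VendorRecord:
    name: str
    phones_on_file: set[str]   # numbers AP had before this request arrived
    account_on_file: str


@dataclass
class WireChangeRequest:
    vendor: str
    new_account: str
    next_payment: float
    number_in_email: str          # callback number the requesting email offers
    number_called: str = ""       # number AP actually dialed, "" if no call yet
    contact_reached: str = ""     # known vendor contact who confirmed the change
    second_approver: str = ""     # required at or above TWO_PERSON_THRESHOLD


def evaluate(req: WireChangeRequest, vendors: dict[str, VendorRecord]) -> tuple[bool, list[str]]:
    """Return (approved, reasons). Every failing rule is listed, not just the first."""
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return False, ["vendor not on file; route through new-vendor onboarding"]
    if req.new_account == vendor.account_on_file:
        return True, ["account unchanged; nothing to update"]

    reasons: list[str] = []
    on_file = {_digits(p) for p in vendor.phones_on_file}
    called = _digits(req.number_called)
    if not called:
        reasons.append("no out-of-band call recorded")
    elif called not in on_file:
        reasons.append("number called is not one AP already had on file")
        if called == _digits(req.number_in_email):
            reasons.append("number called was supplied by the requesting email")
    elif not req.contact_reached:
        reasons.append("call not attributed to a known vendor contact")
    if req.next_payment >= TWO_PERSON_THRESHOLD and not req.second_approver:
        reasons.append(f"payment of {req.next_payment:,.2f} needs a second approver")
    if reasons:
        return False, reasons
    note = f"confirmed by {req.contact_reached} at a number on file"
    if req.second_approver:
        note += f"; second approval by {req.second_approver}"
    return True, [note]


# Constructed sample vendor: one number on file, one account on file.
VENDORS = {"Acme Supply": VendorRecord("Acme Supply", {"(555) 010-0100"}, "ACCT-ORIGINAL")}


def demo() -> list[tuple[bool, list[str]]]:
    """Three constructed requests: email-supplied number, missing second approver, compliant."""
    bad = WireChangeRequest("Acme Supply", "ACCT-NEW", 4_500, "555-010-0999",
                            number_called="555-010-0999", contact_reached="Pat")
    big = WireChangeRequest("Acme Supply", "ACCT-NEW", 25_000, "555-010-0999",
                            number_called="555 010 0100", contact_reached="Pat")
    ok = WireChangeRequest("Acme Supply", "ACCT-NEW", 25_000, "555-010-0999",
                           number_called="5550100100", contact_reached="Pat",
                           second_approver="Controller")
    return [evaluate(r, VENDORS) for r in (bad, big, ok)]


if __name__ == "__main__":
    for approved, reasons in demo():
        print("APPROVED" if approved else "HELD", "-", "; ".join(reasons))
```

The first request is held even though a call was made and a contact named, because the number dialed is the one in the email; that is the case the ten-minute procedure exists to catch, and it is the one a tired AP clerk is most likely to get wrong.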

Where Rythm Fits

Rythm is a structural inbox-layer filter. What it does for vendor impersonation:

Mass lookalike-domain version. A 1,000-recipient blast from a new lookalike domain costs $40 to send when each recipient has a four-cent cover charge. This is high enough to break the economics of the typical mass campaign. The 5,000 small businesses being hit by the same lookalike-domain wave drops to whichever subset the attacker is willing to spend $200 to reach.

Compromised-real-vendor version. Walks straight through Rythm. The real vendor is on your guest list because they are a real vendor. The attack is downstream of identity. Out-of-band verification is the defense. (One caveat that helps: if the attacker is using a lookalike domain rather than the actual compromised account, the email lands as an unknown sender and either pays the cover charge or waits for review. Paid impersonation arrives with a PAID label, which is itself unusual for what claims to be a familiar vendor.)

New-vendor-relationship version. A real new vendor reaching you for the first time is unknown to your guest list. They either pay the cover charge to reach you (which is fine, four cents is not a barrier for a real vendor) or wait in the held-for-review folder. Either way, the message gets through. The cover charge is not a barrier to legitimate business.

The pattern: Rythm collapses the mass version of vendor impersonation. Procedural verification handles the targeted survivors. The combination is what works.

A Specific Honest Note

Vendor impersonation is the quiet attack that bleeds small businesses one $40,000 wire at a time. Most coverage focuses on the dramatic single-target attacks; the cumulative loss to vendor impersonation is much larger.

We are not pretending Rythm prevents the targeted version. The compromised-vendor attack walks through any inbox-layer filter because the vendor is a known sender. What Rythm does is reduce the volume of the mass version, which gives the AP function more attention bandwidth for the messages that arrive, which makes the procedural verification protocols more sustainable.

Procedural defenses (out-of-band verification, two-person approval, standardized forms) are the defenses that actually catch the targeted attacks. Rythm reduces the volume that has to be triaged before those procedures run.

For the related vertical posts, see solo attorney email security, healthcare practice email security, and construction invoice fraud and email protection. For the broader frame, see the anatomy of a modern phishing email and what is BEC. Rythm is $1.65 per month, cancel anytime.
