Fraud, Waste & Abuse — Invoice Fraud & Vendor Impersonation
An Invoice Arrives for Payment Processing. The Vendor Name Is Similar to a Legitimate Supplier, but the Bank Account Number Is Different From the One on File. Her Manager Already Approved It. Does She Have to Do Anything?
A real accounts payable fraud and vendor impersonation compliance scenario — with three decision options and the right answer. Manager approval is a business authorization. It is not a fraud clearance.
Quick Answer
When an employee processing a payment notices that a vendor’s bank account number doesn’t match the account on file, does her obligation to flag the discrepancy disappear because her manager has already approved the invoice?
No. Manager approval is an authorization step in the payment process — it confirms that goods or services were received and the amount is reasonable. It does not verify that the bank account number matches the vendor record. That verification step is the responsibility of the person processing the payment. A discrepancy between a vendor’s invoice bank account and the account on file is one of the most common indicators of vendor impersonation fraud and business email compromise targeting accounts payable. The obligation to flag the discrepancy exists regardless of whether the invoice has been approved by a manager.
The Situation
An accounts payable specialist at a mid-size manufacturing company is processing the weekly payment batch. She pulls up an invoice from “Meridian Supply Co.” — a vendor the company has used for three years for raw materials. The invoice amount is $23,400. Her manager approved it two days ago. But when she processes the payment, she notices that the bank account number on the invoice differs from the account number in the vendor master file. The vendor name is exactly right. The invoice format looks correct. Both the routing number and account number are different.
She thinks about asking her manager — but he already approved it and seems confident. She’s also behind on her processing queue. Vendors do update their bank accounts legitimately, and she doesn’t want to create a problem over what might be a routine change.
She is deciding whether to process the payment, investigate the discrepancy, or route it back to her manager.
What Should the Accounts Payable Specialist Do?
Choice A: Process the payment. The manager approved it and knows this vendor better than she does. Vendors update their bank accounts — it’s probably a legitimate change. If there was a real problem, the manager would have caught it during approval.
Choice B: Stop the payment and contact the vendor directly using contact information already on file — not any information from the invoice — to verify whether the bank account change is legitimate. Document the discrepancy and notify the manager and AP supervisor before processing anything.
Choice C: Ask the manager to reconfirm before processing. If he says it’s fine a second time, that’s sufficient verification, and she can process it.
The Right Call
Choice B — Stop the payment and verify directly with the vendor through an independently confirmed contact channel.
Choice A processes the fraud. The discrepancy between the invoice bank account and the vendor master record is the single most reliable indicator of vendor impersonation fraud, and manager approval doesn’t change that because the manager wasn’t checking account numbers during approval. Choice C routes the verification question to someone who cannot actually answer it: the manager approved the invoice based on the goods received and the amount, not based on a bank account verification he never performed. Only contacting the vendor through an independently verified channel — not a number from the invoice — confirms whether the account change is legitimate. One call takes 90 seconds. If the change is legitimate, the payment processes normally. If it’s fraud, the call stops a $23,400 loss.
Why This Is Harder Than It Looks
Manager approval is not fraud clearance — it is business authorization.
AP controls are layered specifically because each person checks different things. The manager approves that the goods or services were received and the amount is appropriate. The AP processor verifies that payment routing is correct. When the processor skips their verification because “the manager approved it,” the fraud has no remaining control point. Both steps are required because neither step performs the other’s function.
Calling the number on the invoice is not verification — it is asking the attacker to confirm their own fraud.
In vendor impersonation attacks, the fraudster may have replaced the vendor’s contact information with their own. Calling the number provided in the suspicious invoice reaches the attacker, who will enthusiastically confirm the account change. Out-of-band verification means using contact information the company already has on file — the vendor master record, a previous invoice from before the discrepancy, or a confirmed website — not any information provided in the document being queried.
An invoice that is correct in everything except the payment destination is a deliberate design choice in vendor fraud.
The vendor name is right. The invoice format looks correct. The amount is routine. Only the account number is wrong. That pattern — familiar everything, different bank account — is not a coincidence. Fraudsters specifically choose familiar vendor names and routine amounts precisely because they will not attract attention. The more convincing the invoice, the more effort went into making it convincing. A suspiciously perfect invoice is itself a signal.
Frequently Asked Questions
What is vendor impersonation fraud and how common is it?
Vendor impersonation fraud occurs when a fraudster impersonates a legitimate supplier to redirect payments to a fraudulent account — typically by sending an invoice or “bank account update” notice that closely mimics the real vendor’s format. The ACFE’s Report to the Nations consistently identifies billing schemes as one of the most common and costly forms of occupational fraud. Business Email Compromise targeting AP functions is the highest-loss cybercrime category reported to the FBI, generating billions in annual losses with an average incident cost exceeding $120,000.
What are the red flags that should trigger verification before processing an invoice payment?
A bank account number that differs from the vendor’s account on file. An invoice from a vendor not previously used. An invoice format or email domain slightly different from previous invoices. An urgent request to process payment quickly or outside normal cycles. A vendor “bank account update” arriving by email without supporting documentation. Any single element warrants attention. Multiple elements together require escalation before processing.
What should an organization do to prevent vendor impersonation fraud in accounts payable?
Maintain an up-to-date vendor master file with verified bank account information. Require that any bank account changes be verified through out-of-band contact with the vendor using information already on file — not information provided in the change request. Implement a dual-control process where the person approving the invoice and the person verifying account details are different people. Train AP staff explicitly that manager approval is a business authorization, not a fraud clearance, and that account verification is the processor’s independent responsibility.
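The checks from the two answers above, as an added example that is not part of the original scenario or any Xcelus material: it compares an invoice against the vendor master file, counts red flags, and never treats manager approval as clearance. The record fields, decision labels and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vendor:   # hypothetical vendor master file entry
    routing: str
    account: str
    email_domain: str
    phone_on_file: str

@dataclass(frozen=True)
class Invoice:  # hypothetical invoice fields
    vendor: str
    routing: str
    account: str
    sender_domain: str
    urgent: bool = False
    manager_approved: bool = False  # recorded, never used as a fraud clearance

def digits(s):
    # Compare bank details on digits only so spacing and dashes do not matter.
    return "".join(c for c in s if c.isdigit())

def review(inv, master):
    """Return (decision, flags, callback number taken from the master file)."""
    rec = master.get(inv.vendor.strip().lower())
    flags = []
    if rec is None:
        flags.append("vendor not previously used")
    else:
        if (digits(inv.routing), digits(inv.account)) != (digits(rec.routing), digits(rec.account)):
            flags.append("bank account differs from account on file")
        if inv.sender_domain.lower() != rec.email_domain.lower():
            flags.append("email domain differs from previous invoices")
    if inv.urgent:
        flags.append("urgent or off-cycle payment request")
    # manager_approved is deliberately not consulted anywhere above.
    decision = "PROCESS" if not flags else "HOLD_AND_VERIFY" if len(flags) == 1 else "ESCALATE"
    return decision, flags, (rec.phone_on_file if rec else None)

# Constructed sample data modelled on the scenario; all values are made up.
MASTER = {"meridian supply co.": Vendor("000000001", "1111-2222", "meridian.example", "+1-555-0100")}
SCENARIO = Invoice("Meridian Supply Co.", "000000002", "3333-4444", "meridian.example", manager_approved=True)
LOOKALIKE = Invoice("Meridian Supply Co.", "000000002", "3333-4444", "meridian-supply.example", urgent=True, manager_approved=True)

if __name__ == "__main__":
    for inv in (SCENARIO, LOOKALIKE):
        print(review(inv, MASTER))
```

The callback number in the result always comes from the master record, so the verification call cannot be steered by contact details printed on the invoice under review.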
How to Use This Scenario in Training
Recommended for accounts payable, finance operations, procurement, and any employee who processes vendor payments or approves invoices. Most effective when paired with a clear explanation of the organization’s vendor account change verification process: the scenario is most useful once employees know exactly what “out-of-band verification” looks like in their specific AP workflow.
This scenario demonstrates the diffusion of responsibility rationalization from the Decision Readiness Engine™: “The manager approved it, so it’s his responsibility if something is wrong.” Decision-ready AP employees recognize that layered controls exist specifically because each person checks different things — and that a manager’s business authorization doesn’t substitute for the processor’s independent account verification step.
© 2005–2026 Xcelus LLC. All rights reserved. Scenario content is original work protected by copyright. You may link freely — reproduction or adaptation without written permission is prohibited.