How one spoofed email can cost your client $250K (and your firm its reputation)
Vendor email spoofing remains one of the fastest paths to accounting fraud losses because it exploits trust, not firewalls. The scenario below is composite but faithful to real cases: one plausible message, one rushed approval, and a wire that cannot be recalled.
The setup: a trusted vendor—or a convincing forgery
Your client’s AP contact receives email from a display name they recognize: a long-time materials supplier. The body references an open PO and an “updated remittance account” effective immediately due to a treasury consolidation. The tone is calm, professional, and specific enough to feel legitimate.
In reality, the sender domain is a look-alike or the thread was injected after a mailbox compromise. This is classic vendor email spoofing: the fraud lives in the message, not in your firewall logs.
The urgent bank change request
The email includes new ACH instructions and asks that the next scheduled $250,000 payment use the updated account “to avoid delays.” A junior staffer updates the vendor record in QuickBooks and routes for approval. The approver, juggling month-end, sees a known vendor name and signs off.
- No call-back to a phone number on file
- No comparison to prior successful payments
- No hold on first-payment-to-new-account scenarios
The wire goes out
Funds leave the client’s account and settle into a mule account domestically or abroad. By the time the real vendor asks about the missing payment, the money is layered through other accounts. Recovery is uncertain; law enforcement timelines do not match payroll and supplier deadlines.
Post-incident: blame, insurance, and lost trust
The client asks why the firm’s process allowed the change. Finger-pointing spans email policy, QBO permissions, and who “owned” vendor verification. An E&O claim may follow; crime policies may dispute coverage for voluntary payment to a fraudster. Even when insurance pays partially, the relationship often does not recover—referrals stop, and the firm’s name is tied to the loss in local markets.
Learn control patterns for BEC fraud prevention and firm-specific guidance for accounting firms.
Prevention timeline: what should have happened
Before any bank change pays: verify out-of-band, compare to historical payee fingerprints, and require dual control for high-dollar first payments to new accounts. Automated alerts on vendor master changes close the gap between policy and daily execution—so spoofed email does not become spoofed banking details.
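The controls above (historical payee fingerprint, out-of-band call-back, dual control on high-dollar first payments, and an alert window after a vendor master change) as one added Python illustration; this is not code from the post or from QuickBooks, and the vendor name, routing and account numbers, $25,000 threshold and 30-day window are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Policy values are assumptions for this illustration, not figures from the post.
DUAL_CONTROL_THRESHOLD = 25_000          # USD; first payments at/above this need two approvers
NEW_ACCOUNT_WINDOW = timedelta(days=30)  # a bank change this recent keeps the vendor on hold

@dataclass
class VendorRecord:
    name: str
    routing: str
    account: str
    bank_changed_on: date | None = None   # last change to the vendor master bank fields
    verified_out_of_band: bool = False    # call-back to the phone number on file was logged

@dataclass
class Payment:
    vendor: str
    amount: float
    routing: str
    account: str

def payee_fingerprint(history: list[Payment], vendor: str) -> set[tuple[str, str]]:
    """Routing/account pairs this vendor has actually been paid to before."""
    return {(p.routing, p.account) for p in history if p.vendor == vendor}

def review_payment(vendor: VendorRecord, pay: Payment,
                   history: list[Payment], today: date) -> list[str]:
    """Return the reasons to hold this payment; an empty list means it may release."""
    holds: list[str] = []
    known = payee_fingerprint(history, vendor.name)
    first_to_account = bool(known) and (pay.routing, pay.account) not in known
    if first_to_account:
        holds.append("destination differs from every prior successful payment")
        if not vendor.verified_out_of_band:
            holds.append("no out-of-band call-back recorded for the new account")
        if pay.amount >= DUAL_CONTROL_THRESHOLD:
            holds.append("high-dollar first payment to a new account needs dual control")
    if vendor.bank_changed_on and today - vendor.bank_changed_on <= NEW_ACCOUNT_WINDOW:
        holds.append(f"vendor bank details changed on {vendor.bank_changed_on.isoformat()}")
    return holds

# Constructed sample data: two clean historical payments, then the spoofed change.
HISTORY = [Payment("Acme Materials", 48_000, "021000021", "11122233"),
           Payment("Acme Materials", 51_500, "021000021", "11122233")]
TODAY = date(2024, 6, 3)
SPOOFED = VendorRecord("Acme Materials", "026009593", "99988877",
                       bank_changed_on=date(2024, 6, 2))  # updated from the email, no call-back
REQUEST = Payment("Acme Materials", 250_000, SPOOFED.routing, SPOOFED.account)
```

Calling `review_payment(SPOOFED, REQUEST, HISTORY, TODAY)` returns four hold reasons, while the same amount to the historical account with no recent master change returns none; the vendor-master alert fires on the date check regardless of who approved.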
Stop BEC before the wire
Layer email hygiene with vendor verification and invoice anomaly detection so urgency cannot bypass evidence.