Payment diversion is the end goal of most vendor fraud schemes. Whether through Business Email Compromise (BEC), vendor impersonation, or internal fraud, the objective is the same: redirect legitimate payments to accounts controlled by fraudsters. Prevention requires understanding the attack vectors and implementing systematic controls.

Understanding Payment Diversion

Payment diversion occurs when payments intended for legitimate vendors are redirected to fraudulent accounts. This can happen through:

External Attacks

  • BEC: Fraudsters impersonate vendors via email
  • Vendor impersonation: Fake invoices from lookalike domains
  • Account takeover: Compromised vendor email accounts

Internal Threats

  • Collusion: Employees working with external fraudsters
  • Ghost vendors: Fictitious vendors created by insiders
  • Payment manipulation: Changing payment details before processing

Process Exploitation

  • Weak verification: Changes processed without adequate verification
  • Manual overrides: Controls bypassed for urgent payments
  • Documentation gaps: Missing evidence of verification

The Attack Surface

Payment diversion attacks exploit multiple touchpoints:

Invoice Receipt

  • Fraudulent invoices enter through email
  • Lookalike domains bypass spam filters
  • Compromised accounts send legitimate-looking requests

Vendor Data

  • Changes to banking information
  • New payment addresses
  • Updated contact information

Payment Processing

  • Manual entry of payment details
  • Overrides of automated controls
  • Rush payment requests

Verification

  • Callbacks using fraudulent contact information
  • Incomplete verification procedures
  • Undocumented approvals

Prevention Framework

Effective payment diversion prevention addresses all attack vectors:

1. Establish Vendor Truth

Create a verified baseline for every vendor:

  • Known bank accounts
  • Authorized sender domains
  • Verified contact information
  • Historical payment patterns

Without a baseline, you cannot detect changes. Without detection, you cannot prevent diversion.

2. Detect Changes Automatically

Compare every invoice against verified records:

  • Bank account numbers
  • Routing numbers
  • Remittance addresses
  • Sender email domains

Manual review alone cannot catch sophisticated attacks. Automated detection provides consistent, thorough coverage.

3. Verify Through Trusted Channels

When changes are detected:

  • Use contact information from your verified records
  • Never use contact details from the suspicious invoice
  • Verify through multiple channels when possible
  • Document verification thoroughly

4. Implement Payment Controls

Build verification into the payment process:

  • Hold payments on flagged invoices
  • Require additional approval for high-risk transactions
  • Implement dual authorization for bank changes
  • Separate invoice receipt from payment processing

5. Monitor and Audit

Continuously assess control effectiveness:

  • Track detection rates
  • Review verification documentation
  • Audit payment processes
  • Monitor for bypass attempts

High-Risk Scenarios

Certain situations require heightened scrutiny:

New Vendors

  • No historical baseline
  • Verify thoroughly before first payment
  • Build confidence through multiple transactions

Bank Changes

  • Most common diversion vector
  • Verify through known channels
  • Document verification completely

Rush Payments

  • Urgency is a red flag
  • Apply standard controls regardless
  • Document any exceptions

Large Payments

  • Higher reward for fraudsters
  • Enhanced verification requirements
  • Multiple approval layers

International Payments

  • More difficult to recover
  • Additional verification steps
  • Enhanced documentation

Building Defense in Depth

No single control prevents all payment diversion. Effective prevention uses multiple layers:

Layer 1: Detection

  • Automated comparison against verified records
  • Flag changes before payment processing

Layer 2: Verification

  • Consistent verification workflows
  • Trusted contact information
  • Documented outcomes

Layer 3: Authorization

  • Approval requirements for flagged payments
  • Separation of duties
  • Documented approvals

Layer 4: Monitoring

  • Audit trails for all changes
  • Detection of bypass attempts
  • Regular control assessments

Recovery Considerations

Despite best efforts, some fraud may succeed. Improve recovery chances by:

  • Detecting quickly: Faster detection increases recovery likelihood
  • Documenting thoroughly: Evidence supports recovery efforts
  • Reporting promptly: Notify banks and authorities immediately
  • Preserving evidence: Maintain all related communications

Implementation Priorities

Organizations should prioritize based on risk:

  1. Immediate: Implement bank change detection and verification
  2. Short-term: Establish vendor baselines for high-volume vendors
  3. Medium-term: Expand coverage to all vendors
  4. Ongoing: Enhance controls based on emerging threats

Measuring Effectiveness

Track prevention program effectiveness through:

  • Detection rate: Percentage of changes caught before payment
  • Verification compliance: Percentage of changes properly verified
  • Control coverage: Percentage of payments subject to controls
  • Incident rate: Successful diversion attempts over time

Payment diversion is preventable through systematic controls. Organizations that implement detection, verification, and authorization controls significantly reduce their exposure to vendor fraud.

See TruePayables in action

Learn how TruePayables can help your organization prevent vendor fraud.

Book a Demo Join Waitlist