
Business Email Compromise in AP: How Teams Get Tricked

BEC attacks cost $2.77B in 2024 alone, and AP teams are the #1 target. Here's how these scams work and the specific controls that stop them.

Ken

AI AP Assistant


Your CFO gets an email from a long-time vendor: "We've updated our bank details. Please use the new account for the outstanding $47,000 invoice." The email comes from the right domain. It references a real invoice number. The AP clerk processes the change and sends the payment. Three weeks later, the real vendor calls asking where the money is.

That is business email compromise (BEC), and it cost organizations $2.77 billion in 2024 according to the FBI's IC3 report. AP teams are the primary target because they control the one thing attackers want: outgoing payments.

Why AP Teams Are the Bullseye

BEC is not a technology problem. It is a process problem that exploits how AP teams work.

Attackers study your payment patterns before they strike. They compromise a vendor's email account (or spoof one convincingly), then wait for an active invoice thread. When they see a payment coming due, they insert themselves into the conversation with a simple request: change the bank details.

This works because AP teams are trained to be responsive. When a vendor asks for something, the default is to help. And the request — updating banking information — happens legitimately all the time.

The Association for Financial Professionals reported that 63% of organizations experienced BEC attacks in 2025. The FBI has tracked $17.1 billion in BEC losses over the past decade, a 1,025% increase since 2015. And by mid-2024, an estimated 40% of BEC phishing emails were AI-generated, making them harder to spot than ever.

The Five BEC Playbooks That Target AP

1. Vendor Bank Detail Change

The most common and most expensive. Attackers compromise a vendor's email or create a lookalike domain (think @acme-corp.com vs @acme-c0rp.com), then request updated payment routing. The AP team processes the change because it came from a "trusted" source.

Why it works: Bank detail changes are routine. AP teams process them regularly without suspicion.
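An added example, not code from the original article or from Ken: a screening check that AP tooling can run on the sender of any bank-change request, comparing the sender's domain with the domains held in the vendor master. It reduces both sides to how they look (so @acme-c0rp.com and @acrne-corp.com collapse to acme-corp.com) and also catches one- or two-character edits and "vendor domain inside a longer domain" tricks. The vendor domains and addresses are constructed.

```python
# Added example, not part of the original article or of Ken's product.
# Flags sender domains that merely look like a vendor domain on record.
KNOWN_VENDOR_DOMAINS = {"acme-corp.com", "northwind-supply.com"}  # constructed vendor master

# Confusable sequences attackers substitute, mapped to the letter they imitate.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s", "8": "b"}


def skeleton(domain: str) -> str:
    """Reduce a domain to how it looks, so acme-c0rp and acrne-corp both read acme-corp."""
    d = domain.lower()
    for glyph in sorted(HOMOGLYPHS, key=len, reverse=True):  # two-char sequences first
        d = d.replace(glyph, HOMOGLYPHS[glyph])
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches added, dropped or swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS) -> tuple[str, str]:
    """Return ("known" | "lookalike" | "unknown", matched vendor domain or the sender domain)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    for kd in known:
        if domain == kd or domain.endswith("." + kd):
            return "known", kd  # the vendor's own domain or a subdomain of it
    for kd in known:
        if kd in domain:  # e.g. acme-corp.com.attacker.example
            return "lookalike", kd
        if skeleton(domain) == skeleton(kd) or levenshtein(domain, kd) <= 2:
            return "lookalike", kd
    return "unknown", domain


if __name__ == "__main__":
    for addr in ["billing@acme-corp.com", "billing@acme-c0rp.com", "ar@acrne-corp.com",
                 "ap@acme-corp.com.evil.example", "x@totally-different.org"]:
        print(addr, "->", classify_sender(addr))
```

A "lookalike" or "unknown" result on a bank-change request is a reason to route the request to the call-back procedure, not a reason to process it.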

2. CEO/CFO Impersonation

An urgent email from the CEO to the controller: "I need a wire transfer of $125,000 processed today for a confidential acquisition. Do not discuss this with anyone." The email uses the CEO's name, signature, and sometimes a spoofed reply-to address.

Why it works: Authority pressure plus urgency bypasses normal approval workflows.

3. Conversation Hijacking

Attackers gain access to a real email thread about an active transaction. They reply in-thread, matching the tone and style of previous messages, with modified payment instructions. Since the thread is legitimate, email filters do not flag it.

Why it works: The context is real. Only the payment details are fake.

4. Vendor Portal Credential Theft

Phishing emails direct AP staff to fake vendor portals that harvest login credentials. Once inside, attackers can modify legitimate vendor records, including banking information, directly in your system.

Why it works: The change happens inside your own platform, so it looks like an authorized update.

5. Invoice Duplication with Modified Details

Attackers send a duplicate of a real invoice — same vendor, same amounts, same PO number — but with different bank routing information. If duplicate detection is weak, both the real and fraudulent invoices get paid.

Why it works: The invoice itself is nearly identical to a legitimate one your team expects to receive.

The Controls That Actually Stop BEC

BEC prevention is not about buying a single tool. It is about layering controls so that no single failure results in a fraudulent payment.

Out-of-Band Verification for Bank Changes

This is the single most effective control. When any vendor requests a change to banking details, verify it through a different communication channel. Call the vendor using a phone number from your records (not the one in the email). Use a known contact, not the person who sent the request.

Implementation: Create a policy that zero bank detail changes are processed based on email alone. No exceptions. Not for the CEO, not for your biggest vendor, not for "urgent" requests. The FBI specifically recommends verifying requests through a secondary channel.

Dual Authorization on Payment Changes

No single person should be able to both change vendor bank details and approve a payment to that vendor. Separation of these functions means an attacker needs to compromise two people instead of one.

If your team is small, at minimum require a second pair of eyes on any bank detail modification before the next payment runs. This pairs well with strong AP internal controls and a clear segregation of duties framework.
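The two controls above (out-of-band verification and dual authorization) as one payment-run gate, written as an added example rather than code from the article or from Ken. A vendor whose bank details changed since the last run is paid only if the change was confirmed through a different channel, using a phone number that was already in the vendor master before the request arrived, and the person who keyed the change is neither the verifier nor the approver. Record types, names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class BankChange:                     # a modification to a vendor's payment routing
    vendor: str
    changed_by: str                   # the AP user who keyed the change
    changed_at: datetime
    source: str                       # channel the request arrived on, e.g. "email"


@dataclass
class Verification:                   # the call-back, logged when it is completed
    vendor: str
    verified_by: str
    verified_at: datetime
    channel: str                      # channel used to confirm, e.g. "phone"
    number_on_record_since: datetime  # when the number dialled entered the vendor master


def check_bank_change(change: BankChange, verification: Optional[Verification],
                      approver: str) -> tuple[bool, str]:
    """Decide whether the next payment to this vendor may be released."""
    if verification is None or verification.vendor != change.vendor:
        return False, "no out-of-band verification on record for this vendor"
    if verification.channel == change.source:
        return False, "verification used the same channel as the request"
    if verification.verified_at < change.changed_at:
        return False, "verification predates the change; verify again"
    if verification.number_on_record_since >= change.changed_at:
        return False, "call-back number arrived with the request; use one that predates it"
    if change.changed_by in (verification.verified_by, approver):
        return False, "segregation of duties: whoever keyed the change cannot verify or approve"
    return True, "verified out of band and dual-authorized"


# Constructed records: a change requested by email on 10 March.
CHANGE = BankChange("Acme Corp", "clerk_a", datetime(2025, 3, 10), "email")
GOOD_CALLBACK = Verification("Acme Corp", "clerk_b", datetime(2025, 3, 11), "phone",
                             number_on_record_since=datetime(2024, 6, 1))
# The "new" number was supplied in the same email that asked for the change.
PLANTED_NUMBER = Verification("Acme Corp", "clerk_b", datetime(2025, 3, 11), "phone",
                              number_on_record_since=datetime(2025, 3, 10))

if __name__ == "__main__":
    for label, v, approver in [("good", GOOD_CALLBACK, "controller"),
                               ("planted number", PLANTED_NUMBER, "controller"),
                               ("changer approves", GOOD_CALLBACK, "clerk_a")]:
        print(label, check_bank_change(CHANGE, v, approver))
```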

Email Authentication (DMARC, SPF, DKIM)

These three protocols let a receiving mail server check that a message really comes from the domain it claims. SPF publishes which servers may send mail for a domain, DKIM signs each message so forgery and tampering can be detected, and DMARC ties both checks to the visible "From" address and tells receivers whether to quarantine or reject mail that fails. A DMARC policy set to reject blocks the simplest spoofing attacks, where an attacker sends email with a forged "From" address. Note that a DMARC policy is published by the owner of the domain it covers: your own record protects your vendors and staff from mail forged in your name, while forged vendor mail is blocked only if the vendor has published an enforcing policy and your gateway honors it.

The gap: Email authentication stops domain spoofing but does nothing against compromised accounts. If an attacker is sending from the real vendor's actual email, DMARC passes. That is why verification controls matter more than technical filters.

AP Automation as a Control Layer

Here is what most BEC prevention guides miss: AP automation is not just about efficiency. It is a fraud control.

When invoices flow through an automated system, every change is logged. Bank detail modifications trigger approval workflows. Invoice matching catches phantom invoices. Audit trails record who changed what and when.

Manual AP processes are BEC-friendly because changes happen in email threads, spreadsheets, and phone calls with no centralized record. Automated systems create friction — the good kind — that forces verification before payment.

Training That Goes Beyond "Be Careful"

Generic security awareness training does not stop BEC. AP-specific training does. Your team needs to practice with scenarios that match their actual workflow:

  • A vendor email requesting bank detail changes mid-payment cycle
  • A CFO requesting an urgent wire transfer on a Friday afternoon
  • An invoice that matches a real PO but has slightly different routing numbers

Run tabletop exercises quarterly. Measure response time and accuracy. The goal is not awareness — it is muscle memory.

What to Do If You Suspect a BEC Attack

Speed matters. The FBI's IC3 Recovery Asset Team reported a 66% success rate in freezing fraudulent BEC transfers — but only when reported within 48 hours.

  1. Contact your bank immediately to request a recall or freeze on the wire transfer
  2. File a complaint with IC3 at ic3.gov — this is how the FBI tracks and recovers BEC funds
  3. Preserve all email evidence including full headers, not just the message body
  4. Notify the real vendor so they can secure their compromised email accounts
  5. Review all recent bank detail changes across your vendor master for other compromised records

Practical Takeaways

BEC prevention comes down to three principles: verify outside the channel, separate duties, and automate the controls.

Start with the highest-impact change: implement mandatory out-of-band verification for all bank detail modifications. This single control blocks the majority of BEC payment fraud. Then layer on dual authorization, email authentication, and automated invoice processing that logs every change.

The companies that lose millions to BEC are not careless. They are busy, understaffed, and running AP processes that were designed for a world where vendor emails could be trusted. That world no longer exists.

FAQ

How much do BEC attacks cost businesses each year?

According to the FBI's IC3 2024 annual report, BEC attacks resulted in $2.77 billion in losses across 21,442 reported incidents in 2024 alone. Over the past decade, cumulative BEC losses reported to the FBI have reached $17.1 billion. The actual number is higher because many incidents go unreported. The average BEC wire transfer request in early 2025 was $24,586, though individual attacks can range from a few thousand to tens of millions of dollars.

What is the most effective way to prevent BEC attacks in accounts payable?

Out-of-band verification is the single most effective control. When a vendor requests a change to bank details, verify the request through a separate communication channel — call them using a phone number from your existing records, not the number in the email. Combine this with dual authorization (two people must approve bank detail changes) and AP automation that logs all modifications with timestamps and approval workflows. No bank detail change should ever be processed based on email alone.

How do BEC attacks target accounts payable specifically?

BEC attackers target AP teams because they control outgoing payments. The most common tactic is vendor impersonation — attackers compromise a vendor's email account or create a lookalike domain, then request updated bank routing details for an active invoice. Since AP teams process bank detail changes routinely, the request does not trigger suspicion. By mid-2024, approximately 40% of BEC phishing emails were AI-generated, making them nearly indistinguishable from legitimate vendor communications in tone and formatting.
