Vendor Account Compromise is On the Rise. Here’s How to Make Sure It Doesn’t Happen to You.
This isn't a fringe risk.
If you’ve been following our articles here, you know that fraud and cybercrime are on the rise. Now, it’s getting personal. The Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) recently released a notice alerting organizations that Vendor Account Compromises (VACs) are on the rise.
What does that mean? According to the report, cybercriminals have increasingly targeted vendor portals used by U.S. government and academic institutions, exploiting weak authentication, public information, and poor change-verification processes to redirect payments — sometimes worth millions.
Yes, millions.
And once the money is gone, recovery is difficult (read: near impossible). Worse yet, the reputational damage can be long-lasting.
In this article:
How Does a Vendor Account Compromise (VAC) Unfold?
What Vulnerabilities and Weaknesses Do Cybercriminals Seek Out?
What Are the Best Mitigation Steps to Prevent Vendor Account Compromise?
How Does PaymentWorks Guard Against Vendor Account Compromise?
Vendor Account Compromise (VAC) is Not a Fringe Threat
Get Ready for Vendor Management Day 2025
Want Help Aligning Teams On Preventing Vendor Account Compromise?
Interested in More Tips On Preventing Vendor Account Compromise?
Want Personalized Guidance On Preventing Vendor Account Compromise?
How Does a Vendor Account Compromise (VAC) Unfold?

Like many other types of fraud, VACs can be surprisingly low-tech. Still, the perpetrators follow a disciplined playbook. Let’s break down the seven core stages of vendor account compromise.
1. Criminals select a vendor portal based on its authentication methods. If it relies on easily discoverable identifiers like a Federal Employer Identification Number (FEIN) or vendor ID, it’s a prime target.
2. Attackers scan public spending reports and “open checkbook” records to find vendors receiving the largest and most regular payments. Sectors like construction, technology, energy, and healthcare are especially exposed.
3. FEINs, vendor IDs, or similar credentials are gathered from public documents or elicited via social engineering. Bad actors may use convincing stories tied to real contracts or employees.
4. Once the cybercriminal has the authentication values in hand (or has persuaded the organization to create a new user account), they log in. Privileged access to vendor payment histories and profile data: achieved.
5. The attacker changes phone numbers, email addresses, and other contact details in the portal, so that any future verification attempts get routed directly to the bad actors.
6. Bank account numbers or mailing addresses are altered to send payments to attacker-controlled accounts or P.O. boxes. In many cases, attackers enroll the vendor in EFT/ACH payments so the theft is faster.
7. With knowledge of the exact payment schedule, criminals move stolen funds rapidly through U.S.-based accounts, cryptocurrency, or money mules. This makes recovery extremely difficult, if not impossible.
It’s a high-stakes “game” with a low barrier to entry. This means that organizations must take steps to mitigate the threat immediately. We’ll map out how to do this in the next section.
What Vulnerabilities and Weaknesses Do Cybercriminals Seek Out?

Bad actors have a keen eye for vulnerabilities, hiccups, and good old-fashioned human error. Unfortunately, this means teams have to be on top of their game 24/7, lest cybercriminals sneak through.
Here are some things that fraudsters look for when hunting for low-hanging fruit:
Many portals still use outdated “knowledge-based” authentication (e.g., values like FEINs or vendor IDs) as proof of identity. Unfortunately, these identifiers are often publicly available in bid documents, contract awards, or annual reports. Cybercriminals don’t need to hack a system to get them; they can often be found with a quick search or simple social engineering.
Without MFA, anyone who obtains login credentials, whether through phishing, stolen identifiers, or insider compromise, can access vendor accounts unchallenged. The absence of MFA for sensitive actions like bank detail updates is a major security blind spot.
If banking or remittance details are updated within the portal, most systems will send confirmation to the contact information on file. Here’s the thing: attackers often change those contact details first. Without an independent verification process (e.g., calling a known number outside the portal), fraudulent changes slip through undetected.
This is exactly why we designed our platform to route verification outside the portal—because we know attackers often compromise the vendor contact first.
Attackers know they have a window before they’re detected. If no one is actively monitoring for high-risk signals (a flurry of changes to contact information, logins from unusual IP addresses, or a sudden switch to a free webmail account), they can operate undisturbed until payments are stolen.
Vendor portals are often “owned” by finance or procurement, with minimal IT involvement. This separation means operational teams may lack the cybersecurity expertise to spot sophisticated social engineering. Alternatively, security teams may not have visibility into vendor data changes. Criminals exploit these blind spots.
After reading this, do you feel your systems are secure? Reminder: cybercriminals don’t need brute force. They rely on oversights and disjointed processes. Every outdated login method, missing verification step, or siloed team is an open door. It’s time to slam the door on cybercriminals, but that takes modern, proactive practices and cross-functional collaboration. Let’s discuss what that looks like.
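To make the monitoring gap concrete, here is an added example (not PaymentWorks code, and not taken from the FBI/MS-ISAC notice) that scores vendor-portal events for the signals named above: a burst of profile changes on a long-static account, a contact e-mail switched to a free webmail domain, a bank change that follows a contact change, and a login from a country the vendor has never used. The event records, baselines, webmail list, signal weights and alert threshold are all constructed for the example; a real deployment would feed it from the portal's audit log.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Domains treated as consumer webmail (assumed list; extend from your own telemetry).
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
                "proton.me", "protonmail.com"}

# Weight per signal and the score at which we alert (assumed; tune to your false-positive budget).
SIGNAL_WEIGHTS = {"burst": 2, "webmail": 2, "contact_then_bank": 3, "new_country": 1}
ALERT_THRESHOLD = 3


@dataclass(frozen=True)
class Event:
    ts: datetime
    vendor: str
    kind: str          # "login" | "contact_change" | "bank_change"
    detail: str = ""   # new e-mail for contact_change, ISO country for login


@dataclass(frozen=True)
class Baseline:
    last_change: datetime       # last profile edit before the window being scored
    email_domain: str           # domain of the contact e-mail on record
    countries: frozenset        # countries this vendor has previously logged in from


def score_vendor(events, baseline, now,
                 burst_window=timedelta(hours=24), static_for=timedelta(days=365)):
    """Return (score, reasons) for one vendor's events."""
    events = sorted(events, key=lambda e: e.ts)
    changes = [e for e in events if e.kind.endswith("_change")]
    reasons = []

    # Signal 1: several edits inside one window on an account untouched for a year.
    recent = [e for e in changes if now - e.ts <= burst_window]
    if len(recent) >= 2 and now - baseline.last_change >= static_for:
        reasons.append(("burst", f"{len(recent)} changes within {burst_window}, "
                                 f"account static for {(now - baseline.last_change).days} days"))

    # Signal 2: contact e-mail moved from a corporate domain to free webmail.
    for e in changes:
        if e.kind == "contact_change":
            domain = e.detail.rsplit("@", 1)[-1].lower()
            if domain in FREE_WEBMAIL and baseline.email_domain.lower() not in FREE_WEBMAIL:
                reasons.append(("webmail", f"contact e-mail moved to {domain}"))
                break

    # Signal 3: contact details changed, then bank details changed in the same window
    # (stages 5 and 6 of the playbook, in order).
    contact_times = [e.ts for e in changes if e.kind == "contact_change"]
    for e in changes:
        if e.kind == "bank_change" and any(timedelta(0) <= e.ts - c <= burst_window
                                           for c in contact_times):
            reasons.append(("contact_then_bank", "bank change followed a contact change"))
            break

    # Signal 4: login from a country never seen for this vendor.
    for e in events:
        if e.kind == "login" and e.detail not in baseline.countries:
            reasons.append(("new_country", f"login from {e.detail}, "
                                           f"baseline {sorted(baseline.countries)}"))
            break

    score = sum(SIGNAL_WEIGHTS[name] for name, _ in reasons)
    return score, [msg for _, msg in reasons]


def flag_vendors(events, baselines, now, threshold=ALERT_THRESHOLD):
    """Map vendor -> score for every vendor whose score reaches the threshold."""
    flagged = {}
    for vendor, baseline in baselines.items():
        score, _ = score_vendor([e for e in events if e.vendor == vendor], baseline, now)
        if score >= threshold:
            flagged[vendor] = score
    return flagged


# Constructed sample data: one compromise pattern and one benign bank update.
NOW = datetime(2025, 3, 10, 12, 0)
SAMPLE_BASELINES = {
    "ACME Construction": Baseline(datetime(2021, 6, 1), "acme-construction.example", frozenset({"US"})),
    "Beta Labs": Baseline(datetime(2024, 1, 15), "betalabs.example", frozenset({"US", "CA"})),
}
SAMPLE_EVENTS = [
    Event(datetime(2025, 3, 10, 8, 0), "ACME Construction", "login", "NG"),
    Event(datetime(2025, 3, 10, 8, 5), "ACME Construction", "contact_change", "acme.remit@gmail.com"),
    Event(datetime(2025, 3, 10, 10, 30), "ACME Construction", "bank_change", "routing/account updated"),
    Event(datetime(2025, 3, 9, 9, 0), "Beta Labs", "login", "CA"),
    Event(datetime(2025, 3, 9, 9, 10), "Beta Labs", "bank_change", "routing/account updated"),
]

if __name__ == "__main__":
    for vendor, score in flag_vendors(SAMPLE_EVENTS, SAMPLE_BASELINES, NOW).items():
        _, reasons = score_vendor([e for e in SAMPLE_EVENTS if e.vendor == vendor],
                                  SAMPLE_BASELINES[vendor], NOW)
        print(f"ALERT {vendor} score={score}: " + "; ".join(reasons))
```

Run as-is, the constructed ACME Construction activity is flagged with all four signals (score 8), while the Beta Labs bank update, a single change from a known location, scores zero. The contact-then-bank ordering carries the largest weight because it is the sequence the playbook relies on; a single signal such as an unfamiliar country is informative but is not enough to alert on its own.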
What Are the Best Mitigation Steps to Prevent Vendor Account Compromise?

VAC attacks succeed because they exploit predictable weaknesses in authentication, verification, and monitoring. The FBI and MS-ISAC stress that stopping these schemes isn’t about one single fix. Instead, teams should focus on layering defenses so that even if attackers breach one control, others stand in their way.
Specifically, the FBI/MS-ISAC recommends that organizations:
Add a second layer of verification (one-time passcodes, authenticator apps, or challenge questions) for account access and for all high-risk actions. This makes it significantly harder for attackers to move from credential theft to account takeover. Note that challenge questions are still knowledge-based, with the same discoverability problem as FEINs and vendor IDs, so prefer an authenticator app or hardware token where the portal supports one.
Don’t rely on a single confirmation channel. Verify changes through multiple steps, ideally using contact details verified from outside the portal (e.g., calling a number from your procurement records, not the portal’s vendor profile).
Legitimate large vendors almost always use corporate email domains. If you’re seeing change requests from Gmail or Proton Mail, for example, it should trigger immediate scrutiny and verification.
You should have established baseline patterns for how your vendors behave. Better yet, set up alerts for deviations from those patterns. For example, the system should alert you to multiple changes within hours to an account that has been static for years, or to logins from IP addresses far from the vendor’s usual location.
It’s one of the reasons our system does more than simply store vendor records—it watches them. Real-time alerts for behavioral anomalies help customers spot trouble before money moves.
Make portal security a cross-departmental responsibility. IT brings the technical defenses, finance understands payment processes, and procurement knows vendor relationships. Together, they can detect and block suspicious changes faster.
Your portal vendor may offer features you’re not using, such as bank account verification, IP geofencing, or change approval workflows. Maintaining an active relationship ensures you can turn on protective measures quickly when new threats emerge.
Managing these risks is about building layered defenses. Start by eliminating static authentication methods and enabling MFA across the board. Implement out-of-band verification for sensitive changes, and monitor for unusual activity in real time. Most importantly, break down silos; security is a shared responsibility between procurement, finance, and IT. When these teams work together, you close the gaps that fraudsters love to exploit.
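As an added example of the out-of-band verification recommended above (illustration code, not the PaymentWorks platform and not an FBI/MS-ISAC procedure), the following models the confirmation blind spot from the previous section and its fix. A hypothetical Portal class confirms a bank-detail change either with the contact currently on the profile, which an attacker who has just edited that profile now controls, or with the contact captured at identity-verified onboarding, which has no edit path through the portal. Payment is held while the change is unconfirmed. The vendor name, contacts, account labels and the attacker's behaviour on the callback are constructed.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional


class Status(Enum):
    PENDING = "pending"
    APPLIED = "applied"
    REJECTED = "rejected"


@dataclass(frozen=True)
class Contact:
    email: str
    phone: str


@dataclass(frozen=True)
class VendorRecord:
    name: str
    contact: Contact             # profile contact, editable through the portal
    bank_account: str
    verified_contact: Contact    # captured at identity-verified onboarding; no edit path in the portal


@dataclass
class ChangeRequest:
    field: str
    new_value: str
    sent_to: Contact             # where the confirmation request was routed
    status: Status = Status.PENDING


class Portal:
    """Minimal vendor portal. pin_to_verified_contact selects the design:
    False confirms with the profile contact (the blind spot), True with the
    contact of record from onboarding (the out-of-band fix)."""
    SENSITIVE = {"bank_account"}

    def __init__(self, record: VendorRecord, pin_to_verified_contact: bool):
        self.record = record
        self.pin = pin_to_verified_contact
        self.requests = []            # doubles as the audit trail

    def update_contact(self, new_contact: Contact):
        # Contact edits apply immediately; what matters is where the *next* confirmation goes.
        self.record = replace(self.record, contact=new_contact)

    def request_change(self, field: str, new_value: str) -> ChangeRequest:
        target = self.record.verified_contact if self.pin else self.record.contact
        req = ChangeRequest(field, new_value, sent_to=target)
        self.requests.append(req)
        return req                    # confirmation goes to req.sent_to over a separate channel

    def resolve(self, req: ChangeRequest, approved: bool):
        req.status = Status.APPLIED if approved else Status.REJECTED
        if approved:
            self.record = replace(self.record, **{req.field: req.new_value})

    def payment_destination(self) -> Optional[str]:
        """Account the next payment run may use; None while a sensitive change awaits confirmation."""
        if any(r.status is Status.PENDING and r.field in self.SENSITIVE for r in self.requests):
            return None
        return self.record.bank_account


# Constructed actors: the vendor's real AP desk and an attacker logged in as the vendor.
VENDOR_AP = Contact("ap@acme-construction.example", "+1-555-0100")
ATTACKER = Contact("acme.remit@gmail.com", "+1-555-0199")


def run_attack(pin_to_verified_contact: bool):
    """Replay stages 5 and 6 of the playbook; report where the next payment would go."""
    record = VendorRecord("ACME Construction", VENDOR_AP, "ACCT-ORIGINAL", verified_contact=VENDOR_AP)
    portal = Portal(record, pin_to_verified_contact)

    portal.update_contact(ATTACKER)                                 # stage 5: reroute verification
    req = portal.request_change("bank_account", "ACCT-ATTACKER")    # stage 6: redirect payments
    held = portal.payment_destination() is None                     # payment run waits for confirmation

    # Whoever controls the contact answers the callback: the attacker approves,
    # the real AP desk says it never asked for a change.
    portal.resolve(req, approved=(req.sent_to == ATTACKER))
    return portal.payment_destination(), req.status.value, req.sent_to.email, held


if __name__ == "__main__":
    print("profile-contact confirmation :", run_attack(False))
    print("verified-contact confirmation:", run_attack(True))
```

The first run shows the confirmation routed to the attacker's free webmail address and the next payment going to the attacker's account; the second shows the same two edits confirmed with the contact of record, the change rejected, and the original account retained. The design choice that matters is that verified_contact is written only by the onboarding process and cannot be changed through the portal, so editing the profile contact first, the attacker's stage 5, does not move the confirmation.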
How Does PaymentWorks Guard Against Vendor Account Compromise?

While most vendor portals were designed for operational efficiency, PaymentWorks was designed with fraud prevention at its core. It closes the gaps VAC attackers exploit. Full stop.
Specifically, here’s how we help:
PaymentWorks verifies the vendor’s legal identity and confirms that the bank account belongs to that vendor using authoritative, third-party data sources. This prevents payments from ever being routed to fraudulent accounts.
Static identifiers are no longer the gatekeepers. PaymentWorks uses secure, identity-verified onboarding to ensure that the person creating or accessing a vendor profile is truly authorized — shutting down impersonation attempts.
Any update to critical information (banking, tax IDs, addresses) triggers an automated, independent verification process with the vendor’s verified contact, outside potentially compromised communication channels.
PaymentWorks actively scans for high-risk changes, suspicious domains, and other red flags. Real-time alerts allow rapid investigation before any payment is made, and a full audit trail supports forensic review.
PaymentWorks becomes the single source of truth for verified vendor data, accessible to procurement, finance, and IT. This shared visibility eliminates silos, making it harder for criminals to hide malicious activity in plain sight.
In sum (and to be clear), we don’t just guard against vendor account compromise—we back it up. Our customers benefit from a $2M ACH fraud indemnification policy, providing an extra layer of financial protection on top of our controls.
Vendor Account Compromise (VAC) is Not a Fringe Threat

Vendor Account Compromise is a proven, repeatable scheme that’s stealing millions from government and educational institutions across the country. The FBI and MS-ISAC have made it clear: weak authentication, siloed teams, and lack of independent verification create the perfect conditions for attackers to succeed.
The financial ramifications are dire: money lost this way is rarely recovered. However, that’s just the beginning. Organizations that fall victim to VAC risk public trust, vendor relationships, and operational stability.
And here’s the kicker: the cost of prevention is a fraction of the cost of recovery.
PaymentWorks invites you to move beyond reactive defenses. We’ll help you verify vendor identity and bank ownership, monitor continuously for red flags, and give IT, finance, and procurement teams a shared view of critical vendor data. In short, we’ll close the very gaps that VAC attackers are looking to exploit.
We have the playbook. We built the playbook. Let us help you guard against this threat now—not after the next payment goes to a criminal instead of your vendor.
Get Ready for Vendor Management Day 2025

The Vendor Management Appreciation Day (#VMAD) celebration continues in 2025, and you should join us.
Why? Because there’s no expiration date on honoring one of the most important, under-recognized roles across industries: vendor management. We’re gearing up for the 2025 celebration, and we want you to be a part of it!
VMAD is a new holiday geared toward unifying vendor management professionals and celebrating innovation in the field.
Moreover, we’ve released gifts each month to help you supercharge your vendor management efforts. Additionally, we’re planning some awesome events so everyone can connect and celebrate the important, strategic role of vendor management.
In the meantime, learn more here, and grab some free vendor management goodies.
Interested in More Tips On Preventing Vendor Account Compromise?

Explore our blogs below. They’re filled with action items you can implement right away.
Nacha’s Upcoming Rule Change: What You Need to Know
The Case for Automating Third-Party Risk Management: Costs, Risks, and ROI
Cleaning Up Vendor Information Management for 2025
Vendor Verification: How NOT to Do it and What to Do Instead
Want Personalized Guidance On Preventing Vendor Account Compromise?

We’d love to walk through your process with you and talk about security, compliance, efficiency and sleeping better at night.
© Copyright 2025 - PaymentWorks