Why every business is now in scope
If you receive invoices, you're a target. Construction, professional services, retail, nonprofits — anyone who moves money to vendors that change occasionally is in the dataset attackers buy. Public records, LinkedIn pages, and procurement notices give them what they need to write a convincing email.
The one rule that prevents almost every attempt
Any change to a vendor's payment details — bank account, routing number, address, ACH method — requires a phone call to a phone number you already had. Not the one in the email. Not the one on the new invoice. The one in your records from before today. That single rule defeats the overwhelming majority of attacks we see.
Make the rule a checkbox, not a habit
Don't leave it to memory. The verification process should be a one-page form your AP team signs off on for every change — name of caller, number called, date, signed. Audited quarterly. Documented in writing once, used every time.
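One way an AP system could enforce the callback rule and the sign-off form described above, as an added example that is not part of the original article. The record types, field names, sample values, and the assumption of US-format phone numbers are hypothetical.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import date

@dataclass
class PhoneOnFile:
    number: str
    recorded: date  # when the number entered the vendor master file

@dataclass
class CallbackForm:  # the one-page form: caller, number called, date, signature
    caller: str
    number_called: str
    call_date: date
    signed_by: str

def digits(number: str) -> str:
    """Bare digits; drops a leading US country code (assumes US numbers)."""
    d = re.sub(r"\D", "", number)
    return d[1:] if len(d) == 11 and d.startswith("1") else d

def review_change(received: date, numbers_in_request: list[str],
                  on_file: list[PhoneOnFile], form: CallbackForm | None) -> list[str]:
    """Return reasons to hold the change; an empty list means it may proceed."""
    if form is None:
        return ["no callback form on record"]
    problems = []
    if not (form.caller.strip() and form.signed_by.strip()):
        problems.append("form is missing caller name or signature")
    if form.call_date < received:
        problems.append("callback predates the change request")
    called = digits(form.number_called)
    # Only numbers recorded before the request arrived count as "already had".
    trusted = {digits(p.number) for p in on_file if p.recorded < received}
    if called not in trusted:
        if called in {digits(n) for n in numbers_in_request}:
            problems.append("number called came from the request, not prior records")
        else:
            problems.append("number called was not on file before the request")
    return problems

# Constructed sample: one long-standing number, one added the day the request arrived.
RECEIVED = date(2024, 5, 6)
ON_FILE = [PhoneOnFile("(555) 010-0142", date(2022, 3, 1)),
           PhoneOnFile("555-010-0199", date(2024, 5, 6))]
IN_REQUEST = ["+1 555 010 0199"]
```

A number written into the vendor file on the same day the change request arrived is treated as untrusted, which covers the case where the phone number was altered just ahead of the bank details.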
Insurance is not a substitute
Cyber-fraud coverage will sometimes pay out, but the deductibles are climbing and the carriers are getting strict about prior controls. The cheapest fraud insurance you'll buy is the playbook above — and a 30-minute training session for everyone who touches AP.
