Vendor impersonation fraud is increasing, and businesses can no longer rely on email alone to validate payment changes. Criminals are highly sophisticated, sending convincing messages and fraudulent invoices that use real vendor names, logos, and formatting to closely mimic legitimate billing documents.

In many cases, fraudsters request updated Wire or ACH instructions and submit fake invoices with new transfer details, often making the request appear routine and urgent. 

One of the most effective safeguards to protecting your business is a simple outbound phone call to a trusted contact using a phone number already on file. Taking a few extra minutes to verbally confirm new payment instructions or validate an unexpected invoice can help prevent significant financial loss and operational disruption.

First Hawaiian Bank strongly encourages clients to implement strict verbal verification procedures before processing any payment instruction changes or paying invoices with updated remittance information.

What Is Vendor Impersonation and Invoice Fraud?

Vendor impersonation fraud is a form of Business Email Compromise in which fraudsters:

• Impersonate a legitimate vendor or supplier.
• Send fraudulent invoices that closely resemble real invoices.
• Request changes to payment instructions (wire or ACH).
• Create urgency or request confidentiality to pressure quick action.

These emails often appear authentic and may even come from a compromised, legitimate email account. In many cases, fraudsters monitor vendor communications to replicate tone, formatting, and transaction timing. Without proper verification controls, businesses can unknowingly redirect payments to fraudsters.

Invoice and Payment Change Best Practices

If you receive instructions to send funds in a new or different account or receive an unexpected or unusual invoice, follow these best practices:

1. Pause and Verify Verbally
   • Call your vendor directly using the trusted phone number already on file.

   • Do not use the phone number provided in the email or listed on the invoice.

   • Speak with a known contact and confirm the change request or invoice live.

2. Confirm All Details Carefully
   • Verify the sender’s email address character by character.

   • Watch for subtle domain changes (for example, “.co” instead of “.com”).

   • Inspect invoice details, including remittance information and formatting inconsistencies.

   • Be cautious of urgent, confidential, or last-minute payment requests.

3. Review of the Vendor’s Normal Payment Patterns
   • Are the payment amounts typical?

   • Is timing consistent with normal invoices?

   • Has the vendor changed banking information before?

   • Does the invoice match existing purchase orders or contracts?

If You Suspect Fraud

Act immediately to protect your business:

• Contact your banker or the bank right away to report the fraudulent attempt. 
• If you have sent a fraudulent payment, ask your bank for assistance in stopping or 
    recalling the transaction. Time is critical in attempting to freeze or recover funds.  
• File a police report with your local law enforcement agency.
• File a complaint with the Internet Crime Complaint Center at www.IC3.gov, regardless of the dollar amount involved.
   

Prompt reporting improves the chances of recovery and helps protect other businesses from similar attacks.

First Hawaiian Bank Is Here to Help

If you suspect your business has been targeted or victimized by fraudsters, contact your banker or First Hawaiian Bank immediately by calling (toll-free at 888-844-4444).

Protecting your business requires vigilance, strong internal controls, and consistent verbal verification procedures. Please share this information with your accounting teams and employees to help safeguard your business from fraud.