Vendor‑Invoice Scams Using AI Voices and Deepfakes: The New Face of BEC

Introduction — Why vendor invoices are the new target for AI‑powered BEC

Business Email Compromise (BEC) has long relied on social engineering and invoice forgery. In 2023–2024 criminals began pairing traditional vendor‑invoice fraud with voice cloning and deepfake video to add instant credibility to a fake bank‑change request or a last‑minute payment demand. The result: finance teams see an email that looks legitimate and then receive a convincing audio or video “confirmation” that pressures them to bypass normal controls.

These hybrid attacks exploit two assumptions many organizations make: (1) that an email thread from a known vendor means the payment details are valid; and (2) that a familiar voice or a face on a call is proof of identity. Both assumptions can now be defeated with minutes of publicly available audio or video.

How modern vendor‑invoice deepfake scams work — step by step

These scams typically combine email compromise, vendor identity theft, and synthetic media to move funds quickly. Typical stages include:

  1. Reconnaissance: Attackers harvest names, job titles, corporate jargon, and short voice clips from earnings calls, webinars, social posts, or voicemail greetings to train models.
  2. Initial access / thread insertion: The attacker either compromises the vendor’s mailbox or creates a lookalike email address and waits until an invoice cycle is active.
  3. Invoice swap: A legitimate invoice or a follow‑up is replaced with a near‑perfect copy that contains new banking instructions or a payment portal URL under attacker control.
  4. Out‑of‑band reinforcement: Within minutes the accounts payable contact receives a call, voicemail, or an invited video meeting where a cloned voice (or deepfaked executive) corroborates the change and urges immediate payment. This reduces time for verification and raises the chance of a successful wire. Real cases of deepfake‑assisted transfers have been reported in recent years.
  5. Rapid laundering: Funds are moved through mule accounts, domestic transfers, or crypto rails to frustrate recovery.

Because the attack blends channels, a single control—like email authentication—is not enough. Effective defense requires both technical controls and strict human procedures.
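The point about email authentication can be seen in a short check, added here as an example and not part of the original article: a lookalike domain passes DMARC for itself, so the sender domain also has to be compared against the vendor master file. The vendor domains, the two-edit threshold, and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed vendor master file domains (constructed for this example).
VENDOR_DOMAINS = {"acme-supplies.example", "northwind-freight.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def dmarc_result(msg) -> str:
    """Read dmarc=<result> from the receiver's Authentication-Results header."""
    for part in msg.get("Authentication-Results", "").split(";"):
        part = part.strip()
        if part.startswith("dmarc="):
            return part[6:].split()[0]
    return "none"

def classify(raw: str) -> str:
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in VENDOR_DOMAINS:
        # A pass only proves the domain sent it; a compromised vendor mailbox
        # still passes, so bank changes need out-of-band verification anyway.
        return "known-vendor" if dmarc_result(msg) == "pass" else "spoof-suspect"
    nearest = min(VENDOR_DOMAINS, key=lambda d: edit_distance(domain, d))
    if edit_distance(domain, nearest) <= 2:   # assumed threshold
        return f"lookalike-of:{nearest}"
    return "unknown-sender"

def sample(sender: str, dmarc: str) -> str:
    """Build a constructed test message; not real mail."""
    dom = sender.rpartition("@")[2]
    return (f"From: Accounts <{sender}>\n"
            f"Authentication-Results: mx.buyer.example; dmarc={dmarc} header.from={dom}\n"
            "Subject: Updated remittance details\n\nPlease use the new account.\n")

GENUINE = sample("billing@acme-supplies.example", "pass")
LOOKALIKE = sample("billing@acme-supp1ies.example", "pass")   # digit 1 for letter l
SPOOFED = sample("billing@acme-supplies.example", "fail")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)]:
        print(name, "->", classify(raw))
```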

Detection, response and prevention — practical checks finance teams can adopt today

Below are prioritized, actionable defenses organized by quick wins, process changes, and technical controls:

Quick verification steps (immediate)

  • Never rely on a single channel: if an email requests a bank change, verify by calling the vendor using a phone number on file (not numbers provided in the message). If call confirmation is required, use a previously agreed callback number or the internal directory.
  • Insist on dual authorization: payments above a threshold must have two independent signoffs from people who did not communicate about the change.
  • Use a short 'safe word' or vendor confirmation code stored in the vendor master file for any bank‑change request.

Operational controls (team and policy)

  • Require a mandatory vendor‑bank‑change form with corporate stamps or notarized confirmation for high‑risk vendors.
  • Train AP to treat last‑minute or after‑hours bank‑change requests as high risk and to escalate to a treasury or legal contact.
  • Rotate responsibility for payment approvals to avoid single‑person bottlenecks attackers can exploit.

Technical mitigations

  • Enforce email authentication (DMARC, SPF, DKIM) with policy enforcement so spoofed messages are blocked or quarantined.
  • Harden email accounts with phishing‑resistant MFA, disable legacy auth, and monitor for mailbox forwarding rules and anomalous login locations.
  • Use transaction monitoring to flag new payee accounts, changes in payee patterns, and unusually fast payment flows for manual review.
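The verification, dual-authorization, and transaction-monitoring checks above can be combined into a payment hold rule. This is an added example, not code from the original article; the field names, thresholds, time windows, and sample payments are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values; set them from your own payment policy.
DUAL_AUTH_THRESHOLD = 10_000
RECENT_CHANGE = timedelta(days=30)    # how long new bank details count as "new"
COOLING_OFF = timedelta(hours=24)     # flags unusually fast payment flows
BUSINESS_HOURS = range(8, 18)         # 08:00 to 17:59 local time

@dataclass
class Payment:
    amount: float
    requested_at: datetime
    bank_changed_at: datetime | None  # last bank-detail change in the vendor master
    callback_verified: bool           # confirmed by calling the number already on file
    approvers: set = field(default_factory=set)
    change_contacts: set = field(default_factory=set)  # staff who handled the change request

def hold_reasons(p: Payment) -> list[str]:
    """Return every reason the payment should go to manual review."""
    reasons = []
    age = p.requested_at - p.bank_changed_at if p.bank_changed_at else None
    recent = age is not None and age <= RECENT_CHANGE
    if recent and not p.callback_verified:
        reasons.append("bank details changed without callback to number on file")
    if recent and p.requested_at.hour not in BUSINESS_HOURS:
        reasons.append("after-hours request following a bank change")
    if recent and age <= COOLING_OFF:
        reasons.append("payment requested within 24h of a bank change")
    if p.amount >= DUAL_AUTH_THRESHOLD:
        # Approvers who communicated about the change do not count as independent.
        if len(p.approvers - p.change_contacts) < 2:
            reasons.append("fewer than two independent approvers")
    return reasons

# Constructed sample payments.
EVENING = datetime(2024, 3, 14, 19, 30)
RUSHED = Payment(48_000, EVENING, EVENING - timedelta(hours=2), False,
                 {"dana", "lee"}, {"dana"})
VERIFIED = Payment(48_000, datetime(2024, 3, 14, 11, 0), datetime(2024, 3, 4, 9, 0),
                   True, {"lee", "sam"}, {"dana"})
ROUTINE = Payment(500, EVENING, None, False, {"lee"})

if __name__ == "__main__":
    for name, p in [("rushed", RUSHED), ("verified", VERIFIED), ("routine", ROUTINE)]:
        print(name, hold_reasons(p) or "release")
```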

If you suspect fraud — immediate actions

  1. Stop further payments and place holds where possible.
  2. Contact your bank immediately; ask them to recall or freeze outgoing transfers and to trace the destination account.
  3. Preserve evidence: export email headers, save call logs, download any video files, and document times and people involved.
  4. Report to law enforcement, including the FBI Internet Crime Complaint Center (IC3) and local authorities. Industry guidance and FBI alerts explain that synthetic‑media BEC is an active threat vector—reporting helps link incidents and supports investigations.

Longer‑term: invest in fraud analytics, vendor validation services, and tabletop exercises that simulate combined email + deepfake voice scenarios. These help reveal procedural gaps before attackers exploit them.

Why leadership must act now

AI makes believable impersonation inexpensive. As attackers adopt voice cloning and realistic video, organizations that treat audio/video confirmation as definitive proof will face growing losses. Combine verification protocols, technical controls, and employee training to reduce risk—then test those controls regularly.