
Your AP Controls Were Built for Human-Speed Fraud

Phil Bolton · May 2, 2026 · 3 min read

A founder I work with runs a 35-person agency. Two weeks ago her AP coordinator paid a $48,000 invoice to a longstanding production vendor. The invoice was real. The work was real. The bank account on the wire was not the vendor's.

On inspection the PDF looked fine. Same logo, same layout, same line items, same signature block. Only the routing and account numbers had been replaced. The original PDF, signed by the vendor's accounting lead, had been intercepted somewhere between her vendor's email server and her inbox. Re-rendered with new banking details. Forwarded on as if nothing had changed.

Her vendor called a week later asking when payment would clear.

What changed

For five years the playbook on invoice fraud was the same. Watch for misspelled domains. Confirm large wires by phone. Train people not to trust urgent payment emails from someone claiming to be the CEO. Most $5-15M companies have a version of that policy.

The 2026 attack is different. Attackers compromise one mailbox in a vendor's accounting team and wait. When a real invoice goes out, AI tooling edits the PDF, replaces the banking line, and forwards a near-identical copy. It happens in minutes. The cover email matches the sender's writing voice, learned from six months of prior threads sitting in that same mailbox. No spelling error. No urgency cue. And because the copy leaves the vendor's real mailbox, a lookalike-domain check and a "reply to confirm" both pass. Nothing flags as off.

Vendor impersonation using AI was a curiosity in 2024. By the end of 2025 it was routine. Most growing companies have not updated their controls in that time.

Your AP controls were built for human-speed fraud. The threat now operates faster than the controls do.

What actually catches it

Two controls would have stopped this attack. Neither requires new software.

Any change to a vendor's banking details should require phone confirmation. Not "reply to confirm." Not "email from a different address." A phone call to a known number on file, not the number in the email signature and not the number printed on the invoice: an attacker who can edit the account number on a PDF can edit the phone number next to it. For a 30-50 person company, this might trigger five or six calls a year. Each one takes four minutes. The cost is trivial and the savings are categorical.

Dual approval on any wire over a threshold the company picks. Ten thousand dollars is reasonable for most $5-15M businesses. Two different people see the invoice, the vendor record, and the wire instructions before money moves, and the check that matters is whether the account on the wire matches the vendor record, not whether it matches the invoice. One person under pressure makes mistakes. Two people catch them.

AP automation tools companies bought in the last two years can enforce both controls if configured. Most aren't.

What to do this week

Pull your last quarter of vendor bank changes from your AP system. Most growing companies have between two and ten. For each one, confirm whether the change was verified by phone. If you can't tell from the audit log, treat it as unverified.

Write the policy in one paragraph. Banking changes require a phone call to a number on file. Wires over $10K require two approvers. New vendors require a W-9 and a callback before the first payment.

Three sentences. No new software. No new headcount. The reason this still doesn't get done is that nobody's seen the loss yet. The companies that see it first don't tell anyone.
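The quarterly pull described above, as an added example in Python (not the author's code and not any AP vendor's export format): it takes constructed sample records of vendor bank-detail changes, callback logs, and outgoing wires, then flags changes with no callback to the number on the vendor record, wires that already went to such accounts, and wires at or above the threshold with fewer than two distinct approvers. The field names, the five-day callback window, and the `number_source` labels are assumptions; a real AP system's audit export will need mapping onto them.

```python
"""
Quarterly AP control review over constructed sample data.
Flags: bank changes with no qualifying callback, wires already sent to
those accounts, and wires over the threshold lacking two distinct approvers.
All records below are made up for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy parameters (assumed; the article suggests $10K and a callback on every change)
DUAL_APPROVAL_THRESHOLD = 10_000
CALLBACK_WINDOW_DAYS = 5              # callback must be logged within this window after the change
TRUSTED_CALLBACK_SOURCE = "vendor_master"  # number dialed must come from the vendor record on file


@dataclass
class BankChange:
    vendor: str
    changed_at: datetime
    old_account: str
    new_account: str
    changed_by: str


@dataclass
class Callback:
    vendor: str
    called_at: datetime
    number_source: str   # "vendor_master", "email_signature", "invoice", ... (assumed labels)
    verified_by: str


@dataclass
class Wire:
    wire_id: str
    vendor: str
    sent_at: datetime
    amount: float
    to_account: str
    approvers: tuple


def unverified_bank_changes(changes, callbacks, window_days=CALLBACK_WINDOW_DAYS):
    """A change is verified only by a callback to the vendor-master number,
    logged on or after the change and within the window. A call to a number
    taken from the email or the invoice does not count: that number may be the attacker's."""
    flagged = []
    for ch in changes:
        verified = any(
            cb.vendor == ch.vendor
            and cb.number_source == TRUSTED_CALLBACK_SOURCE
            and ch.changed_at <= cb.called_at <= ch.changed_at + timedelta(days=window_days)
            for cb in callbacks
        )
        if not verified:
            flagged.append(ch)
    return flagged


def wires_to_unverified_accounts(wires, flagged_changes):
    """Wires that already went to an account introduced by an unverified change."""
    risky = {(ch.vendor, ch.new_account) for ch in flagged_changes}
    return [w for w in wires if (w.vendor, w.to_account) in risky]


def wires_missing_dual_approval(wires, threshold=DUAL_APPROVAL_THRESHOLD):
    """Wires at or above the threshold with fewer than two distinct approvers.
    The same person approving twice is counted once."""
    return [w for w in wires if w.amount >= threshold and len(set(w.approvers)) < 2]


# Constructed sample quarter: three bank changes, two callbacks, four wires.
SAMPLE_CHANGES = [
    BankChange("Northwind Production", datetime(2026, 4, 14), "****1122", "****9087", "ap.coordinator"),
    BankChange("Acme Print", datetime(2026, 3, 3), "****4410", "****4412", "ap.coordinator"),
    BankChange("Bluebird Studio", datetime(2026, 2, 20), "****7001", "****3355", "controller"),
]
SAMPLE_CALLBACKS = [
    # Acme: proper callback to the number on the vendor record, the next day.
    Callback("Acme Print", datetime(2026, 3, 4), "vendor_master", "controller"),
    # Bluebird: "verified" by dialing the number in the email signature. Does not count.
    Callback("Bluebird Studio", datetime(2026, 2, 20), "email_signature", "ap.coordinator"),
]
SAMPLE_WIRES = [
    Wire("W-1031", "Northwind Production", datetime(2026, 4, 16), 48_000.00, "****9087", ("ap.coordinator",)),
    Wire("W-1032", "Acme Print", datetime(2026, 3, 10), 12_500.00, "****4412", ("ap.coordinator", "controller")),
    Wire("W-1033", "Bluebird Studio", datetime(2026, 3, 1), 4_200.00, "****3355", ("ap.coordinator",)),
    Wire("W-1034", "Acme Print", datetime(2026, 4, 2), 15_000.00, "****4412", ("controller", "controller")),
]


def run_review(changes=SAMPLE_CHANGES, callbacks=SAMPLE_CALLBACKS, wires=SAMPLE_WIRES):
    """Return the three lists a controller would want on one page."""
    flagged = unverified_bank_changes(changes, callbacks)
    return {
        "unverified_changes": [c.vendor for c in flagged],
        "wires_to_unverified": [w.wire_id for w in wires_to_unverified_accounts(wires, flagged)],
        "wires_single_approver": [w.wire_id for w in wires_missing_dual_approval(wires)],
    }


if __name__ == "__main__":
    for key, items in run_review().items():
        print(f"{key}: {items}")
```

On the sample quarter the review flags Northwind (no callback at all) and Bluebird (callback to the email-signature number), the two wires that already went to those new accounts, and two wires over the threshold that had only one distinct approver. The $48,000 Northwind wire shows up in all three lists, which is the point: either control alone would have stopped it.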

Phil Bolton

Founder & Principal at Manitou Advisory
