May 21, 2026

Your vendors aren't who you think they are

Vendor fraud is getting harder to detect and easier to pull off. Here’s how finance teams can keep up.

Between 2013 and 2015, Evaldas Rimasauskas registered a company in Latvia under the name of a well-known Taiwanese hardware manufacturer called Quanta Computer. The real Quanta had contracts with some of the biggest technology companies in the world.

The fraudster forged invoices and contracts tied to the fake company. He created counterfeit company stamps and spoofed email accounts to make the vendor appear legitimate. Before anyone noticed, Google and Facebook had wired $122 million to bank accounts in six countries.

Rimasauskas was eventually caught, but the incident exposed how fragile vendor verification can be. And the underlying problem has only accelerated. Vendor imposter fraud was reported by 45% of organizations in 2024, a sharp jump from 34% the year before. Today, fake businesses can be assembled with AI-generated documents, polished websites, spoofed communications, and authentic-looking corporate filings in a matter of hours.

Fake vendors are getting easier to create and harder to spot. Many are slipping through:

  • In 2025, federal prosecutors charged five individuals in Brooklyn with creating hundreds of shell companies used to fraudulently obtain more than $20 million in construction materials and appliances.
  • An Arizona woman was sentenced for helping North Korean IT workers use stolen American identities to secure remote contractor jobs at more than 300 U.S. companies, generating over $17 million in revenue.
  • U.S. authorities also warned in 2025 that North Korean operatives were using AI tools, fake identities, and “laptop farms” to infiltrate American companies as remote workers while appearing to operate domestically.

We spoke with a fraud attorney, a cybersecurity consultant, a fraud researcher, and identity technology specialists who work with companies to solve exactly these risks.

Given the scale of the threat, experts tell us that your AP team now needs the instincts of a fraud investigator and the skepticism of a detective.

In this guide, we’ll cover:

  • What KYB is and how it differs from KYC
  • Where vendor fraud is coming from right now, and which threats are growing fastest
  • Where most companies are falling short
  • What a modern vetting process looks like, from onboarding through ongoing monitoring

What is “Know Your Business,” and why does it matter?

Most finance professionals are familiar with Know Your Customer, or KYC, the identity verification requirements banks use when onboarding account holders. Know Your Business, or KYB, is its commercial counterpart.

“Know your business is more about the mechanism by which you try to avoid vendor fraud. It’s a series of best practices and rules for making sure the people that you’re working with are who you think they are,” says Samuel May, legal research specialist at the Association of Certified Fraud Examiners (ACFE), a global network of fraud examiners, auditors, and compliance professionals.

The core components of KYB include:

  • Entity verification (is this company legitimately registered?)
  • Ultimate Beneficial Owner disclosure (who actually controls it?)
  • Regulatory and reputational screening, including checks against watchlist databases and media scanning for negative news coverage.
  • Ongoing monitoring after onboarding.

The challenge, according to Ankur Sheth, senior managing director in the cybersecurity practice at FTI Consulting, is that even when companies run those checks, they tend to run them in isolation: one team checks the business registration, another checks sanctions, and nobody’s putting it all together. A unified system that consolidates all KYB data — with clear ownership — helps companies catch problems before a vendor is approved.

Beth Moskow-Schnoll, a partner at Ballard Spahr and co-lead of the firm’s anti-money laundering practice, says the consequences of getting vendor vetting wrong go further than most finance teams realize. It’s a violation of the law to conduct a financial transaction with a sanctioned party.

The Office of Foreign Assets Control (OFAC) runs a searchable sanctions database — which includes the Specially Designated Nationals and Blocked Persons (SDN) list — listing every individual, company, and organization with which U.S. businesses are prohibited from transacting. It also includes sanctioned foreign governments, terrorist groups, drug traffickers, and others deemed a threat to national security. If you’re a finance leader, the responsibility falls on your team to make sure the businesses you’re interacting with aren’t on it.

OFAC violations can carry civil penalties, and in some cases, criminal penalties, regardless of whether a company knew it was dealing with a sanctioned party.

The fallout can show up unexpectedly. Moskow-Schnoll recalls a client that was hit with a ransomware attack and, after verifying the recipient was not on the OFAC sanctions list, made a payment to get their systems back up and running as quickly as possible.

Later, another problem surfaced: OFAC added the recipient entity to the list.

“The insurance company would not pay our client back for the ransom they had paid,” Moskow-Schnoll says.

The client self-disclosed to OFAC, which issued a warning and ultimately cleared the payment — at which point the insurer paid out. But it was a detour that took time and legal resources nobody had prepared for.

The threat landscape

Vendor fraud takes many forms. Here are the main vectors experts are watching right now.

Shell company infiltration: Still the most common entry point, this is a legally registered business that exists purely on paper, but has no real business purpose. These entities are filed with the relevant secretary of state, assigned a tax ID, and sometimes left to age for years before being activated for fraud (known as a shelf company).

“They are just purely a name and an account and a registered business,” says ACFE’s May.

AI means the facade is both easier to create and more convincing.

Business identity theft: Here, a fraudster doesn’t create a fake company. They take the details of a real, established business and use them to open accounts or submit invoices.

Alloy Principal Advisor for Fraud and Identity Risk Sara Seguin points out they’re leaning on a trusted entity’s reputation to get into payment flows.

In 2022, Eagle Mountain City, Utah lost $1.13 million after fraudsters inserted themselves into an active email thread between the city and a road construction vendor and sent updated payment instructions. Nobody realized the fraud until the funds had cleared.

Deepfake-enabled impersonation: Given AI capabilities to generate lifelike audio, video, and text, this is the threat that has everyone’s attention right now. Fraudsters are using AI-generated audio and video to impersonate vendors or executives during verification calls, defeating the verification processes companies rely on.

“We used to just pick up the phone and call [businesses],” to verify they are who they say they are, says May. But thanks to AI-generated voices and videos, there’s reason to question whether you’re speaking with a real person.

“Fraud as a service”: Sheth points to the rise of what he calls “fraud as a service,” a concept borrowed from the ransomware world, where bad actors can buy ready-made SaaS-type tools for creating fake companies and impersonating legitimate vendors.

“Less sophisticated people can do it more easily,” Sheth says. As the barriers fall, the volume of attacks is rising with them.

What good KYB looks like now

A modern KYB process addresses three layers: how you verify vendors before they enter your system; how you monitor them once they’re active; and the technology that keeps both processes scalable, repeatable, and low-lift.

Most companies are only doing the first — and even then, not thoroughly enough.

Here’s what getting it right requires.

1. Trust no vendor by default

Verify the business against government registries, confirm tax registrations, validate email domains, and check bank account details. A voided check alone isn’t enough. You should confirm the account actually belongs to the vendor.

“When you’re onboarding a new vendor, you have to perform due diligence on every single one, even if they claim to be a huge company that everybody’s heard of,” says Moskow-Schnoll.

Then go a layer deeper: screen the people behind the business, not just the entity itself.

Seguin says this is where most companies stop short. “It isn’t just the one-time check. Who is that business? Who is sitting under that business? Did you complete fraud screening? It is a full scope [review of] an identity.”

2. Look for connections that don’t add up

May says one of the most overlooked steps in KYB is basic link analysis. This refers to cross-referencing a vendor’s identifying details — address, phone number, registered agent, beneficial owners — against sanctions lists, beneficial ownership databases, and even your own vendor and employee records to find suspicious connections. Many businesses don’t do this on their own: they use a partner KYB platform to automate checks across all those data sources simultaneously.

“If they have a shared address, a shared phone number, a shared registered agent to other companies, it’s a red flag,” he says. “You need to look a little bit deeper.”

For higher-risk or higher-spend vendors, companies may need to go beyond digital checks. “Digital footprints are untrustworthy,” he says. “An on-site visit is becoming more and more of a requirement.”
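
An added example, not from the article or from any vendor it names: a small sketch of the link analysis described above, which normalizes identifying details and surfaces vendors that share an address, phone number, registered agent, or person with another vendor or an employee. The field names, weights, and sample records are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed weights: a shared registered agent is common among real companies, so it counts least.
WEIGHTS = {"person": 3, "phone": 2, "address": 2, "agent": 1}
ABBREV = {"street": "st", "suite": "ste", "avenue": "ave", "road": "rd"}

def normalize(field, value):
    """Reduce formatting differences so equal values compare equal."""
    if field == "phone":
        return re.sub(r"\D", "", value)[-10:]
    words = re.sub(r"[^a-z0-9 ]", " ", value.lower()).split()
    if field == "address":
        words = [ABBREV.get(w, w) for w in words]
    return " ".join(words)

def find_links(vendors, employees):
    """Return {(field, value): record ids} for values shared with a vendor."""
    index = defaultdict(set)
    def add(field, value, rid):
        key = normalize(field, value or "")
        if key:  # blank fields must not link unrelated records
            index[(field, key)].add(rid)
    for v in vendors:
        for field in ("address", "phone", "agent"):
            add(field, v.get(field), v["id"])
        for owner in v.get("owners", []):
            add("person", owner, v["id"])
    for e in employees:
        for field, key in (("person", "name"), ("address", "address"), ("phone", "phone")):
            add(field, e.get(key), e["id"])
    vendor_ids = {v["id"] for v in vendors}
    return {k: ids for k, ids in index.items() if len(ids) > 1 and ids & vendor_ids}

def review_queue(vendors, employees):
    """Rank vendors by the total weight of the attributes they share."""
    vendor_ids = {v["id"] for v in vendors}
    scores = defaultdict(int)
    for (field, _), ids in find_links(vendors, employees).items():
        for rid in ids & vendor_ids:
            scores[rid] += WEIGHTS[field]
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample data; every name, address and number is made up.
VENDORS = [
    {"id": "V-1", "address": "12 Harbor Street, Suite 400", "phone": "(302) 555-0142", "agent": "Example Agents Inc.", "owners": ["Dana Reyes"]},
    {"id": "V-2", "address": "12 Harbor St Ste 400", "phone": "302-555-0199", "agent": "Example Agents, Inc", "owners": ["Lee Okafor"]},
    {"id": "V-3", "address": "88 Mill Road", "phone": "+1 415 555 0107", "agent": "Other Agents LLC", "owners": ["Sam Patel"]}]
EMPLOYEES = [{"id": "E-7", "name": "lee okafor", "address": "5 Elm Ave", "phone": "302 555 0199"}]
```

On the sample data, `review_queue(VENDORS, EMPLOYEES)` puts V-2 first because its phone number and beneficial owner match an employee record; a match is a prompt for closer review, not proof of fraud.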

3. Apply KYB continuously

A lot of fraud doesn’t happen during onboarding. It happens later, like when someone requests updates to their banking details.

Any change to payment instructions should trigger an independent verification step through a channel other than email. And no single employee should be able to approve and release a payment on their own.

Regular checks are also important because a vendor that passes KYB today may not look the same six months from now. Ownership changes, new sanctions exposure, and other critical changes to a vendor’s profile can introduce new risk.

Seguin calls this “perpetual KYB.” As information on those records changes, your platform should notify you automatically, she says.

How often vendors should be re-verified depends on risk level. Sheth recommends a tiered approach: quarterly reviews for high-risk or high-spend vendors, and annual reviews for lower-risk relationships.

4. Modern fraudsters automate. Your finance team should too.

Manual KYB stops working once your vendor list gets big enough. Finance teams can’t realistically review every registration record, sanctions list, ownership change, and banking update manually.

Middesk Head of Product Drew Singer says companies are replacing manual reviews with automated systems that help teams spot suspicious vendors faster by automating business verification, fraud screening, and risk scoring. They can plug directly into vendor onboarding workflows so checks happen in the background without creating unnecessary friction for legitimate vendors.

Companies get an instant risk assessment before a vendor is approved. It can flag things like business timeline changes, Singer says. A company that has cycled through officers repeatedly since incorporation, for example, warrants a closer review.

Preparing for the fake vendor era

Companies must document their vendor due diligence — those that don’t face major risks and penalties.

Firms staying ahead continuously monitor vendors and build KYB checks directly into procurement and payment workflows. The real risk isn’t just having a fraudulent vendor in your system. It’s not knowing they’re there.

Modern KYB infrastructure requires investment. But the cost of skipping it — fraud losses, OFAC exposure, litigation, and reputational damage — is too big to ignore.

Suman Bhattacharyya, Contributing Writer, Ramp
Suman Bhattacharyya is a business and technology writer who covers financial services, enterprise technology, retail, management, and related fields. He has written for American Banker, The Wall Street Journal, The San Francisco Business Times, Industry Dive and other outlets.