
Does QuickBooks Bill Pay Verify Vendor Bank Account Changes?

Not in the way that protects you. QuickBooks Bill Pay runs a small test (“penny”) deposit to confirm a vendor’s bank account is real and can receive ACH — but that only checks the plumbing, not whether the change request is genuine. A fraudster’s account passes a penny test just as easily as the real vendor’s. And once a vendor’s details are set up, QuickBooks doesn’t give you a way to independently re-verify a later change. So if you run accounts payable for clients in QuickBooks, the job of confirming “is this bank-change request actually from the vendor?” is still yours — QuickBooks won’t do it for you.

That surprises a lot of bookkeepers, because “Bill Pay verified the account” feels like fraud protection. It isn’t. This guide explains exactly what QuickBooks does and doesn’t check, where the gap is, and the one step that actually closes it.

What QuickBooks Bill Pay actually checks

When you add or update a vendor’s bank details for ACH Bill Pay, QuickBooks typically initiates a micro-deposit (a penny or small test amount) to the account. The deposit usually processes a couple of business days later at the earliest, and its purpose is to confirm that the account number and routing number are valid and that the account can receive a payment.

That’s account validation. It answers “does this account exist and can it accept an ACH credit?” It does not answer the question that matters for fraud: “did the real vendor actually ask me to send their money to this account?”

There’s a second limitation worth knowing. As QuickBooks users and Intuit support threads point out, after a vendor’s bank info is entered at setup you can’t simply re-verify it in place — to change an existing vendor’s ACH details you generally toggle the payment method (for example off Online Bill Pay and back) so the system re-requests the bank information. Convenient or not, none of that is an identity check on the person making the request.

Why a penny test doesn’t stop payment-diversion fraud

The most common way firms lose client money isn’t a hacked system — it’s a believable email: “Our bank details have changed, please update before the next payment.” The attacker has often been reading a real mailbox for weeks, copies the vendor’s branding, and sends the request right when a payment is due.

Now walk it through QuickBooks Bill Pay. You update the vendor’s ACH details to the new (fraudulent) account. QuickBooks sends a penny to that account. It clears — because the fraudster’s account is a real account that can receive money. Everything looks “verified.” The next payment goes to the criminal.

The penny test did its job (the account is valid) and still didn’t help, because validity was never the question. The FBI’s Internet Crime Complaint Center reported business email compromise losses in the billions of dollars in 2024 (2024 Internet Crime Report), and a large share trace back to exactly this swap.

The step that actually closes the gap

The control that catches a fraudulent bank-change request is an out-of-band callback: you call the vendor on a number you already had — from a prior invoice, a signed contract, or your vendor file — not a number, link, or reply address from the change request, and confirm the new details verbally before you save them. Industry surveys bear this out: roughly 55% of companies verify bank changes in-house by phoning the vendor, while only about 11% rely on penny verification (the rest use third-party tools).

Two more pieces make it stick:

  • Maker–checker (dual control). The person who enters the bank-detail change shouldn’t be the one who approves it. Separating those duties is one of the most effective AP fraud controls there is.
  • A documented audit trail. Record who you called, the number you used and where it came from, what was confirmed, who approved it, and when. This is what an auditor — or a cyber-insurer reviewing a claim — will ask you to produce.

None of that lives inside QuickBooks Bill Pay. The penny test stays useful for catching typos and dead accounts, but the verification-and-documentation layer is something you add on top.
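
The three controls above (callback to a known number, maker-checker, audit record) written as a gate that must pass before anyone touches the vendor record. This is an added Python example, not QuickBooks or CallbackProof code; the field names, the sample vendor data and the SHA-256 hash chain used to make later edits to the log detectable are assumptions of the example.

```python
import hashlib
import json
from datetime import datetime, timezone

class ChangeRejected(Exception):
    """A bank-detail change failed one of the controls."""

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def approve_bank_change(log, vendor_file, request, callback, maker, checker):
    """Run the controls; on success append an audit entry to log and return it."""
    number = callback["number_called"]
    # Independent contact: the number must already be on file, never taken from the request.
    if number not in vendor_file["known_numbers"]:
        raise ChangeRejected("number called is not in the pre-existing vendor file")
    if not callback["confirmed_verbally"]:
        raise ChangeRejected("vendor did not confirm the new details")
    # Maker-checker: whoever enters the change cannot approve it.
    if maker == checker:
        raise ChangeRejected("maker and checker must be different people")
    entry = {
        "vendor": vendor_file["name"],
        "spoke_to": callback["spoke_to"],
        "number_called": number,
        "number_source": vendor_file["known_numbers"][number],
        "confirmed_account_last4": request["new_account"][-4:],
        "entered_by": maker, "approved_by": checker,
        "when": datetime.now(timezone.utc).isoformat(),
        "prev": log[-1]["hash"] if log else "0" * 64,  # chain to the previous entry
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def log_is_intact(log):
    """Recompute the chain; editing an entry or removing an earlier one breaks it."""
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or _digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True

# Constructed sample data (not real vendors, numbers or accounts).
VENDOR = {"name": "Acme Supply", "known_numbers": {"+1-555-0100": "signed contract 2023"}}
REQUEST = {"new_account": "000123456789", "reply_phone": "+1-555-0199"}
```

A callback placed to `REQUEST["reply_phone"]` is rejected because that number appears only in the change request, which is the case the penny test cannot catch.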

What this means if you run AP for clients

If you’re a bookkeeping or accounting firm paying vendors for multiple clients through QuickBooks, the exposure is multiplied: every client’s vendor list is a place a “we changed banks” email can land, and you’re the one who’d have to prove you checked. Relying on Bill Pay’s penny test as your control is the gap that gets firms — and their clients — burned.

The fix doesn’t require leaving QuickBooks. It requires a consistent procedure around it: treat every payment-detail change as unverified until someone calls the vendor back on a known number, gets a second approval, and logs it — then update QuickBooks. No log, no change.

If you want a ready-made version of that procedure, our free vendor bank-change verification template lays out the independent-contact rule, a word-for-word callback script, a dual-approval step, and a one-page log sheet, with no signup and nothing to buy. For the full mechanics, see “How to verify a vendor bank account change.” And if you carry cyber coverage, read “Does your cyber insurance require a callback”; many policies make that documented call a condition of paying a claim.

CallbackProof exists to make this routine across all of your clients: it enforces the callback-and-approval sequence and keeps a tamper-evident log you can hand to an insurer or auditor. It’s a documentation and workflow tool — it doesn’t replace QuickBooks and doesn’t move money; it records that you verified the change before you made it.

The bottom line

QuickBooks Bill Pay’s penny deposit confirms a vendor account is valid and can receive funds. It does not confirm that a bank-change request is legitimate, and it gives you no built-in way to independently re-verify a change — so it won’t stop payment-diversion fraud on its own. The control that does is an out-of-band callback to a known number, with dual approval and a documented record, performed before you update the vendor in QuickBooks.

Frequently asked questions

Does the QuickBooks penny/test deposit mean the vendor change is safe?

No. The test deposit confirms the account is real and can receive ACH. It does not confirm the change request came from the real vendor. A fraudulent account passes the test too.

Can I re-verify a vendor’s bank details inside QuickBooks after setup?

Not directly. To change an existing vendor’s ACH details you generally re-trigger the bank-info request (e.g., by toggling the payment method). That’s a data-entry step, not identity verification — the out-of-band callback is still on you.

What should I do before updating a vendor’s bank details in QuickBooks?

Call the vendor on a number you already had (not one from the request), confirm the new details verbally, get a second person to approve, and log all of it. Then make the change in QuickBooks.

Is calling the vendor really necessary if Bill Pay already sent a test deposit?

Yes. The test deposit and the callback answer different questions. Only the callback to a known number confirms the request is genuine, and only a record of it proves you checked.
