Businesses lost $2.77 billion to business email compromise in 2024 (FBI IC3 Internet Crime Report), and the most common version is almost embarrassingly simple: an email arrives saying “our bank details have changed — please update before the next payment.” The invoice is real, the vendor is real, the email looks right. Only the account number is wrong, and once the payment leaves, getting it back is rare.
If your firm pays vendors for clients, you field these requests constantly. This guide walks through how to verify a vendor bank account change the same way every time — the one rule that does most of the work, the exact callback to make, and what to write down so you can prove you did it. It is a process, not a product, and you can start using it today.
Why a bank-change request is the moment that matters
A vendor payment runs on autopilot until something about it changes. A change request is the single point where money can be quietly redirected, which is exactly why fraudsters target it. They do not need to hack your accounting system — they just need one believable email and one busy person who updates the payee and moves on.
The good news: the control that catches this is not software and not expensive. It is a phone call to a number you already trusted, plus a record that you made it. The hard part is not knowing that. It is doing it the same way every time, for the routine requests as much as the suspicious ones — because you cannot tell which is which until you have checked.
The one rule that does most of the work: the independent-contact rule
If you remember nothing else, remember this: never verify a change request using contact information that came with the request.
The phone number in the email signature, the “call us to confirm” line on the new invoice, the contact in the attached letter — treat all of it as compromised. If the request is fraudulent, the fraudster supplied those details, and your “verification call” goes straight to them. Verification only counts when the contact information comes from a source that existed before the request arrived.
Acceptable places to find that number, in order of preference:
- The phone number already in your accounting system or vendor file from before this request
- A previously paid invoice or the signed contract
- The vendor’s main line from their official website — found by typing the company name into a search engine yourself, not by clicking any link in the request
- A number from the client’s owner or manager who has an established relationship with the vendor
How to verify a vendor bank account change, step by step
Here is the full procedure. The order matters — each step depends on the one before it.
- Pause the payment. No money moves to new details until verification is complete. If you cannot finish the check, payments continue to the old account or are held. A short delay is the entire point.
- Find an independent phone number. Use the independent-contact rule above. Write down where the number came from — this is the exact question an insurer or auditor will ask later.
- Call the vendor and have them state the new details. Reach accounts receivable, billing, or your known contact. Confirm the company actually requested a change, then ask them to read you the new bank name, routing number, and account number. Do not read your version aloud and ask “is that right?” — a wrong-but-confirmed answer tells you nothing. The digits they say must match the request exactly. If anything differs, it is unverified until the vendor clears it up on the phone.
- Get a second person to approve. The person who made the call should not be the one who quietly updates the system. A second reviewer checks the record before the change goes live. In a solo practice, the second approver is the client’s owner or manager — send them the details and get a written “approved.”
- Record everything and check the first payment. Note the request, the number you called and its source, who you spoke to, what they confirmed, and who approved. After the change, confirm the first payment actually reached the vendor. An unprompted “we never got paid” is a red flag worth its own note.
That is the whole verification. Most of the time it takes one short call and a two-line log entry.
Red flags that mean “slow down”
None of these proves fraud on its own. Each one means verify with extra care:
- Urgency. “Before Friday’s run,” “the old account is frozen,” “this is holding up payroll.” Manufactured deadlines are the most common feature of fraudulent requests.
- A new phone number in the same request. New bank details and a new contact number — the number is there so your call reaches the fraudster.
- Lookalike sender addresses: vendor-inc.com vs vendorinc.com, .co for .com, an rn standing in for m. Read the address character by character.
- A brand-new contact who “just joined the billing team,” or any switch to a personal-name account, an out-of-state bank, or wire-only payment.
- “Email only, please.” Resistance to a phone call — “our phones are down,” “just confirm by email” — is itself a red flag.
What to document (and why it matters beyond fraud)
A verification you cannot show is, to an insurer or an auditor, a verification that did not happen. Cyber-insurance applications increasingly ask whether you have a documented procedure for payment-detail changes, and callback conditions in funds-transfer-fraud coverage can decide whether a claim is paid. For each request, keep the original message, the date and channel, what changed (last four digits only — never full account numbers in your log), the callback details and the number’s source, the outcome, and both approvals.
Keep one log per client, or a firm-wide log with a client column. A spreadsheet is fine. The record is the deliverable.
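As an added example (not part of this guide or of any product it mentions), the checks above turned into code: the independent-contact rule, the lookalike-address and new-phone-number red flags, and a log record that keeps only the last four digits of the new account. The vendor record, sender addresses and request text are constructed sample values.

```python
import re
from datetime import date

# Constructed vendor-file record, standing for the entry that existed before the request arrived.
KNOWN_VENDOR = {"domain": "acmebilling.com", "phone": "+1 (555) 010-0100"}

# Lookalike substitutions: rn for m and .co for .com from the red-flag list, plus hyphens and two common swaps.
GLYPH_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
# US-style phone numbers with separators, so bare account numbers in the body are not mistaken for phones.
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")

def digits(s: str) -> str:
    return re.sub(r"\D", "", s)

def normalize_domain(domain: str) -> str:
    """Fold a domain into the form its lookalikes share with it."""
    d = domain.lower().strip().rstrip(".").replace("-", "")
    for fake, real in GLYPH_SWAPS:
        d = d.replace(fake, real)
    return re.sub(r"\.(com|co|net|org)$", "", d)

def classify_sender(sender: str, known_domain: str) -> str:
    """'match' for the domain on file, 'lookalike' if equal only after folding, else 'other'."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain == known_domain.lower():
        return "match"
    return "lookalike" if normalize_domain(domain) == normalize_domain(known_domain) else "other"

def new_numbers_in_request(request_text: str, known_phone: str) -> list:
    """Phone numbers in the request that differ from the one on file: the 'new phone number' red flag."""
    known = digits(known_phone)[-10:]
    return [m for m in PHONE_RE.findall(request_text) if digits(m)[-10:] != known]

def callback_is_independent(dialled: str, known_phone: str) -> bool:
    """Independent-contact rule: the number dialled is the one on file, never one supplied by the request."""
    return digits(dialled)[-10:] == digits(known_phone)[-10:]

def log_entry(sender: str, request_text: str, new_account: str, dialled: str, spoke_to: str, approver: str) -> dict:
    """Log record as the documentation section describes: last four digits only, callback and approval noted."""
    return {
        "date": date.today().isoformat(),
        "sender_class": classify_sender(sender, KNOWN_VENDOR["domain"]),
        "new_numbers_in_request": new_numbers_in_request(request_text, KNOWN_VENDOR["phone"]),
        "new_account_last4": "****" + digits(new_account)[-4:],
        "callback_independent": callback_is_independent(dialled, KNOWN_VENDOR["phone"]),
        "spoke_to": spoke_to,
        "approved_by": approver,
    }
```

The domain folding is deliberately broad: a match after folding only means "look closely", and the phone call to the number on file remains the actual verification.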
Frequently asked questions
Is an email reply enough to verify a vendor bank change?
No. Any email reply — including a reply in the original thread — can be answered by the fraudster. Verification requires a phone call to an independently sourced number where a named person confirms the change.
What phone number should I call to verify?
A number that existed before the request: your vendor file, a prior invoice, or the vendor’s official website found by searching their name yourself. Never a number contained in or arriving with the change request.
How long does verifying a vendor bank change take?
Usually one short phone call and a couple of minutes to log it. Building the delay into your process is deliberate — it is the gap fraud needs you not to have.
Does cyber insurance require callback verification?
Often, yes. Many cyber and crime policies condition social-engineering and funds-transfer-fraud coverage on callback verification to a known number and a documented change procedure, and can deny a claim if the step was not taken and recorded.
What if the vendor will only confirm by email?
Treat it as unverified and a red flag. Genuine accounts-receivable teams will take a 60-second confirmation call. Hold the change until you reach a person by phone.
Make it a policy, not a habit
Knowing how to verify a vendor bank account change is the easy part — doing it consistently across every client is where firms slip. The fix is to write the steps down once and run every request through them.
We have published the whole thing as a free vendor bank-detail change verification procedure template — the independent-contact rule, a word-for-word callback script, the dual-approval step, the red-flag list, and a one-page log sheet, ready to adopt under your firm’s letterhead. It costs nothing and needs no software.
If you would rather the procedure run itself — every request forced through the same checklist, the callback captured as it happens, dual approval enforced, and the full history kept in a tamper-evident log you can hand to an insurer across all your clients — that is what CallbackProof does, and nothing more: documentation of a verification workflow. Either way, keep the phone call.