What Are Supplier and Vendor Impersonation Scams and How to Protect Your UK Business

Supplier and vendor impersonation is one of the most damaging fraud methods targeting UK businesses today. Unlike a security breach, it leaves no obvious trace. It does not require criminals to compromise your systems or steal credentials. It simply requires them to look and sound like someone you already trust, and wait for a routine business process to do the rest.

This article covers what supplier and vendor impersonation fraud is, how it works, what it looks like when it happens, and what UK businesses can do to protect themselves before a payment goes the wrong way.

What Is Supplier and Vendor Impersonation Fraud?

Supplier impersonation fraud occurs when a criminal poses as one of your existing suppliers or vendors to manipulate your business into making a payment or sharing sensitive information. The attack is not aimed at your IT infrastructure. It is aimed at the person in your finance team who has processed invoices from this supplier without incident for years and has no particular reason to treat the latest one any differently.

This type of fraud goes by several names: mandate fraud, invoice fraud, payment diversion fraud, and business email compromise (BEC). The terminology varies, but the logic remains the same: exploit an existing, trusted relationship to make an illegitimate request appear entirely normal.

According to the UK Government's Economic Crime Survey 2024, fake invoice fraud was the single most common type of fraud reported by UK businesses, with mandate fraud close behind. These are not niche risks. They are the fraud your finance team is most likely to encounter.

The Scale of the Problem: What the Latest Data Shows About UK Supplier Fraud

As reported in the UK Government's Fraud Strategy, fraud now accounts for 45% of all crime in England and Wales, with over 4 million offences recorded in the year ending September 2025 and an estimated economic and social cost of at least £14.4 billion. The report identifies payment diversion fraud as one of the highest-harm fraud types affecting the UK in 2025.

Research by Trustpair and OpinionWay, based on 150 senior UK finance executives, found that 93% of UK companies were targeted by fraud in 2024, yet only one in ten businesses performed consistent checks throughout the supplier payment process.

The UK Finance Annual Fraud Report 2025 recorded 3.13 million fraud cases against UK businesses and consumers in 2024, a 12% increase on 2023, with authorised fraud, where victims are manipulated into making payments themselves, accounting for the largest share of losses.

How Do Supplier Impersonation Scams Work Step by Step

These attacks succeed even in well-run organisations because they are designed around familiarity, not technical failure.

  • Research. Before any fraudulent message is sent, criminals study the target: your website, LinkedIn profiles, Companies House filings, and procurement information. By the time they make contact, they often know more about your supplier relationships than many of your own employees do.
  • Impersonation. The criminal makes contact posing as your supplier, using a near-identical email domain, a compromised supplier account, or, increasingly, AI-generated content trained to mimic the supplier's tone and style closely enough to pass without question.
  • A plausible reason. The fraudster frames the request around something familiar: a change of banking provider, an updated payment mandate, an invoice that needs correcting. The goal is to make it feel like administration, not an alert.
  • Urgency. A looming deadline, a risk of delivery delays, or a matter that needs to be resolved before the weekend. Urgency is the enemy of scrutiny, and the people running these operations know that well.
  • The payment. By the time the genuine supplier contacts you about an unpaid invoice, the money has already moved through several accounts and is effectively unrecoverable.

The Most Common Types of Vendor Impersonation Fraud Targeting UK Businesses

1. Invoice fraud

A fraudulent invoice arrives closely mirroring your supplier's format: the correct logo, familiar reference numbers, the usual language. The only thing that has changed is the account number where the payment should be sent.

2. Mandate fraud

Mandate fraud involves a criminal contacting your accounts payable team directly, posing as a supplier, and asking for the supplier's banking details to be updated. The team updates the record in good faith, and every subsequent payment is diverted, often for months, until someone realises the real supplier has stopped receiving money.

3. Business email compromise (BEC)

Rather than impersonating a supplier's address, the criminal compromises the real account and sends the fraud from inside it. Automated checks raise no flags because, technically, the email is legitimate.

4. Executive-driven supplier payment fraud

This type of impersonation involves a fraudster posing as a senior internal figure, pressuring finance staff to make an urgent external payment, framed as a confidential deal that cannot go through normal approval channels. The apparent authority of the sender is used to override the instinct to check.

Why Supplier Impersonation Fraud Is So Hard to Spot

  1. They exploit trust

These attacks do not succeed because people are careless. They succeed because they are designed to fit exactly how trust works in practice. When a request appears to come from an organisation you have a working history with, the natural starting point is familiarity. Criminals understand this, and they engineer their attacks around it. They do not send requests that feel alarming. They send requests that feel ordinary.

  2. They are organised

As Mike Haley, CEO of Cifas, noted in the Fraudscape 2026 report, fraud is being industrialised, with AI accelerating criminal activity that is increasingly digital, organised, and international. Cifas members reported more than 1,200 fraud incidents every day throughout 2025, the highest figure ever logged in the National Fraud Database. These are not opportunists taking a chance. They are structured operations that invest time in research before a single message is sent.

  3. They strike at the right moment

A fraudster who knows your business is completing a large project will choose the moment of final invoicing to strike. A criminal who knows your finance lead is travelling will wait for that exact window. Context is not incidental to how these attacks are constructed. For many of them, it is the attack.

  4. AI is making all of it more convincing

Voice cloning, deepfake video, and AI-generated written content are now being used to make every type of supplier impersonation harder to question. A spoofed email can be written in the supplier's exact style. A phone call can sound like someone your finance director knows well. The technology does not create new types of fraud. It makes the existing ones significantly harder to question.

How to Protect Your UK Business from Supplier and Vendor Impersonation Fraud

  • Require independent verification for any payment instruction change. Never rely on a single message. Confirm through a trusted, separate channel using contact details you already hold, not those provided in the request, as phone numbers and emails can be spoofed. Solutions like UnDoubt provide a secure, independent way to verify requests before any changes are made.
  • Separate duties in your accounts payable process. The person who receives a payment request should not be the same person who approves it. Dual authorisation above a defined threshold limits the damage a single compromised decision can cause.
  • Keep your supplier master file current. Outdated supplier records are an open door. If your team does not know which contact details are verified, they cannot spot when something has changed unexpectedly.
  • Make verification a cultural norm, not an exception. Most impersonation fraud succeeds because the pressure to be responsive overrides the instinct to check. Organisations where pausing to verify is expected and routine are considerably harder targets.
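The controls above can be expressed as a pre-payment screening step in accounts payable. The following is an added example, not code from this article or from UnDoubt; the master-file layout, the £10,000 threshold, the function names, and all sample data are assumptions constructed for illustration.

```python
# Constructed supplier master file: details verified BEFORE any request arrives.
MASTER = {
    "acme-supplies.example": {"sort_code": "12-34-56", "account": "00112233",
                              "verified_phone": "+44 20 7946 0000"},
}
DUAL_AUTH_THRESHOLD_GBP = 10_000  # assumed policy threshold
HOLD_FLAGS = ("lookalike_domain", "unknown_supplier", "bank_details_changed")

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-identical sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen_request(sender, sort_code, account, amount_gbp):
    """Return flags, whether to hold payment, and the number to call back."""
    domain = sender.rsplit("@", 1)[-1].lower()
    flags, record = [], MASTER.get(domain)
    if record is None:
        near = [d for d in MASTER if edit_distance(domain, d) <= 2]
        if near:
            flags.append("lookalike_domain:" + near[0])
            record = MASTER[near[0]]  # compare against the supplier being imitated
        else:
            flags.append("unknown_supplier")
    # Checked even when the sender domain is genuine: a compromised supplier
    # mailbox (BEC) passes every sender check, so only the record comparison helps.
    if record and (sort_code, account) != (record["sort_code"], record["account"]):
        flags.append("bank_details_changed")
    if amount_gbp >= DUAL_AUTH_THRESHOLD_GBP:
        flags.append("dual_authorisation_required")
    hold = any(f.startswith(HOLD_FLAGS) for f in flags)
    # The callback number always comes from the master file, never the request.
    callback = record["verified_phone"] if record and hold else None
    return {"flags": flags, "hold": hold, "callback": callback}

if __name__ == "__main__":
    # Constructed requests: lookalike domain, then genuine domain with new details.
    print(screen_request("billing@acme-suppiies.example", "65-43-21", "99887766", 4800))
    print(screen_request("accounts@acme-supplies.example", "65-43-21", "99887766", 15000))
```

A held request is released only after the callback to the stored number confirms the change, and by someone other than the person who received the request.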

Why Standard Fraud Prevention Tools Do Not Stop Supplier Impersonation

Most fraud systems were built for different threats. Spam filters, phishing detection, and ID checks still matter, but supplier impersonation targets relationships, not systems. By the time a tool spots something unusual, a real person has often already approved the payment because everything looked legitimate.

That is the real gap. When a payment request comes in, most organisations have no reliable way to confirm that the person behind it is genuinely who they say they are. Traditional controls cannot confirm, in real time, that the right person is making that specific request at that moment. That is exactly where impersonation fraud thrives, and the gap UnDoubt was built to close.

What is UnDoubt and How It Works

UnDoubt helps individuals and organisations stop impersonation fraud before any action is taken. Instead of detecting fraud after the fact or relying on employees to spot warning signs under pressure, it enables real-time, mutual verification before trust is extended or money moves.

When a payment is initiated or supplier bank details are changed, both parties independently confirm their intent. If the right person cannot verify the request, it does not proceed. Looking legitimate is not enough. The requester must be verified at that exact moment, something a fraudster cannot replicate.

UnDoubt Connect Helps UK Businesses Stop Supplier Impersonation Before It Happens

Supplier impersonation works both ways. Criminals pretend to be your suppliers to trick your team into making payments. They can also pose as your organisation, sending fraudulent instructions to your suppliers and partners. UnDoubt addresses both risks.

  • UnDoubt Connect adds an external layer of verification across voice, video, and email. It allows suppliers and partners to confirm that a message genuinely came from your organisation before they act on it.
  • UnDoubt Connect+ enables two-way verification, so you can confirm your vendors' emails, calls, and messages are legitimate, and they can confirm you.

To discuss a pilot tailored to your highest-risk supplier workflows, contact undoubt@lastingasset.com 

References

[1] UK Government. (2024). Economic Crime Survey 2024. Home Office. https://www.gov.uk/government/publications/economic-crime-survey-2024/economic-crime-survey-2024 

[2] UK Government. (2025). Fraud Strategy. Home Office. https://assets.publishing.service.gov.uk/media/69ae77ddc78869bf8eb8a509/fraud-strategy-web.pdf

[3] Trustpair and OpinionWay. (2025). 93% of UK Companies Experienced Vendor Fraud in 2024. Trustpair. https://trustpair.com/blog/fraud-report-uk-2025-press-release/

[4] UK Finance. (2025). Annual Fraud Report 2025. UK Finance. https://www.ukfinance.org.uk/system/files/2025-05/UK%20Finance%20Annual%20Fraud%20report%202025.pdf 

[5] Cifas. (2026). Fraudscape 2026. Cifas National Fraud Database Annual Report. https://www.fraudscape.co.uk/