Guide · Vendor Verification

Vendor Verification Checklist: How to Safely Check a Vendor Before Payment (2026)

June 2026 AP Clerks Office Managers Small Business 10 min read

Wire transfers are irreversible. Once the money leaves your account, recovering it is rare and slow. This guide gives AP clerks and office managers a step-by-step process to verify any vendor before payment — so you catch fraud before it costs you.

$3B+
lost to business email compromise in the US annually
62%
of organizations hit by payment fraud attempts last year
<1%
of fraudulent wire transfers successfully recovered

Why Wire Transfers Are the Highest-Risk Payment

Unlike checks, ACH, or credit cards — wire transfers cannot be reversed. Once confirmed, funds move immediately and are typically forwarded internationally within hours in fraud cases, making recovery nearly impossible.

This is exactly why fraudsters specifically target wire transfers. The three most common schemes hitting small businesses right now:

What These Scams Actually Look Like

These aren't abstract threats. Here are examples of what each scam looks like in practice — and the red flags that give them away.

Example 1 — CEO Impersonation (BEC)

BEC Scam CEO wire request — fabricated example
1
Sending domain is fake — ceo-acmecorp.net instead of acmecorp.com. One extra word that's easy to miss.
2
Urgency + secrecy combination — "before 3pm" and "don't tell anyone" are designed to bypass your normal approval process.
3
"Do not call me" — eliminates your ability to verify by phone, which is the one check that would catch this immediately.
4
New beneficiary name — HDC Holdings LLC has no prior payment history with your business.

Example 2 — Invoice Redirect Fraud

Invoice Fraud Altered vendor invoice — fabricated example
1
Routing number changed — the #1 red flag for invoice redirect fraud. Always requires a phone call to confirm.
2
Email requests banking detail update — legitimate banks send change notifications by mail or through secure portals, not invoice footnotes.
3
PDF may have been altered in transit — attackers intercept legitimate invoices and edit the banking details before forwarding them on.
Spotted a suspicious invoice or email? Run it through PaySentinel in under a minute — free for small businesses, no account needed.
Check it now →

6 Steps to Verify Any Vendor Before Payment

Use this process for any first payment, or any payment to a vendor you haven't paid in more than 90 days.

1
Verify the business exists independently

Search your state's Secretary of State business database — not the vendor's website. Confirm the company is registered, in good standing, and that the legal name matches the invoice.

  • Check registration date — a company registered last month claiming years of experience is a red flag
  • Verify physical address using Google Maps Street View
  • Cross-reference with LinkedIn and BBB
2
Call the vendor using a number you found independently

Never call a number from the invoice or payment request. Look up the vendor's phone number from their official website or your existing records. Verbally confirm payment amount, routing number, and account number.

  • If they say "don't call, just email" — stop and escalate
  • Document who you spoke with, their title, and the time
3
Check the email domain character by character

Fraudsters register domains that look nearly identical to real ones. Check every character — transposed letters, added hyphens, different TLDs, and added words are all common tricks.

  • acmecorp.com → acme-corp.com (added hyphen)
  • northgate.com → northqate.com (transposed letter)
  • billing@acme.com → billing@acme.net (different TLD)
  • ceo@acme.com → ceo@ceo-acme.com (added prefix)
4
Compare routing and account numbers to your records

Pull up this vendor's previous invoices or payments in your accounting system. Any change to routing or account number requires a phone verification — no exceptions, regardless of how convincing the explanation sounds in an email.

5
Run a fraud check

A structured fraud analysis catches patterns that manual review misses — typosquat domains, ABA routing checksum failures, structuring amounts, and known BEC signals. This takes under a minute with the right tool.

6
Get dual authorization above your threshold

Set a dollar threshold — many small businesses use $5,000 — above which a second person must independently approve. This single control stops most BEC fraud. The approver must verify independently, not just sign off on your work.

Manual Checks vs. Using PaySentinel

Here's what each step looks like doing it manually versus running it through PaySentinel:

Verification step Manual process Time PaySentinel Time
Email domain check Read character by character, Google the domain 3–5 min Automatically flags typosquat domains and free email Instant
Routing number validation Look up on Fed lookup tool manually 5 min ABA checksum validated automatically, flags changes from prior Instant
Fraud pattern check Relies on personal knowledge and gut feel Variable Checks 20+ fraud patterns including BEC signals and structuring ~60 sec
Risk score No structured output — judgment call 1–10 risk score with specific red flags and recommended actions Instant
Audit trail Manual notes if remembered 5 min Automatic case history with investigation queue Automatic
Phone verification
Always required
Call vendor using independently found number 5–10 min Still required — no tool replaces calling the vendor Manual step
✓ What PaySentinel doesn't replace

No tool replaces calling the vendor directly using a number you found independently. PaySentinel catches the patterns that are easy to miss — but the phone call is still the one check that definitively confirms you're talking to the right person.

Curious how a structured tool compares to doing these checks manually? See exactly what each approach catches and what each misses →

Run a vendor check in under 60 seconds Free for small businesses — paste in vendor details, invoice info, or a suspicious email and get a risk score instantly.
Try it free →

Red Flags That Should Stop Any Payment

Each of these signals requires verification before proceeding. Multiple flags together warrant escalation to a manager before anything is sent.

Handling Routing Number Changes

Routing number changes are the most common vector for payment redirect fraud — and also something that legitimately happens when vendors switch banks. The right process:

⚠ The "pre-verification call" trap

A common follow-up tactic: an attacker calls you after sending a fake invoice, pretending to be from the vendor, to "confirm" the payment details. This pre-empts your own verification call. Always initiate the call yourself using a number you found independently. Never accept an inbound call as verification.

New Vendor Onboarding Checklist

Before processing any first payment, collect and file the following. Keep this on record for every new vendor relationship.

When to Stop a Payment and Escalate

The rule

If you cannot independently verify the payment details using contact information you already have on file — the payment does not go out.

It is always better to delay a legitimate payment and apologize to a vendor than to process a fraudulent wire and lose the money permanently. Legitimate vendors have seen this before and understand.

Escalate immediately to your manager or owner if:

If you've sent a fraudulent payment: call your bank immediately, then file a report with the FBI's Internet Crime Complaint Center at ic3.gov.

Check a vendor in under 60 seconds

PaySentinel analyzes vendors, invoices, emails, and payment details for fraud patterns — free for small businesses, no account required.

Run a free check →