Avoiding Fraud in Cross-Border Vendor Payments (Red Flags)

1. Why cross-border vendor payments attract fraud

Cross-border accounts payable (AP) flows combine three ingredients that attract criminals: opaque counterparties, time zone gaps that slow verification, and multi-leg settlement paths that dilute accountability. Business email compromise (BEC) schemes alone produced 21,489 complaints and adjusted losses above $2.9 billion in 2023, according to the FBI’s Internet Crime Complaint Center. (Internet Crime Complaint Center) Between December 2022 and December 2023, identified global exposed BEC losses rose 9%. (Internet Crime Complaint Center)

Internal control failures are equally costly. The Association of Certified Fraud Examiners (ACFE) reports a median loss of $145,000 per occupational fraud case in 2024, with 22% of cases topping $1 million. (Anchin, Block & Anchin LLP) “43% of occupational frauds were detected by a tip,” the ACFE notes. (ACFE) That single line captures a structural truth: controls often fail silently; human eyes and whistleblowers still surface the most cases.

Sanctions and compliance violations add another vector. The U.S. Office of Foreign Assets Control (OFAC) assessed more than $1.5 billion in penalties across 17 public enforcement actions in 2023, a record tally. (Morrison Foerster) One Thai plastics firm paid $20 million for 467 Iran-related violations after routing $291 million through U.S. banks while concealing origin. (AP News) Screening blind spots are expensive.

Fraud hits smaller firms hardest because recovery is slow. A UK case publicized in early 2025 shows £324,634 sent to fraudsters took nearly a year and £100,000 in legal fees to chase, illustrating the true cost beyond the principal. (Financial Times) UK Finance recorded 3.13 million confirmed unauthorised fraud cases in 2024, with £722 million lost. (UK Finance)

Cross-border payments also carry structural frictions: the World Bank pegs average remittance costs at 6.62% of the amount sent. (remittanceprices.worldbank.org) High fees invite risky shortcuts, such as informal channels or unvetted intermediaries, that increase exposure instead of lowering it. A safe cross border invoice process must weigh cost savings against new attack surfaces.

2. Attack patterns and red flags specific to overseas vendors

Fraudsters exploit the multi-jurisdictional nature of global invoices. Common patterns include:

• Vendor master file manipulation. Sudden bank detail changes, domains with one character swapped, or an “updated” Swift/BIC code sent under urgency. HighRadius lists “invoices with vague descriptions, unusually rounded amounts, or repeated low-value charges that avoid review thresholds” as indicative patterns. (HighRadius)

• Man-in-the-middle BEC. Either the supplier or buyer email is compromised. Fraudsters monitor threads, then send a “final invoice” or “banking update” minutes before payment cut-off.

• FX spread skimming. Rogue intermediaries embed inflated spreads or “handling” fees. The victim sees only a total in local currency.

• Sanctions evasion through nested correspondents. A supplier routes funds via a third-country bank. Documentation looks clean, yet the underlying counterparty is restricted. OFAC case lists show repeated themes: weak screening, ignorance of ownership structures, and failure to block obvious jurisdictional risks. (OFAC)

• Impersonation of regulators or banks. UK Finance notes losses for impersonation scams averaged £7,448, versus £549 for purchase scams, reflecting a shift toward high-volume, low-value tactics that bypass traditional outlier checks. (UK Finance)

Red flags to code into monitoring rules and human checklists:

1. Change request timing — banking changes right before a large payment or near public holidays in the supplier’s country.

2. Document anomalies — mismatched fonts, logos, or invoice numbers that fall outside normal sequence; rounded totals or repeated values just below dual-approval thresholds. (HighRadius)

3. Communications channel drift — a switch from corporate email to free webmail, or new phone numbers with no country code context.

4. Sanctions geography — counterparties, beneficial owners, or IP addresses tied to embargoed regions. (AP News)

5. FX instructions — “pay in USD to this Hong Kong account” when prior payments landed in the supplier’s domestic currency.

6. Pressure language — “urgent”, “must settle today to avoid penalties”, “CEO approved already”.

7. Network anomalies — SWIFT highlights the value of “a unique view on payment anomalies observed at network level” to flag outliers. (Swift)

3. Controls that actually work: layering people, process, and tech

Fraud prevention is less about any single tool and more about layered defense. The following structure aligns with a safeguarding international AP workflow:

3.1 Governance and segregation

• Dual authorization for vendor onboarding and for any bank detail change.

• Explicit segregation between those who approve vendors, those who process invoices, and those who release cross-border wires.

• Governance frameworks echo SWIFT’s guidance: “establish a governance model; establish a cybersecurity risk management framework” across counterparties. (Swift)

3.2 Verification and call-backs

• Independent call-backs to a verified number on file before executing changes. Document the date, time, person, and method.

• Video calls can supplement but not replace verification; spoofed video is now viable with generative AI voice and face cloning, flagged by UK Finance. (UK Finance)

3.3 Data hygiene in the vendor master

• Freeze fields such as bank account number or beneficiary name post-approval; any change triggers a workflow ticket and re-verification.

• Attach scanned contracts, tax IDs, and beneficial ownership attestations; require renewed attestations annually.

3.4 Payment screening and sanctions controls

• Screen both parties and payment messages against updated sanctions lists (OFAC, EU, UK HMT). Record evidence of each check.

• Apply ownership and control rules: a non-listed entity owned 50%+ by a listed party is treated as sanctioned in U.S. context.

• Track OFAC enforcement patterns to calibrate risk appetite. Record-setting penalties in 2023 show regulators punish process failures, not just bad intent. (Morrison Foerster)

3.5 Network-level anomaly detection

• Use SWIFT Payment Controls or equivalent to set transaction rules, block duplicates, and catch unusual value/date combinations. (Swift)

• Cross-reference known supplier patterns: average invoice size, currency, counterpart bank, cut-off time.

3.6 Incident response playbooks

• Pre-draft BEC response scripts: freeze funds, contact originating and beneficiary banks, trigger recall via SWIFT MT192/199 or ISO 20022 equivalents, file with IC3 or local cyber units.

• The FBI IC3 success metric indicates that 71% of recovery attempts were successful across 3,008 incidents, with $538.39 million frozen. (Internet Crime Complaint Center) Timely action matters.

4. A secure international invoice payment guide: step-by-step

This “international vendor payment checklist” can be embedded into an AP system or policy manual:

1. Pre-onboarding diligence

   • Verify legal entity name, registered address, tax number.

   • Check beneficial owners against sanctions and adverse media.

   • Validate bank account ownership via bank letter or micro-deposits.

2. Contractual safeguards

   • Insert clauses on notification protocol for banking changes and require encrypted channels for sensitive data.

   • Stipulate currency, correspondent bank, and accepted fee splits (OUR/SHA/BEN). This reduces ambiguity and protects against FX fraud by locking spreads.

3. Invoice intake controls

   • Only accept invoices from authorized domains.

   • Auto-match invoice data to purchase order and goods receipt.

   • Flag rounding or repeated small values. (HighRadius)

4. Bank detail change workflow

   • Require a signed change form plus documentary proof.

   • Initiate a call-back using a number independently sourced (website registry, prior contract), not from the change request.

5. Sanctions and AML screening

   • Screen beneficiary, ordering customer, intermediaries, and narrative text fields.

   • Review trade purpose, commodity codes, and routing to detect hidden Iran/Russia/Cuba exposure as seen in OFAC cases. (AP News)

6. Payment execution layer

   • Use straight-through processing with tiered approvals: amounts, jurisdictions, and currencies map to specific approver matrices.

   • Apply payment controls to detect duplicates or out-of-pattern timings. (Swift)

7. Post-payment monitoring

   • Reconcile settlement confirmations to original instructions; MT103/ISO pacs.009 copy should match.

   • Review FX rates achieved versus interbank benchmarks; large deltas signal hidden costs. This supports a plan to lower fees on global invoices without increasing risk. (remittanceprices.worldbank.org)