
Quick practical tech tip: before your business pays a new invoice, changes a vendor’s bank details, or sends money to a “new” payment address, verify the request using a trusted phone number or contact method you already had on file.
This is a simple habit, but it blocks one of the most expensive small-business scams: fake invoices and business email compromise. The FTC warned in May 2026 that scammers send fake bills to businesses hoping someone pays quickly, and the FBI’s Internet Crime Complaint Center continues to track business email compromise as a major fraud category. The fix is not fancy software first. It is a repeatable payment-change rule that your team actually follows.
Set up the rule today
- Pick the payment changes that require verification. At minimum, require extra review for new vendors, changed bank routing details, changed mailing addresses, ACH/wire requests, gift card requests, cryptocurrency requests, and urgent “pay today” invoices.
- Use a trusted contact path. Do not reply to the email thread or call the phone number inside the invoice. Use the vendor phone number from your accounting records, a signed contract, the vendor’s official website, or a contact you already verified earlier.
- Make one person request and one person approve. For small teams, this can be as simple as “bookkeeper reviews, owner approves.” For a one-person office, pause and verify by phone before payment leaves the account.
- Document the verification. Add a short note in your accounting system: who was called, which number was used, who confirmed the payment details, and when the approval happened.
- Save known-good vendor payment details. Keep vendor payment instructions in your accounting platform or password manager notes, not scattered across email threads.
- Slow down urgent requests. Treat pressure as a warning sign. A real vendor can usually tolerate a short verification call; a scammer needs you rushed and isolated.
What to watch for
- A familiar vendor suddenly asks for a new bank account, routing number, mailing address, or payment portal.
- The email looks normal but has a slightly different sender address, display name, reply-to address, or signature block.
- The message says the owner, CEO, pastor, property manager, or vendor is unavailable and wants the payment handled quietly.
- The invoice arrives near closing time, during a holiday week, or while the usual approver is out.
- The request pushes wire transfer, ACH, gift cards, crypto, or another payment method that is hard to reverse.
A small-business workflow that works
For most local businesses, the rule can fit on one page:
- Invoice arrives.
- Staff checks whether the vendor, amount, and payment details match existing records.
- If anything is new or changed, staff calls a known-good number.
- Second person approves the payment or the owner signs off.
- Verification note is saved with the bill.
The goal is consistency. You do not need a long policy binder to start. You need a rule short enough that people follow it when the phones are ringing and the day is busy.
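The record check in this workflow, combined with the warning signs listed earlier, can be sketched in Python. This is an added example, not part of the original article. The vendor record, domains, account numbers, phone number and the `review_invoice` function are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor record standing in for the accounting system's known-good data.
VENDORS = {"Acme Supply": {"domain": "acmesupply.example", "routing": "000000001",
                           "account_last4": "4821", "phone": "+1-555-0100"}}
PRESSURE = ("urgent", "pay today", "immediately", "wire", "gift card", "crypto")

def _domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def review_invoice(raw_email, vendor_name, routing, account_last4):
    """Compare an invoice email with the vendor record; list reasons to call back."""
    record = VENDORS.get(vendor_name)
    if record is None:
        return {"needs_callback": True, "call": None,
                "reasons": ["new vendor: no record on file"]}
    msg = message_from_string(raw_email)
    reasons = []
    if _domain(msg["From"]) != record["domain"]:
        reasons.append("sender domain differs from vendor record")
    if msg["Reply-To"] and _domain(msg["Reply-To"]) != record["domain"]:
        reasons.append("Reply-To points outside the vendor's domain")
    if (routing, account_last4) != (record["routing"], record["account_last4"]):
        reasons.append("bank details differ from vendor record")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg['Subject'] or ''} {body}".lower()
    if any(word in text for word in PRESSURE):
        reasons.append("pressure or hard-to-reverse payment language")
    # The number to call always comes from the record, never from the email.
    return {"needs_callback": bool(reasons), "call": record["phone"], "reasons": reasons}

# Constructed sample: familiar display name, lookalike Reply-To, changed bank details.
SUSPICIOUS = """\
From: "Acme Supply Billing" <billing@acmesupply.example>
Reply-To: ar@acme-supply.example
Subject: URGENT: updated bank details, pay today

Please use our new account for invoice 1043.
"""

if __name__ == "__main__":
    result = review_invoice(SUSPICIOUS, "Acme Supply", "000000002", "7730")
    print("Call", result["call"], "before paying:")
    for reason in result["reasons"]:
        print(" -", reason)
```

A clean result only means nothing differs from the record; the call-back and second approval still decide whether money moves.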
What can go wrong
The biggest mistake is verifying through the same compromised channel. If a scammer controls the vendor’s email account or has spoofed a lookalike thread, replying “is this real?” may just ask the attacker to confirm their own fraud. Use a separate trusted contact method.
Another common gap is relying on one person’s memory. If only one employee knows which invoices are normal, a vacation or sick day can become a weak point. Store vendor payment details in a controlled place and keep the approval note with the invoice.
When to call an IT professional
Call for help if an employee clicked a suspicious invoice link, entered Microsoft 365 or Google Workspace credentials, approved an unexpected MFA prompt, or paid money before realizing something was wrong. You may need mailbox rule checks, password resets, MFA review, endpoint scanning, bank notification, and a wider look at whether the attacker changed forwarding rules or accessed other accounts.
If your business handles larger payments, recurring vendor transfers, payroll, rent, taxes, or client trust funds, it is worth setting up a formal payment-change workflow, phishing-resistant MFA where practical, and mailbox auditing before there is an incident.
Useful official resources
- FTC: Run a small business? Pay your bills, not scammers
- FTC: Scams and Your Small Business
- FBI IC3: Business Email Compromise
- CISA: Secure Your Business
Bottom line: before money moves, verify payment changes outside the email thread. That one habit can prevent a normal workday from turning into a bank-recovery emergency.