Today’s vendor banking email fraud losses demand that even small businesses get a right-sized email fraud defense in place. Here’s how it is playing out in real life, right now.
A vendor emails their customer asking to update banking details for an upcoming payment. The customer’s finance team opens the email, reads the request, and a real person types the new banking information into their accounts payable system. The next payment cycle runs as scheduled. Hundreds of thousands of dollars land in an account belonging to someone the vendor has never heard of, often offshore. The cyber insurance claim gets denied because a human approved the change. The vendor was not actually involved. They were also a victim, and they did not know it.
That’s it in a nutshell: the anatomy of the Adversary in the Middle vendor banking email fraud pattern that bypasses traditional MFA and lands six-figure losses for Toronto SMBs.
We see this fast rising email attack pattern across client environments on a weekly basis now. It is no longer rare. If you process vendor payments and you are relying on traditional multi-factor authentication plus email-based verification, your exposure is real. If you have ever processed a vendor banking change without picking up the phone, you are not alone. Most finance teams have. Until very recently, it was reasonable practice. Things have changed, and we need to adapt to stay protected.
As a Toronto Managed IT Services Provider focused on Microsoft 365 security, here’s how we tackle this: the defenses are Conditional Access policies, monitoring for account takeover signals, and out-of-band verification with a voice call or a pre-agreed PIN for vendor banking changes.
How the Attack Actually Works
The attack has a name in the security world, Adversary in the Middle, but the mechanics are simpler than the jargon suggests.
An attacker compromises an email account, typically through a phishing page that captures both the password and the active session token. The session token is the part that traditional multi-factor authentication misses. Once it is stolen, the attacker can sign in as the user without needing to re-enter a code or approve a push notification.
From inside the inbox, they monitor activity. Sometimes for weeks.
They learn who pays whom and when. They notice that someone is on vacation, and they reference it casually in a later message so the recipient does not question the tone. They create email forwarding rules to hide their traffic from the real user, so replies land in a folder the user does not check. They set up a near-identical spoof domain. A lowercase L instead of a lowercase I. A zero instead of an O. A missing letter that you would never catch unless you were looking for it.
Then they inject one message into an active conversation. The receiving party sees a familiar sender, an in-progress thread, and a request that fits the cadence of the relationship. The request looks routine. The money moves.
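The spoof-domain step above is the one a mail filter or a finance analyst can check mechanically. The following is an added example, not code from the original post: it takes an inbound sender address, compares its domain against your own list of known vendor domains, and flags the near misses described above (a 1 or I standing in for l, a 0 for o, a dropped letter). The vendor list and sample addresses are constructed for the demonstration; the "rn" for "m" collapse is an extra common case that the post does not mention.

```python
import re
from typing import Iterable

# Visually confusable characters an attacker swaps into a spoof domain
# (the post's l/I and 0/O cases). Each is collapsed to one canonical form so a
# spoof and its target compare equal after the collapse.
CONFUSABLES = {"i": "l", "1": "l", "|": "l", "0": "o"}


def skeleton(domain: str) -> str:
    """Collapse confusable characters; 'rn'->'m' and 'vv'->'w' are extra common swaps."""
    d = domain.lower().strip().replace("rn", "m").replace("vv", "w")
    return "".join(CONFUSABLES.get(ch, ch) for ch in d)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches the dropped-letter spoof that the skeleton misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Pull the domain out of 'Name <user@domain>' or a bare 'user@domain'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    if not m:
        raise ValueError(f"no sender domain in {address!r}")
    return m.group(1).lower()


def classify_sender(address: str, known_vendor_domains: Iterable[str]) -> str:
    """'known' for an exact match, 'lookalike' for a near miss, else 'unrelated'."""
    dom = sender_domain(address)
    known = {k.lower() for k in known_vendor_domains}
    if dom in known:
        return "known"
    for k in known:
        if skeleton(dom) == skeleton(k) or levenshtein(dom, k) <= 1:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed vendor list and sample senders; none of these are real domains.
    vendors = ["acmesupply.com"]
    for addr in ["ap@acmesupply.com", "ap@acmesupp1y.com", "ap@acmesuply.com",
                 "Acme AP <ap@acrnesupply.com>", "ap@northwind.com"]:
        print(f"{addr:35} -> {classify_sender(addr, vendors)}")
```

A "lookalike" result is a hold-for-review signal, not proof of fraud: a vendor that legitimately owns both a .com and a .ca domain will also land within one edit of itself, so route near misses to a person rather than silently dropping them.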
The reason this attack is succeeding now is that AI made the labour-intensive part easy. The patience required to monitor an inbox, mimic a writing style, and time the injection used to limit how many of these attacks could happen at once. That ceiling is gone.
What Actually Stops It
Three things actually defend against this attack. We have built our security baseline around them because nothing else stops it reliably.
The first is identity protection that goes beyond the Microsoft Authenticator prompt on your phone. That prompt is no longer sufficient on its own. Modern Adversary in the Middle attacks bypass it. Conditional Access is the layer that blocks the takeover. It restricts sign-in to compliant devices in trusted contexts, regardless of whether the attacker has the password and the session token. A stolen password and a stolen session token are still not enough to get into the account, because the attacker does not also have a managed device under your control. This is the single biggest gap we see in mid-sized businesses. They have multi-factor authentication enabled and they assume that means they are protected. They are not, against this specific attack.
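To make the reasoning above concrete, here is an added example that is not code from the original post or from Microsoft. It holds two Conditional Access policy bodies in the shape Microsoft Graph uses for a conditionalAccessPolicy (the "mfa" and "compliantDevice" grant controls are real enum values; the display names are assumptions) and runs a deliberately simplified model of how each control is satisfied by a sign-in. The sign-in contexts are constructed: a replayed session already carries the MFA claim, so an MFA-only policy lets it through, while the compliant-device policy does not.

```python
from typing import Callable, Dict, Iterable

# Policy bodies in the shape Microsoft Graph expects for a conditionalAccessPolicy.
# Display names are assumptions; "mfa" and "compliantDevice" are real grant controls.
_ALL_USERS_ALL_APPS = {
    "users": {"includeUsers": ["All"]},
    "applications": {"includeApplications": ["All"]},
    "clientAppTypes": ["all"],
}

MFA_ONLY_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": _ALL_USERS_ALL_APPS,
    "grantControls": {"operator": "AND", "builtInControls": ["mfa"]},
}

REQUIRE_COMPLIANT_DEVICE_POLICY = {
    "displayName": "Require compliant device for all users",
    "state": "enabled",
    "conditions": _ALL_USERS_ALL_APPS,
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
}

# Simplified model of how each grant control is satisfied by one sign-in.
# A stolen session token was minted after the real user passed MFA, so the
# "mfa" control is already satisfied; "compliantDevice" needs a device that
# your MDM reports as compliant, which the attacker's machine is not.
CONTROL_CHECKS: Dict[str, Callable[[dict], bool]] = {
    "mfa": lambda s: s["mfa_claim_present"],
    "compliantDevice": lambda s: s["device_compliant"],
}


def evaluate(policy: dict, signin: dict) -> str:
    """Return 'allow' or 'block' for one policy (a model, not Entra's real engine)."""
    # A policy left in report-only mode logs what it would do but enforces nothing.
    if policy["state"] != "enabled":
        return "allow"
    grant = policy["grantControls"]
    results = [CONTROL_CHECKS[c](signin) for c in grant["builtInControls"]]
    satisfied = all(results) if grant["operator"] == "AND" else any(results)
    return "allow" if satisfied else "block"


def evaluate_all(policies: Iterable[dict], signin: dict) -> str:
    """Every applicable policy must grant; one block is enough to deny the sign-in."""
    return "block" if any(evaluate(p, signin) == "block" for p in policies) else "allow"


# Constructed sign-in contexts.
STOLEN_SESSION = {"mfa_claim_present": True, "device_compliant": False}
MANAGED_LAPTOP = {"mfa_claim_present": True, "device_compliant": True}

if __name__ == "__main__":
    print("MFA-only policy, stolen session:", evaluate(MFA_ONLY_POLICY, STOLEN_SESSION))
    print("Compliant-device policy, stolen session:",
          evaluate(REQUIRE_COMPLIANT_DEVICE_POLICY, STOLEN_SESSION))
    print("Both policies, managed laptop:",
          evaluate_all([MFA_ONLY_POLICY, REQUIRE_COMPLIANT_DEVICE_POLICY], MANAGED_LAPTOP))
```

The report-only branch is there because it is a common gap in practice: a compliant-device policy that was created for testing and never switched to "enabled" shows up in the portal but blocks nothing.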
The second is monitoring that catches the early signals. The moment an attacker creates an inbox forwarding rule, sets an unusual auto-delete pattern, or signs in from an unexpected country, an alert needs to fire. Most businesses do not have this configured. The attack runs in the background for weeks before anyone notices, which is exactly why the AI-written message sounded so convincing when it finally arrived. It had time to learn.
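The signals listed above map directly onto audit records that Microsoft 365 already produces. The following is an added example, not code from the original post: it runs a small set of checks over constructed records shaped like the Unified Audit Log's inbox-rule and mailbox entries (Operation, UserId, and a Parameters list of Name/Value pairs) plus sign-in records that have already had their IP resolved to a country. The list of folders attackers use to bury replies is an assumption to extend per tenant; the "CountryOrRegion" field and all the record values are constructed.

```python
from typing import Dict, Iterable, List

# Inbox-rule cmdlets and the parameters that send mail somewhere the user will not see it.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
MAILBOX_FORWARD_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress"}
# Folders commonly used to hide replies from the real user (assumed list; extend per tenant).
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History", "Junk Email"}


def _params(record: dict) -> Dict[str, str]:
    """Flatten the audit log's Parameters list of {Name, Value} into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def find_takeover_signals(records: Iterable[dict], expected_countries: Iterable[str]) -> List[dict]:
    """Return one signal per record that matches an early account-takeover pattern."""
    expected = {c.upper() for c in expected_countries}
    signals = []
    for rec in records:
        op = rec.get("Operation", "")
        user = rec.get("UserId", "?")
        params = _params(rec)
        if op in RULE_OPERATIONS:
            fwd = FORWARD_PARAMS & params.keys()
            hides = (params.get("DeleteMessage", "").lower() == "true"
                     or params.get("MoveToFolder") in HIDING_FOLDERS)
            if fwd:
                signals.append({"user": user, "signal": "forwarding_rule",
                                "detail": {k: params[k] for k in sorted(fwd)}})
            elif hides:
                signals.append({"user": user, "signal": "hiding_rule",
                                "detail": {k: params[k] for k in ("MoveToFolder", "DeleteMessage") if k in params}})
        elif op == "Set-Mailbox" and (MAILBOX_FORWARD_PARAMS & params.keys()):
            signals.append({"user": user, "signal": "mailbox_forwarding",
                            "detail": {k: params[k] for k in sorted(MAILBOX_FORWARD_PARAMS & params.keys())}})
        elif op == "UserLoggedIn":
            country = str(rec.get("CountryOrRegion", "")).upper()
            if country and country not in expected:
                signals.append({"user": user, "signal": "unexpected_country", "detail": {"country": country}})
    return signals


# Constructed sample records; addresses and countries are placeholders.
AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "ap@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "ap.archive@mail-example.net"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "ap@example.com",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;payment;banking"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "From", "Value": "newsletter@example.org"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-Mailbox", "UserId": "ap@example.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:ap.archive@mail-example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "UserLoggedIn", "UserId": "ap@example.com", "CountryOrRegion": "NG"},
    {"Operation": "UserLoggedIn", "UserId": "cfo@example.com", "CountryOrRegion": "CA"},
]

if __name__ == "__main__":
    for s in find_takeover_signals(AUDIT_RECORDS, ["CA"]):
        print(f"{s['user']:18} {s['signal']:20} {s['detail']}")
```

The rule named "." in the first record is typical: attackers give hiding rules one-character names so they are easy to overlook in Outlook's rule list, which is another reason to alert on the audit record rather than wait for a user to notice.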
The third is out-of-band verification on the finance side, because no technical control overrides a human approval. If your accounts payable team approves a fraudulent banking change based on an email, the money moves and the insurance claim gets denied.
The simplest version of out-of-band verification is a voice call to the vendor at a phone number from your existing contact record, not from the email signature. For higher-value vendor relationships, set up a pre-agreed verification PIN. The vendor provides the PIN when requesting any change to payment details. If they cannot provide the PIN, you do not process the change. Email confirmation is no longer adequate. Video call confirmation is also no longer adequate, because the technology to forge a convincing video call exists and is being used.
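The two verification methods just described work as a gate in front of the accounts payable change, and the gate is easiest to enforce in software. Here is an added example, not code from the original post or any vendor system: a small approval workflow in which a banking change cannot be released unless a callback went to the phone number in your own vendor record (the number in the email is recorded but never trusted) or, for a vendor with a pre-agreed PIN on file, the PIN was presented. Vendor names, phone numbers, account values and the PIN are all constructed; the PIN is stored as a salted PBKDF2 hash and compared in constant time.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional


def normalize_phone(number: str) -> str:
    """Digits only; drop a leading North American '1' so '+1 416...' matches '(416) ...'."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class VendorRecord:
    """Your own master record for a vendor. The phone number here, not the one in
    an email signature, is the one you call back."""
    name: str
    phone_on_file: str
    pin_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pin_hash: Optional[bytes] = None  # set only for higher-value vendors

    def set_pin(self, pin: str) -> None:
        self.pin_hash = _hash_pin(pin, self.pin_salt)

    def check_pin(self, pin: str) -> bool:
        if self.pin_hash is None:
            return False
        return hmac.compare_digest(self.pin_hash, _hash_pin(pin, self.pin_salt))

    @property
    def requires_pin(self) -> bool:
        return self.pin_hash is not None


@dataclass
class BankingChangeRequest:
    vendor: VendorRecord
    new_account: str
    phone_in_email: str            # whatever the request message claimed; never trusted
    verified_by: Optional[str] = None


class VerificationRequired(Exception):
    pass


def verify_by_callback(req: BankingChangeRequest, number_dialed: str) -> bool:
    """Only a call placed to the number on file counts as verification."""
    if normalize_phone(number_dialed) != normalize_phone(req.vendor.phone_on_file):
        return False
    req.verified_by = "voice_callback"
    return True


def verify_by_pin(req: BankingChangeRequest, pin: str) -> bool:
    if not req.vendor.check_pin(pin):
        return False
    req.verified_by = "pin"
    return True


def approve(req: BankingChangeRequest) -> dict:
    """Release the change to accounts payable, or refuse with the reason."""
    if req.verified_by is None:
        raise VerificationRequired("no out-of-band verification recorded")
    if req.vendor.requires_pin and req.verified_by != "pin":
        raise VerificationRequired(f"{req.vendor.name} requires the pre-agreed PIN")
    return {"vendor": req.vendor.name, "new_account": req.new_account, "verified_by": req.verified_by}


def is_approvable(req: BankingChangeRequest) -> bool:
    try:
        approve(req)
        return True
    except VerificationRequired:
        return False


if __name__ == "__main__":
    # Constructed vendor and request; the email's phone number differs from the record.
    vendor = VendorRecord("Acme Supply", "+1 416 555 0100")
    req = BankingChangeRequest(vendor, "CONSTRUCTED-ACCT-1", phone_in_email="416-555-0199")
    print("callback to number from email accepted:", verify_by_callback(req, req.phone_in_email))
    print("callback to number on file accepted:", verify_by_callback(req, "(416) 555-0100"))
    print("approved:", approve(req))
```

Note that the email's phone number is kept on the request only as evidence: when it differs from the record, that mismatch is itself a useful indicator for the finance team and for any later insurance or law-enforcement report.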
What This Means for You
This is not optional security. It is the new minimum.
The insurance industry knows where the losses are coming from. Claim denials for human-approved fraudulent payments are increasingly common. The cyber insurance you bought a few years ago does not cover what you think it covers, especially if your team typed the new banking information into your accounts payable system based on an email request.
The encouraging part is that the same controls that block this attack also satisfy the questions on enterprise and government vendor security questionnaires. Conditional Access, managed devices, and identity threat detection are the layer that prime clients and Crown corporation procurement teams ask about. The same investment protects your money and qualifies you for bigger contracts.
If you process vendor payments and you have grown past the size where one in-house “tech person” who is good at “that stuff” can keep up, the conversation is worth having. We offer a free consultation to walk through your current setup and identify where the gaps are, and what it would take to protect your business with modern best practices against modern AITM threats. Reach out today.