Verification Procedures

Stop a vendor banking BEC by using your authoritative directory and an out-of-band callback.

What Is Verification Procedures?

Vendor banking-detail BEC is one of the most lucrative attacks in circulation. The pretext is almost always the same: a long-standing supplier emails to say that their bank was just acquired or their account was rotated, and asks the AP coordinator to update the payment record before the next cycle. The story is plausible. The invoice number references a real upcoming payment. The signature matches a real account manager the AP team has talked to before. The only thing that is wrong is the contact information and the bank account, and a victim with no formal verification procedure has no reliable way to spot it.

In this simulation, you are the AP coordinator on the morning before Friday's payment run. An urgent email from a real-looking Marcus Webb at Cascade Heavy Industries asks you to redirect a $47,830 payment to a brand-new bank account at a different bank. You will work the verification procedure that catches this class of attack: open VendorVerify, the company's authoritative procurement-vetted vendor directory; compare the verified phone, verified email, and banking change history against what the email claims; and call the verified number on a recorded line to confirm with the real account manager.

The exercise demonstrates why the contact information inside a suspicious request is part of the attack, why bank-acquisition stories are easy to fabricate in email and impossible to fabricate in a procurement record, why a formal change-request process keeps AP from being a single point of failure, and why every attempted vendor BEC needs to be reported even when no money moves so the SOC can pivot on indicators and warn other AP teams.

What You'll Learn in Verification Procedures

Verification Procedures — Training Steps

  1. A Quiet Thursday Morning

    It is Thursday morning at CypherPeak Technologies. You're Alice, an Accounts Payable Coordinator, and Friday's vendor payment run is your last big task before the weekend. Most of the work is routine: match invoices to purchase orders, queue payments, and double-check that any banking-detail changes have been formally approved through Procurement.

  2. An Email From Cascade Heavy

    An email arrives in your inbox marked urgent. The sender display name reads Marcus Webb - the senior account manager at Cascade Heavy Industries, one of your long-standing suppliers.

  3. Reading the Request

    The subject line reads URGENT: Banking Detail Update Before Friday's Cycle - INV-2024-3847. Marcus's name is right. The invoice number is right. The amount and due date match Friday's run. But Marcus is asking you to redirect the payment to a brand-new bank account because his company's bank was supposedly just acquired.

  4. CypherPeak's Verification Policy

    Your AP playbook is clear. For any banking-detail change request, the verification procedure is non-optional:

      - Look up the vendor in VendorVerify, the procurement-vetted authoritative directory.
      - Use the verified phone number from VendorVerify - never a number from the request itself.
      - Confirm the change with the vendor's named contact on a recorded line.
      - Require a formal change request through Procurement before any account update.

    The point is simple: an attacker can spoof an email, a signature, even a reply-to. They cannot spoof the verified contact details that Procurement keeps under separate control.

  5. Open VendorVerify

    Open the browser and navigate to VendorVerify. The directory is hosted internally at vendor-verify.cypherpeak.com and is the only authoritative source for vendor contact and banking details at CypherPeak.

  6. Sign In to VendorVerify

    VendorVerify uses CypherPeak SSO, the same account that gates every internal portal. Use the saved credentials in your password manager.

  7. Search for the Vendor

    VendorVerify shows the directory dashboard. Search for the vendor named in the email so you can compare what the email claims with what Procurement has actually verified.

  8. Open the Vendor Record

    One verified result matches: Cascade Heavy Industries. Open the record to see the verified contact and banking details that Procurement keeps under separate control.

  9. Compare the Verified Phone

    The vendor record shows the contact details Procurement actually verified, with the date of verification. Compare those against what the email claims.

  10. Compare the Banking History

    Banking changes at CypherPeak are tracked formally. Procurement records every approved change with a timestamp and an approver. The history makes the email's story easy to falsify.
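
The comparison in steps 4, 9 and 10 can be written as a small check. This is an added example, not part of the training module or of VendorVerify: the record layout, field names, finding labels and all sample values are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class VendorRecord:            # assumed layout, not VendorVerify's real schema
    verified_phone: str
    verified_email: str
    approved_accounts: frozenset   # accounts with an approved change on file

@dataclass
class ChangeRequest:
    sender_email: str
    callback_phone: str        # number offered inside the request itself
    new_account: str

def digits(phone):
    """Reduce a phone number to digits so formatting differences are ignored."""
    return re.sub(r"\D", "", phone)

def review(req, rec):
    """Compare the request with the directory record.
    Returns (findings, callback_number); the callback number is always the
    verified one from the record, never the one in the request."""
    findings = []
    if req.sender_email.strip().lower() != rec.verified_email.lower():
        findings.append("sender_email_mismatch")
    if digits(req.callback_phone) != digits(rec.verified_phone):
        findings.append("phone_mismatch")
    if req.new_account not in rec.approved_accounts:
        findings.append("no_approved_banking_change")
    return findings, rec.verified_phone

def decision(findings):
    if not findings:
        return "PROCEED"
    if findings == ["no_approved_banking_change"]:
        # Contacts match, but Procurement has not approved this account yet.
        return "HOLD_PENDING_CALLBACK"
    return "HOLD_AND_REPORT"   # contact details differ: report to the SOC

# Constructed sample data (reserved .example domains, 555-01xx numbers).
RECORD = VendorRecord("+1 (555) 010-0142", "marcus.webb@cascadeheavy.example",
                      frozenset({"ACCT-ON-FILE"}))
SPOOFED = ChangeRequest("marcus.webb@cascade-heavy.example",
                        "+1 555 010 0199", "ACCT-NEW")

if __name__ == "__main__":
    found, callback = review(SPOOFED, RECORD)
    print(decision(found), found, "call:", callback)
```

Even a request whose contact details match the record is held until the callback and the Procurement change request are complete, because the new account has no approved change on file.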