Local Advisory

Urgent Advisory: Phantom Vendor Invoice Scam Targeting GTA Businesses

Our SOC has observed a surge of business email compromise (BEC) emails impersonating long-time suppliers. The adversaries register lookalike domains, wait for invoice cycles, and then reroute payments to mule accounts. The campaign is active across the Greater Toronto Area.

What We Are Seeing

  • Lookalike domains registered within the last 30 days (e.g., suppliername-ca.com vs. suppliername.com).
  • Compromised supplier mailboxes forwarding entire invoice threads.
  • Follow-up phone calls from actors posing as the vendor's finance team to push for approval of the change.
  • Payment instructions referencing urgent tax audits or bank migrations.

Detection Checklist

  • Check SPF/DKIM/DMARC results and domain age before actioning any banking change.
  • Verify account or routing changes using a known phone number, not the one provided in email.
  • Review email headers for forwarding rules or sign-ins from unusual geographies.
  • Update vendor records with a "no email-only changes" policy.

[Figure: Example of fraudulent invoice change request]
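
The first checklist item can be partly automated. The sketch below is an added example, not part of the original advisory: it reads the Authentication-Results header, compares the sender domain against known vendor domains, and applies the 30-day domain-age window. The vendor list, the similarity threshold, the sample message and the registration date (which would come from a WHOIS/RDAP lookup done elsewhere) are assumptions.

```python
import re
from datetime import date
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains taken from your vendor master records.
KNOWN_VENDOR_DOMAINS = {"suppliername.com"}
MAX_NEW_DOMAIN_DAYS = 30   # "registered within the last 30 days"
LOOKALIKE_RATIO = 0.8      # assumed similarity threshold, tune locally

# Constructed sample message (not a real capture).
SAMPLE = """\
From: "Supplier AP" <billing@suppliername-ca.com>
To: payables@example.org
Subject: Updated banking details for invoice 1042
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=suppliername-ca.com;
 dkim=none; dmarc=fail header.from=suppliername-ca.com

Please use the new account for all future payments.
"""

def review_banking_change(raw, registered, today):
    """Return (sender_domain, flags); any flag means hold the change."""
    msg = message_from_string(raw)
    domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    flags = []
    # Only trust Authentication-Results stamped by your own mail gateway.
    results = " ".join(msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        found = re.search(rf"\b{mech}=(\w+)", results)
        verdict = found.group(1) if found else "missing"
        if verdict != "pass":
            flags.append(f"{mech}={verdict}")
    # A near match to a known vendor domain is the lookalike pattern.
    if domain not in KNOWN_VENDOR_DOMAINS:
        for known in sorted(KNOWN_VENDOR_DOMAINS):
            if SequenceMatcher(None, domain, known).ratio() >= LOOKALIKE_RATIO:
                flags.append(f"lookalike of {known}")
    if (today - registered).days <= MAX_NEW_DOMAIN_DAYS:
        flags.append(f"domain younger than {MAX_NEW_DOMAIN_DAYS} days")
    return domain, flags

if __name__ == "__main__":
    # Constructed dates: domain registered 12 days before the email arrived.
    print(review_banking_change(SAMPLE, date(2024, 5, 1), date(2024, 5, 13)))
```

An empty flag list does not replace the call-back on a known phone number; it only means the automated checks found nothing.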

Immediate Response Steps

  • Freeze outstanding payments to the affected vendor until verbal confirmation is obtained.
  • Alert your bank's fraud department if money was sent; same-day recalls are sometimes possible.
  • Reset credentials for any compromised mailboxes and review sign-in logs.
  • Notify the vendor so they can secure their environment and warn other customers.

Preventive Measures

Enable supplier verification workflows inside your ERP or accounting platform. ArchiveX customers can layer WORM-backed email journaling, ensuring forensic trails remain intact for investigations. Train payables staff to escalate unusual payment instructions immediately.

[Figure: Checklist for confirming vendor banking changes]