Local Advisory

Urgent Advisory: 'Phantom Vendor' Invoice Scam Targeting GTA Businesses

A sophisticated business email compromise (BEC) campaign is targeting businesses in the Greater Toronto Area. Attackers pose as established vendors to divert payments to fraudulent accounts.

Threat Simulation

BEC Invoice Fraud

A compromised vendor account tries to reroute a payment and is blocked by policy.


How the Scam Works

  • Attackers compromise a vendor's email account or spoof their domain.
  • They send an invoice that looks legitimate, often referencing real projects.
  • The email tells you that payment should now go to a 'new bank account', citing an audit or banking change as the reason.

Red Flags

  • Unexpected changes to payment details.
  • Emails coming from slightly different domains (e.g., vendor-billing.com instead of vendor.com).
  • Urgent requests to process payment before a deadline.
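
The three red flags above can be turned into an automated pre-screen for the accounts-payable inbox. The following is an added example, not part of the original advisory: the vendor domain list, keyword patterns, 0.8 similarity threshold and sample messages are constructed assumptions, and the domain comparison is simplified to the label before the TLD.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains on file in the vendor master list (constructed value).
KNOWN_VENDOR_DOMAINS = {"vendor.com"}
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|remittance|wire)\b", re.I | re.S)
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|deadline)\b", re.I)

def label(domain):
    # Simplification: treat the label before the TLD as the brand name.
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) > 1 else parts[0]

def is_lookalike(domain, known=KNOWN_VENDOR_DOMAINS):
    domain = domain.lower()
    if any(domain == k or domain.endswith("." + k) for k in known):
        return False  # exact match or subdomain of a domain on file
    # Brand embedded (vendor-billing.com) or near-miss spelling of a known label.
    return any(label(k) in label(domain)
               or SequenceMatcher(None, label(k), label(domain)).ratio() >= 0.8
               for k in known)

def red_flags(raw_email):
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    checks = [("lookalike_domain", is_lookalike(sender_domain)),
              ("payment_detail_change", bool(PAYMENT_CHANGE.search(text))),
              ("urgency", bool(URGENCY.search(text)))]
    return [name for name, hit in checks if hit]

# Constructed sample messages, not taken from a real incident.
SUSPICIOUS = """From: Vendor Accounts <accounts@vendor-billing.com>
Subject: Invoice 1043 - updated remittance details

Due to an audit, please use our new bank account for this invoice.
Payment must be processed today.
"""
LEGITIMATE = """From: Vendor AR <ar@vendor.com>
Subject: Invoice 1042

Invoice 1042 for the March project is attached. Terms are net 30.
"""
if __name__ == "__main__":
    print(red_flags(SUSPICIOUS), red_flags(LEGITIMATE))
```

A message that raises any flag should be held for the call-back verification described under Prevention Steps. A clean result does not clear a message, because a genuinely compromised vendor mailbox sends from the correct domain.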

Prevention Steps

  • Verify any payment change request by calling the vendor on a known, trusted number.
  • Implement dual-approval processes for all wire transfers.
  • Train AP staff to recognize BEC indicators.

What to do if you paid

Contact your bank immediately to attempt a recall of funds. Report the incident to local law enforcement and the Canadian Anti-Fraud Centre.
