Tuesday, October 28, 2025

Phony Bank Account Change Requests: A Growing Threat for Healthcare Finance Leaders

It’s Monday morning at a busy healthcare provider.  The accounts payable (AP) team is knee-deep in invoices from medical supply vendors, payroll approvals, and urgent requests from department heads.  Amid the flood of emails, one message stands out: a trusted supplier is updating their bank account details and needs the change made before the next payment run.  The request looks completely legitimate – the supplier’s logo is there, the email address looks right, and the message mentions an ongoing order for lab equipment.  Pressed for time, the AP specialist enters the new bank account details and moves on.

Two weeks later, the supplier calls asking why payments have stopped.  Only then does the team realize that they’ve been sending thousands of unrecoverable dollars to a fraudster.  What seemed like a simple “to-do” has turned into a crisis that could have been avoided with stronger practices for verifying bank account change requests.

Why phony bank account change requests are harder to detect

At first glance, bank account change requests don’t seem like a major risk – after all, suppliers update their details all the time.  But fraudsters have learned that AP departments, especially in healthcare, are often stretched thin, with limited bandwidth to double-check updates.  This makes bank account change requests a prime attack vector.  They’re routine enough to avoid raising suspicion, but if successful, can reroute funds straight into a criminal’s account.

Fraudsters are more sophisticated than ever.  Their requests:

  • Mimic real communications.  Attackers use spoofed email addresses or compromise legitimate ones, making messages nearly indistinguishable from actual supplier correspondence.  These fraudulent emails often contain the right logos, formatting, and even writing style, which can fool even experienced AP staff.  As cybercriminals refine their tactics, traditional methods of spotting typos or unusual phrasing are no longer reliable.
  • Exploit urgency and trust.  Requests often come with a tight deadline or reference senior executives, pushing AP teams to act quickly without scrutiny.  Fraudsters know that healthcare organizations prioritize patient care and supplier relationships, so they create pressure to make the request feel legitimate.  This tactic plays on human behavior, creating an environment where AP and finance staff feel they cannot delay or question the change.
  • Leverage complexity.  With thousands of vendors, staff struggle to know every contact, making fraudulent requests easier to slip through.  Fraudsters exploit this complexity by targeting suppliers who are less frequently engaged, assuming staff won’t recognize the difference. The larger and more decentralized the organization, the higher the risk of a fake request being overlooked.
  • Bypass traditional checks.  Simple callbacks aren’t enough when fraudsters spoof phone numbers or impersonate known contacts.  In some cases, they even gain access to legitimate email accounts, meaning a callback to the “usual” contact still ends up in the fraudster’s hands.  This creates a false sense of security, leaving AP teams exposed to fraud risk.

Best practices that make the difference

The good news is that healthcare organizations don’t have to stay vulnerable.  By adopting stronger, more consistent best practices, AP and finance leaders can make it harder for fraudsters to succeed.  These aren’t just “nice-to-have” safeguards – they’re key defenses in a world where cybercriminals are actively targeting healthcare providers for their high transaction volumes.

Here are best practices that can help safeguard an organization from phony account change requests:

  • Always validate outside the request channel.  Never trust emails or forms alone.  Verify changes through a separate, trusted contact method.  If a request comes by email, use the phone and call a known, verified contact number, not the one on the request.  This step can feel small but it’s often the difference between stopping fraud and losing funds.
  • Use multi-level approvals.  Require a second set of eyes for all bank account changes, especially for large or sensitive suppliers. Second reviewers often catch details the first person overlooked, especially when pressure or urgency is being applied.  This added control creates accountability and reduces the chance of a single error leading to major losses.
  • Maintain centralized supplier records.  Keep current, verified contact details in a secure system so staff always know the right person to call.  A centralized database reduces reliance on memory, sticky notes, or outdated spreadsheets, which are prime sources of error.  By keeping supplier data current, you make it far harder for fraudulent details to sneak through.
  • Educate AP and finance staff.  Regular training ensures employees recognize red flags and resist urgency tactics.  Training should include real-world examples of fraudulent requests to help staff develop instincts for spotting suspicious behavior.  Empowered employees are more likely to question unusual requests and escalate them for proper review.
  • Adopt automated bank account verification tools.  Technology can remove human error from the equation and scale protection as an organization’s supplier base grows.  Automated tools cross-check requests in real time against authoritative data sources, offering a layer of defense that manual processes cannot consistently match.  This gives finance leaders confidence that every request has been rigorously verified before payments are altered.

How automation helps stop fraud at the source

While best practices build a strong foundation, automated bank account verification is what takes fraud prevention from reactive to proactive.  Healthcare AP and finance departments are managing hundreds or even thousands of transactions weekly, and it’s not realistic to expect human staff to manually verify every bank account change request with the same rigor.  Automation adds speed, scale, and consistency to the process, ensuring no fraudulent request slips through the cracks.

Automated bank account verification provides a stronger, faster, and more reliable safeguard by:

  • Instantly validating ownership.  Automation cross-checks bank account details against authoritative data sources to confirm the supplier really owns the account. This eliminates guesswork and removes reliance on supplier-provided documents that can be easily falsified. The result is immediate clarity on whether the change request is safe or fraudulent.
  • Reducing AP and finance workload.  Automation eliminates the need for manual callbacks or back-and-forth communication. Instead, AP staff can focus on higher-value tasks like analysis and reporting.  The time savings alone can make automated bank account verification pay for itself in weeks.
  • Ensuring consistency.  Automated bank account verification applies the same standards to every request, without relying on individual judgment or memory.  Manual bank account verification leaves too much room for human error, particularly when staff are busy or under pressure.  Automation enforces uniformity, making sure no shortcuts or oversights occur.
  • Creating an audit trail.  Automation provides documentation that proves verification occurred, essential for compliance and audits in heavily regulated healthcare environments. This record is invaluable when demonstrating due diligence to regulators or auditors. It also helps protect your organization’s reputation by showing a strong commitment to security.

A safer scenario with best practices in place

Contrast the earlier “day in the life” with one where best practices and automation are standard operating procedure.  A phony request arrives, but this time the system automatically flags the request for verification, cross-checks ownership, and fails the fraudster’s attempt.  The AP team is alerted, funds remain safe, and the organization avoids a costly mistake.  Instead of reacting to fraud after the fact, this healthcare provider stays ahead of it – safeguarding its suppliers, protecting its finances, and strengthening AP’s role.

Final thought

Phony bank account change requests aren’t just another check box on a fraud prevention list – they’re one of the most immediate and dangerous threats facing healthcare AP teams today. A single lapse can have devastating financial and reputational consequences.  By combining staff vigilance with automated bank account ownership verification, finance leaders can transform AP from a vulnerable target into a strong first line of defense, keeping the organization focused on patient care.

Photo: kentoh, Getty Images


Phil Binkow is CEO of Financial Operations Networks (FON), developer of VendorInfo, InvoiceInfo and the Vendor Information Management Center of Excellence, a leading suite of software-as-a-service platforms that allow finance teams to onboard, verify and manage suppliers with confidence, reduce cost and risk and strengthen compliance.

Prior to starting Financial Operations Networks, Phil founded and served as CEO of PayTECH, a leading electronic invoice processing, disbursements and spend analytics platform serving companies such as Oracle, Cisco, the Gap, Charles Schwab, JP Morgan Chase and NCR. Under Phil, PayTECH grew to process and pay over 100 million invoices annually. In 2002, FON founded The Accounts Payable Network (TAPN), which grew to become the world’s largest accounts payable training and certification organization.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.
