Credit risk used to be primarily about financial capability. The core question was simple: Can this customer pay? You analyzed financial statements, reviewed payment history, and assigned a limit. If the numbers looked good, the order shipped. Today, the question has shifted. The question is no longer just about whether they can pay, but whether the person asking for the credit is who they say they are.

‍

The Fake Employee scheme is one of the most pervasive fraud vectors currently hitting B2B credit teams. It does not rely on complex hacking or breaking into your ERP. Instead, it relies on social engineering, urgency, and the natural desire of sales teams to close deals quickly.

‍

How the Fake Employee Scheme Works

This specific type of fraud is difficult to catch because the customer is real. The fraudster uses the name of a legitimate, creditworthy business. They send over real tax documents or credit references belonging to that business. The weak link is the communication channel. The fraudster pretends to be a procurement manager, a site supervisor, or a VP from that legitimate company. They engage sales, place an order, and then divert the shipment.

‍

The stakes are particularly high when the goods are capital equipment or easily resalable industrial supplies. Fraudsters target high-value items that can be moved quickly. By the time the credit manager notices the shipping address does not match the billing address, the goods are often already on a truck.

‍

Why Standard Credit Checks Fail

Traditional credit checks focus on the entity, not the individual requestor. This creates several vulnerabilities:

‍

The Existing Customer Loophole

Many credit policies have fast-track approvals for existing customers or subsidiaries of known entities. If a fraudster claims to be from a company you already do business with, the credit team often skips the deep dive. The system sees the parent company is a good payer, and the check passes. The validation focuses on the entity, not the person requesting credit.

‍

Domain Spoofing and Email Fatigue

Fraudsters use typosquatting to create lookalike domains. If your customer is construction-corp.com, the fraudster registers construction-corps.com or construction-procurement.com. To a busy salesperson or credit analyst reading dozens of emails a day, these look identical. Without automated systems to flag domain discrepancies, these details get missed, especially on mobile devices where full email headers are hidden.

‍

The Sales vs. Credit Tension

Sales teams are incentivized to remove friction. Asking a customer to prove their identity feels like friction or an accusation. Fraudsters weaponize this cultural tension. They act insulted or urgent if questioned, prompting the salesperson to pressure Credit to push the order through.

‍

Manual Verification Limits

Verifying an employee's identity is hard work. There is no central database of every employee at every company. Calling the main HQ line to verify employment takes time and often leads to voicemail. When volume is high, teams default to trust.

‍

Last-Mile Data Changes

The most critical vulnerability often occurs after the credit approval. The credit team approves the account based on a legitimate billing address. Then, hours before shipment, the requester emails the sales rep or logistics coordinator to change the shipping destination to a job site, a warehouse, or a freight forwarder. This change often bypasses the credit team entirely.

‍

The Anatomy of the Attack

Understanding the specific steps fraudsters take allows you to build interruptions into your workflow:

‍

Stage 1: Reconnaissance

The fraudster researches your existing customers. They look for companies with strong credit ratings and large purchasing needs. They scour LinkedIn to find the names of real procurement officers at those companies so they can impersonate them.

‍

Stage 2: The Setup

They register a lookalike domain. They create a fake email signature that looks professional, often copying the logo and format of the real company exactly. They initiate contact, often asking for a quote first to build legitimacy.

‍

Stage 3: The Order and The Pivot

They place the order. Everything looks standard. They provide the company's actual billing address. Then comes the pivot. They request a job site delivery or a one-time drop ship to a location that has no clear affiliation with the billing party.

‍

Stage 4: The Extraction

Once the goods are delivered to the third-party location (often a rented warehouse or a freight forwarder), they are immediately moved again or shipped overseas. By the time the invoice becomes past due and you contact the real company, the goods are gone.

‍

Frameworks for Defense

Defeating this scheme requires a shift in mindset. You are not just underwriting financial risk. You are authenticating identity.

‍

The Three-Point Match for Identity

Most finance teams know the three-way match for AP (PO, Receiver, Invoice). You need a similar concept for onboarding new contacts, even at existing customers.

1. Domain Match: Does the email domain match the web domain of the company exactly? If the website is .com but the email is .net, stop. If the email contains extra words like inc, llc, or group that are not in the main URL, stop.
2. Phone Match: Never rely on the phone number in the email signature. That number goes to the fraudster's burner phone. Independently search for the company's main HQ number (using Google Maps or the official website), call it, and ask to be transferred to the person ordering.
3. Location Match: Does the shipping address appear on the company's website or credit report? If it is a job site, require a copy of the contract or a contact at the site who can be verified.

‍

The Late-Change Protocol

Implement a strict policy: Any change to shipping information after credit approval triggers a re-hold.

Logistics and Sales must understand that they cannot unilaterally change a ship-to address on a credit account without notifying the Credit department. If the address changes, the order goes back on credit hold until the new address is vetted. This single policy change stops the majority of interception fraud.

‍

The Too Easy Test

Train your sales team to recognize the Too Easy deal. If a new contact appears out of nowhere, knows exactly what they want, does not negotiate on price, and wants the goods immediately, it is a red flag.

Legitimate procurement involves negotiation, questions about specs, and discussions about lead times. Fraudsters do not care about price because they never intend to pay. They only care about speed.

‍

Technical Defenses and Data Strategy

While policies are essential, manual enforcement is prone to error. Technology plays a critical role in scaling these defenses.

‍

Automated Domain Analysis

Modern credit intake systems can automatically validate email domains. They can check the age of a domain. A legitimate company has had its domain for decades. A fraudster's spoofed domain might be three days old. Your system should flag any application coming from a domain registered in the last 90 days.

‍

Company Validation with Company Radar

Before accepting a large order from a new contact at an existing customer, verify the company itself is still legitimate and active. Company Radar scans financial filings, industry news, legal databases, and compliance records to detect red flags like recent bankruptcies, ownership changes, M&A activity, or legal actions.

‍

If a fraudster is using a company that recently went bankrupt or underwent major restructuring, Company Radar surfaces these changes immediately. This helps identify cases where fraudsters exploit companies in transition when normal communication channels may be disrupted.

‍

Try it free: Company Radar

‍

Address Verification Service

Use tools that visualize the shipping address. Is the warehouse actually a residential house? Is it a self-storage facility? Is it an empty lot? Automated address verification tools can run these checks at scale.

‍

Bank Account Validation

If the customer provides banking information for ACH setups, validate the account ownership. Does the bank account name match the business name exactly? Fraudsters often open accounts under slight variations.

‍

Strategic Impact of Fraud Defense

The value of stopping fake employee fraud extends beyond the immediate loss of inventory.

‍

Revenue Protection

When you lose inventory to fraud, you lose twice. You lose the Cost of Goods Sold (COGS), and you lose the opportunity to sell those goods to a paying customer. High-value equipment losses can wipe out profit margins for entire regions.

‍

Credit Team Credibility

When the Credit department catches a fraudster that Sales missed, it changes the dynamic between the teams. Credit stops being the Department of No and becomes the Department of Revenue Protection. It builds trust. Salespeople begin to respect the checks because they realize those checks save their commissions (which are often clawed back in fraud cases).

‍

Operational Efficiency

Cleaning up fraud is messy. It involves police reports, insurance claims, write-offs, and endless internal meetings. Preventing the fraud upfront, even if it takes an extra hour of verification, saves weeks of cleanup work later.

‍

The Defense Playbook: Actionable Steps

To combat the Fake Employee scheme effectively, you need a plan that involves Credit, Sales, and Logistics.

‍

Update Your Credit Application

• Add a field for Supervisor Name or AP Contact separate from the buyer.
• Require a main corporate line in addition to a mobile number.

‍

Implement the 15-Minute Rule

• If a deal feels rushed, pause for 15 minutes. Use that time to verify the domain, run a Company Radar check, and call the HQ.
• Fraudsters rely on momentum. Breaking the momentum often reveals the cracks in their story.

‍

Questions to Ask Your Team

• Do we have a system flag for email domains that do not match the website?
• Does Logistics have the authority to change a ship-to address without Credit approval?
• When was the last time we verified the employment status of a buyer at a major account?
• Are we running Company Radar checks on new contacts claiming to represent existing customers?

‍

Review Your Job Site Policy

• Shipping to construction sites or temporary locations is necessary for many industries, but it requires higher scrutiny. Require a copy of the Notice of Commencement or the prime contract for the job site before releasing goods.

‍

Fraud is evolving. The Fake Employee scheme represents a significant threat to B2B credit operations. By implementing identity authentication protocols alongside traditional credit risk assessments, credit teams can protect inventory while maintaining sales velocity.

‍

Facing fake employee fraud attempts? Bectran's fraud detection suite includes automated email domain verification, Company Radar for real-time risk monitoring (detects bankruptcies, legal actions, M&A activity before fraud occurs), address validation that flags residential or suspicious locations, bank account ownership matching, and ship-to change alerts that trigger credit re-holds—stopping impersonation fraud before goods leave your warehouse. See how fraud prevention works.

‍