Wednesday, April 22, 2026 / News

The Costly Email Mistake: How One Vendor Payment Scam Can Cripple a Distribution Business

It starts as a normal day. The branch is moving. Counter traffic is steady, inside sales is working through quotes, and a contractor is waiting on material to finish a job before the end of the week. A shipment just came in that needs to turn quickly, and no one has time to slow down.

In the background, finance is working through a batch of payments tied to recent orders. One of those orders is tied to a vendor your team works with all the time, the kind of relationship where nothing usually needs to be double-checked.

Earlier that morning, accounts payable noticed something small: a login alert from a location they did not recognize and a couple of emails in their sent folder they do not remember writing. They mentioned it, IT is aware, but nobody stops what they are doing because there is too much going on.

Then the email comes in. It looks like the vendor. Same contact, same thread, referencing a recent shipment and asking to update payment details before the next payment is processed. Inside sales recognizes the order immediately, the material already moved, and the contractor is waiting on the next delivery, so everything lines up. The update gets entered, and the payment goes out without much hesitation because it fits the normal flow of work.

About 45 minutes later, the real vendor calls. They have not received payment, and they never sent any request to change their banking information. That is when everything shifts.

Finance starts trying to trace the payment while IT digs into account activity to understand what was accessed and when. At the same time, sales is fielding calls from the contractor asking where the next shipment is, and leadership is getting pulled in without a clear picture of what actually happened. The questions start stacking up quickly.
When did this start, is the account still compromised, are there more payments like this, and can the money be recovered? Everyone is trying to solve part of the problem, but no one is clearly driving the response.

Then a different kind of question surfaces. Who owns this situation right now? Finance assumed IT would lead the response, IT assumed finance would handle anything tied to payments, and leadership assumed someone had already taken control. Everyone is involved, but ownership is not defined, and decisions slow down right when they need to speed up.

The team is now forced to make real calls under pressure. Do you pause payments and risk disrupting operations, or keep things moving and risk sending more money to the wrong place? Who contacts the bank, who talks to the vendor, and what gets communicated internally to the rest of the team? These are business decisions, not technical ones, and they have to be made with incomplete information while the rest of the operation is still running.

Most teams assume they would handle this when it happens, but very few have actually worked through it in a structured way. What shows up in these moments is not a lack of tools; it is a lack of clarity around ownership, response steps, and communication across the business. After the fact, it is easy to point to what should have happened. In the moment, there is hesitation, disagreement, and delay, and that is where the exposure lives.

This is exactly the type of situation cybersecurity tabletop exercises are designed to surface. They are not presentations or training sessions, but structured scenarios that force your team to respond in real time, with limited information and decisions that cannot be avoided. If your team cannot make a decision, that is not a failure of the exercise. It is a gap in how the business operates.
The goal is to see how your organization actually responds when something goes wrong, including who steps in, where decisions get stuck, and which processes hold up versus where nothing is defined.

ASA has developed a Business Email Compromise tabletop exercise specifically for distributors and manufacturers, along with supporting materials to help teams run it internally. These resources are available now in the ASA Cybersecurity Starter Kit for Distributors, located in the Innovation section of the ASA website: https://www.asa.net/Innovation/Cybersecurity. Look for it in the ‘Resources’ section. The exercise walks through scenarios like this and requires your team to define actions, assign ownership, and identify gaps in your current approach, then turn those gaps into a clear action plan.

The businesses that handle these situations best are not the ones with the most tools, but the ones that have already decided how they will respond before they are forced to. If your team has not worked through who owns a situation like this, what decisions get made, and how those decisions are communicated, then you are relying on people to figure it out in the moment, and that is exactly when it is hardest to do.