Today’s payment fraud is no longer a single trick—it’s a multi-vector ambush. Attackers layer email compromise, fake websites, and invoice edits into campaigns built to pass every security check you have in place.
In a recent web series episode, Curtis Simpson, CISO at Armis, broke down a real-life $1.23 million fraud attempt that nearly succeeded—despite every traditional control being in place.
Here’s what that multi-vector payment fraud attack looked like, and why it was almost impossible to catch.
What Is Multi-Vector Payment Fraud?
It’s a coordinated form of payment fraud that strings together multiple tactics (email compromise, lookalike domains, invoice edits, social engineering, and more) so that no single check catches it. Each step is built to look legitimate at the checkpoint that examines it, and detection only works if the steps are seen together.
How It Defeats Traditional Fraud Controls
Legacy thinking suggests you can stop payment fraud with steps and systems like:
- Checking the sender’s email address and deploying email security tools
- Validating bank account changes
- Calling the vendor to confirm the request, or requiring MFA
These used to be effective fraud-prevention measures, but modern fraudsters know exactly which checks are coming and that they are a standard part of most payment processes. To slip through, they rig every input those checks rely on so that each one passes. This is especially dangerous when the controls that matter sit outside your organization, with the vendor.
Attackers often start by targeting vendors, where controls tend to be weaker and security protocols vary.
“I have seen this many times in my career. The vendor doesn’t have as strong of controls as we have internal to organizations, and is one of the weak links in the chain in terms of there is the potential to compromise the vendor.”
— Curtis Simpson, CISO, Armis
Let’s walk through the real-world multi-vector payment fraud attack Curtis described, and break down why traditional checks didn’t stop it.
Anatomy of the $1.23M Multi-Vector Attack
This real, anonymized case shows how many layers attackers now stack to exploit the gaps between controls.
1. Vendor Account Compromised
An attacker took over the email account of a trusted vendor (vendor email compromise, or VEC). No phishing email or spoofed sender was needed: the attacker was operating from the vendor’s real mailbox, with access to past invoices, genuine contacts, and ongoing conversations with customers. Among them was a $1.23 million invoice, and the attacker locked in on that target.
2. Fake Bank Account Created
Using the real vendor’s information as cover, the attacker opened a new bank account under a name that closely resembled the vendor’s. Because it was a real account at a real bank, automated account validation would report it as valid; the name differed just enough from the vendor’s to be a separate account that the attacker controlled, ready to receive the redirected funds.
3. PDF Invoice Was Edited
The attacker downloaded the legitimate invoice, edited the banking details, and sent the edited copy from the compromised mailbox. Only the file’s metadata (its edit history) showed that it had been modified; to the human eye, the document looked clean.
4. Lookalike Domain + Website Registered
To back up the deception, the attacker registered a lookalike domain nearly identical to the vendor’s and stood up a basic website on it, so that the contact details printed on the invoice resolved to something that looked real if anyone checked.
5. Contact Info Changed to Redirect Calls
On top of this, the fraudsters also updated the invoice contact details so any call-back verification would be routed to them, not the real vendor.
When the finance team followed protocol and called to verify—they reached the attacker.
This is what makes these attacks so dangerous. The finance team followed every control:
- They received an invoice from a trusted vendor, passing their email security.
- They called the number on the altered invoice and confirmed payment details, passing their manual phone verification protocol.
- They validated the new bank account with a third-party tool, passing their traditional bank validation methods.
Nothing raised the alarms because each part of the process had been compromised.
Why Traditional Controls Failed
This is a wake-up call about how process-level controls fail against cross-channel fraud. If anything, this highlights the necessity of context-aware fraud detection.
Here’s what didn’t work:
- Email security didn’t flag it, because the email really came from the vendor’s mailbox.
- Bank validation didn’t flag it, because the account was real; it just wasn’t the vendor’s.
- Callback verification didn’t work, because the number on the invoice had been changed to one the attacker answered.
Each tactic looks clean in isolation, but the full pattern tells another story.
The New Playbook for Stopping Payment Fraud
In 2024, 79% of organizations experienced payment fraud attempts or attacks, and according to the FBI’s 2024 IC3 report, reported losses totaled $16.6 billion that year. At Trustmi, we regularly encounter these sophisticated attacks during proof-of-value engagements.
So how do we stop these attacks? Stopping multi-vector payment fraud means using systems that see across silos and recognize the pattern, not just verify the individual parts.
That means correlating signals such as:
- Bank account history (how long the account has existed and whether this vendor has ever been paid to it)
- Domain registration changes and newly registered lookalike domains
- PDF edit history and metadata anomalies
- Vendor behavior patterns (contact details, invoice format, and payment routing compared with past invoices)
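The following is an added example of what that cross-channel correlation can look like in code; it is not Trustmi’s, Armis’s, or any other vendor’s product code. It screens one incoming invoice against the vendor master record and combines the weak signals from steps 2 through 5 above (changed bank account, changed callback number, lookalike and newly registered contact domain, PDF metadata showing an edit by a different tool) into a single verdict. The vendor record, invoice details, and PDF bytes are constructed for illustration; the domain creation date is assumed to have been fetched from WHOIS/RDAP beforehand, and the PDF parser reads only the Info dictionary and counts `%%EOF` markers, which is enough for this sample but not for every real-world PDF.

```python
"""Context-aware invoice screening: correlate weak signals across channels
(email domain, invoice PDF, bank details, callback number, domain age) rather
than passing each check in isolation.  Added example for this article; it is
not Trustmi's, Armis's or any vendor's code.  The vendor record, invoice
context and PDF bytes below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
import re


@dataclass
class VendorRecord:            # what was on file *before* this invoice arrived
    domain: str
    iban: str
    phone: str                 # verified out-of-band at onboarding
    pdf_producer: str          # /Producer seen on previous genuine invoices


@dataclass
class InvoiceContext:          # what arrived with this invoice
    sender_domain: str         # domain of the mailbox that sent it
    contact_domain: str        # domain in the invoice's contact/website block
    contact_domain_created: date   # WHOIS/RDAP creation date (assumed looked up)
    received: date
    iban: str
    callback_phone: str        # number printed on the invoice
    pdf_bytes: bytes


HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_domain(d: str) -> str:
    """Fold common substitutions so 'acme-suppl1es' compares as 'acme-supplies'."""
    return d.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, legit: str) -> bool:
    """A *different* domain that normalizes to within 2 edits of the real one."""
    if candidate.lower() == legit.lower():
        return False
    return edit_distance(normalize_domain(candidate), normalize_domain(legit)) <= 2


INFO_KEY = re.compile(rb"/(Producer|Creator|CreationDate|ModDate)\s*\((.*?)\)")


def pdf_info(pdf: bytes) -> dict:
    """Read Info-dictionary strings and count incremental updates.
    Minimal by design: real PDFs may use XMP metadata, hex strings or object
    streams this does not parse.  Later occurrences win, matching PDF
    incremental-update semantics (an editor appends a new Info object)."""
    info = {k.decode(): v.decode("latin-1") for k, v in INFO_KEY.findall(pdf)}
    info["updates"] = pdf.count(b"%%EOF")   # >1 means the file was saved over
    return info


def assess(vendor: VendorRecord, inv: InvoiceContext) -> list:
    flags = []
    if inv.iban != vendor.iban:
        flags.append("bank_account_changed")
    if inv.callback_phone != vendor.phone:
        flags.append("callback_number_changed")        # never verify via this number
    for label, dom in (("sender", inv.sender_domain), ("contact", inv.contact_domain)):
        if is_lookalike(dom, vendor.domain):
            flags.append(f"lookalike_{label}_domain")
    if inv.contact_domain.lower() != vendor.domain.lower():
        age = (inv.received - inv.contact_domain_created).days
        if age < 90:
            flags.append(f"contact_domain_registered_{age}_days_ago")
    info = pdf_info(inv.pdf_bytes)
    if info.get("ModDate") and info["ModDate"] != info.get("CreationDate"):
        flags.append("pdf_modified_after_creation")
    if info["updates"] > 1:
        flags.append(f"pdf_incremental_updates_{info['updates']}")
    if info.get("Producer") and info["Producer"] != vendor.pdf_producer:
        flags.append("pdf_producer_differs_from_history")
    return flags


def verdict(flags: list) -> str:
    """One flag is routine (vendors do change banks); two or more across
    channels is the multi-vector pattern: hold, and verify by calling the
    number on file, not the one printed on the invoice."""
    if len(flags) >= 2:
        return "HOLD"
    return "REVIEW" if flags else "RELEASE"


# Constructed sample data (not from the real case).
VENDOR = VendorRecord("acme-supplies.com", "DE89370400440532013000",
                      "+49 30 1234567", "Vendor ERP 9.2")
# Original Info object, then an editor's incremental update appended after it.
TAMPERED_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Producer (Vendor ERP 9.2) /Creator (Vendor ERP 9.2)\n"
    b"  /CreationDate (D:20240301090000) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
    b"3 0 obj << /Producer (Desktop PDF Editor 7) /Creator (Vendor ERP 9.2)\n"
    b"  /CreationDate (D:20240301090000) /ModDate (D:20240315221700) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R /Prev 0 >>\n%%EOF\n"
)
CLEAN_PDF = TAMPERED_PDF.split(b"%%EOF\n")[0] + b"%%EOF\n"
TAMPERED = InvoiceContext(
    sender_domain="acme-supplies.com",        # real mailbox, compromised (VEC)
    contact_domain="acme-suppl1es.com",       # lookalike printed on the invoice
    contact_domain_created=date(2024, 3, 10), received=date(2024, 3, 18),
    iban="DE02120300000000202051", callback_phone="+49 30 7654321",
    pdf_bytes=TAMPERED_PDF)
CLEAN = InvoiceContext("acme-supplies.com", "acme-supplies.com", date(2015, 6, 1),
                       date(2024, 3, 18), VENDOR.iban, VENDOR.phone, CLEAN_PDF)

if __name__ == "__main__":
    for name, inv in (("tampered", TAMPERED), ("clean", CLEAN)):
        f = assess(VENDOR, inv)
        print(f"{name}: {verdict(f)} {f}")
```

Note that in the sample the sending mailbox is the vendor’s real one, so the sender-domain check is silent, exactly as in the case described above; the invoice is caught only because the changed bank account, the changed callback number, the days-old lookalike contact domain, and the PDF’s second incremental update are scored together. The verdict deliberately sends a held invoice back to the phone number in the vendor master record, since the number on the invoice is one of the inputs the attacker controls.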
In this case, the company had a modern fraud prevention platform in place that looked beyond surface-level validations. It connected the dots that would have otherwise slipped through. That context-aware detection is what prevented a 7-figure payday.
As Curtis Simpson shares in the webinar, there are tools today that can stop these attacks—but only if they’re really built to understand how multi-vector payment fraud works.
Watch the full webinar to hear Curtis Simpson, CISO at Armis, walk through this case in detail, explore how AI is transforming attacker tactics, and discuss how companies are preparing for this new age threat.