
E-Commerce · Business Email Compromise
Disrupting a Vendor Invoice Scam
How an e-commerce products company shut down a business email compromise campaign that impersonated its brand to redirect customer payments
Background
In mid-2026, an established e-commerce and wholesale products company — a brand that sells to a large network of trade customers as well as online buyers — became the target of a business email compromise (BEC) operation. The attackers weren't trying to breach the company's systems. They went after something easier and far more lucrative: the trust between the company and the customers who pay its invoices.
Operating from behind a lookalike domain, the fraudsters impersonated the company's staff in emails to its customers, aiming to reroute legitimate payments into accounts they controlled. The entire scheme played out in the customers' inboxes — never touching the company's own network, and never showing up on the company's own website.
The Problem
The operation was deliberately built to look ordinary and to be hard to kill. Several details made it dangerous:
- A convincing cousin domain. The attackers registered a near-twin of the company's real address — a lookalike domain that simply appended a common product-related word to the genuine brand name (think brandname.com → brandname-products.com). To a busy accounts-payable clerk, it reads as the real thing.
- No website at all. The domain existed purely to send and receive email. There was no cloned web page and no phishing form to stumble across — so the signals people (and generic abuse processes) usually look for simply weren't there.
- It targeted the company's customers, not the company. Posing as a named member of the sales team, the emails told each customer that the company had moved to a new "factoring" or receivables arrangement, that previous payment instructions were now void, and asked the recipient to reply for "updated, verified" banking details.
- A reply-harvest that beats content filters. No bank details appeared in the first email — nothing for a filter to flag. Only when a customer replied did a dedicated mailbox catch the response, and the fraudsters continued the conversation to hand over their own account number.
- Built for resilience. The domain was wired to send through several independent commercial email platforms at once, behind shell "factoring" and "receivables" company identities — redundancy designed to keep the fraud flowing even if one channel was shut off.
Market Context
Vendor impersonation is now one of the most common and costly forms of business email compromise. The FBI logged $2.9 billion in reported BEC losses in 2023, at an average of roughly $137,000 per incident, and 79% of organisations were hit by payment fraud in 2024. Around 45% of BEC now targets vendors and suppliers rather than internal executives.
E-commerce and distribution businesses are especially exposed. They transact with a broad, distributed base of trade customers, process high volumes of invoices, and field routine "we've changed our bank" requests that many customers have no easy way to verify. A single redirected payment can run to five or six figures — and the loss lands on a customer who believed they were paying a trusted supplier.
There is also a dangerous blind spot. Because the fraud runs on a separate domain the company doesn't own, tightening the real domain's DMARC does nothing to stop it — DMARC protects the genuine domain's reputation, but it cannot police a lookalike. That gap is exactly why this attack profile keeps working, and why stopping vendor invoice fraud requires watching for the impersonating domain itself.
Risks to the Company
- Direct customer losses: Every payment diverted to the fraudsters is money a customer believed it was paying to the company — triggering disputes, chargeback-style clawbacks, and hard questions about who is liable.
- Reputational damage: A customer defrauded in the company's name remembers the company's name. Trust built over years of trading can be undercut by a single convincing email that the company never sent.
- Operational disruption: Warning customers, fielding queries, gathering evidence, and chasing takedowns pulls finance, security, and leadership away from the business — often at month-end, when the pressure is highest.
- Repeat targeting: The sending platforms and mailboxes behind the scheme can be re-pointed at a fresh lookalike domain within hours, so a one-off takedown is never the end of the story.
The Solution
As soon as the impersonation campaign was identified, DefendDomain moved immediately to disrupt it. With customer payments at stake, the priority was to make the fraudulent domain as useless as possible, as fast as possible — not to wait on a single takedown to work its way through.
- Disruption within hours. The same day, the fraudulent domain was flagged across major anti-phishing blocklists — immediately degrading the deliverability of every email it tried to send, across all of its sending platforms at once.
- Ten disruption channels, in parallel. Rather than tackle the operation one piece at a time, DefendDomain fanned out across ten fronts simultaneously: the email-sending platforms the fraudsters used, the mailbox harvesting victim replies, the domain's registrar and DNS provider, and multiple anti-phishing blocklists and mail-filter and threat-intelligence feeds. Each received a tailored, evidence-backed abuse report.
- Adapted in real time. When the attackers bolted on an additional email-sending platform partway through the campaign — a resilience move to keep the fraud flowing as their existing channels came under pressure — DefendDomain caught the change in the domain's mail configuration and extended the disruption to the new provider, closing the gap before it could be used at scale.
- An abuse case built on the mail, not a website. Because the domain served no web content, DefendDomain built the case on the mail infrastructure itself — its DNS, sending records, and receiving setup — the evidence that generic, web-content-focused abuse processes miss entirely.
The fraudulent domain was ultimately neutralised at the registrar and taken offline entirely — killing the outbound lures and the inbound reply-harvesting in a single stroke. DefendDomain kept watching for a successor domain, ready to repeat the response the moment a replacement appeared, and worked with the company to make sure its customers knew to verify any change of banking details by phone to a known-good number.
The episode is a clear illustration of a threat that conventional defences miss: protecting an e-commerce brand isn't only about your own website and your own inbox — it's about the domains impersonating you to the customers who pay you.
Key Results
- Fraudulent domain neutralised and taken fully offline
- Disruption underway within hours, across ten channels in parallel
- Adapted in real time when the attacker changed infrastructure
- Customer payments protected from redirection
The takeaway
A lookalike domain impersonating you to your customers lives outside your website and outside your inbox — where DMARC and email filters can't reach it. Catching it means monitoring for the domain, then disrupting the attacker's infrastructure fast enough to matter.