Ask most procurement teams how they check a new supplier and you will hear something like this: “We collect a W-9, a bank letter and maybe a certificate of incorporation, then we set them up in the system.” That is not a fraud check. That is data entry with extra steps.
Here is the uncomfortable truth. Vendor onboarding document fraud is one of the least defended attack surfaces in any company, because the people collecting the documents were never asked to treat them as evidence. In our experience, the fake W-9 and the forged bank letter sail through precisely because nobody expects a supplier to lie on a tax form. This post reframes onboarding as a document-fraud problem and shows you what to actually verify.
Vendor onboarding document fraud lives in ordinary paperwork
Think about what a new vendor hands you. A tax form with a name and an identification number. A bank letter or voided check that tells you where to send money. Sometimes an insurance certificate, an incorporation document or a first invoice. Every one of those is a PDF, and every one of them decides whether money moves and where it goes.
That is the entire fraud opportunity in one sentence. A vendor onboarding packet is a set of instructions for paying someone, backed by documents almost nobody verifies.
The Association of Certified Fraud Examiners puts billing and vendor schemes among the most common and costly occupational frauds in its Report to the Nations. Meanwhile the FBI has warned for years that business email compromise, much of it built on fake vendor banking details, drives billions in losses (see the IC3 advisory on BEC). The paperwork is the weapon. The AP inbox is the door.
And criminals know this. A fraudster does not need to breach your network if your onboarding process will happily accept a PDF that took ten minutes to edit.
The fake W-9 almost nobody actually verifies
Let’s start with the W-9, because it is the document teams trust most and check least. It is a plain IRS form with a business name, an address and a taxpayer identification number. No watermark, no issuing authority, no seal. Anyone can download the blank form and type anything into it.
So what exactly is being verified when your team “collects a W-9”? Usually nothing. The form gets filed, the number gets keyed into the payment system and the vendor is live.
Here is where it goes wrong:
- A fraudster sets up a shell that shadows a real, legitimate supplier’s name, then submits a W-9 with their own TIN and address.
- An insider colludes with a fake vendor and waves the W-9 through because “the paperwork is complete”.
- The form itself is a lightly edited copy of a genuine one, with the name and TIN swapped in a PDF editor. The fonts match because they came from the original file.
A W-9 is self-reported data on a form with zero built-in security. Treating a completed W-9 as proof of anything is like treating a handwritten note as a passport. Have you ever actually confirmed the number matches the entity? Most teams never do.
Bank letters and the account-change trick
If the W-9 says who the vendor is, the bank letter says where the money goes. This is the document fraudsters care about most, because changing it is how they get paid.
A bank confirmation letter or voided check looks official. It carries a logo, an account number and a routing number. It is also trivially forged. Take a real letter, open it in a PDF editor, change the account number and re-save. The layout is untouched. To the naked eye it is perfect. Vendor bank letter verification, done properly, means looking below that surface at the structure of the file, not just the picture of it.
The most dangerous version is the mid-relationship swap. An attacker impersonates an existing supplier and emails AP: “We’ve changed banks, here’s the updated letter.” The document supports the story, the story sounds routine and the next legitimate invoice gets paid into the fraudster’s account. Simple, right? That is exactly why it works.
These forged bank documents share DNA with the fake bank statements we broke down in the rising threat of fake bank statements. The manipulation lives in the PDF’s internal layers, the edit history, the fonts, the object structure, none of which a visual review can see. A document that was printed, scanned and re-uploaded to hide those traces should be an immediate red flag, not a convenience you tolerate.
Company records and the paper that props them up
Beyond the W-9 and the bank letter, a serious vendor packet often includes a certificate of incorporation, a business license, an insurance certificate or a first invoice. Each adds a veneer of legitimacy, and each can be faked.
Incorporation documents and licenses are especially easy to dress up, because reviewers rarely know what a genuine one from a given jurisdiction should even look like. An insurance certificate can be edited to inflate coverage limits or invent a policy that was cancelled months ago. A first invoice can be crafted to match a fake company that exists only on paper. You get the point: every extra document is one more thing to trust and one more thing to fake.
This is the same lesson from the Feeding Our Future case, where backdated documents hid $250M worth of fraud from auditors who accepted the paperwork at face value. The documents were internally inconsistent in ways a human could not catch but a metadata check could.
The point is not that every supplier is a criminal. Most are exactly who they say they are. The point is that your process has no way to tell the difference, and fraudsters count on that.
What a real vendor fraud looks like from the inside
Let me walk through how these pieces combine, using an anonymized composite of cases we have seen. For confidentiality reasons, we will call the target company Meridian Facilities.
A finance clerk at Meridian receives an onboarding packet from a cleaning-services supplier that genuinely bid on a contract. The W-9 is filled in. The bank letter has a logo and an account number. The certificate of incorporation looks right. Everything is “complete”, so the vendor goes live and the first two invoices are paid without a hitch.
Three months later, an email arrives from that same supplier: new bank, please update the account, letter attached. The clerk updates it. The next invoice, €38,000, lands in an account controlled by a fraudster who had been reading the supplier’s compromised mailbox the whole time.
Here is the part that stings. Every single document in that chain was inspectable. The original bank letter and the “updated” one had different metadata fingerprints. The second letter had been edited in a PDF editor and re-saved, leaving traces in the file structure that no human reviewer would ever open the document to find.
A five-second forensic check at the point of the account change would have flagged it. Nobody ran one, because updating a bank detail did not feel like an onboarding event.
That gap, the moment a document changes and nobody re-verifies it, is where most vendor fraud actually lands.
Why AP and procurement teams keep missing this
If this is so exploitable, why does it keep happening? Three reasons, and none of them come down to people being careless.
The first is that the whole job is measured on speed, not scrutiny. Procurement gets scored on how fast suppliers go live and invoices clear. A fraud check feels like friction, so it quietly shrinks into a checkbox.
The second is that nobody actually owns document authenticity. Compliance owns customer KYC. Security owns the network. AP owns payments. The supplier document sits in the gap between them and belongs to no one. It is the same organizational blind spot we described in our KYC document verification guide for fintechs, just pointed at vendors instead of customers.
The third is that the forgeries are genuinely good now. Modern fakes preserve the fonts, the layout and the metadata. A reviewer who glances at a W-9 or a bank letter for fifteen seconds has no chance of spotting byte-level manipulation. No amount of training fixes a limitation of the human eye.
Put those three together and you get a process that collects documents, feels thorough and verifies nothing.
Supplier onboarding fraud checks that actually work
Good news: you do not need to slow onboarding to a crawl to close this gap. You need to treat supplier documents as evidence and run them through a real check. Here is how we recommend structuring it.
-
Verify the document, not just the data. Run every W-9, bank letter, incorporation record and first invoice through automated document forensics before the vendor goes live. The system checks the PDF’s internal structure, fonts, metadata and edit history for signs of manipulation the eye cannot see.
-
Cross-reference the packet against itself. The name on the W-9, the account holder on the bank letter and the entity on the invoice should line up. Mismatches are one of the strongest fraud signals, and finance teams already do a version of this, as we covered in document verification for accountants.
-
Treat every bank-detail change as a new verification event. A mid-relationship request to change payment details is exactly when a fresh, forensic check of the new bank letter matters most. Never update an account on the strength of an email and an attached PDF alone.
-
Reject printed-and-rescanned documents by default. If a supplier sends a scan of a printout instead of the original PDF, ask why. That extra step usually exists to strip away the metadata that would expose a forgery.
This is where VerifyPDF fits in. We analyze the internal structure of every supplier PDF and return a clear risk rating in seconds, so your team can approve genuine vendors fast and flag the ones that need a second look. No guessing, no fifteen-second eyeball test.
The vendor packet is a payment instruction. Verify it like one.
Vendor onboarding document fraud survives because a W-9, a bank letter and a certificate feel like paperwork, not risk. But every one of those PDFs is really a signed instruction telling your company who to trust and where to send money. If you would not wire funds on the strength of a stranger’s word, do not do it on the strength of a document you never actually checked.
Collect fewer assumptions and verify more files. That is the whole job. At VerifyPDF, we help procurement and AP teams turn a stack of supplier documents from a liability into a checkpoint, before the first invoice ever gets paid.