Vendor Verification Checklist: How to Confirm a Supplier, Contractor, or Partner Is Legit

Fraud Link Editorial
2026-06-13

A reusable vendor verification checklist to confirm suppliers, contractors, and partners before approving payments, access, or onboarding.

Vendor fraud rarely starts with a dramatic breach. More often, it begins with a routine request: a new supplier added quickly, a contractor paid before paperwork is complete, or a banking change approved from an email that looks normal at first glance. This checklist is designed to help procurement, finance, operations, and IT teams confirm whether a supplier, contractor, or business partner is legitimate before money, data, or system access changes hands. Use it as a reusable due-diligence process, not a one-time formality.

Overview

If you need a practical vendor verification checklist, start here: confirm legal identity, validate contact and ownership details using independent channels, review payment instructions carefully, and match the level of review to the level of risk. The goal is not to create unnecessary friction. It is to make fake vendor scams, shell-company impersonation, and rushed social-engineering attempts much harder to pull off.

A strong vendor verification process protects against several overlapping threats:

  • Fake vendor scams, where a fraudster invents a company or poses as a real one to collect payment.
  • Business email compromise, where an attacker hijacks or imitates a vendor email account and sends updated banking instructions or fake invoices.
  • Contractor fraud, where an individual misrepresents credentials, licensing, insurance, or authority to perform work.
  • Partner impersonation, where a shell entity uses a similar name, domain, or logo to look like a trusted business.
  • Data exposure risk, where a vendor is real but not appropriate for the access, information, or systems they are requesting.

The most useful approach is tiered. A low-risk office supplier does not need the same review as a software contractor with admin access or a new manufacturer receiving a large prepayment. Build a repeatable standard, then add enhanced checks for higher-risk engagements.

As a baseline, every vendor review should answer five questions:

  1. Does this business or person legally exist?
  2. Are we communicating with the real organization through verified contact points?
  3. Do the services, pricing, location, and payment instructions make sense together?
  4. Does the signer actually have authority to bind the business?
  5. Does this relationship create financial, cybersecurity, compliance, or operational risk that needs extra review?

If any of those answers are unclear, pause the onboarding or payment process until the mismatch is resolved.

Checklist by scenario

Use the checklist below before approving a new supplier, onboarding a contractor, expanding access for an existing vendor, or changing payment details. Treat it as a pre-approval workflow, not an after-the-fact audit.

1. New supplier or service provider

Use this when you are deciding how to verify a supplier for the first time.

  • Confirm the legal business name exactly as registered, not just the brand name shown on a website or invoice.
  • Collect basic identifying details: registered address, tax ID or business registration number where appropriate, company website, main phone number, and primary business email domain.
  • Verify the website independently. Look for a consistent domain, working contact page, business-relevant content, and signs that the site was built for actual operations rather than a temporary front.
  • Check the email domain carefully. One-letter lookalikes, added words, or unusual country-code domains can indicate impersonation.
  • Call a published number from an independent source, not only the number provided in an email signature or PDF.
  • Ask for a named point of contact and confirm that person through the company switchboard, public staff page, or another verified channel.
  • Review business footprint. Confirm the company appears where you would reasonably expect: business registry listings, trade presence, procurement references, or industry directories. Do not rely on one source alone.
  • Match services to the business. A company claiming advanced technical, manufacturing, or regulated services should show credible evidence of capability.
  • Validate bank details before first payment using a call-back process to a known contact.
  • Require internal approval from procurement and finance before the vendor record is activated.

2. Independent contractor or consultant

Use this contractor fraud check when hiring individuals or small firms.

  • Verify identity using government-issued identification where legally appropriate and proportionate to the role.
  • Confirm business status if the contractor is operating through an LLC, partnership, or other entity.
  • Review credentials relevant to the work: licenses, certifications, insurance, portfolio, or prior project references.
  • Contact references directly using independently sourced information when possible, not only phone numbers listed on a resume or proposal.
  • Confirm who will perform the work. A proposal may come from one person while access or billing requests later come from another.
  • Check for consistency across contract name, invoicing name, tax forms, bank account name, and email domain.
  • Limit access by default. Do not issue broad credentials before legal, security, and manager approvals are complete. For more on related risks, see Account Takeover Warning Signs: How to Spot and Stop ATO Before It Spreads.

3. Existing vendor with new banking instructions

This is one of the highest-risk scenarios because it often looks routine. Many fake vendor scams rely on urgency and familiarity.

  • Never approve bank changes from email alone, even if the message appears to come from a known contact.
  • Use a call-back procedure to a previously verified phone number already on file.
  • Require dual approval for any change to remittance details.
  • Compare the request against prior invoices, contact names, tone, spelling, and account history.
  • Check whether the email account may be compromised. Slightly unusual urgency, attachment type, or reply-to behavior can be a warning sign.
  • Hold payment if anything changes suddenly, especially near weekends, holidays, quarter-end, or payroll cycles.
  • Document the verification step in the vendor record so auditors and future staff can see how the change was confirmed.

This overlaps closely with invoice fraud and BEC risk. If your team handles payment approvals by email, pair this checklist with Business Email Compromise Checklist: How to Prevent BEC in Finance and Operations Teams.

4. Vendor requesting system, data, or facility access

A vendor can be legitimate and still present unacceptable risk if access is not scoped properly.

  • Confirm contract scope before granting access. The requested permissions should directly support the stated work.
  • Verify security contacts and escalation paths on the vendor side.
  • Review minimum necessary access. Use separate accounts, time limits, and approval gates.
  • Check domain ownership and login URLs before setting up federated access, shared portals, or support tools.
  • Validate support requests independently if a vendor asks to install remote tools, scan a QR code, or use a new portal. Similar social-engineering patterns appear in QR Code Scams Explained: How to Check a QR Code Before You Scan.
  • Ensure offboarding is defined before onboarding. Know how access will be removed when the project ends.

5. Strategic partner, reseller, or high-value supplier

For higher-value or longer-term relationships, expand your business partner due diligence process.

  • Review beneficial ownership or control information where available and appropriate.
  • Assess litigation, sanctions, or adverse media risk using approved internal or external review methods.
  • Confirm insurance and compliance requirements relevant to your sector.
  • Evaluate operational maturity: staffing, support responsiveness, escalation procedures, and documentation quality.
  • Test commercial credibility. Does the deal structure make sense, or does it rely on pressure, exclusivity claims, or unusual prepayment terms?
  • Perform executive verification for anyone negotiating contract terms or payment changes. Fraudsters sometimes impersonate leadership in ways similar to bank and platform impersonation scams. See Bank Impersonation Scams: How to Tell If a Fraud Alert, Text, or Call Is Fake for the broader verification mindset.

What to double-check

Even when a vendor passes an initial review, a few details deserve extra scrutiny because they are common points of manipulation.

Fraudsters often hide behind a familiar trading style while invoices, contracts, and bank accounts use different names. Differences are not always fraudulent, but they should be explainable and documented.

Domain age, spelling, and email behavior

You do not need to become a forensic analyst to spot obvious risk. Double-check whether the website and email domain match the claimed company, whether the spelling is exact, and whether reply-to addresses or payment emails shift to a free-mail account unexpectedly.
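
The domain and reply-to checks described here and in the new-supplier checklist can be automated at intake. The sketch below is an added example, not part of the original article. The function names, the free-mail list, and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: short illustrative free-mail list; extend it for your environment.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}

# Constructed sample messages (not real traffic); every name is a placeholder.
SAMPLE_LOOKALIKE = (
    "From: Accounts <ar@acme-supp1y.example>\n"
    "Reply-To: acme.billing@gmail.com\n"
    "Subject: Updated remittance details\n\n"
    "Please use the new account for invoice 1042.\n"
)
SAMPLE_CLEAN = "From: Accounts <ar@acme-supply.example>\nSubject: Invoice 1041\n\nAttached.\n"

def domain_of(header_value):
    """Return the lowercased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to flag near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_vendor_email(raw_message, domain_on_file):
    """Compare From and Reply-To domains with the domain in the vendor record."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To"))
    findings = []
    if sender != domain_on_file:
        if edit_distance(sender, domain_on_file) <= 2:
            findings.append(f"lookalike sender domain: {sender}")
        elif domain_on_file.split(".")[0] in sender:
            findings.append(f"vendor name with added words: {sender}")
        else:
            findings.append(f"sender domain not on file: {sender}")
    if reply_to and reply_to != sender:
        kind = "free-mail" if reply_to in FREE_MAIL else "different"
        findings.append(f"reply-to shifts to {kind} domain: {reply_to}")
    return findings

if __name__ == "__main__":
    print(check_vendor_email(SAMPLE_LOOKALIKE, "acme-supply.example"))
```

An empty result only means the headers are consistent with the record. A compromised but genuine vendor mailbox passes this check, so the call-back step still applies.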

Physical location and operational logic

An address should make business sense for the services offered. A virtual office is not automatically suspicious, but a company claiming warehouse distribution, regulated repair work, or field services should have an operational footprint that supports that claim.

Invoice formatting and remittance changes

Many fake invoice scams are successful because teams focus on line items but not on remittance details. Compare invoices side by side. Look for changed account numbers, renamed beneficiaries, new payment portals, or altered contact details. If your business also accepts customer payments, the defensive habits in Chargeback Fraud and Friendly Fraud: A Merchant Playbook for Detection and Prevention can help reinforce disciplined transaction review.
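
The side-by-side invoice comparison above and the bank-change controls in scenario 3 (call-back to the number on file, dual approval, documented verification) can be combined into one payment gate. This is an added example, not part of the original article. The field names, the `Verification` record, and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

REMITTANCE_FIELDS = ("beneficiary", "account_number", "payment_portal", "contact_email")

# Constructed vendor record and invoices (placeholder values, not real accounts).
ON_FILE = {"beneficiary": "Acme Supply Ltd", "account_number": "00-1111",
           "payment_portal": None, "contact_email": "ar@acme-supply.example",
           "phone_on_file": "+1-555-0100"}
INVOICE_SAME = dict(ON_FILE)
INVOICE_CHANGED = dict(ON_FILE, beneficiary="Acme Supply Holdings",
                       account_number="99-2222")

@dataclass
class Verification:
    """Evidence logged in the vendor record for a remittance change."""
    callback_number: str = ""   # number that was actually dialled
    approvers: tuple = ()       # people who signed off on the change
    note: str = ""              # how and when the change was confirmed

def remittance_diff(on_file, invoice):
    """Return {field: (old, new)} for remittance details that differ from the record."""
    return {f: (on_file.get(f), invoice.get(f))
            for f in REMITTANCE_FIELDS if on_file.get(f) != invoice.get(f)}

def payment_decision(on_file, invoice, verification=None):
    """Return ('release' | 'hold', blockers); any remittance change needs fresh checks."""
    if not remittance_diff(on_file, invoice):
        return "release", []
    v = verification or Verification()
    blockers = []
    # The call-back must go to the number already on file, never one from the request.
    if v.callback_number != on_file["phone_on_file"]:
        blockers.append("no call-back to the phone number on file")
    if len(set(v.approvers)) < 2:
        blockers.append("dual approval needs two distinct approvers")
    if not v.note.strip():
        blockers.append("verification not documented in the vendor record")
    return ("hold" if blockers else "release"), blockers

if __name__ == "__main__":
    print(remittance_diff(ON_FILE, INVOICE_CHANGED))
    print(payment_decision(ON_FILE, INVOICE_CHANGED))
```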

Authority of the signer

A real company can still send an unauthorized person to open an account, sign a contract, or request access. Verify who has approval authority for onboarding, ordering, invoicing, and banking updates.

Pressure and urgency

Urgency is not proof of fraud, but it is a reason to slow down. Requests framed as confidential, emergency, or last-minute should trigger stronger verification, not fewer checks.

Mismatch between commercial and technical signals

A polished sales process can hide weak security, and a technically capable team can still have poor financial controls. Review both sides: can they do the work, and can they transact safely?

Common mistakes

The fastest way to weaken a vendor verification checklist is to treat it as paperwork instead of a control. These are the mistakes that most often create openings for fraud.

  • Trusting inbound information too quickly. If the vendor provides the website, phone number, bank letter, and references, you still need at least one independent confirmation path.
  • Skipping checks for “known” brands or repeat vendors. Many fraud attempts impersonate established companies, marketplaces, banks, and payment platforms. The same logic behind consumer impersonation scams applies in B2B settings. See Amazon, PayPal, and Apple Impersonation Scams: Common Signs and Safe Verification Steps.
  • Approving banking changes under deadline pressure. End-of-month and end-of-quarter processing windows are common points of failure.
  • Using a single reviewer for onboarding and payment changes. Separation of duties is one of the simplest anti-fraud controls.
  • Granting system access before legal and finance checks are complete. Vendor fraud is not only about payment loss. It can also lead to account compromise, data theft, or operational disruption.
  • Failing to document exceptions. If your team waives a step for a legitimate reason, record who approved it and why. Unwritten exceptions become permanent loopholes.
  • Not preserving evidence when something feels off. Save emails, invoices, call logs, payment requests, and screenshots. If the situation turns into a confirmed fraud event, this will help your response and any external reporting. If needed, use How to Report a Scam: Where to File Complaints and What Evidence to Save as a follow-on guide.

A good rule is simple: if a request changes identity, access, or payment, it deserves fresh verification.

When to revisit

Do not archive this checklist after onboarding. Vendor legitimacy is not static, and your own risk changes as tools, access, and payment workflows evolve. Revisit the review process at predictable moments and after meaningful changes.

At minimum, reassess vendor verification:

  • Before seasonal planning cycles, when new suppliers are added quickly and approval pressure increases.
  • When workflows or tools change, such as new ERP systems, invoice automation, procurement portals, or access-management platforms.
  • When a vendor changes banking details, domain, ownership, or primary contacts.
  • When contract scope expands to include more sensitive data, remote support, admin privileges, or higher payment volume.
  • After a phishing, BEC, or account compromise incident affecting your organization or one of your vendors.
  • During annual vendor reviews for medium- and high-risk relationships.

To keep the process practical, turn this article into an internal action list:

  1. Create three review tiers: low, medium, and high risk.
  2. Define mandatory checks for each tier.
  3. Require independent verification for all first payments and bank-detail changes.
  4. Assign separate approval roles to procurement, finance, and system owners.
  5. Log every exception and every out-of-band verification step.
  6. Train staff to pause on urgency, secrecy, and unusual payment changes.
  7. Set a calendar reminder to revisit the checklist before planning cycles and after major workflow changes.

If your team can answer “who verified this, how, and when?” for every active vendor record, you are in a much stronger position than organizations that rely on trust, speed, or inbox familiarity. That is the real value of a vendor verification checklist: it makes legitimacy a documented decision instead of an assumption.


2026-06-15T16:14:50.342Z