Why the first invoice from a new vendor is the riskiest one

Every vendor you pay regularly has a pattern: roughly the same amount, roughly the same schedule, the same bank details month after month. A new vendor has none of that. There is nothing to compare the first invoice against. That gap is exactly what fraud is built to exploit. A padded amount, an unfamiliar payment request, or an entirely fabricated vendor can all look like a normal first bill to someone approving payments quickly.

This is not a hypothetical risk. In AFP's 2026 Payments Fraud and Control Survey, 76% of organizations reported experiencing attempted or actual payments fraud in 2025, and business email compromise, the category that includes spoofed vendor emails and vendor impersonation, was the most common attack type, hitting 74% of organizations.

None of that means every new vendor is a threat. It means the first payment deserves a different process than your fifteenth payment to a supplier you have worked with for two years.

What actually goes wrong the first time you pay a new vendor

A few patterns show up again and again in a new vendor's first invoice:

  • A padded amount with no history to catch it. There is no prior invoice to compare against, so an inflated first bill is easy to wave through.
  • Bank or payment details that do not actually belong to the vendor. A convincing email claiming to be the new supplier, sent before or during onboarding, is a common vendor impersonation pattern.
  • A "confirm your details" message that changes the payment info. A last-minute update to routing or billing details, timed right before the first payment, is a known warning sign rather than routine account maintenance.
  • Card or account details saved and reused later. If you hand over your everyday company card, a new vendor's billing system can store and reuse it well beyond the invoice you meant to pay.

A short vendor-vetting checklist before the first payment

Run through this before the invoice gets approved. None of it takes more than a few minutes:

  • Confirm the vendor's identity through a contact channel you already had, not a phone number or email printed on the new invoice itself.
  • Match the invoice amount to a signed agreement, purchase order, or original quote before approving it.
  • Confirm internally who brought this vendor in and why, so the relationship is verified, not assumed.
  • Treat any "updated bank details" or "new payment info" message near the first invoice as something to verify independently, not act on directly.
  • Add the vendor to the Payees module with their confirmed contact and company details, so the check has a record attached to it.

How a single-use virtual card limits the damage if something still slips through

Create one virtual Visa card for this vendor's invoice, fund it from your wallet, and cap it to the exact amount on the invoice instead of a rounded-up buffer, then hand the vendor that card instead of your everyday company card or bank details. A charge above the cap is declined on the spot, and once the vendor's charge settles you cancel the card, which is what makes it single-use in practice.

This article focuses on the vendor-vetting side of that first payment. For the full mechanic, including what settlement actually means and a worked invoice example, see the complete guide to single-use virtual cards for vendor payments.

Ready to pay a new vendor for the first time?

See the full cap-and-cancel mechanic, worked example, and FAQ for issuing a single-use vendor card.

Read the full guide

Why a capped card beats handing over your everyday card or bank details

Here is the difference between the two ways most first payments to a new vendor actually go out.

First payment with your everyday card or bank details

The vendor gets the same number every other supplier has.

  • No cap tied to this specific invoice, so a padded amount can clear.
  • The number sits in a brand-new vendor's billing system indefinitely.
  • If the vendor turns out to be fake, your main account was already exposed.
  • A second, unapproved charge later looks like just another line on your statement.
First payment with a capped single-use card

The vendor gets a number scoped to this one invoice.

  • A charge above the exact invoice amount is declined at authorization.
  • Your main company card and bank details never touch a vendor you have not vetted twice.
  • If the vendor turns out to be fake, the exposure is capped at one invoice, not your whole account.
  • You cancel the card once the charge settles, so nothing about it can be reused later.

When to move a vendor off single-use cards

Single-use cards are for the first payment, not every payment. Once the vendor delivers what was agreed, the invoice matches the quote, and you expect to pay them again, a fresh one-time card for every bill becomes friction rather than protection. At that point, move the relationship to a reloadable card capped at the expected amount, or fold it into your regular vendor-payment workflow. The comparison in single-use vs reloadable virtual cards covers exactly when to make that switch, and how to pay vendors with virtual cards covers running that ongoing relationship day to day.

Keep the verification on record, not just the payment

A vetting check that only lives in someone's memory disappears the moment that person is out sick or has moved on. Use the Payees module to record the vendor's confirmed contact and company details, and note there what you verified and how. That way, the card, the invoice, and the check you ran to approve it all sit next to each other, with a per-payee transaction history you can pull if a payment is ever questioned later. Clean records are also what make an audit or a dispute fast instead of a reconstruction project.

Mistakes to avoid when paying a new vendor for the first time

Do not skip verification because the invoice looks professional. A polished layout and a real-looking logo are the easiest parts of an invoice to fake; they say nothing about whether the vendor or the bank details are genuine.

A cap set above the invoice amount is not a safety margin. It is headroom a padded invoice can spend into, so match the cap to the exact figure due.

Do not treat the card as full protection against a fake vendor. A capped card only limits the amount at risk; if the vendor itself is fabricated, that capped amount can still be collected.

Frequently asked questions

Do I still need to verify a new vendor if I pay by single-use virtual card?+
Yes. A capped card controls how much money is at risk once you pay; it says nothing about whether the vendor is genuine. Verify their identity first, through a channel you already trust, and let the card handle the dollar exposure.
What if the vendor asks me to send future payments to a different bank account?+
Treat any changed banking, billing, or contact detail as a signal to verify independently before you act on it, regardless of which payment method you use. Requesting a change like this, right before or after a first payment, is one of the more common tactics in vendor impersonation fraud.
How is vetting a new vendor different from just capping the card at the invoice amount?+
The cap limits how much a padded or fraudulent invoice can take from you. Vetting confirms the vendor and the invoice are genuine in the first place. They solve different problems, so use both together.
Does a single-use card stop business email compromise?+
No single control stops business email compromise (BEC) on its own. BEC remains the most common payments fraud type organizations report, so a capped card limits your exposure while your independent verification step is what actually catches an impersonated vendor before you pay.
Can I reuse the same single-use card for the same vendor's next invoice?+
No. The card is scoped to one invoice; cancel it once that charge settles. For the vendor's next bill, create a fresh capped card, or move to a reloadable card once the relationship is established.
Where do I keep a record of the vendor check I ran?+
Add it to the vendor's payee profile, where their contact details, company information, and full transaction history already live, so the check travels with the record instead of sitting in an inbox somewhere.