Why the first invoice from a new vendor is the riskiest one
Every vendor you pay regularly has a pattern: roughly the same amount, roughly the same schedule, the same bank details month after month. A new vendor has none of that. There is nothing to compare the first invoice against. That gap is exactly what fraud is built to exploit. A padded amount, an unfamiliar payment request, or an entirely fabricated vendor can all look like a normal first bill to someone approving payments quickly.
This is not a hypothetical risk. In AFP's 2026 Payments Fraud and Control Survey, 76% of organizations reported experiencing attempted or actual payments fraud in 2025, and business email compromise, the category that includes spoofed vendor emails and vendor impersonation, was the most common attack type, hitting 74% of organizations.
None of that means every new vendor is a threat. It means the first payment deserves a different process than your fifteenth payment to a supplier you have worked with for two years.
What actually goes wrong the first time you pay a new vendor
A few patterns show up again and again in a new vendor's first invoice:
- A padded amount with no history to catch it. There is no prior invoice to compare against, so an inflated first bill is easy to wave through.
- Bank or payment details that do not actually belong to the vendor. A convincing email claiming to be the new supplier, sent before or during onboarding, is a common vendor impersonation pattern.
- A "confirm your details" message that changes the payment info. A last-minute update to routing or billing details, timed right before the first payment, is a known warning sign rather than routine account maintenance.
- Card or account details saved and reused later. If you hand over your everyday company card, a new vendor's billing system can store and reuse it well beyond the invoice you meant to pay.
A short vendor-vetting checklist before the first payment
Run through this before the invoice gets approved. None of it takes more than a few minutes:
- Confirm the vendor's identity through a contact channel you already had, not a phone number or email printed on the new invoice itself.
- Match the invoice amount to a signed agreement, purchase order, or original quote before approving it.
- Confirm internally who brought this vendor in and why, so the relationship is verified, not assumed.
- Treat any "updated bank details" or "new payment info" message near the first invoice as something to verify independently, not act on directly.
- Add the vendor to the Payees module with their confirmed contact and company details, so the check has a record attached to it.
How a single-use virtual card limits the damage if something still slips through
Create one virtual Visa card for this vendor's invoice, fund it from your wallet, and cap it to the exact amount on the invoice instead of a rounded-up buffer, then hand the vendor that card instead of your everyday company card or bank details. A charge above the cap is declined on the spot, and once the vendor's charge settles you cancel the card, which is what makes it single-use in practice.
This article focuses on the vendor-vetting side of that first payment. For the full mechanic, including what settlement actually means and a worked invoice example, see the complete guide to single-use virtual cards for vendor payments.
Ready to pay a new vendor for the first time?
See the full cap-and-cancel mechanic, worked example, and FAQ for issuing a single-use vendor card.
Why a capped card beats handing over your everyday card or bank details
Here is the difference between the two ways most first payments to a new vendor actually go out.
The vendor gets the same number every other supplier has.
- No cap tied to this specific invoice, so a padded amount can clear.
- The number sits in a brand-new vendor's billing system indefinitely.
- If the vendor turns out to be fake, your main account was already exposed.
- A second, unapproved charge later looks like just another line on your statement.
The vendor gets a number scoped to this one invoice.
- A charge above the exact invoice amount is declined at authorization.
- Your main company card and bank details never touch a vendor you have not vetted twice.
- If the vendor turns out to be fake, the exposure is capped at one invoice, not your whole account.
- You cancel the card once the charge settles, so nothing about it can be reused later.
When to move a vendor off single-use cards
Single-use cards are for the first payment, not every payment. Once the vendor delivers what was agreed, the invoice matches the quote, and you expect to pay them again, a fresh one-time card for every bill becomes friction rather than protection. At that point, move the relationship to a reloadable card capped at the expected amount, or fold it into your regular vendor-payment workflow. The comparison in single-use vs reloadable virtual cards covers exactly when to make that switch, and how to pay vendors with virtual cards covers running that ongoing relationship day to day.
Keep the verification on record, not just the payment
A vetting check that only lives in someone's memory disappears the moment that person is out sick or has moved on. Use the Payees module to record the vendor's confirmed contact and company details, and note there what you verified and how. That way, the card, the invoice, and the check you ran to approve it all sit next to each other, with a per-payee transaction history you can pull if a payment is ever questioned later. Clean records are also what make an audit or a dispute fast instead of a reconstruction project.
Mistakes to avoid when paying a new vendor for the first time
Do not skip verification because the invoice looks professional. A polished layout and a real-looking logo are the easiest parts of an invoice to fake; they say nothing about whether the vendor or the bank details are genuine.
A cap set above the invoice amount is not a safety margin. It is headroom a padded invoice can spend into, so match the cap to the exact figure due.
Do not treat the card as full protection against a fake vendor. A capped card only limits the amount at risk; if the vendor itself is fabricated, that capped amount can still be collected.








