    Security · 9 min read · Jun 6, 2026

    I Got Duped by a Fake Supplier. Here's the 5-Minute Check I Do Now.

    Jon Komet shares the story of being deceived by a fake supplier, what made the clone convincing, and the practical verification checklist he now runs before every new vendor relationship.

    [Figure: Terminal-style supplier verification checklist showing the five-step fraud prevention process. Caption: SUPPLIER VERIFICATION / 5-MINUTE CHECK]

    Personal story

    I sent money to a supplier that did not exist

    A short note from Jon Komet, founder of VibeLeak.

    I was sourcing a component for a product run. The supplier had a clean website, a domain that looked right, a sales rep who answered questions fluently, and a price that was slightly below market. I did not think much of it — I had ordered from dozens of suppliers and this felt normal. The wire transfer left my account on a Tuesday. By Friday, the sales rep had stopped responding. By the following week, I had confirmed what I already knew: the website was a clone, the domain was days old, and the person I had been talking to had probably never existed.

    The lesson

    I was not careless. I was just not systematic. I had no checklist for verifying a new supplier. VibeLeak exists partly because that incident made me think harder about how people verify things on the internet — and how often they skip the check because the surface looks professional.

    Anatomy of the con

    What made the fake supplier convincing

    The clone was not a rough knockoff. It was a professional reproduction that was clearly built to target buyers like me.

    • Domain name was a close misspelling of a real supplier I had used before — one letter changed, same TLD.
    • Website design matched the original supplier's site closely enough that I did not second-guess the URL.
    • Sales rep had a LinkedIn profile with a photo, job history, and connections that looked real.
    • Pricing was slightly below market — good enough to justify the decision, not so low as to be suspicious.
    • Email came from the domain, not a free provider — which I had been told to watch for.

    The detail that should have caught it: the domain was registered less than 30 days before my first contact. But I did not know how to check that, and I did not think to ask. That single fact would have ended the conversation immediately.
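The one-letter domain swap described above is cheap to catch mechanically. The following is an added example, not code from the author or from VibeLeak: it compares a new contact's domain with suppliers you already use and flags near-misses. The supplier domains, the `lookalike_of` helper, and the distance threshold of 2 are assumptions made for illustration.

```python
# Added example: is a new contact's domain a near-miss of a supplier you already use?
# The supplier domains below are constructed placeholders.
KNOWN_SUPPLIERS = ["acme-components.example", "northwind-parts.example"]


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def domain_of(contact: str) -> str:
    """Accept a bare domain, an email address, or a URL; return the hostname."""
    host = contact.strip().lower().rsplit("@", 1)[-1]
    host = host.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    if host.startswith("www."):
        host = host[4:]
    return host.rstrip(".")


def lookalike_of(contact, known=KNOWN_SUPPLIERS, max_distance=2):
    """Return (imitated_domain, distance), or None if the domain is an exact
    match for a known supplier or resembles none of them."""
    host = domain_of(contact)
    if host in known:
        return None  # this is the supplier you already know
    dist, closest = min((edit_distance(host, k), k) for k in known)
    return (closest, dist) if dist <= max_distance else None


if __name__ == "__main__":
    for c in ["sales@acme-conponents.example",
              "https://www.acme-components.example/rfq"]:
        print(c, "->", lookalike_of(c))
```

A hit means the address is close to, but not the same as, a domain you trust. The comparison is character-based, so it does not cover internationalized look-alike characters or different TLDs.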

    Aftermath

    The cost was not just financial

    The wire transfer was the obvious loss. But there were other costs that were harder to measure.

    • Direct loss: $4,200. Wire transfer to the fake supplier. Not recoverable.
    • Production delay: 3 weeks. Had to source the component again from a verified supplier.
    • Reputation risk: Unquantified. If I had passed the fake supplier contact to other businesses, the damage would have cascaded.
    • AI complaints: 22k+. AI-related complaints reported to FBI IC3 in 2025.
    • AI losses: $893M+. Reported losses tied to those AI-related complaints.
    • AI BEC loss: $30M+. AI-involved business email compromise losses called out by IC3.

    The number I keep coming back to

    The FBI's 2025 IC3 report defines business email compromise around the same supplier and wire-payment workflow this story describes. My loss was small compared with the reported market, but the failure mode was the same: a professional-looking surface, a normal-feeling conversation, and no verification checkpoint before money moved.

    The system

    The 5-minute supplier verification check

    Before I send a wire transfer, place a first order, or share sensitive business information with a new supplier, I run this check. It takes five minutes. It has caught red flags twice since I started using it.

    01. WHOIS lookup

    Check domain age and registration details at whoisxmlapi.com or who.is. A domain registered within 60 days of first contact is a red flag. Registrant name, organization, and country should match what the supplier claims.

    02. VibeLeak scan

    Run a scan on the supplier's website URL. A trust grade below C, missing security headers, or an exposed file should end the conversation. The scan takes 30 seconds and tells you a lot about whether the site is run by a real business.

    03. Google Business Profile check

    If they claim to be a local business, search for them on Google Business. A real supplier with a physical location will usually have a GBP entry. No entry, or an unverified one, is a yellow flag.

    04. LinkedIn reverse lookup

    Search the sales rep's name on LinkedIn. Confirm the company they claim to work for, their job title, and how long they have been there. A cloned profile will often have a generic headline, few connections, and a job history that does not quite add up.

    05. Video call before wire transfer

    Any real supplier will agree to a 15-minute video call before a first wire transfer. If they make excuses, decline, or go silent, treat that as confirmation that the supplier is not real. This single step has caught every fake supplier attempt I have made since.
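Step 01 can also be scripted. The following is an added example, not the author's or VibeLeak's code: it reads the registration date from an RDAP response (the JSON successor to WHOIS, used here in place of the lookup sites named in step 01) and applies the 60-day window. The sample response and the function names are constructed; `fetch_rdap` assumes the public rdap.org redirector and a TLD whose registry publishes RDAP.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Constructed RDAP response (RFC 9083 layout), trimmed to the fields used here.
SAMPLE_RDAP = json.loads("""
{"ldhName": "acme-conponents.example",
 "events": [
   {"eventAction": "registration", "eventDate": "2026-05-12T09:14:03Z"},
   {"eventAction": "expiration",   "eventDate": "2027-05-12T09:14:03Z"}]}
""")


def fetch_rdap(domain: str) -> dict:
    """Live lookup through the rdap.org redirector (needs network access)."""
    req = urllib.request.Request(f"https://rdap.org/domain/{domain}",
                                 headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def registration_date(rdap: dict):
    """Return the timezone-aware registration timestamp, or None if absent."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            when = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
            return when if when.tzinfo else when.replace(tzinfo=timezone.utc)
    return None


def domain_age_check(rdap: dict, first_contact: datetime, red_flag_days: int = 60):
    """Compare domain age at first contact with the checklist's 60-day window."""
    registered = registration_date(rdap)
    if registered is None:
        return {"age_days": None, "verdict": "unknown"}  # no date: check by hand
    age_days = (first_contact - registered).days
    verdict = "red_flag" if age_days <= red_flag_days else "ok"
    return {"age_days": age_days, "verdict": verdict}


if __name__ == "__main__":
    contact = datetime(2026, 6, 1, tzinfo=timezone.utc)  # constructed date
    print(domain_age_check(SAMPLE_RDAP, contact))
```

An `unknown` verdict means the registry returned no registration event, so the date has to be confirmed another way before the check counts as passed.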

    Why this works

    The asymmetry that makes these checks effective

    A fraudster can clone a website. They can fake a LinkedIn profile. They can register a similar domain. But they cannot easily fake a domain age of three years, a real VibeLeak trust grade, a verified Google Business Profile, and a real person on a video call.

    The practical rule

    Any supplier that scores below a C on VibeLeak, has a domain younger than 90 days, and refuses a video call before a wire transfer is a fraud until proven otherwise. You do not need to prove they are fake — they need to prove they are real. That is the asymmetry that protects you.

    Five minutes saved me $4,200 once. It has also given me a repeatable process I can hand to my team, my partners, and anyone else who is sourcing new vendors. The checklist is not paranoia — it is the minimum viable due diligence for any business relationship that starts with a wire transfer.

    FAQ

    Questions about supplier verification and B2B fraud prevention

    The practical answers for anyone who wants to build a verification habit.

    What made the fake supplier convincing?

    Three things: a professional website that looked established, a domain similar to a real supplier I had used before, and a sales process that felt normal. I did not find out it was a clone until the wire transfer did not produce the goods I ordered.

    What is the 5-minute supplier check?

    It is a five-step verification: WHOIS lookup to confirm domain age and registration details, VibeLeak scan to get a trust grade and check for red flags, Google Business Profile verification if they claim to be a local business, LinkedIn verification of the actual contact person, and a video call before any first wire transfer.

    Does this work for international suppliers?

    Yes, with adjustments. WHOIS and domain verification work globally. VibeLeak scans any public URL. The LinkedIn step may require more digging for international contacts. The key addition for international suppliers: ask for a video call before any wire transfer. A real supplier will agree. A fraudster will make excuses.
