Fake acquired-vendor rebrand / change-of-accounts (CoA) lure — "Vendor X is now Vendor Y, please update bank details on file." Mimics legit M&A churn; vendor-name change is the tell. Real vendor M&A bank-detail changes flow through the AP-system change-notification process with verbal verification through a known phone contact, never via a single inbound email demanding wire-redirect on a deadline. Sender NOT on the merchant / bank canonical-allowlist (stripe.com, paypal.com, amazon.com, apple.com, visa.com, mastercard.com, americanexpress.com, discover.com, klarna.com, adyen.com, square.com, squareup.com, shopify.com, wise.com, revolut.com, jpmorgan.com, chase.com, bankofamerica.com, wellsfargo.com, citi.com, hsbc.com, barclays.com, deutsche-bank.com, bnpparibas.com, ing.com, santander.com, rabobank.com, nordea.com, seb.se, swedbank.com, handelsbanken.com). Distinct from R6/R7/R8 generic vendor / merchant spoofs — this signal is specifically the M&A-rebrand bank-detail-redirect variant, an AP-fraud / wire-redirect precursor that bypasses FP-control on standard merchant-spoof signals because the framing is "we changed banks because of acquisition" rather than "your payment failed." Source: Red-Team R8 multi-agent council S2 (social-engineering specialist).

Fake acquired-vendor rebrand / change-of-accounts (CoA) lure targeting AP (accounts-payable) staff, CFO + finance team, controllers, and vendor-management contacts. The phish narrative arrives as: "We are pleased to inform you that ACME Corp has been acquired by Globex Industries. Following the acquisition, please update your accounts payable bank details on file to the new account number. Wire all future invoice payments to the updated routing / IBAN provided in the attached document," or "Following our recent merger, we have changed our company name and our banking details have been updated. Please remit all outstanding invoices to the new account / new routing number / new SWIFT code. Update your AP system within 7 days to avoid payment-routing errors." Mimics legit M&A churn — vendor-name-change rebrand notifications ARE a real AP workflow that AP staff handle multiple times per year, especially at companies with large vendor pools. The vendor-name change is the tell: attackers research the target's real vendors (often via LinkedIn-scraping the AP team or via prior breaches), then craft a rebrand notice that looks plausible enough that AP staff update banking details without verbal verification. Real vendor M&A bank-detail changes flow through the AP-system change-notification process with verbal verification through a known phone contact at the original vendor (NOT a phone number provided in the email), audited by both AP and finance leads, with the change typically NOT effective until the next invoice cycle. Sender NOT on the merchant / bank canonical-allowlist (stripe.com, paypal.com, amazon.com, apple.com, visa.com, mastercard.com, americanexpress.com, discover.com, klarna.com, adyen.com, square.com, squareup.com, shopify.com, wise.com, revolut.com, jpmorgan.com, chase.com, bankofamerica.com, wellsfargo.com, citi.com, hsbc.com, barclays.com, deutsche-bank.com, bnpparibas.com, ing.com, santander.com, rabobank.com, nordea.com, seb.se, swedbank.com, handelsbanken.com). Distinct from R6/R7/R8 generic vendor / merchant spoofs (account-suspension / payment-decline pretexts) — this signal is specifically the M&A-rebrand bank-detail-redirect variant, an AP-fraud / wire-redirect precursor that bypasses FP-control on standard merchant-spoof signals because the framing is "we changed banks because of acquisition" rather than "your payment failed." Fires when body references acquired by / acquisition (by/of) / merger (with/of) / merged with / post-merger / recent (merger/acquisition) / rebrand(ed/ing) / company name (change(d)/has changed) / vendor (name) (change/rebrand) / formerly known as / now known as / new entity / new legal name / spin-off / carve-out / due to (our) (merger/acquisition) AND update (your) (bank (account) details/banking details/payment (account) details/wire instructions/routing/IBAN/SWIFT/sort-code/account (number/details)/payee (details/info)) / change (of) (bank (account) details/banking/account/accounts/payee) / new (bank account/account number/routing number/IBAN/SWIFT/sort-code/wire instructions/payee) / change of accounts / CoA (change/update) / remit (all/future/outstanding) (invoices/payments) AND wire / ACH / SEPA / invoice(s) / accounts payable / AP / remit / remittance / payment(s) / outstanding invoice / pay (future/all/outstanding) / new account / new routing / update (your) AP context. Excludes the canonical merchant / bank domains. Auto-classified as danger via the `-lure` suffix. Source: Red-Team R8 multi-agent council S2 (social-engineering specialist).