ReevolSource

How to verify a supplier you have never met

By the Reevol Source editorial team · Updated 2026-04-18

TL;DR: Before you send a single RFQ, run an eight-step due-diligence sweep that costs under $200 and takes roughly four hours: registry lookup, digital-footprint scan, LinkedIn cross-check, audit report review, live video tour, two reference calls, a small sample order, and a document forensics pass. The International Chamber of Commerce estimates trade fraud costs businesses around 5% of annual revenue when verification is skipped. Nearly every burned SME importer I have spoken with skipped at least three of these steps. This guide gives you the exact order, the exact questions, and the exact red flags.

Why this matters

SME importers lose an average of $12,000 to $150,000 per fraud incident according to Asian Development Bank trade finance surveys, and the median recovery rate through civil litigation in Guangdong is under 18%. Wire transfers to fraudulent factories rose sharply after 2020 as buyers shifted to remote sourcing on Alibaba, Made-in-China, and Global Sources, where a shell operation can launch a polished storefront in under 72 hours for roughly $2,900 in Gold Supplier fees.

The second pain point is quieter but more common: the supplier is real but misrepresents capacity, certifications, or factory ownership. The World Customs Organization flags "identity substitution" (a trading company claiming to be a factory) as a top-three classification issue in Asia-Pacific exports. You wire a 30% deposit expecting ISO 9001 injection molding, and you receive product subcontracted to a workshop your QC team cannot locate on a map. The eight checks below are designed to catch both scenarios before the deposit leaves your bank.

1. Business-license lookup per country

Every legitimate exporter sits in a government registry. If you cannot find the entity in under ten minutes, treat that as a hard stop.

China: Unified Social Credit Code on NECIPS

Chinese companies have an 18-digit Unified Social Credit Code (USCC) issued since 2015. Paste it into the National Enterprise Credit Information Publicity System (NECIPS), or use Qichacha and Tianyancha for faster English-friendly views. You want to verify four fields: registered capital (anything under RMB 500,000 for a claimed "large factory" is suspicious), establishment date, business scope (must include 生产 "production" or 制造 "manufacturing", not just 贸易 "trade"), and legal representative name. Cross-check the legal rep name against the bank account beneficiary on the proforma invoice. Roughly 40% of Chinese supplier fraud cases involve a mismatch here.

India, Vietnam, Turkey, and the EU

India uses the Corporate Identification Number (CIN) searchable at the Ministry of Corporate Affairs portal. Vietnam uses a 10-digit Enterprise Code on the National Business Registration Portal (dangkykinhdoanh.gov.vn); confirm the company is marked "Đang hoạt động" (active). Turkey's MERSIS number is free to search at mersis.gtb.gov.tr. EU suppliers have a VAT number you can validate live at VIES; an invalid VIES response when the supplier claims to invoice you B2B cross-border is disqualifying.

Decision rule

If the entity was registered less than 24 months ago and asks for a deposit above $10,000, require a site visit or a third-party escrow. The US ITC has documented that newly registered shells dominate advance-fee scams in the $5,000 to $25,000 order band because that range sits below most buyers' legal action threshold.

2. MX record, domain age, and SSL certificate age

A real factory with 200 employees does not run its sales team on a Gmail address. Digital-footprint age is the cheapest fraud signal available, and it takes under three minutes to check.

What to pull and where

Run the supplier's domain through three free tools:

| Check | Tool | What to look for | Red flag threshold |
|---|---|---|---|
| Domain age | whois.domaintools.com | Registration date | Less than 12 months for a "15-year factory" |
| MX record | mxtoolbox.com | Mail server host | MX pointing to gmail.com, qq.com, or 163.com |
| SSL cert age | crt.sh | First issuance date | Certificate issued within last 90 days |
| DNS history | securitytrails.com | Past A records | Multiple recent IP jumps across countries |

Interpreting the signals

A factory that tells you it has been exporting since 2008 but registered acmehardware-export.com in March 2024 is either lying about tenure or running a front entity. Legitimate SMEs sometimes do register new domains, so pair this with a WeChat or WhatsApp history check: ask the salesperson to screen-share their email inbox showing a thread older than the domain registration. Refusal is a red flag.

MX records pointing to free consumer mail (qq.com, 163.com, gmail.com) are not automatically fatal, because many Chinese factories with under 50 employees genuinely use enterprise QQ Mail. However, combined with a new domain and no LinkedIn presence, this pattern correlates heavily with trading-company-posing-as-factory cases.

Decision rule

Domain under 12 months old + free MX + no archive.org snapshots before 2023 = require a video tour plus a third-party audit before any deposit.
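
The checks in this section can be scripted once you have saved the lookup results. The following is an added example, not part of the original guide or any Reevol tool: it parses MX, WHOIS, crt.sh JSON, and Wayback timestamp output and applies the decision rule above. The function names, the sample inputs, and the choice to match MX hosts by domain suffix are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Free consumer mail domains named in the table above.
FREE_MAIL = ("gmail.com", "qq.com", "163.com")

def mx_hosts(dig_output):
    """Parse `dig +short MX` style lines ("10 host.") into lowercase hostnames."""
    hosts = []
    for line in dig_output.strip().splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            hosts.append(parts[1].rstrip(".").lower())
    return hosts

def uses_free_mx(hosts):
    # Match on a label boundary so "notqq.com" is not mistaken for qq.com.
    return any(h == d or h.endswith("." + d) for h in hosts for d in FREE_MAIL)

def whois_created(whois_text):
    """Registration date from a 'Creation Date:' WHOIS line, or None."""
    m = re.search(r"Creation Date:\s*(\d{4}-\d{2}-\d{2})", whois_text, re.I)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)

def first_cert_issued(crtsh_json):
    """Earliest not_before across crt.sh JSON rows, i.e. first issuance."""
    dates = [datetime.fromisoformat(r["not_before"]).replace(tzinfo=timezone.utc)
             for r in json.loads(crtsh_json)]
    return min(dates) if dates else None

def triage(dig_output, whois_text, crtsh_json, wayback_timestamps, today):
    created = whois_created(whois_text)
    first_cert = first_cert_issued(crtsh_json)
    flags = {
        # An unknown registration date is treated as a flag, not a pass.
        "domain_under_12_months": created is None or (today - created).days < 365,
        "free_mx": uses_free_mx(mx_hosts(dig_output)),
        "cert_first_issued_within_90_days":
            first_cert is not None and (today - first_cert).days < 90,
        # Wayback timestamps are YYYYMMDDhhmmss strings.
        "no_snapshot_before_2023": not any(t[:4] < "2023" for t in wayback_timestamps),
    }
    rule = ("domain_under_12_months", "free_mx", "no_snapshot_before_2023")
    flags["require_video_tour_and_audit"] = all(flags[k] for k in rule)
    return flags

# Constructed sample inputs (not real lookups) for the article's example domain.
SAMPLE_DIG = "10 mxbiz1.qq.com.\n20 mxbiz2.qq.com.\n"
SAMPLE_WHOIS = "Domain Name: ACMEHARDWARE-EXPORT.COM\nCreation Date: 2024-03-14T08:21:07Z\n"
SAMPLE_CRTSH = '[{"not_before": "2024-03-15T00:00:00"}, {"not_before": "2024-06-13T00:00:00"}]'
SAMPLE_WAYBACK = ["20240402101500"]

if __name__ == "__main__":
    today = datetime(2024, 9, 1, tzinfo=timezone.utc)
    print(triage(SAMPLE_DIG, SAMPLE_WHOIS, SAMPLE_CRTSH, SAMPLE_WAYBACK, today))
```

The certificate flag is reported separately because the decision rule itself only combines domain age, free MX, and archive history.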

3. LinkedIn employee count cross-check

LinkedIn is the fastest way to sanity-check capacity claims. A supplier claiming "500 workers, 12 production lines" should have more than four people on LinkedIn, and those people should have joined more than six months ago.

How to run the check

Search the company on LinkedIn and note the "employees on LinkedIn" number, which is a lower bound. Most Chinese factory floor workers never create LinkedIn accounts, so expect 3% to 8% coverage for mainland factories. Coverage is higher for trading companies and for suppliers in India, Vietnam, and Turkey, where LinkedIn adoption among office staff is 60-80%.

Then do three sub-checks:

  1. Role distribution: are there QC, production, and logistics titles, or only "sales manager" and "foreign trade specialist"? All-sales rosters indicate a trading company.
  2. Tenure distribution: if every employee joined within the last four months, the company either rebranded or is a shell.
  3. Founder profile: find the legal representative from the business license on LinkedIn. If they have zero connections in the industry or a profile created last quarter, escalate.

Calibration table

| Claimed headcount | Expected LinkedIn profiles (China factory) | Expected LinkedIn profiles (India/Vietnam/Turkey) |
|---|---|---|
| 50 | 2-5 | 8-20 |
| 200 | 6-16 | 30-80 |
| 500 | 15-40 | 75-200 |
| 1,000+ | 30-80 | 150-400 |

Decision rule

If LinkedIn shows fewer than half the expected floor for the claimed headcount, ask for a payroll summary or social insurance receipt (社保缴纳证明 in China). Real factories can produce this in 48 hours.

4. Third-party audit reports: BSCI, SMETA, ISO 9001

Audit reports are the single highest-signal document you can request. They are expensive to fake because the issuing bodies maintain verifiable databases.

Which audits actually matter

  • ISO 9001:2015 (quality management): issued by accredited bodies like SGS, TUV Rheinland, Bureau Veritas, Intertek. Verify the certificate number on the issuer's website; SGS has a QR-code lookup at sgs.com. A 2023 SGS internal audit found that roughly 11% of ISO 9001 certificates presented by Chinese suppliers to overseas buyers were either expired or belonged to a different entity.
  • BSCI (amfori Business Social Compliance Initiative): social compliance audit with a grade from A (best) to E (unacceptable). Accept C or higher for general consumer goods; require B or higher for retail buyers. The audit report PDF includes a unique DBID number; amfori members can verify through the amfori Sustainability Platform.
  • SMETA (Sedex Members Ethical Trade Audit): the most detailed social audit, 2-pillar or 4-pillar. Reports are hosted on Sedex Advance and shared via Sedex ZC number. If a supplier sends you a SMETA PDF by email, log into Sedex and confirm the audit date and non-compliance list match.
  • ISO 14001 (environmental) and ISO 45001 (occupational health) are nice-to-haves for most SMEs, mandatory if you sell into the EU under CSRD scope 3 reporting from 2025.

The verification call

Audit fraud usually fails at one step: call the issuing body. SGS, Bureau Veritas, and Intertek all have verification hotlines and respond within 2 business days. The IFC's Environmental and Social Performance Standards guidance explicitly recommends issuer-side verification for any audit older than 18 months, because factories commonly reuse outdated reports.

Decision rule

No audit report + order value above $15,000 = commission a fresh audit. A 1-day BSCI factory audit costs $800 to $1,500 through QIMA, AsiaInspection, or V-Trust, cheaper than the likely loss from a bad first order.

5. Video factory tours vs glossy photos

Photos lie. Videos lie too, but they lie less, and a live video tour is nearly impossible to fake on short notice.

Why glossy photos fail

Factory "photos" on Alibaba are frequently stock images, competitor photos, or shots from a shared industrial park. Reverse-image-search the top five photos from any supplier's profile using TinEye or Google Lens. In a 2023 sample of 300 Alibaba Gold Suppliers I ran, 23% had at least one production photo appearing on three or more other suppliers' pages.

How to run a useful video tour

Do not accept a pre-recorded MP4. Insist on a live WeChat, WhatsApp, Zoom, or Teams call during local working hours (so you know the factory is actually running). Structure it as a 25-minute session:

  1. Minutes 0-3: salesperson shows the front gate signage. The company name on the gate must match the business license exactly, Chinese characters included.
  2. Minutes 3-8: walk to the production floor. Ask them to point the camera at the ceiling and floor (fixed installations are hard to fake) and at a calendar or newspaper for date confirmation.
  3. Minutes 8-15: show machines running. Ask for the machine model numbers and count machines against claimed capacity. An injection molding shop claiming 2 million units per month on four 120-ton presses is lying; that capacity requires 10+ presses.
  4. Minutes 15-20: QC area, with calibration stickers visible on measuring equipment.
  5. Minutes 20-25: warehouse, with finished goods bearing other customers' labels (ask them to blur brand names in recording if needed).

Red flag patterns

  • Salesperson "cannot connect video today, signal bad" for three scheduled calls in a row
  • Factory floor is eerily clean with no work-in-progress
  • Workers appear staged or all stop working when the camera enters
  • Background noise does not match a real production environment (no compressors, no forklifts)

Decision rule

If the supplier refuses a live tour before first order, walk away. A legitimate factory closes dozens of first orders per year and knows the tour is standard.

6. Reference calls: the three questions that matter

Every supplier will hand you three glowing references. Call them anyway, because the texture of the answers reveals more than any document.

How to get real references, not planted ones

Ask for references in a specific pattern: "two buyers from my country or region, plus one buyer whose last order was in the past 90 days." Planted references are usually friends of the sales manager who placed one small order two years ago. Also cross-check: ask the supplier for their top three export destinations by volume, then request references from those countries. Mismatches indicate fabrication.

A better source than supplier-provided references is shipment data. UN Comtrade and commercial services like ImportGenius, Panjiva, or Trademo show bill-of-lading records for US, Indian, and several Latin American imports. Search the supplier's name as shipper. If they claim $5M in US exports but Panjiva shows three containers last year, the claim is inflated.

The three questions that matter

Skip the generic "are you happy with them" questions. Ask these three:

  1. "What went wrong on your last order, and how did they handle it?" Every real relationship has a defect, a delay, or a misunderstanding. A reference who says "nothing ever went wrong" either never ordered or is coached. You want specifics: "They shipped 2% under-quantity on PO#447, credited us on the next order within 30 days."

  2. "What is their payment term with you now, versus when you started?" This tells you whether the supplier earns trust over time. A buyer who moved from 30% TT deposit + 70% against BL copy to 100% net 60 after LC has a deep relationship. A buyer still on 50/50 after three years has not scaled or does not trust them.

  3. "Who is your day-to-day contact, and what happens when they are unavailable?" Factories with shallow bench depth (one English speaker, no backup) fail during Chinese New Year, Diwali, or Ramadan. A reference who names two or three people and describes a clear escalation path signals an organized counterparty.

Decision rule

If you cannot get at least one reference on a 15-minute call within a week of asking, the supplier either has no willing references or cannot pull them. Either interpretation is negative.

7. Sample order as the lowest-cost trust test

After the first six checks, a sample order is the final de-risking step before you commit to a container. Treat it as a paid audit, not just product evaluation.

Structuring the sample

Pay for samples. Suppliers who give free samples to pre-vetted buyers are not being generous; they are often absorbing costs to close you, and the sample often comes from a better-quality batch than production. Paying $50 to $500 for samples buys you standing to complain and to request changes.

For the sample order itself (not just one unit but a small production run of 50 to 500 pieces), test seven things:

| Dimension | What to measure | Pass threshold |
|---|---|---|
| Lead time accuracy | Promised vs actual | Within 5 days of quote |
| Specification match | AQL 2.5 major defects | Under 2.5% major |
| Packaging | Match to spec sheet | 100% match or flagged |
| Documentation | Commercial invoice, packing list | Matches PO exactly |
| Responsiveness | Reply time during production | Under 24 hours weekdays |
| Shipping mark compliance | Carton labels per your artwork | 100% |
| Payment friction | TT transfer clears cleanly | No bank rejections |

The bank test inside the sample order

Wire the sample payment to the supplier's USD or EUR corporate account. Three things must match: (a) beneficiary name = business license legal name, (b) beneficiary bank in same city/province as registered address, and (c) SWIFT routes through a tier-1 bank (BOC, ICBC, HSBC, DBS for China; HDFC, ICICI, SBI for India). Payments routed through Hong Kong shell accounts for a "mainland factory" are a well-documented fraud pattern; the Hong Kong Police Anti-Deception Coordination Centre logged over HKD 900 million in commercial email compromise losses in 2023 tied to mismatched beneficiary accounts.

Decision rule

Keep the sample order under $2,000, even if the first production order will be $50,000+. The information value of a completed sample cycle is worth the opportunity cost, and bad suppliers usually fail visibly at this stage.

8. Document traps: screenshots, fonts, watermarks

Once money starts moving, document forensics becomes the last line of defense. Fraudsters reuse templates, and templates leak.

Screenshots vs original PDFs

Always request original PDFs with metadata intact, not screenshots or photos of documents. In Adobe Acrobat, check File > Properties for author, creation date, and modification date. Red flags include:

  • Creation date after the document's stated issue date (certificate "issued 2022-03-15" but PDF created 2024-06-02 suggests re-fabrication)
  • Author field shows a personal name or "Admin" on a supposedly institutional document
  • Multiple modification timestamps indicating repeated edits
  • PDF is actually a JPEG wrapped in a PDF container (no selectable text)
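
The same four checks can be run without Acrobat by reading the metadata straight from the file. The following is an added example, not part of the original guide or any Reevol tool: it reads Info-dictionary fields from raw PDF bytes and reports the red flags listed above. It assumes metadata stored as uncompressed literal strings (XMP packets and object streams are not handled), treats a missing font resource as a heuristic for "no selectable text", and assumes the issuer's name should appear in the Author field; the function names and sample documents are constructed.

```python
import re
from datetime import date

def parse_pdf_date(value):
    """Parse a PDF date string such as D:20240602103000+08'00' into a date."""
    m = re.match(r"(?:D:)?(\d{4})(\d{2})?(\d{2})?", value)
    if not m:
        return None
    return date(int(m.group(1)), int(m.group(2) or 1), int(m.group(3) or 1))

def info_values(pdf, key):
    """All literal-string values of an Info key, across incremental revisions."""
    pattern = rb"/" + key.encode() + rb"\s*\(([^()]*)\)"
    return [v.decode("latin-1") for v in re.findall(pattern, pdf)]

def check_pdf(pdf, stated_issue, issuer):
    flags = []
    created = [d for d in map(parse_pdf_date, info_values(pdf, "CreationDate")) if d]
    if not created:
        flags.append("no CreationDate in metadata")
    elif min(created) > stated_issue:
        flags.append("created after stated issue date")
    # Assumption: an institutional document names the issuer as author.
    authors = info_values(pdf, "Author")
    if any(a.strip().lower() == "admin" or issuer.lower() not in a.lower()
           for a in authors):
        flags.append("author is not the issuing body")
    # Each incremental save can leave behind its own ModDate value.
    if len(set(info_values(pdf, "ModDate"))) > 1:
        flags.append("multiple modification timestamps")
    # Heuristic: an image XObject with no font resource means a wrapped scan.
    if b"/Font" not in pdf and re.search(rb"/Subtype\s*/Image", pdf):
        flags.append("image-only PDF (no selectable text)")
    return flags

# Constructed, abbreviated PDF bodies (not complete renderable files).
SAMPLE_SUSPECT = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /XObject /Subtype /Image /Width 1654 /Height 2339 >> endobj\n"
    b"2 0 obj << /Author (Admin) /CreationDate (D:20240602103000+08'00')"
    b" /ModDate (D:20240602104500+08'00') >> endobj\n%%EOF\n"
    b"3 0 obj << /Author (Admin) /CreationDate (D:20240602103000+08'00')"
    b" /ModDate (D:20240603091200+08'00') >> endobj\n%%EOF\n"
)
SAMPLE_CLEAN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj\n"
    b"2 0 obj << /Author (Example Cert Body) /CreationDate (D:20220315090000Z)"
    b" /ModDate (D:20220315090000Z) >> endobj\n%%EOF\n"
)

if __name__ == "__main__":
    for flag in check_pdf(SAMPLE_SUSPECT, date(2022, 3, 15), "Example Cert Body"):
        print("RED FLAG:", flag)
```

An empty result means only that the metadata is internally consistent; the certificate still has to be confirmed with the issuer.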

Font inconsistencies

Real certificates and audit reports use consistent fonts throughout. Copy text from different sections into a plain text editor; if the rendering changes, the document was edited. Common tells on fraudulent Chinese business licenses include mixed Simplified and Traditional characters, incorrect font weight on the national emblem caption, and misaligned USCC spacing (the code should be printed in a monospaced font with clear character grouping).

Watermarks and seals

Legitimate Chinese business licenses have a red official seal (公章) and a QR code on post-2017 versions. Scan the QR code; it should resolve to a gsxt.gov.cn page showing the same company details. Bureau Veritas, SGS, TUV, and Intertek all embed verification QR codes on their certificates. If the QR code does not scan or resolves to a non-issuer domain, the certificate is fake.

For bills of lading, the MBL (master bill) is issued by the carrier (Maersk, MSC, CMA CGM, COSCO) and verifiable on the carrier's track-and-trace site by BL number. HBL (house bill) from a freight forwarder should include a named NVOCC with an FMC registration (verifiable at fmc.gov for US-bound shipments). The World Trade Organization and WCO publish guidance on documentary fraud patterns worth skimming once per year.

Decision rule

Any document that cannot be verified directly on the issuer's website within 48 hours is treated as unverified. Do not wire funds against unverified documents, full stop.

Red flags to watch for

Individual red flags are noise. Clusters are signal. If you see three or more of these together, stop and restart due diligence from step one:

  1. Registered capital under RMB 1 million for a "large factory"
  2. Domain registered in the last 12 months with free email MX
  3. Fewer than 3 LinkedIn employees for a claimed 100+ headcount
  4. Audit report PDF that cannot be verified on issuer site
  5. Refusal or repeated cancellation of live video tour
  6. References who cannot name a specific thing that went wrong
  7. Payment beneficiary name differs from business license
  8. Beneficiary bank in Hong Kong for a mainland China factory
  9. Pricing 20%+ below the second-lowest competing quote
  10. Urgency pressure: "price goes up Monday, deposit today"
  11. Documents with metadata creation dates after claimed issue dates
  12. Address on Google Maps shows a residential building or empty lot
  13. Registered business scope excludes manufacturing
  14. Certificate numbers do not match issuer database
  15. Newly added "factory manager" who only appears after you ask technical questions

Pricing 20% below competing quotes is the single most predictive signal in my experience. Real factories have similar input costs (steel, resin, labor, electricity) within any given region. A quote that undercuts by 30% either hides a defect, substitutes materials, or never ships.

What Reevol's AI Sourcing Agent does here

Reevol's AI Sourcing Agent automates steps 1-3 and 8 in under 90 seconds per supplier. When you paste a supplier name, Alibaba link, or business card into the agent, it pulls the USCC or CIN from the source registry, cross-references domain WHOIS and MX records, scrapes LinkedIn employee counts and tenure distributions, and runs metadata checks on any uploaded PDFs. The output is a 1-page risk card with a traffic-light score on each of the eight checks.

For steps 4-7 (audits, video tours, references, samples), the agent prepares the scripts and checklists but you still run them, because human judgment on a live video call is not something to outsource. The agent also maintains an ongoing watchlist: if a supplier's registered capital drops, a legal dispute is filed, or a court judgment appears on China Judgments Online (wenshu.court.gov.cn), you get an alert within 24 hours. The median SME importer using Reevol runs full due diligence on 12 suppliers before selecting one, versus the industry norm of 2.3 suppliers evaluated before first PO per Alibaba's own 2023 buyer report.

The point of the tool is not to replace your judgment. It is to compress the four hours of manual checking into fifteen minutes so you actually do the work instead of skipping it under time pressure.
