This seems like a place where physical security keys could've been useful.
Any invoice would be expected to be signed using a physical security key. The University or a trusted third party would have a list of vendor keys, signed by the university's master key.
Any request to change account details or for payments would require a new signed invoice. Then any user receiving such an email could easily see if the invoice had been signed by a person who can cryptographically prove they have a key that is trusted to be in the vendor's possession.
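The trust chain this comment describes (a master key signs the vendor key list, and a vendor key signs each invoice) can be checked as in the following Go sketch, which is an added example and not part of the original comment. Assumptions: software Ed25519 keys derived from constructed labels stand in for hardware-held keys, and every name here (`VendorCert`, `VerifyInvoice`, the vendor "Acme", the invoice text) is hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrUntrustedKey = errors.New("no vendor key on the list carries a valid master-key signature")
var ErrBadInvoice = errors.New("invoice is not signed by the vendor's listed key")

// VendorCert is one vendor-list entry: a public key and the master key's signature over it.
type VendorCert struct {
	Pub ed25519.PublicKey
	Sig []byte
}

// demoKey derives a constructed key pair from a label (assumption: a real security key never exports its private half).
func demoKey(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// msg tags the signed bytes with purpose and vendor, so a signature made for one cannot be reused for another.
func msg(kind, vendor string, data []byte) []byte { return append([]byte(kind+"\x00"+vendor+"\x00"), data...) }

func sign(key ed25519.PrivateKey, kind, vendor string, data []byte) []byte { return ed25519.Sign(key, msg(kind, vendor, data)) }

// VerifyInvoice walks the chain: master key -> vendor key -> invoice.
func VerifyInvoice(master ed25519.PublicKey, list map[string]VendorCert, vendor string, body, sig []byte) error {
	cert := list[vendor] // a missing vendor yields an empty entry, rejected below
	if len(cert.Pub) != ed25519.PublicKeySize || !ed25519.Verify(master, msg("cert", vendor, cert.Pub), cert.Sig) {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(cert.Pub, msg("invoice", vendor, body), sig) {
		return ErrBadInvoice
	}
	return nil
}

func main() {
	mPub, mKey := demoKey("university-master")
	vPub, vKey := demoKey("vendor-acme")
	list := map[string]VendorCert{"Acme": {Pub: vPub, Sig: sign(mKey, "cert", "Acme", vPub)}}
	body := []byte("Pay 1200.00 to account 11-1111") // constructed invoice text
	fmt.Println(VerifyInvoice(mPub, list, "Acme", body, sign(vKey, "invoice", "Acme", body)))
}
```

Because the signature covers the full invoice body, changed account details fail verification unless the vendor's listed key signs the new invoice.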