It’s a business scenario that looks innocent enough. An email from a vendor or executive with a change to payment instructions on an outstanding invoice. The problem is the email had been hacked and the payment you sent has gone to a fraudster, instead of where you intended.{mprestriction ids="1,3"}
In a world of online billing and email distribution, companies large and small are falling victim to business email compromise (BEC), which happens when a fraudster poses as someone you know, submitting an invoice or asking to update bank account information. The latest survey from the Association for Finance Professionals showed that 82 percent of companies were targets of payments fraud last year. The percentage of organizations falling prey to BEC scams has increased from 64 percent in 2014 to 80 percent in 2018.
These fraudsters prey on the trust. They hack email systems, monitor the traffic, and then when the time is right, falsely personalize the situation to make you, or a colleague, want to help them — like changing an account number for a payment.
Unlike other kinds of fraud, BEC can be difficult to detect because the transactions made on your account are consistent with regular payments and are made by authorized personnel. However, there are key steps you can take to help reduce your risk of BEC.
1. Always verify payment requests and changes to payment instructions. If you receive a request from a vendor or executive to change payment details such as account or invoice information, always make sure the request is authentic. Verify payment requests and changes with the requestor using a different method of contact. For example, if the vendor contacts you by email, confirm the information by phone. Be sure to use the information you have for the contact on file, not in the request, as that may be fraudulent as well.
2. Implement dual custody. Dual custody is one of the most effective deterrents against fraud and it’s free and easy to implement. It requires two users on different devices to initiate and approve payments, providing a second chance to spot fraud from both internal and external sources before it ever occurs. To be effective, both the payment initiator and approver must pay close attention to payment details — no rubber-stamp approvals.
3. Monitor accounts. Always reconcile bank accounts daily. Imposter fraud may go unnoticed for up to 30 days so it’s important to pay close attention to your account activity. It also enables you to detect anything out of the ordinary.
4. Educate employees and vendors. They are all targets of BEC too so it’s important to train them to recognize fraudulent activity. Instruct them to question new payment requests or account changes, even from executives. Define and implement a process to communicate payment and account changes and how those changes should be verified both internally and externally. This is one situation where it never hurts to over-communicate.
5. Be aware of other warning flags. As fraudsters become more sophisticated, they are finding ways to change the BEC landscape to create new situations to potentially compromise payments. Here are other scenarios to be on the lookout for as you look to protect your business:
• If you have sent a payment to a vendor and they later contact you asking about the status, immediately call the vendor to confirm the account instruction. Time is of the essence with BEC.
• If a payment to a new account is returned, this could be a warning sign that the account information is fraudulent. Again, always call the requestor with the phone number on file, not in the request, to verbally verify the account information.
With business email compromise an ongoing and serious risk, companies large and small need to stay up-to-date on the threat landscape and strengthen their defenses against fraud. Whether you’re a vendor, executive, accountant or employee, you need to be educated on the potential threats of fraud that lurk in email and the risks that could impact your company and its partners. Through awareness, process implementation, and education, you can take the right steps to safeguard your business.
Dan Maurice is the senior vice president and Southwest Division manager for Wells Fargo Treasury Management in Utah.{/mprestriction}