Your A/P staffers are experts at managing your organization’s payments. However, their work also makes the company vulnerable to business email compromise attacks, which are getting harder to detect.
In fact, there were nearly 20,000 reported incidents of business email compromise scams in 2021 – with adjusted losses at nearly $2.4 billion, according to the FBI Internet Crime Complaint Center.
Fraudsters often try to impersonate either a vendor or a company executive to change a legitimate vendor’s payment information to their own personal account.
And because payments can be transferred to cryptocurrency wallets and quickly dispersed, recovering funds that were sent to a criminal by mistake is even more difficult.
Due diligence for stopping business email compromise
Here are some best practices being used by A/P teams at other firms to fight back against business email compromise fraud:
- Train your team. Conduct periodic cybersecurity training so your entire workforce will be alert for fraud.
- Flag any address change requests for review. Fraudsters may attempt to divert payments to a different mailing address.
- Email and call the vendor. After receiving any payment change request, email the trusted contact you have on file to confirm it’s real. Then make a phone call to the vendor’s controller using a previously used, legitimate number (if necessary, get it from an invoice that’s at least six months old). Ask the controller to verify the bank name and the last four digits of both the old and new accounts.
- Attach original paperwork. When sending a payment change request confirmation to a vendor’s controller, attach all the documentation submitted with the request. The controller will either validate it or let you know it’s a fraud attempt. Also, ask the controller to identify the last four payments they received from your firm.
- Only accept a custom change form that your trusted vendors already have. Create a personalized form the vendor must complete to request a change and get it in your vendors’ hands. Explain why you’re making this change.
- Request two signatures. Require signatures of two financial officers from a known vendor before making any initial ACH setups or changes to banking information.
If you suspect that you’ve been a victim of payment fraud, you need to notify your bank right away and file a report at ic3.gov.