If there’s one thing payment companies of any caliber are familiar with watching out for, it’s Business Email Compromise, also known as BEC.
Business Email Compromise occurs when a fraudulent party gains access to a company’s systems and email. If they’re successful, they gather information on the company and its suppliers, including payment cadences. They masquerade as legitimate businesses to change contact and banking information, ultimately re-routing funds to their own accounts.
It’s a subtle process that preys on a person’s willingness to give others the benefit of the doubt. With businesses simultaneously facing other, more direct attacks, BECs can be difficult to detect and nearly impossible to reverse.
Fraudsters specialize in writing convincing emails. With accounts payable folks moving fast and trying to maintain good supplier relationships, it’s easy to fall for one of these schemes. But if you slow down and scrutinize these requests, there are often tells that reveal whether the sender is legitimate.
Here are some of the most common techniques that fraudsters take advantage of:
- Email address anomalies. Take a good look at the email address of incoming requests. There are all kinds of ways to spoof an email address, and you may find minuscule changes compared to the email you already have on record. For example, the email might vary by a single character. It might be the same address but end in something other than “.com.” Slow down and look carefully, and you’ll weed out a good portion of potentially fraudulent requests.
- The fake cc. Fraudsters will sometimes cobble together a convincing email string by cc’ing other parties—a fake approver, manager, etc.—using real names they’ve gathered, along with spoofed email addresses. They may even mention that they’ve copied someone to try to demonstrate authenticity. Inspect the email addresses of cc’d parties just as carefully as the sender’s email.
- Odd voice or tone. Many of these attacks originate offshore and are written by people who are not native English speakers. If you’re dealing with a US supplier, even slight errors in vocabulary, spelling, grammar, or sentence construction may be red flags. That’s not to say every legitimate person you interact with will have immaculate grammar, so pay attention to tone as well. If it’s a supplier you work with frequently, check for subtle changes from your normal communication with the supplier. If something feels off, pick up the phone and call the number on their website before communicating further by email.
- Wrong vernacular. Vernacular is often very localized, and it is another good way to spot a potential issue. For example, in the U.S., “check” is spelled just so. If a U.S. supplier uses the British English “cheque,” it’s worth looking closer at the request before moving forward.
- Urgency. These requests are usually urgent. They will tell you they need to have their bank account information changed immediately. There are all kinds of rationales—bank accounts closing or overdue payments—and they typically put a lot of pressure on you to help them out by getting it done right away. It’s another way fraudsters play into our desires to help one another. Take a moment to slow down. If you truly believe the business is in dire straits, call them to discuss further.
- Erroneous invoice numbers. Since all payments are associated with an invoice number, fraudsters often include numbers in their emails to make the request look more legitimate. The numbers may be from older payments, guessed from past invoice patterns, or even made up. You should always make sure the invoice numbers match other payment information. If the number is outdated, not mapping to the right customer, or otherwise incorrect, it’s best to look into the matter before providing further information to the email sender.
- Incorrect amount. A real supplier is going to know the invoice number and the exact amount of payment. A counterfeit supplier may be guessing numbers from payment patterns they’ve identified—or misidentified.
- Doctored checks. When suppliers provide a voided check with their update request, it should be scrutinized. Some may be more obviously doctored, but others are quite convincing. Take a good hard look at the MICR line, supplier logo, address, and even the bank, to identify discrepancies.
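As an added example (not from the original article, and not any vendor’s product), the Python script below applies the checks from the first two items above to the From and Cc headers of an incoming request: every address is compared against the supplier contacts on file and flagged when it is a one-character edit, a swapped top-level domain, or a look-alike such as “rn” for “m”. The contact list, the domain names and the sample message are constructed for this example.

```python
from email import message_from_string
from email.utils import getaddresses

# Supplier contacts on file and a constructed sample request (example data only).
ON_FILE = {"ap@acme-supply.com", "jane.doe@acme-supply.com"}
SAMPLE = ("From: AP Team <ap@acme-suply.com>\n"
          "Cc: Jane Doe <jane.doe@acrne-supply.com>\n"
          "Subject: URGENT: update bank details for invoice 10482\n\nPlease update today.\n")
# Character swaps that let a spoofed domain pass a quick glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold(s: str) -> str:
    """Collapse look-alike sequences so 'acrne' compares equal to 'acme'."""
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

def classify(addr: str, on_file=ON_FILE) -> str:
    """Return 'known', 'lookalike' or 'unknown' for one e-mail address."""
    addr = addr.strip().lower()
    if addr in on_file:
        return "known"
    local, _, domain = addr.rpartition("@")
    for known in on_file:
        k_local, _, k_domain = known.rpartition("@")
        swapped_tld = domain.split(".")[0] == k_domain.split(".")[0]   # acme-supply.net
        typo_domain = edit_distance(domain, k_domain) <= 2             # acme-suply.com
        homoglyph = fold(domain) == fold(k_domain)                     # acrne-supply.com
        typo_local = domain == k_domain and edit_distance(local, k_local) == 1
        if swapped_tld or typo_domain or homoglyph or typo_local:
            return "lookalike"
    return "unknown"

def triage(raw_message: str, on_file=ON_FILE) -> dict:
    """Classify every From/Cc address; hold the request if any one is a lookalike."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("From", []) + msg.get_all("Cc", []))
    results = {addr.lower(): classify(addr, on_file) for _, addr in pairs}
    return {"addresses": results, "hold": "lookalike" in results.values()}
```

Running `triage(SAMPLE)` flags both the sender and the cc’d “approver” and sets `hold`, which is the cue to phone the supplier on the number already on file rather than reply by email.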
If you know you will be handling updates to supplier information, it’s prudent to have technology in place to prevent your systems from being breached. Never take action on banking change requests without performing several verification steps, including calling the supplier at the phone number already on file to confirm the update with them. However, a sense of urgency combined with a convincing story can sometimes get people to forgo their usual validation steps and release funds to fraudsters. By the time you realize what’s happened, it can be difficult to get your money back. That’s what fraudsters are counting on.
A banking change request should always put your accounts payable team on high alert. Such requests are often legitimate, but never let your guard down. New fraud schemes are emerging all the time, so even if you can’t quite put your finger on what’s wrong, pay attention to your gut feeling. When in doubt, double or triple check the request and compare their information to what you already have on file. Send the email in question to your security team to review—they often have more experience looking for signs of a spoofed message. Pick up the phone and call the supplier. Tell them you understand the urgency, but you need to follow process and protocol for everyone’s protection. At the end of the day, a legitimate supplier will thank you for protecting their business and yours.