Compromised Email Accounts Can Lead to Payments Fraud

Primary Source of Fraud: Business Email Comprise

Email communication plays a major role in how many businesses conduct their daily operations. Fraudsters continue to adapt their business email compromise (or “BEC”) schemes, as well. While they may target an entire organization, they often focus their efforts on Accounts Payable departments.

According to the 2023 AFP Payments Fraud and Control Report, the number of organizations falling victim to BEC fraud has slightly increased in the last year, as has the number of organizations that have experienced financial loss due to BEC.

This type of fraud targets business emails, authorizing various payments to accounts managed by criminals. The payments often appear to be legitimate transactions, making BEC difficult to identify. Businesses of all sizes are targeted and 71% of companies were targeted by BEC in 2022.

BEC Fraudster Tactics

Below are ways scammers infiltrate organizations:

• Unauthorized use of online meeting platforms
  Through social engineering and with the use of a legitimate business email account, fraudsters request fund transfers using a still image of an executive and “deep fake” audio. They might claim their video/audio isn’t working properly and then follow up via email or chat to request a fund transfer.
• Spoof of an email account or website
  In hopes the employee isn’t paying close attention, scammers will send an email from an address that is slightly different from a legitimate address. For example: abby@abccompany vs. abbey@abccompany – and look out for email addresses using a capital I in place of a lower-case L or an “r n” in place of an “m”.
• Spear phishing emails
  These messages appear to be from a trusted sender to fool specific victims into releasing confidential information or clicking on an attachment with malware. This information is used by scammers to plan out BEC attacks.
• Use of a compromised email account
  Fraudsters will typically use compromised email accounts to send changes to payment instructions in hopes the target will follow the new, fraudulent instructions.
• Use of malware
  Malicious software is used to obtain confidential information like billing requests and invoices. The scammer then uses this information to time requests or to send messages so that accounts and financial officers don’t flag the requests. Malware can also give scammers undetected access to data such as passwords and financial accounts.

BEC Payment Targets

As ACH credits are being targeted less, wire transfers are now becoming a primary target of BEC fraud attacks. However, ACH fraud remains a concern for businesses. ACHs are low cost and quick to execute, making them a great payment method for organizations – and very attractive to fraudsters.

Departments Under Attack

Although Accounts Payable departments are often the primary target for BEC attacks, other departments are still susceptible to BEC.

Protecting Your Business

Many companies continue to implement procedures and controls to better safeguard their transactions from BEC. Below are just a few of the procedures companies reported using to limit their exposure:

Financial loss isn’t the only cost of a successful BEC attack. The loss of confidential information could also cost the company their customer and/or vendor relationships.

Organizations identified a few key strategies they use to safeguard their payments and their reputations:

Employing fraud mitigation best practices, products, and services such as Check and ACH Positive Pay, commercial and/or virtual Cards, account blocks and more can validate payments and help mitigate the risk of fraudulent transactions

Contact a banker today to discuss payment strategies that will better protect your business.

For more tips on how to protect your business from fraud, Fraud Prevention Guide.

Source: Association for Financial Professionals: 2023 Payments Fraud and Control Survey Report

As with all serious financial topics or decisions, be sure to consult with a trusted financial advisor beforehand. The content here is for educational purposes only and is not meant to serve as any sort of advice or endorsement.