Business Email Compromise Still Works, Trade Payments Are Still Vulnerable


Business email compromise (BEC) fraud continues to plague commercial trade payments despite the best efforts of banks and software service providers to stem the flood of spoofed emails and risky looking transactions. The FBI reported that in 2021, BEC-related losses added up to over US$1.8 billion. This type of fraud generally targets the staff of a commercial enterprise and persuades them to make a seemingly legitimate payment which ends up going to a fraudster.

Business Email Compromise

Most conversations, solutions, and controls emphasize blocking or suspending spoofed emails that contain some element of a phishing attack. Banks have significantly improved fraud-detection systems and accelerated loss prevention techniques, preventing and/or recovering untold millions.

However, these efforts only address half the problem; they only look at one of two common ways that fraudsters effectively execute a BEC attack:

  • The first, as previously described, is for the fraudster to send staff an email with payment instructions within a convincing narrative. They make the email look like it came from an authorized person by spoofing or faking the email address. In some rare cases, fraudsters hack an executive’s email account and originate the request from within the legitimate account. Either way, it has the effect of pre-authorizing a payment. This entry point rightfully drives demand for email/phishing and laptop protection software that seeks to block spoofed emails and compromised machines.
  • The second, and less commonly discussed, attack vector originates from a legitimate vendor which performs an authorized service and submits an accurate invoice by email to Accounts Payable staff. Everything might look good, except nobody knows that the vendor’s email was hacked by the fraudster. Along with a legitimate invoice, the fraudster provides revised payment instructions. Accounting staff process all incoming invoices and dutifully make sure they’re not going to pay the vendor more than they should. They double check every price, item count, and charge to verify that it matches the approved Purchase Order. After it is matched, it is paid.

The likelihood of success for vendor-originated BEC fraud is determined by the practices and controls in place between the receipt of the new payment instructions and when accounting staff update the vendor master table. Since there are no telltale signs that a vendor’s email may have been hacked, Accounts Payable has one small window of detection and prevention: Staff need verification from the true vendor that the change request was real.

This seems simple enough. However, when accounting staff support a decentralized operation and receive thousands of invoices each month by hundreds of vendors, they rarely know the vendors firsthand and cannot easily contact them. Fraudsters count on the fact that staff continually do this rote work, and they are kind enough to offer their help by including their new phone number along with the new payment instructions. Of course, when staff call the friendly vendor to verify the new instructions, they eagerly say, “Yes, that’s us!”

Solving this is more complex than a phone call.

Since internal controls at publicly traded firms are typically stronger than those at private firms, it pays to make an effort and help your customers address this topic. It will be especially meaningful if you focus on how they handle their vendor master file and payment templates.

Here are a few suggestions you can offer:

  • Include language within vendor agreements that places responsibility on the vendor for keeping their email communications secure, such that any trade loss tied to their email becomes their liability.
  • Encourage all new vendors to receive payments electronically.
  • Introduce dual control whenever modifying information in the vendor master file, especially payments, contact, and address data.
  • Introduce dual control over payment template modifications.
  • Socialize a message within the company making it a priority to help accounting whenever they need to verify vendors or contacts.

Many companies have employed a variety of controls to protect themselves from this type of fraud, some more effective than others. What we know is that helping customers implement multiple layers will help. For more information on this topic, please reach out to me directly at [email protected].