Business Email Compromise is rampant and yet easy to prevent

November 14, 2022

There are three primary types of Business Email Compromise attacks: fake CEO schemes, redirected vendor payment schemes and real estate title company impersonation. Each involves impersonation, either by compromising email account credentials or by “spoofing” a trusted person’s email address. In the first and third schemes, the sender induces the recipient to send a wire or ACH payment in the belief that it serves a legitimate business purpose, at the instruction of a senior executive of the company or of the title company associated with the purchase of a home. In the case of redirected vendor payment schemes, the attacker knows the names of some if not all of your vendors and resends an altered version of an otherwise legitimate invoice, changing the payment instructions so that the wire goes to an account under their control.

All three schemes are very preventable. Identify all people in your organization who are authorized to make wire transfer and ACH payments, educate them about the schemes and instruct them never to send payments based on email instructions alone. Instead, look up the person requesting the wire in your company directory and don’t send the wire until you have spoken to them on the phone and confirmed the request. Make it difficult to change payment instructions for vendors or other third parties in your accounts payable system without a senior member of the finance team first reviewing the change, and never send a wire in connection with a home purchase without first speaking to the title company (or other requester) at a number taken from your own records (not from the inbound email). Treat any change to payment instructions, and any request for a wire payment from senior people, as suspect. You may irritate colleagues who are legitimately asking you to send a wire, but just imagine how irritated they will be if you send $1 million to Hong Kong because you were worried about annoying someone.
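The controls above (compare the invoice's bank details with your own vendor record, require senior review for any change, and confirm by phone only at a number from your records) can be written down as a release gate so that accounts payable cannot skip a step. The following is an added example, not the author's code or any product's; the vendor record, invoice details, reviewer name and phone numbers are constructed sample data, and `release_decision` is a hypothetical function name.

```python
"""Payment-release gate modelling the BEC controls described in the post.

A wire or ACH is released only when:
  1. the beneficiary account on the invoice matches the vendor master record,
     or the change to it has been reviewed by a senior member of finance; and
  2. the request was confirmed by phone at the number held in our own records,
     never at a number supplied in the inbound email.
Everything below (vendor, accounts, phone numbers) is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VendorRecord:
    name: str
    bank_account: str   # beneficiary account recorded at onboarding
    phone_on_file: str  # number we verified at onboarding, not from any email


@dataclass(frozen=True)
class PaymentRequest:
    vendor: str
    amount: float
    bank_account: str                        # account the invoice/email asks us to pay
    phone_in_email: Optional[str]            # callback number the message offers, if any
    callback_number_used: Optional[str] = None  # number finance actually dialled
    callback_confirmed: bool = False            # requester confirmed the payment by voice
    senior_reviewer: Optional[str] = None       # who approved a change to payment instructions


# Constructed vendor master record (sample data).
VENDOR_MASTER: Dict[str, VendorRecord] = {
    "Acme Supplies": VendorRecord("Acme Supplies", "GB00-1111", "+44 20 7946 0000"),
}


def release_decision(req: PaymentRequest,
                     master: Dict[str, VendorRecord] = VENDOR_MASTER) -> Tuple[bool, List[str]]:
    """Return (approved, reasons); each reason names a control that failed."""
    reasons: List[str] = []
    rec = master.get(req.vendor)
    if rec is None:
        return False, ["vendor not in master record"]

    # Control 1: altered payment instructions need senior review before release.
    if req.bank_account != rec.bank_account and req.senior_reviewer is None:
        reasons.append("payment instructions differ from vendor master and lack senior review")

    # Control 2: voice confirmation, and only at the number from our own records.
    # A number lifted from the inbound email fails this check even if it was dialled.
    if not req.callback_confirmed:
        reasons.append("request not confirmed by phone")
    elif req.callback_number_used != rec.phone_on_file:
        reasons.append("callback used a number not taken from our records")

    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed scenario: a resent invoice with altered bank details and a
    # "call me to confirm" number that matches nothing we have on file.
    altered = PaymentRequest("Acme Supplies", 250_000.0, "HK00-9999",
                             phone_in_email="+852 5555 0000",
                             callback_number_used="+852 5555 0000",
                             callback_confirmed=True)
    print(release_decision(altered))   # rejected, two reasons
```

The point of encoding the gate is that "we phoned and they confirmed" is not enough on its own: the decision records which number was dialled and rejects a confirmation obtained at a number the email itself supplied, which is exactly how a redirected vendor payment is usually "verified" by the attacker.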
