The Situation

Earlier in 2019, a local business owner received a PDF invoice emailed from their vendor “ABC Corporation” totaling $333,900 for services rendered, which also included Automated Clearing House (ACH)/wire payment instructions.

Eleven days later, the business received a second email that appeared to come from the same vendor, ABC Corporation, which included new, updated bank information for the payment. The second email contained an identical PDF invoice; only the bank routing and account number within the ACH/wire instructions were changed.

Two days after receiving the second invoice, the business initiated an ACH electronic payment to ABC Corporation using the updated routing and account number. Unfortunately, the client didn’t realize the payment was fraudulent until they received a past-due inquiry from ABC Corporation, which hadn’t received the payment.

Upon further investigation, they discovered that the second, spoofed email message was sent from a lookalike address (the original email address without its second “c”). Because the payment had happened weeks earlier, most of the funds had already been withdrawn from the account at the receiving bank. At the time of this report, about $9,800 remained, which will be returned to the business; however, their overall loss on this fraud instance stands at about $324,100 because they authorized the ACH electronic payment. They filed a report with the Federal Bureau of Investigation, local law enforcement, federal law enforcement agencies, and the FBI’s Internet Crime Complaint Center:

Adding salt to the wound after the fraud loss, the business began experiencing check fraud. First Business Bank fraud prevention solutions, such as Payee Positive Pay, prevent fraudulent checks from clearing accounts. As a best practice, after an account has experienced check fraud, we work with clients to close the original account and open a new account with all fraud prevention tools in place to mitigate fraud risk on the new account.

Key Take-Aways

We can’t stress this enough. If your vendor sends an email or invoice with updated bank payment instructions, ALWAYS perform out-of-band authentication. Do not reply via email, as the vendor’s email account may have been compromised. Instead, call the vendor using a phone number in your contract or from a company system, such as an accounts payable application. Never call back using a readily available phone number that is included in an email, on an invoice, or in other attached documents. Reach out to us for more about implementing the latest fraud prevention solutions at your business.
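As an added illustration (not part of the bank’s article), here is a Python check an accounts payable system could run on an incoming invoice before any payment is released: it flags a sender domain that is within a small edit distance of the vendor domain on file, like the address missing its second “c” in the case above, and any change to the routing or account number, so the invoice is held for out-of-band verification. The vendor record, addresses and bank details are constructed placeholders.

```python
# Constructed vendor master record, as an accounts-payable system might hold it
# (hypothetical domain and bank details, not taken from the case).
VENDOR_MASTER = {
    "ABC Corporation": {
        "sender_domains": {"abccorporation.example"},
        "routing": "000000000",
        "account": "1234567890",
    },
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """Domain part of a From address, tolerating 'Name <user@domain>' form."""
    return addr.rsplit("@", 1)[-1].lower().strip("> ")


def review_invoice(vendor: str, sender: str, routing: str, account: str,
                   master=VENDOR_MASTER, max_distance: int = 2) -> list:
    """Return the reasons this invoice must be held for out-of-band verification.

    An empty list means the sender domain and bank details match the record on file.
    """
    record = master[vendor]
    flags = []
    domain = sender_domain(sender)
    if domain not in record["sender_domains"]:
        # A single dropped letter (as in the case) is distance 1 from the real domain.
        close = [d for d in record["sender_domains"]
                 if levenshtein(domain, d) <= max_distance]
        flags.append(("sender-lookalike:" + close[0]) if close else "sender-unknown")
    if routing != record["routing"] or account != record["account"]:
        # Changed payment instructions are the core of this fraud; never accept by email.
        flags.append("bank-details-changed")
    return flags
```

A non-empty result should route the invoice to a person who calls the vendor at the number on file, not any number in the email.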