We are seeing alarming instances of fraud perpetrated on businesses, and, as a result, they are losing startling amounts of money — sometimes over $100,000 — to vendor and business email compromise fraud. Many of these scams involve payment-change requests from perpetrators posing as vendors or suppliers, so you can prevent the loss by implementing procedures and consistently training employees to follow them. An old-fashioned phone call can save your business thousands of dollars! Read on for other best practices.
This simple fraud starts with email and ends with a combination of vigilance, patience, and training. Business email compromise (BEC) is a general term that encompasses several different types of schemes perpetrated through email.
Once called “CEO fraud,” BEC started with CEOs targeted for email account takeover. Fraudsters accessed email accounts, posing as executives and demanding an urgent, fraudulent payment.
Now, however, with the COVID-19 pandemic and increase of electronic payments like Automated Clearinghouse (ACH) and wire transfer, BEC scams have multiplied. Recently, businesses are dealing more often with criminals posing as trusted vendors or suppliers.
What is Vendor Email Compromise Fraud?
Vendor email compromise (VEC) fraud can happen when your vendors’ email system is accessed through a phished email. Perpetrators also create fake online accounts pretending to be the vendor, often with an email and website address that closely mimic the legitimate business’s email and website.
In either scenario, your accounts payable department receives a legitimate-looking, but fake, email asking your employees to update electronic payment (ACH) or wire payment instructions — routing number and account information.
Don't Trust Until You Call
It’s absolutely critical to verify that payment-change requests are legitimate. To do this, use a trusted, previously existing method of contact – often a phone number you have on a previous contract or communication with the vendor. Do not use any phone numbers or contact information in the fraudulent email. If you don’t verify payment-change requests, you can lose thousands of dollars to the scammers. The nature of electronic payments makes it very difficult to recover the funds after they’re sent to an account because scammers often transfer funds immediately out of the account — usually within minutes. Sometimes businesses don’t discover the funds were paid to a scammer until they receive a late notice from the vendor and it’s often too late.
Scammers are counting on your business and employees not to take the extra time to verify the bank account change. It takes time to call a vendor and wait for return phone calls, but it’s very important to implement key procedures to avoid loss.
Tips for Preventing Vendor & Business Email Compromise Fraud
- Confirm payment changes via phone using a phone number in your system (not a phone number in the email), to verify details of the bank account change. Never reply directly back to the email to confirm information.
- Guard what you share online, including information that might be used to guess your passwords or security answers, such as children’s names, pet names, birthday dates.
- Be suspicious of any unsolicited email or text asking to update account information. Look up a phone number for the business that’s not in the email they sent and call the company to verify the request and information.
- Examine email addresses, website domain addresses, and spelling for errors that are similar to the actual business, such as substituting an l for 1 or adding extra punctuation.
- Do not open, click on, or download email attachments from people you don’t know or ones forwarded to you.
- Enable MFA (multi-factor authentication) whenever it’s available and use it.
- Set up a process to verify any account number or payment procedure changes by calling to make sure it’s legitimate.
- Slow down, especially if the payment seems urgent. It is more likely to be a fraudulent request if it’s time sensitive.
Source: Federal Bureau of Investigation
Vendor Email Compromise Fraud Real Examples
$100,000 Loss to Vendor Email Compromise
Before you write off this crime as one that happens to other businesses and not yours, check out these alarming real stories of businesses that lost money through VEC and BEC scams.
A local business received an email from a vendor, “ABC Inc.,” halting all check payments and requesting payments via ACH/direct deposit & wire transfer. The business opted to submit payments via ACH and received payment instructions via email. After submitting two payments, the business received a notice that ABC Inc.’s account was closed and payment was returned. So the business replied back to ABC Inc.’s email to verify the bank information. ABC Inc. replied they changed banks and provided updated payment instructions for a different bank. The business submitted another four payments to the new account before they received another email from ABC Inc. stating they were having problems with their new bank and provided updated payment instructions for a third bank.
First Business Bank contacted the business to confirm the repeated changes to ABC Inc.’s payment account and the business confirmed the changes as legitimate. The business submitted two additional payments to the new account before discovering the fraud, which took place all via a spoofed email account — ABCinc@email.net instead of ABCinc@email.com. Unfortunately, the total potential loss to the business is more than $100,000 in total. One phone call to a previously known number to confirm updated payment instructions could have prevented this loss.
Vendor Email Compromise Resulting In Wire Fraud
In yet another situation, a client contacted First Business Bank to report that a wire totaling more than $12,000.00 they sent a few weeks earlier was fraudulent. They discovered that an email account of a vendor’s employee was compromised, and the client received a fraudulent email to update their wire payment instructions. There was a slight change in the spelling of the vendor’s email and the scammer requested the wire go to an account at a different bank using a different beneficiary company name. First Business Bank contacted that receiving bank to determine if any funds from the wire could be recovered. In a fortunate recovery, First Business Bank was able to recover more than $10,000, lowering the total loss for the client.
Don’t Wait — Educate Employees on Fraud Prevention
To avoid becoming a fraud victim and losing money to BEC and VEC scams, it’s vital to stay ahead of them by regularly reviewing your internal processes, updating them with the latest best practices, and routinely educating your staff. Make sure to talk to your banker about best practices and new fraud prevention solutions the next time you meet.