Combating Business Email Compromise (BEC) Attacks: Best Practices and the Role of Self-Service Supplier Portals

By Phil Binkow, CEO, Financial Operations Networks (FON)

Organizations are under siege from bad actors determined to commit payment fraud. 

Among these threats, Business Email Compromise (BEC) attacks have emerged as a particularly insidious form of payment fraud, targeting organizations of all sizes and across all industries.

According to the FBI’s Internet Crime Complaint Center (IC3), BEC attacks cost US businesses over $2.9 billion in 2023 alone – an increase of nearly 7 percent year over year.  These schemes accounted for more than 21,000 reported incidents and remain one of the costliest forms of cybercrime.  And no organization is immune.

In early 2024, the San Bernardino County Sheriff’s Department lost over $1.1 million after cybercriminals tricked an employee into redirecting payments via a fraudulent email – a textbook example of BEC in action.  With the number and sophistication of BEC attacks continuing to rise, the threat landscape is growing more dangerous by the day.

Organizations must implement best practices and automated tools to mitigate risk and protect against financial losses and data breaches. Here’s how to combat BEC attacks.

What are BEC attacks?

Every accounts payable (AP) professional wants to do their part to keep their organization’s supply chain moving.  And that’s what the fraudsters committing BEC schemes are counting on.

In a BEC scheme, bad actors use email to impersonate a member of an organization’s executive team, a vendor, or other trusted entity to trick recipients into taking actions that benefit the attackers.  BEC attacks can take various forms, including invoice scams and phony bank account change requests.

Worse, fraudsters continuously adapt their tactics to bypass security measures. Successful BEC attacks can result in financial losses, data breaches, and operational disruption.

BEC Characteristics

Here are five key characteristics of BEC attacks:

  • Impersonation.  BEC schemes involve a fraudster impersonating a supplier, CFO, or other senior executive via email, text, or telephone call to trick a recipient into complying with their request to initiate a payment or change the bank account details on file.  Bad actors are counting on AP professionals not questioning requests from suppliers or higher-ups.
  • Fraudulent requests.  The phony emails, texts, and telephone calls in BEC attacks typically contain instructions to initiate wire transfers to a bank account controlled by the fraudster or to provide sensitive information such as login credentials or supplier information.
  • Email spoofing.  Bad actors often spoof email addresses to make it appear as though an email is coming from a legitimate supplier or other trusted source.  To make emails look convincing, fraudsters will spoof a domain or display name (e.g., with a single character changed).
  • Targeted individuals.  BEC attacks target AP professionals and other employees who handle sensitive data, initiate financial transactions, or have access to payment systems. 
  • Social engineering.  The most successful fraudsters manipulate a recipient’s emotions by creating a sense of urgency or importance in the email content.  By doing this, fraudsters hope to get an AP professional to act quickly without verifying the legitimacy of the request.

These tactics can be hard to detect and, if successful, even harder to recover from.

How do you prevent BEC attacks?

Organizations need a combination of employee training, clearly defined procedures, and automation to avoid falling victim to BEC attacks.  Here are six strategies for thwarting BEC attacks:

  • Training.  AP staff are critical to mitigating fraud.  Establish protocols for verifying the identities of suppliers before engaging in financial transactions with them.  Regularly educate staff about the latest BEC schemes.  Teach employees how to recognize suspicious emails and what they should do when they encounter one.  And impress upon staff the importance of never clicking on links or downloading attachments from unknown or unverified senders.
  • Verification.  In many organizations, there are lots of people involved in collecting and verifying supplier information and bank account details.  Things are likely to slip through the cracks if just one person in the process doesn’t follow the organization’s procedures.  That’s why it’s important to create a culture of fraud mitigation.  Ensure that everyone understands their role in mitigating the risk of payment fraud.  Have clearly documented processes for verifying bank account change requests and investigating suspicious requests.  And create a way to share examples of fake bank account change requests that your team identifies.
  • Authentication.  It’s easy for busy AP professionals to fall victim to spoofed emails.  Email authentication protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) can reduce the risk of spoofing and help verify the authenticity of email senders.  Also, consider implementing email filtering solutions that can detect and block suspicious emails, including those with spoofed sender addresses or phishing attempts.
  • Multi-Factor Authentication.  Make it harder for fraudsters to gain unauthorized access to your sensitive banking and finance systems by requiring multi-factor authentication (MFA).  MFA adds an extra layer of security beyond passwords for performing high-risk transactions.
  • Monitoring.  Regularly monitor your organization’s email traffic for anomalies such as unusual login locations or other patterns indicative of BEC attacks.  Early detection of changes in email behavior can help mitigate the potential damage of fraud schemes.
  • Review.  To address evolving threats, regularly review and update your policies and procedures for supplier onboarding and bank account change request verification.
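The spoofing and authentication signals from the bullets above, as an added screening example that is not the article's own code: it reads the SPF/DKIM/DMARC verdicts, catches a look-alike supplier domain (one character changed) and a display name that names a known supplier while the address does not. The supplier domain list and the sample headers are constructed for illustration.

```python
"""Screen an inbound supplier email for BEC indicators (added example)."""
import re

# Constructed allow list; assumption: AP keeps verified supplier domains on file.
KNOWN_SUPPLIER_DOMAINS = {"acme-supply.com", "northwind.example"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_auth_results(header):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def screen_email(from_header, auth_results):
    """Return risk flags for one message; an empty list means nothing fired."""
    flags = []
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>', from_header)
    display, addr = (m.group(1).strip(), m.group(2)) if m else ("", from_header.strip())
    domain = addr.rsplit("@", 1)[-1].lower()
    verdicts = parse_auth_results(auth_results)
    for proto in ("spf", "dkim", "dmarc"):
        if verdicts.get(proto) != "pass":  # anything but an explicit pass is a flag
            flags.append(f"{proto}_{verdicts.get(proto, 'missing')}")
    if domain not in KNOWN_SUPPLIER_DOMAINS:
        for known in sorted(KNOWN_SUPPLIER_DOMAINS):
            if edit_distance(domain, known) <= 1:
                flags.append(f"lookalike_domain:{domain}~{known}")
            # Display name carries a supplier's brand, but the address is not theirs.
            if known.split(".")[0].replace("-", " ") in display.lower():
                flags.append(f"display_name_mismatch:{display}")
    return flags


# Constructed sample: capital I in place of l in the domain, no DKIM, DMARC failing.
SUSPECT_FROM = '"Acme Supply Accounts Receivable" <billing@acme-suppIy.com>'
SUSPECT_AUTH = "mx.example; spf=pass smtp.mailfrom=acme-suppIy.com; dkim=none; dmarc=fail header.from=acme-suppIy.com"
```

Messages that return any flag would be held for the verification step described above rather than acted on by the recipient.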

These measures can significantly reduce the risk of falling victim to BEC attacks.

But the most effective safeguard against BEC schemes is to automate the way your organization onboards suppliers and verifies changes to supplier bank account details.

How do bank account ownership verification solutions prevent BEC?

Automating the verification of bank account ownership adds an extra layer of security to vendor master data management, reducing the likelihood of fraudulent payments to phony bank accounts.

The best self-service portals for supplier onboarding and vendor master database management include built-in capabilities for automatically verifying bank account ownership.

Here’s how bank account verification solutions help organizations avoid falling victim to BEC schemes:

  • Account ownership.  Bank account verification solutions use a global database to verify the owner’s name on a bank account.  The solutions can also determine the location of the account, whether the account is open, and whether any flags are associated with the account.  Any bank account change requests with discrepancies or issues are flagged for review by the operator.
  • Real-time validation.  The best bank account verification solutions perform near real-time validation of bank account information provided by the recipient.
  • Integration.  Automated bank account ownership verification solutions can be integrated with existing security protocols or technologies to enhance the overall security posture of financial transactions and reduce the risk of unauthorized access or fraudulent payments.
  • Tracking.  Automated bank account ownership verification solutions provide auditing and compliance features that allow organizations to track and review transaction activities, maintain compliance with regulatory requirements, and demonstrate adherence to security standards. This helps organizations of all sizes strengthen their defenses against ever-evolving BEC attacks by ensuring transparency and accountability in financial transactions.
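The discrepancy checks the Account ownership bullet describes, as an added example that is not the article's or any product's code: a change request is compared with a verification response (owner name, country, open status, provider flags), and any mismatch routes it to an operator instead of updating the vendor record. Field names and the sample records are assumptions constructed for illustration.

```python
"""Route a supplier bank account change request to review (added example)."""
import re

# Common legal suffixes dropped before comparing names, so "ACME Corp." matches "Acme Corporation".
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "corp", "corporation", "co", "company", "gmbh", "plc"}


def normalize_name(name):
    """Lower-case, keep alphanumeric tokens only, and strip legal suffixes."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def review_change_request(request, verification):
    """Return {'approve': bool, 'reasons': [...]}; any discrepancy means operator review."""
    reasons = []
    if normalize_name(request["vendor_name"]) != normalize_name(verification["account_owner"]):
        reasons.append(f"owner mismatch: {request['vendor_name']!r} vs {verification['account_owner']!r}")
    if request["vendor_country"] != verification["account_country"]:
        reasons.append(f"country mismatch: {request['vendor_country']} vs {verification['account_country']}")
    if not verification["is_open"]:
        reasons.append("account not open")
    for flag in verification.get("flags", []):
        reasons.append(f"provider flag: {flag}")
    return {"approve": not reasons, "reasons": reasons}


# Constructed records: the vendor on file and two verification responses.
REQUEST = {"vendor_name": "ACME Corp.", "vendor_country": "US"}
MATCHING = {"account_owner": "Acme Corporation", "account_country": "US", "is_open": True, "flags": []}
MISMATCHED = {"account_owner": "J. Doe", "account_country": "GB", "is_open": True, "flags": ["recently opened"]}
```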

This is how automated bank account ownership verification can help organizations mitigate the risk of BEC attacks, enhance the security and integrity of transactions, and detect fraudulent activity.

Final Thoughts

The growing threat of BEC attacks underscores the importance of implementing robust security measures and best practices to protect against cyber threats.  By educating employees, implementing email authentication protocols, and leveraging the bank account verification capabilities in self-service portals, organizations can strengthen their defenses, mitigate the risk of BEC attacks, and safeguard their financial assets and sensitive data against unauthorized access and fraudulent activity.

About the Author

Phil Binkow

Phil Binkow is CEO of Financial Operations Networks (FON), developer of VendorInfo, InvoiceInfo and the Vendor Information Management Center of Excellence, a leading suite of software-as-a-service platforms that allow finance teams to onboard, verify and manage suppliers with confidence, reduce cost and risk and strengthen compliance.

Prior to founding Financial Operations Networks, Phil served as CEO of PayTECH, a leading electronic invoice processing, disbursements, and spend analytics platform that supported companies such as Oracle, Cisco, The Gap, Charles Schwab, J.P. Morgan Chase, and NCR. Under Phil, PayTECH grew to process and pay over 100 million invoices annually.

In 2002, FON founded The Accounts Payable Network (TAPN), which grew to become the world’s largest accounts payable training and certification organization.
