Business E-Mail Compromise Attacks: Another Reason to Automate AP

Posted by Thomas Nappi on Jan 30, 2020 2:31:30 PM

Watch out! Accounts payable departments like yours are falling prey to an insidious new fraud scheme: Business E-Mail Compromise.

Business E-Mail Compromise (BEC)

Business E-mail Compromise (or BEC) attacks are schemes where fraudsters impersonate legitimate suppliers and trick businesses into making payments into a bank account that the fraudster controls.

It used to be that fraudsters would spend hours sending phishing emails to numerous random e-mail addresses.  It didn’t take much for businesses to easily identify these e-mails as spam, so the phishing e-mails were rarely successful (apologies if you fell victim to them!).  The bad guys figured this out.

Nowadays, fraudsters do some research on a target first before launching an e-mail attack.

The fraudsters select the business on which to launch a BEC attack, then use social engineering to determine who that business's key suppliers and senior executives are (ensuring that they have the exact names). The fraudsters then decide who their victim will be within the business. They will usually select someone in the finance department who manages money, or an accounts payable leader.

The fraudster then sends an e-mail impersonating a supplier or the target’s CEO or CFO. The goal is to trick the person in treasury or accounts payable into initiating one or more electronic payments. In many cases, the e-mail will refer to the need for fast payment for expedited shipment of goods.

Once the money is deposited into the fraudster's account, it is quickly whisked away, typically to banks in a faraway country where the funds are harder to track and recover.

The financial losses can be massive.  And fraudsters are targeting companies of all sizes.

Many fraudsters try to trick companies into paying via wire transfer. But BEC attacks are also affecting ACH payments, which have long been perceived as being secure. ACH debit fraud has increased to record levels and continues its upward trend, per the Association for Financial Professionals (AFP). There has been a steady increase in ACH credit fraud since 2012.

Here’s the good news: accounts payable automation can help you identify and avoid BEC attacks.

  • e-mail servers can be configured to identify e-mails that originate from outside your domain – making it easier to spot cases where someone is impersonating a CFO or other senior executive
  • intelligent workflows can ensure that invoices go through proper channels for payment
  • business rules for high-dollar invoices can be pre-set to require senior management approval
  • intelligent workflows can out-sort any e-mails that aren’t associated with a PO in your ERP
  • a portal empowers vendors to make changes to bank account information themselves, providing a clue to accounts payable staff that e-mail requests to change bank information may not be legitimate
  • business intelligence can highlight unusual trends in a supplier’s invoicing activity, such as a sudden spike in invoice volume or a large increase in the amount of money being invoiced
  • a vendor management system can house complete contact information for a supplier contact to confirm changes to bank account information or unexpected invoices regarding fast shipment
  • a vendor management system can help accounts payable staff quickly identify anomalies in e-mails requesting prompt payments, enabling staff to confirm bank account changes via phone
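
Several of the controls listed above can be combined into a single screening step for inbound payment requests. The sketch below is an added example, not code from the original post or from any AP product; the company domain, executive names, PO numbers, account identifiers and approval threshold are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample data: every name, domain, PO and account below is hypothetical.
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"jane smith", "robert lee"}       # exact names an impersonator would copy
OPEN_POS = {"PO-1001": "acme-supply", "PO-1002": "globex"}   # PO -> vendor (from the ERP)
VENDOR_MASTER = {"acme-supply": "ACCT-ACME-0001", "globex": "ACCT-GLOBEX-0001"}
APPROVAL_THRESHOLD = 25_000                     # assumed high-dollar limit

def screen_request(from_header, po_number, bank_account, amount):
    """Return the reasons a payment request must be held for review."""
    flags = []
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    # Mail from outside the domain that carries an executive's display name
    if domain != COMPANY_DOMAIN and display.strip().lower() in EXECUTIVES:
        flags.append("external sender using executive display name")
    # Request that is not associated with a PO in the ERP
    vendor = OPEN_POS.get(po_number)
    if vendor is None:
        flags.append("no matching PO")
    # Bank details that differ from the vendor record: confirm out of band
    elif VENDOR_MASTER[vendor] != bank_account:
        flags.append("bank account differs from vendor master; confirm by phone")
    # High-dollar rule
    if amount >= APPROVAL_THRESHOLD:
        flags.append("senior management approval required")
    return flags

# Constructed requests: CEO impersonation, changed bank details, and a clean invoice.
REQUESTS = [
    {"from_header": '"Jane Smith" <jane.smith@example-corp-mail.test>',
     "po_number": None, "bank_account": "ACCT-UNKNOWN-9999", "amount": 48_000},
    {"from_header": "Acme Billing <billing@acme-supply.test>",
     "po_number": "PO-1001", "bank_account": "ACCT-UNKNOWN-9999", "amount": 9_000},
    {"from_header": "Acme Billing <billing@acme-supply.test>",
     "po_number": "PO-1001", "bank_account": "ACCT-ACME-0001", "amount": 9_000},
]

if __name__ == "__main__":
    for req in REQUESTS:
        reasons = screen_request(**req)
        print("HOLD" if reasons else "RELEASE", req["from_header"], reasons)
```
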

Don’t be duped by fraudsters.

The combination of vigilance and the capabilities in an automated accounts payable solution can help your business mitigate the significant risks of the growing threat of BEC attacks.
