fbpx

< Back to Thought Leadership

Payment Re-Direct and Business Email Compromise Fraud Schemes

By Luke Pierce, CPA, Manager, at Blue & Co.

What is a payment re-direct and business email compromise scheme?

A payment re-direct and business email compromise scheme is when a cybercriminal impersonates a company vendor and requests payments to be re-directed to a fraudulent bank account. Not-for-profit businesses have become a frequent target for payment re-direct and business email comprise schemes. These fraud schemes can result in significant financial losses for their victims.

What does this fraud scheme actually look like?

In its simplest form, this fraud scheme may appear as an email from an address that closely mirrors that to which the fraudster is attempting to replicate. For example, accountspayable@microsoft.com may be the email from which organizations usually receive a monthly invoice from Microsoft; the cybercriminal may attempt to impersonate Microsoft using an email address such as accountspayable@microsft.com.

Payment re-direct and business email compromise schemes can also be much more elaborate. Perpetrators of this fraud scheme will often try to initially breach an organization’s information technology system via phishing emails. Once the cybercriminal gains access to entity information, they will then monitor emails and other information exchanges, unbeknownst to the victim. They then use the information they gathered to impersonate an organization’s vendor. This guise can be so elaborate that the victim might receive an invoice that looks exactly like the one they usually receive within an email that’s worded identically to the usual emails from that vendor.

The cybercriminal may also attempt to impersonate an organization employee, business partner, or government agency. In these fraudulent emails, the cybercriminal will request a change in payment information. Once that payment information is updated and the wire transfer made, that money is then irreversibly lost.

Payment re-direct and business email compromise fraud seen by Blue & Co.

A local not-for-profit was recently the victim of a payment re-direct and business email compromise scheme. In this instance, the cybercriminal hacked into the organization’s IT system and gathered information. After a while, the hacker sent an invoice and a change in payment information request form from an address that appeared to be a vendor’s email. The Controller then submitted the invoice and change in payment information request form to the Executive Director. The Controller quickly received a response back from the Executive Director’s email address instructing him to update the payment information and pay the invoice ASAP.

It was not discovered until after the payment information was updated and the wire sent that the email approving the payment and change in vendor information was not sent by the Executive Director, despite it having come from the Executive Director’s actual email address. In this instance, the not-for-profit lost approximately $300,000.

What went wrong in this situation? First, the not-for-profit’s IT security system was insufficient in that a hacker was able to gain access to their system and go undetected. Second, the not-for-profit did not reach out directly to their vendor via phone call or other offline means to verify the legitimacy of the change in payment information request. Lastly, an unwarranted sense of urgency in an email should raise a red flag and follow-up questions should have been asked offline prior to the payment having been made.

How can this type of fraud be prevented?

  • Enhanced IT security
    • Businesses should ensure they have advanced email filtering solutions that can detect and prevent phishing attempts. Strong firewalls should also be in place. Organizations are often hesitant to invest as heavily in IT security as they should; however, IT security is a necessary investment in today’s business environment.
  • Segregation of duties
    • Changes in vendor payment information should be approved by a second individual at the organization prior to any disbursements being made to that vendor and there should be a segregation of duties between the individual who has the ability to modify vendor information and the individual responsible for authorizing vendor payments.
  • Verify change in payment information requests
    • Organizations should verify all change in payment requests with the vendor via offline methods through a known and trusted communication channel, such as a phone call with the account representative at a vendor. Notably, organizations should avoid using contact information included in an email that requested a change in payment information.
  • Educate employees
    • Organizations should train employees to look out for telltale signs of phishing emails, such as unusual attachments, hyperlinks, and words that imply a sense of urgency. This training should occur at time of hire and at least annually thereafter. Many organizations and companies send fake phishing emails to their employees to gauge their workforce’s ability to detect phishing attempts.
  • Monitor and audit transactions
    • Automated monitoring systems can instantly flag transactions it deems to be unusual, allowing businesses the opportunity to prevent a transaction from being executed before it’s too late. Businesses should also perform a manual review of their check register on at least a monthly basis and investigate any unusual disbursements.
  • Use secure payment methods
  • Develop a disaster response plan
    • Organizations should develop a written process plan that details what steps to take in the event they fall victim to a payment re-direct and business email compromise fraud scheme. Freezing bank accounts, notifying banks and vendors, and investigating how the fraud occurred should be components of the disaster response plan.

How Blue & Co. can help

Blue & Co. has recently formed a partnership with Pioneer Technology, LLC to form Blue Pioneer Consulting. Blue Pioneer Consulting specializes in IT assessments, IT support, cybersecurity, data analytics, and technical professional services.

Please visit https://bluepioneerconsulting.com/ for additional information on how Blue Pioneer Consulting can assist with your IT security needs. Blue & Co. can also perform a review of internal control processes to help ensure internal controls are properly designed and implemented to detect and prevent fraud attempts. Contact your local Blue & Co. advisor if you would like to learn more about these services.

office building

Blue & Co., LLC Announces Expansion with Stokes & Housel, CPA

Bedford, Ind. (December 16, 2024) – Blue & Co., LLC, a top-60 accounting and advisory firm with offices in Indiana, Kentucky, Ohio, and Michigan is expanding into Bedford, IN. Effective December […]

Learn More

Benefit Briefs: Navigating Forfeitures in Defined Contribution Plans: Compliance, Usage, and Regulatory Considerations

By Debbie Herbert, CPA, Director at Blue & Co. If your defined contribution plan has a vesting schedule for employer contributions, you may be familiar with the term ‘forfeitures.’ In […]

Learn More
ACH payment

Essential ACH Policies and Controls for Not-for-Profit Organizations

By Karen Dringenburg, CPA, Senior Accountant and Andrew Brock, CPA, Senior Manager at Blue & Co. Are you a not-for-profit entity considering implementing ACH transactions? Or are you wondering if […]

Learn More