Business Email Compromise and Vendor Impersonation Fraud: What You Need to Know

Financial institutions and business entities should be alert to Business Email Compromise and Vendor Impersonation Fraud, which can be either cyberattacks or social engineering schemes used to convince authorized personnel to submit payments to improper accounts or individuals.

Sound Business Practices to Mitigate Risk

Business Email Compromise and Vendor Impersonation Fraud, whether through stealing a business’s email credentials or by impersonating a legitimate business via email, phone, fax or letter, represent a risk to ACH Network participants even though the roots of this criminal activity are not in banking systems themselves. In other words, Business Email Compromise and Vendor Impersonation Fraud are about compromised credentials or gaps in processes or procedures, not about a direct compromise of the ACH Network or other payment systems.

With Business Email Compromise, legitimate business email accounts are compromised and used to send payment instructions to personnel authorized to conduct financial transactions for the business. The criminal will often compromise the account of one of the business’s officers and monitor it for patterns, contacts and information. The criminal will often wait until the officer is away on business to use the compromised email account to send payment instructions. This makes the payment instructions more difficult to verify and, at the same time, seemingly more legitimate. The payment instructions direct money to an account controlled by the criminal.

In instances of Vendor Impersonation Fraud, criminals impersonate a legitimate vendor or contractor and contact businesses or public-sector entities requesting to update account information. Contact can come in the form of an email, telephone call, fax, or traditional letter. In each case, the vendor account information is updated with the account number and routing information of an account owned by the fraudster. When a legitimate invoice is received, the entity processes a payment to the criminal account, resulting in a loss to the entity. Social engineering techniques have grown more sophisticated over time. Fraudsters may create email addresses that are similar to the actual email address, making them difficult to spot; written correspondence may appear to be printed on legitimate letterhead or stationery.
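The lookalike-address problem described above is one of the few parts of this scheme a system can check mechanically. The following is an added example, not part of the advisory and not a Nacha tool: it compares the sender of a payment-instruction change request with the vendor address already on file and flags mailboxes on the same domain, confusable-character substitutions (such as "rn" for "m"), one- or two-edit typosquats, and the vendor's domain embedded in an unrelated domain. The confusables table, the vendor address and the sample senders are constructed for illustration.

```python
"""Lookalike-sender check for vendor email (added example, constructed data)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Substitutions fraudsters commonly use for visually similar characters.
# Assumption: a small illustrative table, not an exhaustive confusables list.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
               "vv": "w", "rn": "m", "cl": "d"}


@dataclass(frozen=True)
class Verdict:
    status: str   # "match", "lookalike" or "unrelated"
    reason: str


def canonical(domain: str) -> str:
    """Lower-case the domain and fold confusable sequences to their lookalike.

    Applied to both sides, so a legitimate domain containing e.g. "rn" still
    compares equal to itself; the fold only serves to line up substitutions.
    """
    d = domain.lower().strip()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so the quadratic loop is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_address(addr: str) -> tuple[str, str]:
    """Return (local part, domain), both lower-cased."""
    m = re.fullmatch(r"\s*([^@\s]+)@([^@\s]+)\s*", addr)
    if not m:
        raise ValueError(f"not a plain email address: {addr!r}")
    return m.group(1).lower(), m.group(2).lower()


def assess_sender(on_file: str, observed: str, max_distance: int = 2) -> Verdict:
    """Compare the observed sender with the vendor address on file."""
    file_local, file_domain = split_address(on_file)
    obs_local, obs_domain = split_address(observed)

    if obs_domain == file_domain:
        if obs_local == file_local:
            return Verdict("match", "exact match with address on file")
        return Verdict("lookalike", "same domain, different mailbox; confirm out of band")

    # "acrne-supply.com" folds to "acme-supply.com".
    if canonical(obs_domain) == canonical(file_domain):
        return Verdict("lookalike", "domain differs only by confusable characters")

    # Typosquat: a letter added, dropped or swapped, or an extra hyphen.
    dist = levenshtein(obs_domain, file_domain)
    if dist <= max_distance:
        return Verdict("lookalike", f"domain is {dist} edit(s) from the domain on file")

    # Vendor's domain label reused inside another domain, e.g.
    # "acme-supply-invoices.com" or "acme-supply.com.mail-portal.example".
    file_label = file_domain.split(".")[0]
    if file_label and file_label in obs_domain:
        return Verdict("lookalike", "domain on file embedded in an unrelated domain")

    return Verdict("unrelated", "domain does not resemble the domain on file")


if __name__ == "__main__":
    vendor_on_file = "ap@acme-supply.com"   # constructed address on file
    for sender in ["ap@acme-supply.com", "ap@acrne-supply.com",
                   "ap@acme-suppIy.com", "ap@acme-supply-invoices.com",
                   "ap@example.org"]:
        v = assess_sender(vendor_on_file, sender)
        print(f"{sender:32} {v.status:10} {v.reason}")
```

A "lookalike" verdict is a reason to route the request to the out-of-band verification step, not a reason to reject it outright; a "match" verdict is not proof of legitimacy either, because a compromised mailbox matches exactly.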

Although any business entity could be the target of this form of social engineering, public-sector entities seem to be specifically targeted because their contracting information is typically a matter of public record. Fraudsters use information from such public records to impersonate legitimate contractors more convincingly.

Sound Business Practices

Each financial institution should evaluate its risk profile with regard to Business Email Compromise and Vendor Impersonation Fraud, and develop and implement sound business practices to mitigate the associated risks. Such a plan should be appropriate to the unique circumstances of the financial institution’s business and clientele. Examples of sound business practices for financial institutions include:
  • Recommend to your originators that they use dual control for payment file initiation.
  • Encourage the use of value-added services like positive-pay, debit blocks, and tokens to enhance account security.
  • Educate business clients and consumers on prevention, detection and reporting measures.
  • Encourage daily review of accounts.
Likewise, each business or public-sector entity should evaluate its risk profile with regard to Business Email Compromise and Vendor Impersonation Fraud. Examples of sound business practices for businesses and public-sector entities include:
  • Initiate files using dual control — for example, file creation by one employee and file approval and release by another employee on a different computer.
  • Authenticate requests by vendors to make a payment or change payment instructions, and independently verify any change in payment instructions. Use known contact information rather than confirming via contact information provided on the change request.
  • Never provide passwords, usernames, authentication tools or account information when contacted. Financial institutions will not ask for this information. If in doubt, use a known contact list or publicly available contact information to confirm the validity of the contact.
  • Don’t provide other non-public information. Seemingly innocent information can be used to make a fraudster believable when they contact others within the same organization.
  • Make ACH payment/information forms available only via secure means.
  • Calls received from the business’s financial institution questioning the legitimacy of a payment should be taken seriously.
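The two controls that do the most work in the list above, independent verification through contact details already on file and dual control over the change itself, can be enforced in software rather than left to procedure. The following is an added example, not part of the advisory and not code from any payments vendor: it models a vendor payment-instruction change as a small state machine that refuses to verify through a number supplied in the request, refuses approval by the employee who logged the request or from the same workstation, and only then produces the updated vendor record. Vendor records, names and numbers are constructed for illustration.

```python
"""Dual control and out-of-band verification for a vendor bank-detail change.
Added example with constructed data; not the advisory's own procedure."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    contact_phone: str     # verified at onboarding; the only number used for callbacks
    routing_number: str
    account_number: str


@dataclass(frozen=True)
class ChangeRequest:
    vendor_id: str
    new_routing: str
    new_account: str
    callback_phone: str    # number supplied *in the request*; never used for verification
    received_by: str       # employee who logged the request
    workstation: str       # workstation it was logged from


@dataclass
class ChangeState:
    request: ChangeRequest
    verified_via: str | None = None
    approved_by: str | None = None
    approver_workstation: str | None = None
    log: list[str] = field(default_factory=list)


class ControlViolation(Exception):
    """Raised when a step would bypass one of the controls."""


def verify_out_of_band(state: ChangeState, vendor: VendorRecord,
                       number_called: str, vendor_confirmed: bool) -> ChangeState:
    """Record an independent callback; the number dialled must be the one on file."""
    if number_called != vendor.contact_phone:
        raise ControlViolation(
            f"callback must use the contact on file for {vendor.vendor_id}, "
            f"not {number_called}")
    if not vendor_confirmed:
        state.log.append("vendor did not confirm the change; request rejected")
        raise ControlViolation("vendor did not confirm the change")
    state.verified_via = number_called
    state.log.append(f"change confirmed by vendor via {number_called}")
    return state


def approve(state: ChangeState, approver: str, workstation: str) -> ChangeState:
    """Second-person approval from a different workstation, after verification."""
    req = state.request
    if state.verified_via is None:
        raise ControlViolation("cannot approve before independent verification")
    if approver == req.received_by:
        raise ControlViolation("dual control: approver must differ from the employee "
                               "who logged the request")
    if workstation == req.workstation:
        raise ControlViolation("dual control: approval must come from a different workstation")
    state.approved_by = approver
    state.approver_workstation = workstation
    state.log.append(f"approved by {approver} on {workstation}")
    return state


def apply_change(state: ChangeState, vendor: VendorRecord) -> VendorRecord:
    """Produce the updated record. The contact on file is deliberately left unchanged."""
    if state.verified_via is None or state.approved_by is None:
        raise ControlViolation("change is not both verified and approved")
    if state.request.vendor_id != vendor.vendor_id:
        raise ControlViolation("request does not match the vendor record")
    return VendorRecord(vendor.vendor_id, vendor.contact_phone,
                        state.request.new_routing, state.request.new_account)


if __name__ == "__main__":
    vendor = VendorRecord("V-100", "+1-555-0100", "000000000", "111111111")  # constructed
    req = ChangeRequest("V-100", "123456789", "999888777",
                        callback_phone="+1-555-0199", received_by="alice", workstation="ws-01")
    state = ChangeState(req)
    try:
        verify_out_of_band(state, vendor, req.callback_phone, True)   # number from the request
    except ControlViolation as e:
        print("blocked:", e)
    verify_out_of_band(state, vendor, vendor.contact_phone, True)     # number on file
    approve(state, "bob", "ws-02")
    print(apply_change(state, vendor))
    print("\n".join(state.log))
```

Keeping the contact number out of the change request is the point of the design: if a single request could update both the bank details and the phone used to verify them, the callback would confirm the change with whoever wrote the request.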