It is increasingly common for cybercriminals to use a tactic called Business Email Compromise (BEC) to commit payments fraud. In this scheme, criminals use email systems to:
- Impersonate an employee or executive requesting that payments be made to an illegitimate vendor or bank account
- Impersonate an existing vendor via email to provide illegitimate bank account information for future payments.
With BEC becoming an increasing threat, we'd like to be able to help you understand this threat and warn you if we see any red flags. You will see banners similar to the ones shown below:
When you see these banners, pay extra attention and validate the bank information and payment instructions before initiating the payment.
To help you learn how you can protect yourself and your business from BEC losses, here are some topics to review:
6 ways to help guard against BEC
Here are some recommended best practices and Bill.com features designed to help you protect your business from BEC fraud losses:
- Watch out for impersonators: If you receive payment instructions from an employee or an executive by email, or if you receive bank account updates from a vendor by email, be sure to follow up with them or a trusted contact by phone to verify their instructions. Never rely on email alone, as the sender's mailbox may have been compromised.
- Implement bill approval workflows: Establish a standard bill approval policy and process within Bill.com specifying when two or more users must review and approve each bill before scheduling a payment. Having trusted team members involved will add another layer of scrutiny, and ensure that all bills and payments are legitimate.
- Require bill images for all payments: Submit bill images into your Bill.com Inbox so they can be reviewed by approvers and payers for accuracy and authenticity.
- Invite vendors to join our Bill.com Payments Network: Rather than gathering and updating sensitive vendor bank account information within your Bill.com account, invite your vendors to join our Payments Network so they can safely and securely update their payment information on their own.
- Watch for unusual payment requests: Be extra vigilant with first-time vendors and international payments. Also be wary of rushed or urgent payment requests—don’t cut any corners just to meet a deadline.
- If your account qualifies, use our new Dual Control feature. Dual Control provides extra security and control by requiring 2 people to approve an action. When Dual Control is enabled, a single user can initiate an action, but a second user is required to approve it.
Using fraud prevention best practices and processes can help protect your business and reduce the risk of loss. Unfortunately, we cannot guarantee recovery of funds after fraud or error has occurred. As we explain in our Terms of Service, you may be liable for unauthorized or fraudulent payments originated using an authorized user's security credentials.
Other best practices and precautions
Below are additional suggestions for protecting you and your business from BEC:
- Watch for bogus email messages disguised to appear as real: Fraudsters commonly spoof legitimate email domains with ones that look similar (for example, a domain with a single letter swapped, added, or removed).
- Hover over the sender address, and check where a reply would actually go, to make sure the address isn't being masked as something it's not. Be suspicious of requests for secrecy or pressure to take action quickly.
- Immediately report and delete unsolicited email from unknown parties.
- Provide basic training and advanced education for employees to recognize BEC and phishing schemes.
- Be careful what you post to social media and company websites, especially job duties and descriptions, staff hierarchy information, and out-of-office details.
- Make sure temporary staff covering for your payments employees understand that criminals may pose as employees or vendors to try to manipulate them.
- Create intrusion detection system rules that flag emails whose sender domains are similar to your company's email domain.
- Register lookalike variants of your company domain (domains that differ only slightly from the real one) so that criminals cannot.
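The two checks described above, spotting lookalike sender domains and spotting a reply address that is masked or differs from the visible sender, can be automated in a mail filter. The following is an added example, not Bill.com code and not from any of the referenced FBI or BBB material; the company domain `example-corp.com`, the confusable-character table, and the four sample messages are all constructed for the illustration. It flags three things: a From domain within two edits of the company domain (or identical once look-alike characters such as "rn" for "m" are folded), a Reply-To domain that differs from the From domain, and a display name that is itself an email address for a different domain than the real sender.

```python
import email
from email.utils import getaddresses

# Assumed for this example: the legitimate domain this organisation sends mail from.
COMPANY_DOMAIN = "example-corp.com"

# Constructed mini-table of character sequences that render like another in many fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "5": "s"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(domain: str) -> str:
    """Lower-case a domain and collapse look-alike sequences so 'exarnple' reads as 'example'."""
    out = domain.lower()
    for seq, repl in CONFUSABLES.items():
        out = out.replace(seq, repl)
    return out


def domain_of(addr: str) -> str:
    """Return the domain part of an e-mail address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """True for a domain that is not ours but is within two edits of it,
    or that becomes identical to ours once confusable characters are folded."""
    if not domain or domain == legit:
        return False
    return fold_confusables(domain) == fold_confusables(legit) or levenshtein(domain, legit) <= 2


def analyze(raw_message: str) -> list:
    """Parse one RFC 822 message and return a list of red-flag strings (empty if clean)."""
    msg = email.message_from_string(raw_message)
    flags = []
    from_pairs = getaddresses(msg.get_all("From", []))
    reply_pairs = getaddresses(msg.get_all("Reply-To", []))

    for name, addr in from_pairs:
        dom = domain_of(addr)
        if is_lookalike(dom):
            flags.append(f"lookalike-domain:{dom}")
        # A display name that looks like an address on another domain is masking the real sender.
        if "@" in name and domain_of(name) != dom:
            flags.append(f"display-name-masking:{name}->{addr}")

    from_domains = {domain_of(a) for _, a in from_pairs}
    for _, addr in reply_pairs:
        rd = domain_of(addr)
        if rd and rd not in from_domains:
            flags.append(f"reply-to-mismatch:{rd}")
        if is_lookalike(rd) and f"lookalike-domain:{rd}" not in flags:
            flags.append(f"lookalike-domain:{rd}")
    return flags


# Constructed sample messages: one clean, three showing the patterns described above.
SAMPLES = {
    "legitimate": "From: Jane Doe <jane@example-corp.com>\nSubject: Q3 invoices\n\nAttached.\n",
    "lookalike": "From: CFO <cfo@exarnple-corp.com>\nSubject: Urgent wire\n\nPlease pay today.\n",
    "reply_to": ("From: Acme Supplies <billing@acme-supplies.example>\n"
                 "Reply-To: billing@acme-supplies-updates.example\n"
                 "Subject: New bank details\n\nOur account has changed.\n"),
    "masked": ('From: "cfo@example-corp.com" <random123@mail.example.net>\n'
               "Subject: Confidential\n\nKeep this between us.\n"),
}


def scan(messages: dict) -> dict:
    """Run analyze() over a mapping of message id -> raw text."""
    return {mid: analyze(raw) for mid, raw in messages.items()}


if __name__ == "__main__":
    for mid, flags in scan(SAMPLES).items():
        print(f"{mid:11s} {flags or 'no red flags'}")
```

The edit-distance threshold of two is deliberately loose; in a real filter you would tune it per domain length and whitelist known partner domains, and feed the flags into the mail gateway or SIEM rather than printing them.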
What if I’ve been targeted?
If you believe you’re a victim of a BEC attack, report it to your bank and to local law enforcement immediately. You can also submit a report to the FBI’s Internet Crime Complaint Center (IC3). If the fraud amount is significant, contact your local FBI field office.
If you believe that your Bill.com account has been compromised, please contact our Support team immediately.
If you want to learn more about BEC and other best practices, here are several articles for more information:
- FBI Public Service Announcement
- Short PSA video from the FBI on BEC
- FBI article regarding BEC
- Better Business Bureau article on BEC
The information provided in this article is intended only to be a resource to help Bill.com users protect themselves against cyberfraud. It does not provide a comprehensive list of all types of cyberfraud activities, or identify all types of cybersecurity best practices. Bill.com does not represent or warrant that using the best practices or other recommendations contained in this article will prevent BEC or any other type of payment fraud or cyberfraud.