Protecting yourself from Business Email Compromise (BEC) schemes
It is increasingly common for cybercriminals to use a tactic called Business Email Compromise (BEC) to commit payments fraud. In this scheme, criminals use email systems to:
- Impersonate an employee or executive requesting that payments be made to an illegitimate vendor or bank account.
- Impersonate an existing vendor via email to provide illegitimate bank account information for future payments.
With BEC becoming an increasing threat, we want to help you understand it and warn you when we see red flags. We show a warning banner on a vendor record and on the bills page if:
- A private vendor (one whose bank account details were entered manually) has had their bank account information changed within the past 30 days, an epayment to them is over $10K, and a payer processes a single payment or a bulk payment
- A private vendor’s email address has changed within the past 30 days, or their email domain is less than 30 days old, an epayment to them is over $10K, and a payer processes a single payment or a bulk payment
These banners will suggest verifying the bank information with the vendor before sending payment.
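The two banner rules above are a small risk-scoring check that any accounts-payable system can apply at payment time. The following is an added example written for this article, not Bill.com's own code: it encodes the 30-day lookback and the "over $10K" epayment threshold exactly as stated, evaluates both single and bulk payments, and returns the warning text a payer should see. The record layout (`Vendor`, `Payment`, the date fields) and the sample vendors are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds taken from the article: 30-day lookback and epayments over $10K.
LOOKBACK_DAYS = 30
AMOUNT_THRESHOLD = 10_000


@dataclass
class Vendor:
    """Vendor record; field names are assumptions for this example (ISO dates)."""
    name: str
    private: bool                                  # bank details entered manually by the payer
    bank_account_changed: Optional[str] = None     # date the bank account was last changed
    email_changed: Optional[str] = None            # date the contact email was last changed
    email_domain_created: Optional[str] = None     # registration date of the email domain


@dataclass
class Payment:
    vendor: Vendor
    amount: float
    method: str                                    # "epayment" or "check"


def _within_lookback(changed: Optional[str], today: str) -> bool:
    """True if the change happened in the last LOOKBACK_DAYS days (not in the future)."""
    if changed is None:
        return False
    age = date.fromisoformat(today) - date.fromisoformat(changed)
    return timedelta(0) <= age <= timedelta(days=LOOKBACK_DAYS)


def payment_warnings(payment: Payment, today: str) -> List[str]:
    """Return the BEC warning banners the article describes for one payment."""
    v = payment.vendor
    warnings: List[str] = []
    # Both rules apply only to private vendors paid electronically above the threshold.
    if not v.private or payment.method != "epayment" or payment.amount <= AMOUNT_THRESHOLD:
        return warnings
    if _within_lookback(v.bank_account_changed, today):
        warnings.append(
            f"{v.name}: bank account changed within the past {LOOKBACK_DAYS} days; "
            "verify the account number with the vendor by phone before sending payment")
    if _within_lookback(v.email_changed, today) or _within_lookback(v.email_domain_created, today):
        warnings.append(
            f"{v.name}: email address changed or domain is newer than {LOOKBACK_DAYS} days; "
            "verify the request with a known contact before sending payment")
    return warnings


def bulk_payment_warnings(payments: List[Payment], today: str) -> Dict[str, List[str]]:
    """Evaluate a bulk payment run; maps vendor name -> warnings, flagged vendors only."""
    flagged: Dict[str, List[str]] = {}
    for p in payments:
        found = payment_warnings(p, today)
        if found:
            flagged.setdefault(p.vendor.name, []).extend(found)
    return flagged


# Constructed sample data for a payment run dated 2024-06-01.
SAMPLE_PAYMENTS = [
    Payment(Vendor("Acme Supplies", True, bank_account_changed="2024-05-20"), 15_000, "epayment"),
    Payment(Vendor("Acme Supplies", True, bank_account_changed="2024-05-20"), 11_000, "epayment"),
    Payment(Vendor("Northwind Print", True, email_changed="2024-05-28"), 12_000, "epayment"),
    Payment(Vendor("Globex", False, bank_account_changed="2024-05-30"), 50_000, "epayment"),  # not private
    Payment(Vendor("Initech", True, bank_account_changed="2024-05-29"), 8_000, "epayment"),   # under $10K
]


def demo_run() -> Dict[str, List[str]]:
    """Run the sample bulk payment through the rules."""
    return bulk_payment_warnings(SAMPLE_PAYMENTS, "2024-06-01")


if __name__ == "__main__":
    for vendor, warnings in demo_run().items():
        for w in warnings:
            print("WARNING", w)
```

The check is deliberately conservative about what it does not flag: a vendor whose details were entered through a trusted channel (here, `private=False`) and payments at or below the threshold pass silently, which is why the phone verification step in the next section still matters for every bank-detail change, not only the ones that trip a banner.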
To help you learn how you can protect yourself and your business from BEC losses, here are some topics to review:
- 5 ways to help guard against BEC
- Other best practices and precautions
- Additional BEC risk mitigation resources
5 ways to help guard against BEC
Here are some recommended best practices and Bill.com features designed to help you protect your business from BEC fraud losses:
- Watch out for impersonators: If you receive payment instructions from an employee or an executive by email, or if you receive updated bank account details from a vendor by email, be sure to follow up with them or a trusted contact by phone to verify their instructions. Never rely on email alone, as the account sending it may have been compromised.
When updating the bank account for a vendor within your Bill.com account, a message is shown reminding you to verify the authenticity of the bank account number if the information was received by email.
A similar message is displayed when paying bills for which the vendor’s bank account information has been updated or if we’ve identified a new vendor’s email address as potentially risky. For example, the email address might have been created recently or could be from an untrusted domain.
- Implement bill approval workflows: Establish a standard bill approval policy and process within Bill.com specifying when two or more users must review and approve each bill before scheduling a payment. Having trusted team members involved will add another layer of scrutiny, and ensure that all bills and payments are legitimate.
- Require bill images for all payments: Submit bill images into your Bill.com Inbox so they can be reviewed by approvers and payers for accuracy and authenticity.
- Invite vendors to join our Bill.com Payments Network: Rather than gathering and updating sensitive vendor bank account information within your Bill.com account, invite your vendors to join our Payments Network so they can safely and securely update their payment information on their own.
- Watch for unusual payment requests: Be extra vigilant with first-time vendors and international payments. Also be wary of rushed or urgent payment requests—don’t cut any corners just to meet a deadline.
Using fraud prevention best practices and processes can help protect your business and reduce the risk of loss. Unfortunately, we cannot guarantee recovery of funds after fraud or error has occurred. As we explain in our Terms of Service, you may be liable for unauthorized or fraudulent payments originated using an authorized user's security credentials.
Other best practices and precautions
Below are additional suggestions for protecting you and your business from BEC:
- Watch for bogus email messages disguised to appear as real: Fraudsters commonly spoof legitimate email domains with ones that look similar (for example, a domain that differs from the real one by a single swapped, added, or dropped character, or by a digit in place of a letter). Hover over the sender address, or open a reply without sending it, to make sure the real address isn't being masked as something it's not. Be suspicious of requests for secrecy or pressure to take action quickly. Immediately report and delete unsolicited email from unknown parties.
- Provide basic training and advanced education for employees to recognize BEC and phishing schemes.
- Be careful what you post to social media and company websites, especially job duties and descriptions, staff hierarchy information, and out-of-office details.
- Make sure temporary staff covering for your payments employees understand that criminals may pose as employees or vendors to try to manipulate them.
- Create intrusion detection system rules that flag email from domains that are similar to, but not the same as, your company's email domain.
- Register look-alike domains that differ only slightly from your actual company domain, so that criminals cannot.
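The "flag email from similar domains" rule above is the one item in this section that can be automated. The following is an added example written for this article, not Bill.com's or any vendor's code: it folds common look-alike characters (for instance "rn" for "m", "1" for "l"), measures edit distance with transpositions against a list of known domains, and also catches a known domain reused as the leading labels of a longer domain. It goes beyond the single case in the text by classifying each sender into trusted, look-alike or unrelated. The known-domain list, the `From:` header lines and the thresholds are constructed assumptions for the example.

```python
import re
from typing import List, Tuple

# Characters and digraphs commonly substituted to forge a look-alike domain (heuristic list).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
MAX_EDIT_DISTANCE = 2            # assumption: small edits on a full domain are suspicious
ADDR_RE = re.compile(r"<?([\w.+-]+)@([\w.-]+)>?")


def normalize(domain: str) -> str:
    """Lower-case and fold homoglyphs so 'exarnp1e.com' compares equal to 'example.com'."""
    d = domain.lower().strip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transposition."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposed neighbours
    return d[-1][-1]


def classify_domain(sender: str, known: List[str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unrelated'."""
    s = sender.lower().strip(".")
    known = [k.lower().strip(".") for k in known]
    # Exact match or a genuine subdomain of a known domain is trusted.
    for k in known:
        if s == k or s.endswith("." + k):
            return "trusted", f"matches known domain {k}"
    s_labels = s.split(".")
    for k in known:
        k_labels = k.split(".")
        # Known domain used as the leading labels of a different domain.
        if s_labels[: len(k_labels)] == k_labels:
            rest = ".".join(s_labels[len(k_labels):])
            return "lookalike", f"{k} appears as a subdomain of {rest}"
        dist = edit_distance(normalize(s), normalize(k))
        if dist <= MAX_EDIT_DISTANCE:
            return "lookalike", f"within {dist} edit(s) of {k} after homoglyph folding"
        # Company name embedded in a longer second-level label, e.g. example-payments.com.
        if k_labels[0] in s_labels[0] and s_labels[0] != k_labels[0]:
            return "lookalike", f"embeds the name '{k_labels[0]}'"
    return "unrelated", "no known domain matched"


def scan_from_headers(lines: List[str], known: List[str]) -> List[Tuple[str, str, str]]:
    """Classify the sender domain of each From: header line; returns (address, verdict, reason)."""
    results = []
    for line in lines:
        m = ADDR_RE.search(line)
        if not m:
            continue
        local, domain = m.group(1), m.group(2)
        verdict, reason = classify_domain(domain, known)
        results.append((f"{local}@{domain}", verdict, reason))
    return results


# Constructed sample data: the company's own domain plus a known vendor's domain.
KNOWN_DOMAINS = ["example.com", "acme-supplies.test"]
SAMPLE_HEADERS = [
    "From: AP Team <ap@example.com>",
    "From: Jane (CFO) <jane@exarnple.com>",
    "From: Accounts <ar@acme-supp1ies.test>",
    "From: Payroll <payroll@example.com.secure-login.test>",
    "From: Newsletter <news@github.com>",
]

if __name__ == "__main__":
    for address, verdict, reason in scan_from_headers(SAMPLE_HEADERS, KNOWN_DOMAINS):
        print(f"{verdict:9} {address:45} {reason}")
```

Treat a "lookalike" verdict as a reason to route the message for human review rather than to block it outright: the homoglyph table and the fixed edit-distance threshold are heuristics, and short domains will produce some false positives, while a fraudster who registers a completely different domain and simply forges the display name will not be caught by domain comparison at all. That last case is exactly why the phone verification advice earlier in this article applies regardless of what automated checks report.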
What if I’ve been targeted?
If you believe you’re a victim of a BEC attack, report it to your bank and to local law enforcement immediately. You can also submit a report to the FBI’s Internet Crime Complaint Center (IC3). If the fraud amount is significant, contact your local FBI field office.
If you believe that your Bill.com account has been compromised, please contact our Support team immediately.
If you want to learn more about BEC and other best practices, here are several articles for more information:
- FBI Public Service Announcement
- Short PSA video from the FBI on BEC
- FBI article regarding BEC
- Better Business Bureau article on BEC
The information provided in this article is intended only to be a resource to help Bill.com users protect themselves against cyberfraud. It does not provide a comprehensive list of all types of cyberfraud activities, or identify all types of cybersecurity best practices. Bill.com does not represent or warrant that using the best practices or other recommendations contained in this article will prevent BEC or any other type of payment fraud or cyberfraud.