It is increasingly common for cybercriminals to use a tactic called Business Email Compromise (BEC) to commit payments fraud. In this scheme, criminals use email systems to:
- Impersonate an employee or executive requesting that payments be made to an illegitimate vendor or bank account
- Impersonate an existing vendor via email to provide illegitimate bank account information for future payments.
To help you learn how you can protect yourself and your business from BEC losses, this article outlines:
- 5 ways to help guard against BEC
- Other best practices and precautions
- Additional BEC risk mitigation resources
Here are some recommended best practices and Bill.com features designed to help you protect your business from BEC fraud losses:
- Watch out for impersonators: If you receive payment instructions from an employee or an executive by email, or if you receive bank account number updates to bank from a vendor by email, be sure to follow up with them or a trusted contact by phone to verify their instructions.
- Never rely on email alone, as it may have been compromised.
- When updating the bank account for a vendor within your Bill.com account, a message is shown reminding you to verify the authenticity of the bank account number if the information was received by email.
- If you are removing an existing bank account from a vendor in your account, you must check the confirmation box on the warning popup to continue with the change
- A similar message is displayed when paying bills for which the vendor’s bank account information has been updated or if we’ve identified a new vendor’s email address as potentially risky.
- For example, the email address might have been created recently or could be from an untrusted domain.
- Implement bill approval workflows: Establish a standard bill approval policy and process within Bill.com specifying when two or more users must review and approve each bill before scheduling a payment. Having trusted team members involved will add another layer of scrutiny, and ensure that all bills and payments are legitimate.
- Require bill images for all payments: Submit bill images into your Bill.com Inbox so they can be reviewed by approvers and payers for accuracy and authenticity.
- Invite vendors to join our Bill.com Payments Network: Rather than gathering and updating sensitive vendor bank account information within your Bill.com account, invite your vendors to join our Payments Network so they can safely and securely update their payment information on their own.
- Watch for unusual payment requests: Be extra vigilant with first-time vendors and international payments. Also be wary of rushed or urgent payment requests—don’t cut any corners just to meet a deadline.
Using fraud prevention best practices and processes can help protect your business and reduce the risk of loss. Unfortunately, we cannot guarantee recovery of a funds after fraud or error has occurred. As we explain in our Terms of Service, you may be liable for unauthorized or fraudulent payments originated using an authorized users' security credentials.
Below are additional suggestions for protecting you and your business from BEC:
- Watch for bogus email messages disguised to appear as real:
- Fraudsters commonly spoof legitimate email domains with ones that look similar (e.g., firstname.lastname@example.org or email@example.com instead of firstname.lastname@example.org).
- Hover over or reply to an email address to make sure it isn’t being masked as something it’s not.
- Be suspicious of request for secrecy or pressure to take action quickly.
- Immediately report and delete unsolicited email from unknown parties.
- Provide basic training and advanced education for employees to recognize BEC and phishing schemes.
- Be careful what you post to social media and company websites, especially job duties and descriptions, staff hierarchy information, and out-of-office details.
- Make sure temporary staff covering for your payments employees understand that criminals may pose as employees or vendors to try and manipulate them.
- Create intrusion detection system rules that flag emails with extensions that are similar to company email.
- Register all company domains that are slightly different than the actual company domain.
What if I’ve been targeted?
If you believe you’re a victim of a BEC attack, report it to your bank and to local law enforcement immediately. You can also submit a report to the FBI’s Internet Crime Complaint Center (IC3). If the fraud amount is significant, contact your local FBI field office.
If you believe that your Bill.com account has been compromised, please contact our Support team immediately.
- FBI Public Service Announcement
- Short PSA video from the FBI on BEC
- FBI article regarding BEC
- Better Business Bureau article on BEC
The information provided in this article is intended only to be a resource to help Bill.com users protect themselves against cyberfraud. It does not provide a comprehensive list of all types of cyberfraud activities, or identify all types of cybersecurity best practices. Bill.com does not represent or warrant that using the best practices or other recommendations contained in this article will prevent BEC or any other type of payment fraud or cyberfraud.