How to Protect the AP Team
Picture this: You receive an email from one of your company’s vendors requesting an urgent update to their payment information. You have a strong relationship with this vendor, so you comply without a second thought — unaware that you’ve just fallen victim to a BEC (business email compromise) scam.
BEC is a form of cybercrime in which attackers impersonate or manipulate legitimate email accounts to deceive individuals from an organization into sharing sensitive information or transferring funds. BEC has emerged as one of the most financially draining online crimes, impacting businesses of all sizes across industries. From impersonating CEOs to infiltrating a vendor’s system, fraudsters are doing whatever they can to access companies’ sensitive data and payment information. Recent months have even seen a spike in BEC attempts related to the regional banking crisis that began earlier in 2023. In this article, we’ll answer who is most often targeted in BEC attacks and how companies can protect themselves.
While these scams continue to pose a major threat, organizations can prevent their employees from falling victim to BEC by implementing ongoing employee training and regular security checks.
What is BEC?
BEC is a type of social engineering attack that occurs when fraudsters gain access to an organization’s email system and impersonate a vendor, supplier, or senior executive to deceive an employee into providing sensitive information or transferring funds.
Unlike phishing attack emails that adversaries send to a wider audience, BEC emails are highly targeted and personalized, creating a sense of urgency. Accounts Payable (AP) teams remain a prime target for these scams because they have access to sensitive payment account information for vendors.
How do BEC Emails Work?
Scammers who impersonate vendors in BEC emails often request updates to bank account information, alongside a request for payment. If the target falls for the scam, that payment is then sent to the fraudster’s bank account instead of that of the legitimate vendor.
These emails are meticulously researched and often appear to come from someone in authority or a trusted vendor. Their one-to-one nature gives BEC emails a higher chance of bypassing email security measures. That’s especially true when the targeted organization relies on manual processes, which increases the risk of human error and unlocks a greater potential for fraudulent emails to slip through the cracks.
The State of BEC Emails
With the collapse of Silicon Valley Bank, some experts believe that new opportunities for scammers will arise. Hackers and scammers often take advantage of uncertainty in the marketplace, exploiting weaknesses they see. Ashley Alloca, an intelligence analyst at Flashpoint, told the Washington Post, “Financially motivated actors are always going to be opportunistically acting on targeting whatever that newsworthy event is, so there’s a blueprint that’s already in place.” As a result, companies must be vigilant in terms of their cybersecurity training, while ensuring tools such as automation can help mitigate risk across the organization.
Even before these new challenges, BEC attacks were already on the rise, increasing 81% in 2022 and 175% when compared with metrics from two years ago. Employees responded to 15% of these emails, creating concern for companies looking to secure themselves against invoice fraud and scammers.
Common Types of Fraudulent Email Scams
According to the 2023 Cybersecurity Assessment report from Bitdefender, one out of four executives wish that they could dispel the belief amongst employees that emails entering the corporate system are safe. BEC emails encompass a range of deceptive tactics used to trick employees into sending money or releasing sensitive information. Some common tactics include:
- Hijacking an email chain or correspondence: Fraudsters compromise legitimate accounts to gain access to ongoing email conversations and manipulate them to mislead recipients into making fraudulent payments.
- Sending a fake email with an email address similar to a real vendor’s: Attackers create email addresses that closely resemble those of legitimate vendors to trick recipients into transferring funds.
- Impersonating CEOs, executives, or lawyers: Scammers impersonate high-ranking executives or attorneys to coerce employees into initiating unauthorized transactions.
Who is Most Often Targeted in BEC Style Emails?
While conventional wisdom suggests that only large companies and high-level executives are targeted, the reality is that BEC scams can impact individuals at organizations of any size. However, small and mid-sized businesses (SMBs) are most commonly targeted due to their potentially less sophisticated security solutions and processes. Although the prospective payout may be smaller, fraudsters have a higher likelihood of success when targeting employees at organizations of this size.
Moreover, individuals with access to sensitive information or financial or payment systems — like AP personnel — are prime targets for BEC attacks. In fact, BEC was cited as the second most common source of payments fraud in the Association of Financial Professionals’ annual payments fraud survey, with over half of all respondents claiming their organization was targeted.
How BEC Emails Infiltrate Companies
Several factors contribute to the infiltration of BEC emails into companies:
Employees may unknowingly fall victim to BEC scams due to a lack of awareness or training. BEC preys on humans as the weakest link, and because the emails are individualized they can often bypass security filters.
Lack of automation
Manual processes increase the risk of errors and make it easier for fraudulent emails to go undetected or payment details unverified.
Similar email characters
Attackers exploit the similarity between email addresses to deceive recipients into thinking the email is legitimate. For example: The email [email protected] looks similar to [email protected] when conducting a quick scan.
If a vendor’s email account is compromised, scammers can use the actual compromised email address to carry out fraudulent activities. Vendor fraud can be extremely difficult to detect and combat without the necessary tools in place.
What Are the Consequences of Falling for a BEC Email?
Falling for a BEC email can have severe consequences for organizations, including:
Unauthorized payments and fraudulent transactions can lead to significant financial losses due to legal expenses, direct monetary losses, regulatory penalties, reimbursement costs, and incident response and recovery.
Damaged vendor relationships
Successful BEC attacks can damage trust and strain relationships with both current and potential vendors.
Businesses that fall victim to BEC scams risk tarnishing their brand reputations, which can have long-term effects on customer trust.
These consequences can have a lasting impact on bottom lines at organizations of all sizes. But the good news is that there are proactive steps you can take today to protect your AP team and other employees from BEC emails.
11 Steps to Protecting the AP Team From BEC Emails
From educating employees about the risks of BEC emails to implementing the right automated controls, there are multiple ways you can ensure your organization is equipped to navigate even the most sophisticated BEC and invoice fraud scams.
1. Conduct Regular Employee Trainings
Conduct regular training sessions to educate AP team members about the risks of BEC emails, common red flags, and best practices for identifying and handling suspicious emails. Your Information Security team may even opt to send test emails and verify whether employees are savvy to BEC tactics and using any available tools to report suspected attacks.
2. Have a Strong Process for Enrolling Vendors
Strong internal controls in AP can help mitigate the risk of payment fraud attacks, which affected 71% of organizations in 2021. Implement a robust process for enrolling new vendors, including verifying their legitimacy and contact information, which helps mitigate the risk of falling victim to BEC scams.
An AP automation tool like MineralTree proactively notifies teams whenever payment information is changed in the platform. As a result, AP teams can quickly confirm changes if they see anything suspicious in the platform.
3. Cross-Check Vendor Information
Continuously compare invoice data with previous payments and information stored in your organization’s enterprise resource planning (ERP) system to identify any discrepancies or inconsistencies.
4. Implement Two-Factor Authentication
Implement two-factor authentication (2FA) for email accounts and other critical systems to add an extra layer of security. By requiring a second form of verification, 2FA significantly reduces attackers’ chances of gaining unauthorized access to sensitive emails and systems.
5. Verify Payment Requests
Establish a verification process for payment requests, with extra precautions for requests involving changes to banking information. This can involve confirming such requests through a separate communication channel or personally contacting the vendor.
6. Enroll Vendors in Electronic Payment Methods
Encourage vendors to use secure electronic payment methods, such as Automated Clearing House (ACH) transfers or virtual cards, which minimize the risk associated with sharing banking information.
7. Review Vendor Lists
Regularly review and update the vendor list to ensure accuracy and remove any inactive or suspicious vendors.
8. Monitor Email Accounts
Employ email monitoring tools that can detect and flag suspicious activities, such as unauthorized access attempts or unusual email forwarding.
It’s also important to review vendor email addresses before making payments. This can be done by validating email addresses manually or using a software to detect changes in an email address that may be difficult to discern with the human eye.
9. Leverage AP Automation
Implement AP automation solutions that can streamline processes, reduce manual intervention, and improve overall security by reducing the risk of human error.
10. Enable Proactive Notifications
Establish a system to proactively notify vendors of any changes in payment information, like new banking details, to ensure transparency and reduce the risk of fraudulent requests.
11. Alert the Vendor
In cases where vendor emails may have been compromised, it’s important to alert the supplier, so they can protect their business.
In today’s interconnected business landscape, BEC remains a formidable threat that organizations cannot afford to ignore. The methods employed by fraudsters are becoming increasingly sophisticated, making it crucial for businesses to stay one step ahead. By gaining a deeper understanding of the tactics used by attackers, educating employees about the risks and best practices associated with BEC, and implementing comprehensive protection measures, you can fortify your AP teams against the perils of BEC scams.
Ready to improve your organization’s AP process and more effectively prevent fraud? Request a demo of MineralTree today.
Frequently Asked Questions
What are common tactics used by attackers in BEC schemes that target the AP team?
Attackers often impersonate vendors, compromised executives, or attorneys to deceive AP team members into initiating unauthorized transactions or updating payment information.
What is the difference between BEC and EAC?
Business Email Compromise (BEC) involves fraudulent emails sent to deceive individuals and organizations, while Email Account Compromise (EAC) occurs when attackers gain unauthorized access to legitimate email accounts to carry out fraudulent activities, including BEC attacks.