B2B Payments Fraud: 2020 Edition

While the coronavirus pandemic is disrupting businesses all over the world, there’s one industry that’s booming: B2B payments fraud.

The State of B2B Payments Fraud Today

During a pandemic there’s no such thing as “business as usual.”

We are all figuring out how to stay productive while we stay at home, and dealing with the stress that comes with a global health crisis.

It’s this combination of disrupted business routines and deep anxiety that creates a perfect environment for scams.

Chaos-induced opportunism is not new.

Predatory behavior always spikes in the confusion that follows disaster. The FBI and other experts on fraudsters who target businesses warn that COVID-related scams are already proliferating. Fraudsters are out to take advantage of businesses struggling to cope in this economy.

For example, the healthcare industry is an expected target during this crisis. In fact, just a few weeks ago, someone posing as a legitimate medical equipment supplier scammed a pharmaceutical company out of £6.6M.

Business Email Compromise is On The Rise

Here’s a universal truth. At their core, every fraudster is an opportunist using B2B payments fraud to capitalize on the vulnerable state of many organizations right now..

Fraudsters are looking for existing weaknesses in a vendor management process that they can use to gain access to a payment system.

One of the most common ways bad actors commit B2B payments fraud is by way of business email compromise (BEC).

What is BEC and How Does it Work?

BEC is a type of cybercrime that occurs often within the context of vendor management. It uses social engineering, or the purposeful manipulation of humans to get them to divulge confidential information and/or perform harmful actions unknowingly. It involves unauthorized individuals gaining access to or impersonating a legitimate business email account–in order to deceive vendors into diverting funds or providing sensitive information.

Typically, scammers will use fake email accounts to reroute legitimate payments. Some scammers are really, really good at this. And unfortunately, they’re getting better all the time.

Graphic of fraudster committing supplier fraud via business email compromise

Sample BEC Email

Vendor desk staff must be on high alert for BEC scams, as fraudulent emails can look simple, benign, and legitimate. Here’s a sample of what a BEC email might say:

Subject: Payment for Invoice URGENT–change of banking information

Hi [Your Name],

Do you have a moment? I wanted to update you because our banking information has changed and needs to be updated. Can you update our records in your system to reflect our new account and routing numbers below?

Account Number: xxx

Routing Number: xxx

Thank you!
[Name of Seemingly Legitimate Person You Probably Know At That Vendor Company]

Busy vendor desk staffers may not take the time to confirm this banking update with the vendor. That’s exactly what fraudsters count on–vendor management staff being too stressed out and busy to confirm the legitimacy of the impersonated emails, and so they update the banking information and route funds to the fraudsters.

Clearly, BEC poses significant risks. It leads to financial loss, compromised data, and reputation damage.

Implementing strong authentication measures, training employees on BEC awareness, and establishing secure communication protocols are crucial for mitigating the risk of BEC attacks in vendor management.

Spikes in B2B Payments Fraud With BEC Cases

Under normal circumstances, your team is likely aware of the risk of BEC scams. You’ve probably even been trained to spot them.

But these aren’t normal circumstances. Standard operating procedures have had to be reworked or replaced in short order to accommodate stay-at-home restrictions.

And when your team members aren’t sure of a new process, they are more likely to make errors in judgment. This uncertainty provides an opportunity for scammers to strike.

At PaymentWorks, we’re hearing from our customers about how this scam “spike” is affecting them.

Just last week, we saw a fraudster attempt to divert funds from one of our customers. The fraudster impersonated a legitimate company by employing a slightly different email address than the real one. They were using real names, real invoice numbers, and other compelling details to try and reroute a payment worth more than $200K.

The week before that, a customer told us about a vendor email compromise that they noticed when they got an email that seemed to come from one of their vendors. The fraudster attempted to change the bank account on file.

Fortunately, this customer always verifies the identity of anyone they need to pay, so the attempt was foiled. No one lost any money.

But here’s the thing. These kinds of attacks happen every day to businesses who may or may not have any fraud detection skills. B2B payments frauds are real, they are devastating, and they are happening everywhere.

How to Mitigate Vendor Email Compromise

The success of payments fraud schemes depends on human error by someone responsible for sending payments.

You can relieve the pressure of decision-making from your individual team members by providing more structure around the payments process.

First, if you aren’t already, you need to enforce strict protocols and implementing review bottlenecks.

Then, you need to leverage technology partners to protect users and verify information. Give payees the ability to manage their own information through a secure system. This entirely circumvents the need for managing sensitive information, such as bank account numbers and personal data, through vulnerable email accounts.

Lastly, adding validation to the payee submitted information before you pay is absolutely critical to preventing payments fraud schemes.

The most urgent reason to do so in a period of increased risk, such as during the current pandemic, is to provide certainty to those employees who are tasked with handling personal information and payments.

Don’t let there be any question as to whether business payments are reaching the intended payee.

Your accounts payable and vendor desk staff are already overworked with manual vendor management processes.

Don’t add to their workload–and put your organization at risk–by putting the entire responsibility of identifying and mitigating B2B payments fraud on them. That responsibility is department- and organization-wide.