Protect Your Finances: Preventing Fraud Stemming from Vendor Email Compromise
Blog
April 28, 2025
by Paul Abramson
In our increasingly digital world, cybercriminals are constantly evolving their tactics to exploit unsuspecting victims. One of the most alarming trends is the rise in external payment fraud stemming from compromised or impersonated email accounts, scams that can lead to significant financial losses. A common scheme involves a cybercriminal posing as a business's supplier and sending new payment instructions for an outstanding invoice. The strategy relies on social engineering and is usually carried out from a newly registered lookalike account, a genuinely compromised vendor mailbox, or a spoofed sender address. This article and our previous guide on protecting yourself against business email compromise (BEC) will equip you with the knowledge and resources to protect yourself and your business from these deceptive practices.
The Growing Threat of Email Compromise
Email account compromise has become a major concern in recent years. In fact, at American Riviera Bank we have had multiple reports from business clients of vendor impersonation in 2025. The FBI's Internet Crime Complaint Center (IC3) puts exposed losses from business email compromise scams at as much as $50 billion, based on complaints filed between October 2013 and December 2022.
Understanding the Tactics
Fraudulent emails can often look convincing, mimicking the appearance and tone of legitimate communications from familiar businesses. Fraudsters often employ clever techniques to manipulate their targets:
- Account Takeovers: By hijacking employee email accounts, scammers send fraudulent invoices or redirect genuine invoice payments.
- Fake Invoices: Invoices can be crafted to mirror genuine vendor invoices, making detection challenging.
- Vendor Impersonation: By registering domain names similar to a legitimate vendor's, scammers can send invoices that, on initial inspection, seem genuine.
- Vendor and Employee Fraud: A colluding vendor or insider resubmits a legitimate invoice that has already been paid, with the amount or account details subtly changed.
- Email Sender Name Spoofing: Fraudsters register email accounts that appear to come from legitimate sources, often mimicking the style and tone of trusted businesses. By manipulating the From display name, scammers can create the illusion that a message originates from a trusted vendor or colleague even though the underlying address belongs to a free webmail provider. They might also craft an email address that closely resembles the domain they aim to impersonate, often differing by a single character.
- Research and Personalization: Scammers research a target's vendors, staff, and billing cycles, then use that research to craft emails that instill a sense of urgency and push victims into making hasty decisions.
Signs of Fraudulent Emails
Being aware of the common signs of fraudulent emails can help you identify potential scams. Look out for the following red flags:
- Urgent or Unusual Requests: Scammers often create a sense of urgency to pressure recipients into acting quickly. Be cautious of emails demanding immediate payments or changes to payment instructions without prior notice.
- Suspicious Email Addresses: Verify the sender's full email address, not just the display name, and check that any Reply-To address matches it. Fraudulent emails may come from addresses that are similar but not identical to legitimate ones.
- Formatting and Language: Pay attention to the email's formatting and language. Poor grammar, spelling errors, and unusual formatting can indicate a scam. Keep in mind that the absence of such errors proves nothing: a message sent from a genuinely compromised vendor mailbox will look exactly like the real thing.
- Links and Attachments: Avoid clicking on links or downloading attachments from unknown or suspicious emails. These could contain malware or lead to phishing sites.
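The red flags above can be turned into an automated first-pass screen on inbound invoice email. The following is an added example, not the bank's code or any product it uses; it assumes a small allow-list of vendor domains and a few constructed From/Reply-To headers, and it checks the three indicators discussed here: a display name that claims a known vendor while the real address lives elsewhere, a domain within a couple of character edits (or common confusables such as 0/o and rn/m) of a known vendor domain, and a Reply-To domain that differs from the From domain.

```python
"""Screen inbound invoice e-mail headers for sender-impersonation red flags.

Added example. KNOWN_VENDOR_DOMAINS and the sample headers are constructed;
substitute your own vendor master file.
"""
import re
import unicodedata
from email.utils import parseaddr
from typing import List, Optional

# Constructed allow-list: domains of vendors you actually pay.
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northstar-logistics.com"}

# Characters and digraphs commonly substituted to build lookalike domains.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Lowercase, Unicode-fold and undo common confusable substitutions."""
    d = unicodedata.normalize("NFKC", domain).lower().strip()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(header_value: str):
    """Return (display_name, address, domain) parsed from a From or Reply-To header."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, addr, domain


def vendor_name_tokens(domain: str):
    """'acme-supply.com' -> {'acme', 'supply'}: words a fake display name would reuse."""
    label = domain.split(".")[0]
    return {t for t in re.split(r"[-_]", label) if len(t) > 2}


def assess_sender(from_header: str, reply_to_header: Optional[str] = None,
                  known=KNOWN_VENDOR_DOMAINS) -> List[str]:
    """Return the list of red flags found; an empty list means none of the three indicators fired."""
    flags: List[str] = []
    name, _addr, domain = split_address(from_header)
    if domain not in known:
        norm = normalize_domain(domain)
        for k in known:
            # Lookalike: a known domain with one or two characters changed/added/removed.
            if norm == k or edit_distance(norm, k) <= 2:
                flags.append(f"lookalike_domain:{domain}~{k}")
        lowered = name.lower()
        words = set(re.findall(r"[a-z]+", lowered))
        for k in known:
            # Display-name spoof: the name claims a vendor the address does not belong to.
            if k in lowered or vendor_name_tokens(k) & words:
                flags.append(f"display_name_impersonation:{name!r}@{domain}")
    if reply_to_header:
        _, _, rt_domain = split_address(reply_to_header)
        if rt_domain and rt_domain != domain:
            flags.append(f"reply_to_mismatch:{domain}->{rt_domain}")
    return flags


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        ("Accounts Receivable <billing@acme-supply.com>", None),
        ('"Acme Supply Billing" <acme.billing@gmail.com>', None),
        ("Acme Supply <billing@acme-suppIy.com>", None),        # capital I for l
        ("Northstar Logistics <ap@northstar-logistics.co>", None),  # TLD trimmed
        ("AP <ap@northstar-logistics.com>", "ap@northstar-logistics-invoices.com"),
    ]
    for frm, reply_to in samples:
        print(frm, "->", assess_sender(frm, reply_to) or "no flags")
```

A clean result from this screen is not a green light: it only catches the cheap impersonation tricks, and a message from a genuinely compromised vendor mailbox will pass every check. It is a triage aid that decides which requests get the callback described in the next section, never a substitute for it.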
Verification is Key
To safeguard against these scams, it is crucial to verify any changes to payment instructions before transferring funds. Follow these crucial steps to verify the authenticity of payment instructions:
- Do Not Trust Email Alone: Confirm that the sender's domain is the one the business actually uses. While email is a convenient form of communication, it should never be the sole basis for accepting payment instructions, because scammers can easily manipulate both the content and the apparent sender of a message.
- Avoid Clicking on Links: The FBI warns against clicking on links provided in emails. Instead, type the company's URL directly or, better yet, use a reputable search engine to find the company and use its official site.
- Educate Employees to Always Call to Verify: Employees in charge of transferring funds or making payments should be trained to directly call the vendor’s main phone line to confirm any change in account numbers or payment procedures using a phone number known previously or obtained through reputable sources rather than calling numbers provided in the email. This step is crucial to confirm the legitimacy of the payment instructions.
- Use Official Sources: When verifying a phone number, use reputable search engines or official websites to obtain contact details. Do not rely on phone numbers provided in the suspicious email.
- Cross-Reference Past Communications: Refer to previous communications or invoices to compare the payment instructions. If there are discrepancies, contact the sender directly to clarify.
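The verification steps above amount to a rule: any change in where money goes is held until someone calls the number already on file, and a resubmitted invoice is compared against what was previously paid. The following is an added example of that rule as accounts-payable screening logic; it is not the bank's code, and the vendor master file and paid-invoice history it uses are constructed sample data. The callback number comes only from the vendor record, never from the email, and the `callback_confirmed` flag is something a person sets after actually making that call.

```python
"""Screen a payment request against the vendor master file and paid-invoice history.

Added example with constructed data. The decision is HOLD unless the request
matches what is on file or the change has been confirmed by callback.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VendorRecord:
    name: str
    routing: str
    account: str
    phone_on_file: str  # captured at onboarding or from the official site, never from an email


@dataclass(frozen=True)
class PaidInvoice:
    vendor: str
    invoice_no: str
    amount: float


@dataclass
class PaymentRequest:
    vendor: str
    invoice_no: str
    amount: float
    routing: str
    account: str
    phone_in_email: Optional[str] = None  # whatever the email offered; recorded, never dialled
    callback_confirmed: bool = False      # set by AP only after calling phone_on_file


# Constructed vendor master file and payment history (sample values, not real accounts).
VENDORS: Dict[str, VendorRecord] = {
    "Acme Supply": VendorRecord("Acme Supply", "011000015", "123456789", "+1-805-555-0100"),
}
HISTORY: List[PaidInvoice] = [
    PaidInvoice("Acme Supply", "INV-1041", 4800.00),
]

HOLD_REASONS = {"unknown_vendor", "bank_details_changed_unverified",
                "duplicate_invoice", "duplicate_invoice_amount_changed"}


def screen(req: PaymentRequest, vendors=VENDORS, history=HISTORY) -> dict:
    """Return {'action': 'PAY'|'HOLD', 'reasons': [...], 'verify_via': number-on-file, 'never_use': number-from-email}."""
    rec = vendors.get(req.vendor)
    if rec is None:
        return {"action": "HOLD", "reasons": ["unknown_vendor"],
                "verify_via": None, "never_use": req.phone_in_email}
    reasons: List[str] = []
    # Step 1: any change to routing/account is a hold until confirmed out of band.
    if (req.routing, req.account) != (rec.routing, rec.account):
        reasons.append("bank_details_changed_verified" if req.callback_confirmed
                       else "bank_details_changed_unverified")
    # Step 2: cross-reference past invoices; a repeat number is a duplicate, with or without a tweaked amount.
    for paid in history:
        if paid.vendor == req.vendor and paid.invoice_no == req.invoice_no:
            same_amount = abs(paid.amount - req.amount) < 0.005
            reasons.append("duplicate_invoice" if same_amount else "duplicate_invoice_amount_changed")
    action = "HOLD" if HOLD_REASONS & set(reasons) else "PAY"
    return {"action": action, "reasons": reasons,
            "verify_via": rec.phone_on_file, "never_use": req.phone_in_email}


if __name__ == "__main__":
    # A routine invoice, then the classic "we changed banks" request, then a resubmitted invoice.
    for r in [
        PaymentRequest("Acme Supply", "INV-1042", 5200.00, "011000015", "123456789"),
        PaymentRequest("Acme Supply", "INV-1043", 5200.00, "021000021", "987654321", "+1-212-555-0199"),
        PaymentRequest("Acme Supply", "INV-1041", 4850.00, "011000015", "123456789"),
    ]:
        print(r.invoice_no, screen(r))
```

The important design choice is that the email's phone number is stored under `never_use` purely for the incident record; nothing in the workflow can route a callback to it. A request that changes bank details only becomes payable when a human has set `callback_confirmed` after reaching the vendor on the number already on file.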
What to Do If You Suspect Fraud
If you suspect that your business has received a fraudulent email or have fallen victim to a scam, take immediate action:
- Report the Incident: Inform your financial institution right away if you suspect fraud. Recovering funds becomes much harder once more than 72 hours have passed since the transfer. You should also file a complaint with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov.
- Document Everything: Keep records of all suspicious communications and transactions.
- Monitor Your Accounts: Regularly check your accounts for any unauthorized transactions. Report any suspicious activity immediately.
In an era where digital transactions are the norm, protecting yourself from payment instructions fraud is more crucial than ever. By staying informed, remaining vigilant, and following best practices, you can significantly reduce your risk of falling victim to these scams. Remember, when it comes to your financial security, verification is not just important—it is essential.
Recommendations for Minimizing Risk to your Business
- Consider configuring dual approval within your digital banking profile to ensure that no one employee can both initiate and approve an outgoing payment or changes to existing payment templates.
- Never accept changes to payment instructions through email or unverified incoming phone calls or text messages.
- Train your employees to recognize the warning signs and how to effectively verify requests.
- Review your insurance policies for cyber coverage and ensure you have implemented the required controls.
Any company can fall victim to BEC attacks, with small and medium-sized businesses particularly vulnerable due to simpler approval processes. While attackers target organizations broadly, certain individuals face heightened risk:
C-Suite Executives
Executives possess both authority and public profiles that make them valuable targets. Criminals research their background to craft convincing impersonations or directly target them with issues requiring executive action—creating pathways to finance and HR departments.
Finance Team Members
These employees control payment systems and sensitive financial data. Their routine handling of wire transfers and vendor payments makes them prime targets for fraudulent payment requests, invoice schemes, and payroll diversions.
HR Leaders
HR departments store valuable personal information, including Social Security numbers, other personally identifiable information (PII), and payroll details. Attackers target HR to harvest this data for sale on dark web markets or for use in future attacks.
New Employees
Recently hired staff often lack familiarity with internal procedures and communication norms. This makes them susceptible to unusual requests and less equipped to recognize when something doesn’t follow established protocols.