Sophisticated cybercriminals continue to steal large sums of money from organizations of all sizes using business email compromise (BEC) schemes. Once the fraudulent payments are approved and transferred to the criminal’s accounts, they are very difficult to recover—and the targeted organization is liable for the resulting losses. Therefore, it’s vital to create a robust callback process to validate payments or changes to payment instructions before they are released.
A proper callback process requires an employee, typically a payments staff member, to pick up the phone and validate new payment requests, requests to establish a new bank account, changes to payment instructions and changes to contact information.
Callbacks should be made to the actual person making the request using a phone number retrieved from a system of record.
Callback numbers obtained from an email, text or voicemail should not be used since they may originate from fraudsters.
When it comes to callbacks, you can train your employees to:
- Follow controls for the validation of new or revised payment information.
- Understand how BEC scams work and what they can do to help prevent them.
- Never trust email, texts or unsolicited phone calls alone to authorize payment requests or change contact information.
- Escalate any concerns if a payment seems suspicious—even after performing a callback.
- Be very suspicious if a vendor offers vague reasons for switching to a new account, such as tax audits or current events. E.g., “Due to COVID-19, we need to update our payment information…”
- Be wary of vendors who frequently change payment instructions. Fraudsters will sometimes provide several different accounts to victims during a BEC fraud attempt.
- If you receive a call from your financial institution asking you to validate a suspicious payment, take it seriously. It could be your last chance to stop a fraudulent payment before it’s too late.