How to Protect Against BEC Attacks — Part 1: Invoice Fraud

Business Email Compromise (BEC) is a social engineering attack designed to defraud a business. There are five prominent types of BEC attacks: Invoice Fraud, CEO Fraud, Account Compromise, Attorney Impersonation, and Data Theft.

Invoice Fraud is a nasty (and increasingly common) form of BEC typically directed at an individual authorized to process payments and transfer funds. In an invoice fraud attack, an attacker can take over or spoof the email account of a contact or vendor and send a fake invoice with false bank account routing information.

Here are a few best practices to help mitigate the threat of Invoice Fraud:

Verify Supplier Information. Always verify the legitimacy of new suppliers before conducting any business with them. Use reliable sources to cross-check their contact information.

Two-Step Verification Process. Establish a two-step verification process for invoice approvals and payments. This can involve requiring multiple individuals to confirm the legitimacy of an invoice before any payment is made.

Educate Employees. Train your employees to recognize common signs of invoice fraud.

Use Secure Communication Channels. Ensure that all communication related to invoices, especially changes in payment details, occurs through secure channels. Use encrypted email systems and avoid sharing sensitive information through unsecured platforms.

Regularly Update and Monitor Systems. Keep your financial systems and software up to date with the latest security patches. Additionally, consider consulting with your financial institution and cybersecurity experts (like Tier 3 Technology) to stay better informed.

By combining these measures, you can significantly reduce the risk of falling victim to invoice fraud and continue to protect your organization’s financial assets.
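The supplier verification and multi-person approval practices above can be enforced as a check that runs before any payment is released. This is an added example, not part of the original article; the vendor record, field names, hold messages and sample invoices are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed vendor master record: contact and bank details verified at onboarding.
VENDOR_MASTER = {
    "V-1001": {"domain": "acme-supplies.example", "bank": "ROUTING-000111 ACCT-0001"},
}

@dataclass
class Invoice:
    vendor_id: str
    sender_email: str
    bank: str                                      # payment details printed on the invoice
    approvers: set = field(default_factory=set)    # distinct people who confirmed it
    callback_verified: bool = False                # change confirmed via contact details on file

def _norm(value):
    # Ignore spacing and case so formatting differences are not treated as changes.
    return "".join(value.split()).upper()

def review_invoice(inv, master=VENDOR_MASTER):
    """Return the reasons to hold payment; an empty list means it may be released."""
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        return ["unknown vendor: verify the supplier before paying"]
    holds = []
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor["domain"]:
        holds.append("sender domain does not match vendor record")
    if _norm(inv.bank) != _norm(vendor["bank"]) and not inv.callback_verified:
        holds.append("bank details changed without out-of-band confirmation")
    if len(inv.approvers) < 2:
        holds.append("fewer than two distinct approvers")
    return holds

# Constructed sample invoices.
LEGIT = Invoice("V-1001", "billing@acme-supplies.example",
                "routing-000111 acct-0001", {"alice", "bob"})
SPOOFED = Invoice("V-1001", "billing@acme-suppiles.example",   # lookalike domain
                  "ROUTING-999999 ACCT-7777", {"alice"})
TAKEOVER = Invoice("V-1001", "billing@acme-supplies.example",  # real account, new bank details
                   "ROUTING-999999 ACCT-7777", {"alice", "bob"})

if __name__ == "__main__":
    for name, inv in [("legit", LEGIT), ("spoofed", SPOOFED), ("takeover", TAKEOVER)]:
        print(name, review_invoice(inv) or "release")
```

The takeover sample passes the sender-domain check because the message comes from the vendor's real mailbox, so only the comparison of bank details against the record on file holds the payment.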
