A Case of Diverted Payments: Cybersecurity Lessons

13/02/2025

I’d like to share a real story about how easy it can be to fall victim to fraud schemes.

In the Accounts Receivable process, fraudsters can spot countless opportunities to target your business. In this instance, a large company fell victim to a payment diversion scheme that came close to producing a fraudulent payment of $750,000 and nearly ruined their relationship with one of their largest customers.


Chapter 1

Could your business be vulnerable to business email compromise?

The company had been working with a long-standing customer who they communicated with via email. Invoices, purchase orders and payment confirmations all came through business email accounts, which unfortunately created the perfect opening for a sophisticated cybercriminal group.

The attackers executed the following business email compromise (BEC) scheme.

  • The fraudsters gained access to the email account of an Accounts Receivable employee through a phishing email disguised as a legitimate internal IT alert.
  • Once inside the account, the attackers monitored email exchanges for weeks, learning the company's processes, payment schedules and even the tone and language used in the emails.
  • When it was time to pay an invoice, the attackers struck. They sent an email to the customer mimicking the Accounts Receivable employee with a slight change to the email address, instructing them to send the payment to a new bank account—one controlled by the fraudsters.
  • The customer, who was familiar with the employee and the tone of the communication, saw no reason to doubt the request. He sent the payment. Thankfully, his treasury team did a review of the bank account information and determined it was for an offshore account. They were able to stop the payment – but if they hadn’t, that account could have become untraceable within hours.

How to protect your business from business email compromise

First of all, you should be asking yourself: what causes BEC scams? In this case, as in many others, the root cause was a combination of two mistakes.

  • Lack of email security: The company hadn’t enabled multi-factor authentication (MFA). That means it was easier for attackers to access the email account with stolen credentials.
  • Employee awareness gaps: Falling for phishing scams is more common than we’d like to think. But if your employees aren’t properly trained in spotting and avoiding them, they could miss the often-subtle signs of fraud. In this case, the employee didn’t recognize the phishing attempt and clicked the link that was sent to them without doing their due diligence. 

The customer, after being alerted by their treasury team, reached out to the company and informed them that their email account had been spoofed and an attempt was made to change the lockbox information. The incident created a full-blown investigation within the company to determine if there were any other emails that were compromised by the phishing attempts. 


So, what steps should a company take to prevent something like this from happening again?

  • Enhance email security: All employee email accounts should be required to use MFA. Advanced spam and phishing filters should also be installed to block suspicious emails in advance.
  • Implement dual verification processes: Companies should adopt a strict policy requiring any changes to payment details to be confirmed through a secondary communication method such as a phone call to a known, verified contact. You should also check the company’s business credit report – there, you’ll be able to see if anything has recently changed in the company information.
  • Increase employee awareness: Introduce regular cybersecurity training to help employees identify phishing attempts, suspicious requests and other fraud risks.
  • Review and update vendor management processes: Require vendors to confirm their banking information through secure portals, rather than via email.
  • Deploy fraud detection tools: Implement software solutions to monitor for unusual activity in payment systems. This can include things like changes in bank account details or irregular transaction patterns.
  • Take out cybersecurity insurance: Companies should obtain cybersecurity insurance policies to mitigate financial risk in the case of future attacks.
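As an added illustration (not part of the original article), here is the kind of screening logic a payer's treasury or AR team could run over an incoming remittance-change request before anything is paid. It combines the two red flags from the story, a sender domain that is a near-match of the vendor's real domain and a bank account that differs from the one on file, and holds anything suspicious for a phone callback. The vendor record, domains and account numbers are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed vendor master record: the counterparty details the AR team
# has on file. Domain and account number are made-up placeholders.
VENDOR_MASTER = {
    "acme-supplies.example": {"account": "GB00TEST12345678901234"},
}
# Wording that typically accompanies a diversion attempt.
PRESSURE_WORDS = ("urgent", "immediately", "new bank", "updated bank")


@dataclass
class PaymentChangeRequest:
    sender: str         # From: address exactly as received
    vendor_domain: str  # vendor the invoice/PO belongs to (looked up from our records)
    account: str        # account the email asks us to pay
    body: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values mean a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(req: PaymentChangeRequest) -> dict:
    """Return the red flags found and the resulting handling decision."""
    flags = []
    domain = req.sender.rsplit("@", 1)[-1].lower()
    on_file = VENDOR_MASTER.get(req.vendor_domain)
    if on_file is None:
        flags.append("unknown_vendor")
    else:
        if domain != req.vendor_domain:
            # One or two character edits from the real domain is the classic
            # "slight change to the email address" from the story.
            near = edit_distance(domain, req.vendor_domain) <= 2
            flags.append("lookalike_sender_domain" if near else "sender_domain_mismatch")
        if req.account != on_file["account"]:
            flags.append("bank_details_changed")
    if any(w in req.body.lower() for w in PRESSURE_WORDS):
        flags.append("pressure_language")
    # Policy: any flagged request is confirmed by phone with a known contact,
    # never by replying in the same email thread.
    return {"flags": flags, "decision": "hold_for_callback" if flags else "proceed"}
```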

Through these measures, both parties not only rebuilt trust, but also became more resilient to future attacks. The incident served as a stark reminder of how seemingly minor oversights can lead to major losses and highlighted the importance of proactive cybersecurity practices.

This story underscores the importance of vigilance, layered security and continuous training in preventing payment fraud. By addressing both technical vulnerabilities and human factors, businesses can protect themselves and their partners from devastating financial losses.

When fraudulent payment diversion occurs, determining who is responsible for the financial loss depends on several factors, including the contractual terms between the parties, negligence and the specific circumstances of the fraud. 


Who is at risk if a BEC scam transfer occurs?

Contracts between companies often specify who is liable in cases of fraud. For instance, if the customer was instructed to verify banking details before making payments and failed to do so, they may bear responsibility. If there’s no explicit agreement about such scenarios, legal principles and practices come into play.

If the customer failed to confirm the bank account change through a secondary communication channel (e.g., a phone call), this could be considered negligent. Most financial best practices require independent verification of significant changes. The customer’s diligence in this example thwarted the efforts of the bad actor, but if they failed to follow due diligence when transferring funds, they could be held liable. 

On the other hand, the company may be partially responsible if they failed to secure their internal systems. If their lack of cybersecurity is what allowed the attackers to compromise their email accounts, enabling fraud, they could be held partially responsible for contributing to the loss.

And you can’t forget that this isn’t a strict one-to-one transaction. Depending on local regulations, the bank (or banks) involved in the transaction could bear some responsibility, too. This is especially the case if they failed to detect red flags in the fraudulent payment. However, most banking systems operate under a “good faith” assumption when processing transactions. That means recovering funds from a bank is unlikely unless the bank could be considered grossly negligent. 


Sometimes, the liability of BEC scams could depend on whether your business was complying with industry standards of cybersecurity. If the company in our example didn’t use multi-factor authentication, some jurisdictions would consider them negligent. Depending on the jurisdiction, you could even be held liable for falling victim to a BEC scam if you ignored obvious red flags, like changes in the sender’s email address or rushed instructions. That’s why making sure everyone in your company has been properly trained in how to spot and prevent fraud is so crucial. 

Your goal should be to avoid disputes over liability if BEC fraud happens to you. To prevent confusion, you should:

  • Clearly define fraud and payment-related responsibilities in contracts. Outline exactly who would be responsible in the event of a BEC fraud transfer and what both companies need to be doing to prevent it.
  • Mandate secondary verification for any financial or banking changes. While sometimes a company’s payment information changes for perfectly legitimate reasons, the risk of fraud is too high to take changes at face value. Both companies should speak directly to each other in the event a change is necessary, not rely on emails. 
  • Maintain robust cybersecurity measures for both parties. Remember, this example started because fraudsters were able to access login information for an employee at one of the companies. If both companies had secure, up-to-date cybersecurity policies, this whole thing might have been avoided before it became a problem.
  • Perform customer due diligence before signing new business. Always check that a new company you’re considering working with is legitimate. Many fraudulent businesses can seem perfectly legitimate on the surface – that's why it’s your job to dig deeper. 

About the Author

Mike Bevilacqua, Chief Content & Education Officer, Credit Research Foundation

Mike Bevilacqua is the Chief Content & Education Officer at the Credit Research Foundation (CRF), shaping educational content for Fortune 1000 leaders in Commercial Credit Risk and Accounts Receivable. He specializes in innovative tools that enhance Revenue Cycle Management, leadership, and change management.
