Identifying vendor email fraud to help protect your business

Learn how to identify scam attempts proactively to help protect your business and your finances.

In today's increasingly interconnected and digital world, businesses are vulnerable to the threat of Business Email Compromise (BEC) scams. In this common type of B2B payment and business fraud, cybercriminals impersonate reputable entities and exploit the trust businesses place in them, deceiving victims into transferring funds through wire transfers, automated clearing houses (ACH), or checks to fraudulent accounts.

Donny Hoye, a senior vice president at Capital One who leads the treasury sales team, adds that “victims involved in vendor BEC scams are tricked into believing they are engaged in legitimate business transactions with trusted contacts, only to discover later that the vendor’s email was hacked after the fact.” The aftermath can be devastating, resulting in substantial financial loss. This article will help you understand BEC scams, identify warning signs and implement preventive measures to help protect you and your company from cybercrime.

Understanding VEC scams

Vendor email compromise (VEC) scams are highly sophisticated schemes employed by cybercriminals who deceive individuals and businesses through email communication. During a VEC scam, fraudsters masquerade as trusted entities, such as executives or financial institutions, to trick victims into performing unauthorized fund transfers.

Cybercriminals can use one of several strategies to deceive victims and gain unauthorized access to their funds and sensitive information. According to Hoye, “It’s critical to stay ahead of fraudsters—they are getting sophisticated in their tactics every day, so it's important that teams implement regular training and strict policies to quickly spot and report potential scams before they become a major problem.”

The most common BEC tactics are listed below.

  • C-suite executive impersonation: Cybercriminals will impersonate high-level executives, such as CEOs or CFOs, and compromise or spoof their email addresses. They will direct employees to transfer funds to fraudulent accounts.
  • Account compromise: Cybercriminals will compromise an employee's email account and use it to initiate unauthorized fund transfers to fraudulent bank accounts, leveraging existing connections and relationships for credibility.
  • Vendor email compromise: Fraudsters will pose as trusted suppliers, compromising their email systems or sending spoofed emails. They will request payments to fraudulent accounts and exploit established relationships.
  • Ransomware: Malicious software hidden in an email link encrypts the victim’s files or entire system, at which point the attacker demands a ransom payment in exchange for the decryption key. In 2022, ransomware attackers extorted at least $456.8 million from victims, according to a report by Chainalysis.
  • W-2 form/data theft: Cybercriminals will target a company's HR department to obtain W-2 tax forms or personally identifiable information. Stolen data is used for identity theft or future spear-phishing attacks. Executives are frequently targeted in this type of scheme.

The magnitude of BEC scams

BEC scams have become increasingly common in recent years. The number of reports and accompanying losses has also increased. The following statistics from the FBI's Internet Crime Complaint Center (IC3) report shed light on the magnitude of this issue.

  • The financial losses attributed to BEC scams reached $1.8 billion in 2020, marking a significant increase from $263 million in 2015. This represents a 584% increase over that period.
  • The cumulative losses from BEC scams between 2018 and 2020 exceeded $4.9 billion, demonstrating the persistent and escalating threat posed by these scams. 

Identifying and reporting VEC scams

Identifying and reporting signs of VEC scams are critical steps in mitigating possible financial loss and helping to protect your business from online crime. Stay alert and report suspicious activity immediately to help safeguard your business from the financial damage caused by these scams.

Below, we’ve provided ways to identify and report suspicious activity.

How to identify VEC scams

Here are characteristics to look for when identifying VEC scams:

  • Misspelled or unnecessary characters in the email address
  • Strange phrases, syntax, fonts, or date formats
  • Signs of email manipulation or alteration
  • Discrepancies in communication platforms and email addresses
  • Last-minute changes in payment instructions or recipient details
  • Unexplained urgency in payment requests
  • Requests for email-only communication
  • Requests for advance payment or changes in direct deposit

How to report VEC scams

Here are options for reporting VEC scams:

Hoye adds to “look for anything that changes how vendor payments are being made compared with past payments (e.g., new payment method, changing the name of the company they are remitting payment to, changing the contact person at the vendor company) as a critical first step.”

By taking the proper precautions before and after accepting payment requests, individuals and companies can stay vigilant and help reduce their risk of becoming fraud victims. Consider the recommendations below to help protect against BEC scams.

Tips for managing payments

Here are a few ways to help manage vendor payments:

Setup recommendations:

✔ Implement dual approval requirements, both for adding users and for making payments.

✔ Limit the number of individuals authorized to make fund transfers.

✔ Establish intrusion detection rules for identifying suspicious email addresses.

✔ Set up callback thresholds and information verification with trusted sources.
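
One way to turn the address indicators above (misspelled or unnecessary characters, discrepancies between email addresses) into a detection rule for suspicious email addresses. This is an added example, not code from Capital One or the original article; the vendor domains, the character map and the two-edit threshold are constructed assumptions.

```python
# Added example: flag sender addresses that imitate a known vendor domain.
from email.utils import parseaddr

# Constructed allowlist (assumption); in practice load it from the vendor master file.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Characters often swapped in to imitate a letter (small illustrative map, an assumption).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def fold(domain: str) -> str:
    """Collapse lookalike characters so visually similar domains compare equal."""
    return domain.translate(LOOKALIKES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of a From or Reply-To header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def check_sender(from_header: str, reply_to: str = "") -> list[str]:
    """Return the reasons this sender needs review; an empty list means none found."""
    findings = []
    domain = domain_of(from_header)
    if domain not in KNOWN_VENDOR_DOMAINS:
        for known in sorted(KNOWN_VENDOR_DOMAINS):
            if fold(domain) == fold(known):
                findings.append(f"lookalike characters imitate {known}")
            elif edit_distance(domain, known) <= 2:  # assumed threshold
                findings.append(f"within 2 edits of {known}")
    # A reply path on another domain diverts answers away from the real vendor.
    if reply_to and domain_of(reply_to) != domain:
        findings.append("Reply-To domain differs from From domain")
    return findings
```

A sender from an unrelated, unknown domain returns no finding here, so the check complements, rather than replaces, matching the address against the vendor contact on file.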

Managing payment requests:

✔ Perform callbacks to known client/vendor numbers, not those provided in the request. Do not use the phone number on the email itself.

✔ Scrutinize incoming materials (emails, links, and attachments), especially those involving new payment instructions.

✔ Obtain secondary sign-off for any changes to payment requests.

✔ Establish firm policies and procedures with the entire team. Ensure regular meetings include updated procedures.

 

There is no shortcut to payment security. Although users commonly rely on payment methods like ACH to combat potential VEC or BEC scams, Hoye warns that these payments are not necessarily as secure as they are commonly thought to be. “Stop putting so much faith in ACH fraud protections—they are only as perfect as the people handling them,” he said. Capital One recommends this summary for more information on what ACH payments are and how they work before making any transactions.

“There is no perfect tool capable of stopping all instances of fraud,” Hoye concludes. Capital One’s trusted professionals, however, are trained in helping report VEC scams when they occur. In doing so, they help business owners take strong action to combat cybercrimes more effectively.

If you are a Capital One business customer and suspect you have become a victim of BEC or VEC fraud, it is critical to take action. Contact your relationship manager at Capital One and report the incident immediately.