Part of our series on Security for Medium Businesses.
Basics of the Scam
One of the most common sources of successful business fraud is redirected payments in a trusted relationship. In this situation, a scammer impersonates a business partner to one of their customers and asks to change the payment details to an account within their control. They then wait for the next standard payment to post, launder the redirected funds through a network of money mules, and disappear into the night. If it takes too long for the trusted parties to notice that the normal payment is missing, the banks cannot recover the funds and the thief gets away with it. The partners are out the money, but often the resulting loss of trust can be more damaging: arguments about which party is at fault for the theft can poison an otherwise strong relationship.
There are several common variations. Instead of waiting, the thief can request an extra payment immediately. This is a plausible request when impersonating direct suppliers, who deliver products on a just-in-time, variable basis, bill a standard, average, recurring amount, and then use periodic true-ups to correct the account.
The thief can also work in the opposite direction, impersonating the customer. Usually, this is to buy time as part of a larger fraud. If the thief manages to change the payment details for a vendor, they may impersonate the customer to the vendor, saying the payment will be late, requesting patience, and even promising generous interest in return. This extends the time before detection and improves their chances of success.
Why it works so well
Because this scam leverages an existing trust relationship, everyone’s guard is down. There is no “extra” charge that would raise suspicion on the customer side – the books look normal, and the critical change is to the destination account number, which is not included on balance sheets. For vendors, missed payments are a fact of life and usually do not arouse suspicion. Most vendors don’t immediately complain for fear of angering customers, and use automated workflows to notify and escalate on overdue invoices. It may be months before either party realizes the fraud, which is too late.
How it starts
Thieves attempt these scams in two ways: unauthorized access and phishing. Phishing is much cheaper for them and more common: they send an email to one of the partners from an address pretending to be the other. There are many ways to reduce this threat; we’ve discussed some before.
Unauthorized access is more expensive for scammers, but more reliable. If they break into the email account, they can view, send, and even delete emails as that person. They can send convincing communications invisible to technical phishing protection, even emulating the writing style of the person. If they get access to the account of the right executive or accountant, it might be easy for them to change or persuade others to change payment details.
Unauthorized access to payment platforms allows direct adjustment of payment details. If a company sends payments with an accounting platform like QuickBooks Online, access to that platform would allow a scammer to steal money. While setting up a new vendor and paying them would raise flags, changing the payment details for an existing vendor may not.
You can make this scam a lot harder to pull off with a couple of simple adjustments to the way you run your business.
Along with adding vendors or making one-off payments, changing payment information is a high-risk activity. You can reduce the risk of fraud through those channels with two approaches:
Prevention: making it hard for the wrong people to do.
Detection: quickly learning when someone is doing it and shouldn’t be.
While there are some specific technical fixes that can help, consider how your company pays and gets paid. Does everyone email Pam? Do people log into a central system like an ERP, accounting app, or the bank?
Whatever it is, consider how hard it would be to fake your way into those processes. Does Pam say ok to everyone? How many logins are there to your ERP and how bad are the passwords?
Likewise, think about how easy it would be to fake your way into your customers’ Accounts Payable. Would they think twice about someone claiming to be from your company? Is there anything you can do to help them know when it’s a scammer?
Further, the more consistent you are, the easier it will be to detect someone trying to pull a fast one.
Anything you can do to reduce the impact of phishing helps. Correctly-used password managers, a high-quality email provider, and phishing training work wonders. You can also add a technical forgery-protection feature called DKIM to reduce the chance of scammers impersonating you. It’s free, takes maybe a couple hours to do, and a decent MSP should probably have already done it for you. You can encourage your key partners to do this as well. We’ll talk about how to do it yourself in the next post.
Account Compromise Prevention
The easiest way to stop people from breaking into your accounts is (once again) a correctly-used password manager and a high-quality email provider. You can dial up the protection by requiring a second factor; good email providers encourage you to do this as well.
This extends beyond email: if you make payments in a platform, ensure that these protections apply to everyone who can change payment details.
You can also add detection rules: high risk activities like logins from new devices may quickly alert you that someone bad has gotten in. Some payment platforms let you get automatic notifications for high-risk changes such as new vendors, but this is not yet common.
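The detection rules described above, written out as a small script. This is an added example, not code from the original post or from any payment platform: it runs over a constructed audit log (the record format, the event names such as `vendor_bank_change`, and the `verified_by_callback` field are all assumptions) and flags the high-risk activities the post names, escalating a bank-detail change that was not verified out of band or that follows a login from a new device by the same person.

```python
"""Added example: flag high-risk vendor changes in a constructed audit log.

The log format and event names below are hypothetical; a real accounting or
payment platform would export its own audit trail in its own shape.
"""
from datetime import datetime, timedelta

# Events the post singles out as high-risk: new vendors, one-off payments,
# and changes to an existing vendor's payment details.
HIGH_RISK_EVENTS = {"vendor_bank_change", "vendor_created", "one_off_payment"}

# Constructed sample audit log (not real data). Each record is
# (ISO timestamp, actor, event, details).
SAMPLE_LOG = [
    ("2024-03-01T09:12:00", "pam", "login", {"device": "known"}),
    ("2024-03-01T09:15:00", "pam", "invoice_approved", {"vendor": "Acme Supplies"}),
    ("2024-03-03T22:41:00", "pam", "login", {"device": "new"}),
    ("2024-03-03T22:47:00", "pam", "vendor_bank_change",
     {"vendor": "Acme Supplies", "verified_by_callback": False}),
    ("2024-03-04T10:05:00", "dan", "vendor_bank_change",
     {"vendor": "Northwind Paper", "verified_by_callback": True}),
    ("2024-03-05T11:00:00", "dan", "vendor_created", {"vendor": "Blue Sky Consulting"}),
]


def find_high_risk_events(log, window=timedelta(hours=24)):
    """Return one finding per flagged event, in chronological order.

    Rules:
      1. Every high-risk event is reported for second-person review.
      2. A bank-detail change with no recorded out-of-band verification
         (e.g. a phone call to a known number) is escalated.
      3. A high-risk event within `window` of a login from a new device by
         the same actor is escalated as possible account compromise.
    """
    last_new_device_login = {}  # actor -> time of most recent new-device login
    findings = []
    for ts_str, actor, event, details in sorted(log, key=lambda r: r[0]):
        ts = datetime.fromisoformat(ts_str)
        if event == "login" and details.get("device") == "new":
            last_new_device_login[actor] = ts
            continue
        if event not in HIGH_RISK_EVENTS:
            continue

        vendor = details.get("vendor", "?")
        reasons = [f"{event} for {vendor} requires second-person review"]
        severity = "review"

        if event == "vendor_bank_change" and not details.get("verified_by_callback"):
            reasons.append("bank details changed without out-of-band verification")
            severity = "escalate"

        recent = last_new_device_login.get(actor)
        if recent is not None and ts - recent <= window:
            reasons.append(f"within {window} of a login from a new device")
            severity = "escalate"

        findings.append({
            "time": ts_str, "actor": actor, "event": event,
            "vendor": vendor, "severity": severity, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_high_risk_events(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['time']} {f['actor']}: " + "; ".join(f["reasons"]))
```

On the sample log this reports three findings: the Acme Supplies change is escalated on both counts (unverified, and six minutes after a new-device login), while the verified Northwind Paper change and the new Blue Sky Consulting vendor are simply queued for review. The point of the "review" tier is that even a legitimate change gets a second pair of eyes before the next payment posts, which is the window in which this fraud is still recoverable.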
Impersonating trusted business partnerships can be an easy way to defraud a business. Luckily, preventing it isn’t hard. Had your payments diverted? Drop us a line.