Both individuals and organizations can fall victim to third-party email compromise fraud, also known as Business Email Compromise (BEC). In 2018, third-party email compromise incidents resulted in $1.3 billion in losses. Fraudsters often target third parties you work with in an attempt to redirect payments to their accounts. Third-party email compromise fraud occurs when fraudsters exploit trusted relationships between you, your business, and vendors or third-party service providers. They may compromise the third party’s email system and send genuine-looking invoices to deceive you or your business.

To help reduce the risk of third-party email compromise fraud, consider the best practices below:

1. Consider implementing an approval strategy within your organization for larger invoices.

2. Establish a designated point of contact at the third party or vendor to whom you or your business makes regular payments; raise all invoice issues and concerns with this person.

3. Verbally confirm the banking details with the third party before the payment is initiated; verbally inform the vendor or supplier after an invoice has been paid, and request confirmation of payment.

  • Ensure employees responsible for processing payments remain vigilant for changes to payment instructions.
  • Be vigilant for spoofed emails that appear to be from a known and trusted source. Fraudsters can spoof a sender by modifying the header in a malicious email to pose as a trusted sender; for example, @deancoLLC.com can appear similar to a known vendor, @cleancoLLC.com.
  • Periodically review your accounts for unauthorized activity, and report fraudulent charges or withdrawals immediately.

4. Protect your personal and business information.

  • Fraudsters often conduct extensive online and offline research to identify vendors and third parties with whom you work.
    • Consider removing extraneous information from your website, social media and other publicly available materials.
    • Be prudent in what you share about your role and responsibilities via social media.
    • Never leave sensitive material such as invoices, account information and client data unattended.
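The lookalike-sender check from step 3, sketched as a screening function for an accounts-payable mailbox. This is an added example, not part of the original advisory; the vendor allow-list, the confusable-character table and the distance threshold are assumptions to adapt to your own vendors.

```python
from email.utils import parseaddr

# Constructed allow-list (assumption): domains of vendors you actually pay.
TRUSTED_DOMAINS = {"cleancollc.com"}

# Character sequences that read like another letter at a glance (assumed table).
CONFUSABLES = (("0", "o"), ("1", "l"), ("cl", "d"), ("rn", "m"), ("vv", "w"))


def skeleton(domain):
    """Collapse visually confusable sequences so lookalikes compare equal."""
    for seq, repl in CONFUSABLES:
        domain = domain.replace(seq, repl)
    return domain


def edit_distance(a, b):
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, max_distance=2):
    """Return (verdict, matched_vendor_domain) for a From header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rpartition("@")[2].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    for vendor in sorted(TRUSTED_DOMAINS):
        # Near-miss of a vendor domain: same visual skeleton or a few edits away.
        if (skeleton(domain) == skeleton(vendor)
                or edit_distance(domain, vendor) <= max_distance):
            return ("lookalike", vendor)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in ('"Cleanco Billing" <ap@deancoLLC.com>', "ap@cleancoLLC.com"):
        print(hdr, "->", check_sender(hdr))
```

A message that spoofs the exact vendor domain in its header returns "trusted" here, so this check supplements the verbal confirmation of banking details in step 3 rather than replacing it.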

We can help

If you believe you or your business have been a victim of third-party email compromise fraud, speak with your J.P. Morgan team member immediately.