Both individuals and organizations can fall victim to third-party email compromise fraud, also known as Business Email Compromise (BEC). In 2018, third-party email compromise incidents resulted in $1.3 billion in losses. Fraudsters often target third parties you work with in an attempt to redirect payments to their accounts. Third-party email compromise fraud occurs when fraudsters exploit trusted relationships between you, your business, and vendors or third-party service providers. They may compromise the third party’s email system and send genuine-looking invoices to deceive you or your business.
To help reduce the risk of third-party email compromise fraud, consider the best practices below:
1. Consider implementing an approval strategy within your organization for larger invoices.
2. Establish a designated point of contact at the third party or vendor to whom you or your business makes regular payments; raise all invoice issues and concerns with this person.
3. Verbally confirm the banking details with the third party before the payment is initiated; verbally inform the vendor or supplier after an invoice has been paid, and request confirmation of payment.
- Ensure employees responsible for processing payments remain vigilant for changes to payment instructions.
- Be vigilant for spoofed emails that appear to be from a known and trusted source. Fraudsters can modify the header of a malicious email to pose as a trusted sender; for example, @deancoLLC.com can appear similar to a known vendor, @cleancoLLC.com.
- Periodically review your accounts for unauthorized activity, and report fraudulent charges or withdrawals immediately.
4. Protect your personal and business information
- Fraudsters often conduct extensive online and offline research to identify vendors and third parties with whom you work.
- Consider removing extraneous information from your website, social media and other publicly available materials.
- Be prudent in what you share about your role and responsibilities via social media.
- Never leave sensitive material such as invoices, account information and client data unattended.
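The lookalike-domain case in the spoofing bullet above (@deancoLLC.com posing as @cleancoLLC.com) can be screened for automatically before an invoice reaches the payments team. The following is an added example, not part of the original advisory; the vendor allow-list, the confusable-character table, the distance threshold and the function names are assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list: domains of vendors you actually pay (assumption).
KNOWN_VENDOR_DOMAINS = {"cleancollc.com"}

# Character sequences that are easily misread as another (illustrative, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def skeleton(domain):
    """Collapse visually confusable sequences so lookalikes compare equal."""
    s = domain.lower()
    for seq, repl in CONFUSABLES:
        s = s.replace(seq, repl)
    return s

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, known=KNOWN_VENDOR_DOMAINS, max_distance=2):
    """Return (verdict, matched_vendor_domain) for a From header value."""
    _, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    domain = domain.lower()
    if not at or not domain:
        return ("unparseable", None)
    if domain in known:
        return ("known", domain)  # exact match on the domain only, not proof of authenticity
    for vendor in sorted(known):
        near = edit_distance(domain, vendor) <= max_distance
        if near or skeleton(domain) == skeleton(vendor):
            return ("lookalike", vendor)  # hold for manual review
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample headers.
    for header in ['"Accounts" <billing@deancoLLC.com>', "ar@cleancoLLC.com"]:
        print(header, "->", classify_sender(header))
```

A "known" verdict only means the domain matches the allow-list; an invoice sent from a vendor's compromised mailbox will carry the genuine domain, so verbal confirmation of banking details still applies.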
We can help
If you believe you or your business have been a victim of third-party email compromise fraud, speak with your J.P. Morgan team member immediately.