Knowledge, Callbacks and Prenotes. Oh My!
Your best defense against the circus of Business E-mail Compromise
If business e-mail compromise (BEC) feels like a three-ring circus, that’s because it is. There are acrobats (hackers slipping past defenses), clowns (fraudsters in disguise) and ring masters (threat actors timing and directing the show). But unlike the big top, this circus isn’t entertaining – it’s costly, disruptive and extremely dangerous.
The good news? With the proper defenses, your organization doesn’t have to be taken in by the show!
The Clown: Fraudsters disguise themselves, impersonating executives, vendors, customers and even co-workers with convincing e-mails designed to trick staff into sending money or revealing sensitive details, such as who can send wires and who is out of the office.
The Magician: Using sleight of hand, fraudsters intercept and alter legitimate invoices or make subtle changes to e-mail domains, hoping the changes slip past an overworked employee.
The Ring Master: Timing is everything when putting on a good show. Sometimes the ring master preys on urgency – you receive a call saying your payment is late and no more product will ship until it’s resolved. Other times, they lie in wait for the right time to strike – the boss’s e-mail has a sudden influx of activity about a new property purchase, which is just the opening a fraudster needs to swoop in and find wire instructions to alter.
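The Magician's domain trick lends itself to an automated check that runs before a human ever reads the invoice. The Python below is an added illustration, not code from the original article: it canonicalises the sender's domain (lower-case, strip accents, map digits and Cyrillic letters that pass for Latin ones, collapse "rn" to "m", drop separators) and compares it with a vendor allowlist using an edit-distance threshold, also catching a known domain buried inside a longer one. The vendor list, the confusables table and the sample addresses are all constructed for the example; a real deployment would read the allowlist from the vendor master file and extend the confusables from the Unicode confusables table.

```python
import unicodedata

# Constructed vendor allowlist for the example (assumption, not from the page).
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northwind.co", "contoso.com"}

# Partial confusables map, chosen for the example: digits that read as letters
# and Cyrillic letters that render identically to Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "9": "g",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0455": "s",  # Cyrillic dze
    "\u0456": "i",  # Cyrillic i
})


def canonical(domain: str) -> str:
    """Reduce a domain to the form a human eye would see: lower-case, no
    accents, confusables mapped to Latin, 'rn' collapsed to 'm', no dots or
    hyphens. Both sides of every comparison go through this function."""
    d = domain.strip().lower().rstrip(".")
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.translate(CONFUSABLES)
    d = d.replace("rn", "m")  # "acrne" looks like "acme" in most fonts
    return d.replace("-", "").replace(".", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer, two rows of memory)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS, max_distance: int = 2):
    """Return (verdict, nearest_known_domain).

    "known"     exact match with an allowlisted vendor domain
    "lookalike" within max_distance edits of a vendor domain after
                canonicalisation, or a vendor domain embedded in a longer one
    "unknown"   nothing close; route through the normal new-vendor process
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        return "known", domain
    c = canonical(domain)
    best, best_dist = None, None
    for k in known:
        ck = canonical(k)
        # A vendor domain used as a subdomain of an attacker domain
        # ("contoso.com.invoice-portal.net") is treated as distance 0.
        d = 0 if ck in c else edit_distance(c, ck)
        if best_dist is None or d < best_dist:
            best, best_dist = k, d
    if best_dist is not None and best_dist <= max_distance:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders illustrating each trick.
    for addr in ["ap@acme-supply.com", "ap@acrne-supply.com", "billing@c0ntoso.com",
                 "ap@northwind.com", "ceo@contoso.com.invoice-portal.net",
                 "ap@\u0441ontoso.com", "someone@example.org"]:
        print(f"{addr:40} -> {classify_sender(addr)}")
```

A "lookalike" verdict is a reason to hold the payment and run the callback, not a reason to reject outright: vendors do occasionally change domains, and the callback to a number already on file settles it either way.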
Knowledge: Like the spotlight in the big top, knowledge is the keystone to a solid defense against fraud. Employees cannot defend against threats they don’t know exist. A robust education program is essential.
Callbacks: They say never judge a book by its cover, and when it comes to BEC, you should never judge a request based on who sent it, how they sent it or how urgent the request is. It may look like a duck, quack like a duck, and it might really be a duck – but it might also be a Trojan horse.
A callback – the process of verbally verifying a request with a trusted contact – is the safety net that protects your business from a fall.
Prenotes: Think of testing new payment instructions as a dress rehearsal. Like performers practicing their routines before the real show begins, a prenote – a $0 test entry sent through the ACH network before issuing a live payment – confirms that the routing and account numbers are valid and that the receiving bank will accept entries to that account. Be clear about what it does not confirm: a prenote does not verify the name of the account holder, so an account opened by a fraudster accepts one just as readily as your vendor's does. It catches keying errors and closed accounts; the callback is what catches the impostor. Learn more about the prenote’s role in preventing BEC fraud.
Educate your employees.
Employees need to know the risks associated with sending money and understand that it is OK to be suspicious. QUESTION EVERYTHING when it comes to sending money!
A written BEC policy is your pre-show plan, clearly articulating your expectations for all staff. Organizational leaders must understand and adhere to these policies, too – making yourself unreachable during a round of golf or scolding an employee for calling while you’re on vacation puts pressure on employees to break protocol.
Get Started - These sample BEC policies may provide a solid foundation and helpful reference as you develop your BEC policy: Sample General Business; Sample from Google AI; Sample from FRSecure.
Verify before you buy.
When sending money to a third party for the first time or receiving new payment instructions from an existing trade partner, always verify by calling a number you already have on file (from the original contract, a prior invoice or your vendor master record). Never take the e-mail or voicemail at face value, and never call a phone number supplied in the e-mail, invoice or letter that carries the new instructions, since the fraudster will have staffed it.
Trust procedures, not pressure.
Your BEC policy should outline how to handle urgent payment requests. If nothing your business does is ever urgent, a sudden demand should be a red flag to employees that something is wrong and they need to slow down. If, however, urgent payments are the norm, establish a simple routine for secondary authentication, such as a text message or a call that the employee places to the approver on a known number (never a call back to whoever made the request). For extra protection against deepfakes, consider a code word for voice confirmations.
Prenotes should be a required step in your payment procedures. They catch keying errors and invalid or closed accounts before real money is at stake, and, paired with the callback, they give fraudulent instructions a second chance to be caught.
Finally, no BEC policy is complete without clear steps for responding should the unthinkable happen and a fraudster gets through all your defenses. Like a well-trained acrobat who slips from the bar, you have to lean into, learn from and recover from the mistake. The first two calls are to your bank, to request a recall of the funds, and to law enforcement (in the U.S., the FBI’s IC3), because the odds of recovery fall with every hour. You will recover faster when following the plan. Time lost to panic is the fraudster’s best ally.
BEC scams thrive on theatrics – disguise, urgency and manipulation. But a proactive plan built on knowledge, callbacks and prenotes can block the fraudster’s act, keeping the circus under the big top and out of your inbox!