BEC & Phishing Attacks on Merchants

Prerequisites

Before diving into BEC/phishing, understand:

Most fraud content focuses on customers defrauding merchants. BEC and phishing flip the script: fraudsters target your employees, your vendors, and your payment operations directly. These attacks bypass your fraud rules because they manipulate people, not payment systems.

CP vs CNP

BEC and phishing attacks are not channel-specific. They target your back-office operations regardless of whether you're CP or CNP. Wire fraud, payroll redirect, and vendor impersonation work the same whether you run retail stores or an e-commerce site.

What Makes BEC Different

| Traditional Payment Fraud | BEC/Phishing |
|---|---|
| Fraudster uses stolen card | Fraudster impersonates trusted party |
| Hits your checkout | Hits your email/phone |
| Blocked by fraud rules | Bypasses fraud rules entirely |
| Customer disputes afterward | You authorize the payment yourself |
| Chargeback possible | Wire is irrevocable |

The key difference: In BEC, you authorize the payment. There's no chargeback, no dispute, no fraud rule that triggers. You voluntarily sent money to a fraudster.


The Attack Types

1. Vendor Invoice Fraud

How it works:

  1. Fraudster monitors your vendor relationships (via breach, social engineering, or public info)
  2. Creates convincing fake invoice from known vendor
  3. Includes "updated banking information" for payment
  4. You pay the invoice to the fraudster's account
  5. Real vendor calls asking where payment is

Red flags:

  • "Updated bank account" or "new payment details"
  • Urgency: "Please update before next payment run"
  • Email address slightly off (vendorname@vendor-inc.com vs vendor@vendor.com)
  • Invoice format differs from usual
  • Request to not call usual contact to verify

Scale callout: At $500K+ in vendor payments monthly, you're a target. The more vendors you pay, the larger your attack surface.

2. CEO/Executive Impersonation

How it works:

  1. Fraudster researches your executive team (LinkedIn, website, press)
  2. Creates spoofed email or compromises executive's account
  3. Sends urgent request to finance: "Wire $47,000 to this account for confidential acquisition"
  4. Emphasizes urgency, secrecy, and bypassing normal process
  5. Employee complies to avoid seeming unresponsive

Common scenarios:

  • Fake M&A deals ("confidential, don't discuss with team")
  • Emergency vendor payments ("need this today")
  • Gift card requests ("buy $2,000 in gift cards for client appreciation, send codes to me")
  • Payroll adjustments ("add this contractor to next payroll run")

Red flags:

  • Request to bypass normal approval process
  • Unusual urgency
  • Request for gift cards (always a scam)
  • Emphasis on secrecy
  • Sender is traveling or "in meetings all day"

3. Employee Payroll Redirect

How it works:

  1. Fraudster impersonates employee via email
  2. Requests HR/payroll change direct deposit to new account
  3. Employee's next paycheck goes to fraudster
  4. Real employee reports missing pay

Red flags:

  • Email-only request (no phone confirmation)
  • New email address or slightly altered sender
  • Request shortly before payroll run
  • Employee recently promoted or transferred (more plausible reason for changes)

4. Credential Phishing

How it works:

  1. Employee receives email appearing to be from legitimate service (payment processor, bank, internal system)
  2. Link goes to convincing fake login page
  3. Employee enters credentials
  4. Fraudster now has access to your payment systems

Targets:

  • Processor admin portals
  • Banking platforms
  • Accounting software (QuickBooks, NetSuite)
  • Internal expense systems
  • Payroll platforms

Red flags:

  • Unexpected login prompts
  • URL doesn't match legitimate domain (paypa1.com, stripe-login.net)
  • Request to re-enter credentials for "security verification"
  • Threats of account suspension
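The red flags listed for the four attack types above can be checked mechanically on mail reaching finance or payroll inboxes. The following is an added example, not part of the original page: a small scorer that flags lookalike sender domains (vendor-inc.com against vendor.com, paypa1 against paypal) and the content cues from the lists above (banking-detail changes, urgency, gift cards, secrecy or discouraging verification). The trusted-domain set, pattern list and sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: your own domain plus the vendor domains your AP team pays.
TRUSTED_DOMAINS = {"yourco.example", "vendor.com"}

# One pattern per content red flag from the lists above.
CONTENT_FLAGS = {
    "asks to change banking/payment details":
        r"\b(updated? (bank|banking|payment) (account|details|information)|new (payment|bank) details|direct deposit)\b",
    "urgency language": r"\b(urgent|immediately|today|asap|before (the )?next payment run)\b",
    "gift card request": r"\bgift cards?\b",
    "secrecy or discourages verification": r"\b(confidential|(do not|don't) (call|contact|discuss))\b",
}

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates (vendor-inc.com -> vendor.com, paypa1 -> paypal), else None."""
    if domain in trusted:
        return None
    label = domain.split(".")[0]
    for t in trusted:
        base = t.split(".")[0]
        one_char_off = len(label) == len(base) and sum(a != b for a, b in zip(label, base)) == 1
        if base in label or one_char_off:
            return t
    return None

def score_email(raw, trusted=TRUSTED_DOMAINS):
    """Return the red flags raised by one RFC 822 message with a plain-text body."""
    msg = message_from_string(raw)
    sender_dom = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    text = msg.get("Subject", "") + "\n" + str(msg.get_payload())
    flags = []
    look = lookalike_of(sender_dom, trusted)
    if look:
        flags.append(f"sender domain {sender_dom} resembles trusted domain {look}")
    flags += [name for name, pat in CONTENT_FLAGS.items() if re.search(pat, text, re.I)]
    return flags

# Constructed sample: the vendor-invoice scenario described above.
SAMPLE_INVOICE = """\
From: Accounts <billing@vendor-inc.com>
Subject: Invoice 2231 - updated banking information

Please update our records before next payment run. Do not call the usual contact.
"""

if __name__ == "__main__":
    print(score_email(SAMPLE_INVOICE))
```

A hit is a reason to run the callback verification from the prevention section, not proof of fraud; legitimate vendors do occasionally change banks.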

The Numbers

| Attack Type | Median Loss | Recovery Rate |
|---|---|---|
| Vendor invoice fraud | $125,000 | 30% |
| CEO fraud | $75,000 | 25% |
| Payroll redirect | $8,000 | 40% |
| Credential phishing | Varies | N/A (data theft) |

FBI IC3 2023 data: BEC caused $2.9 billion in reported losses, making it the highest-loss category of internet crime. Actual losses are higher since many attacks go unreported.


Prevention Framework

Layer 1: Process Controls

| Control | What It Does |
|---|---|
| Dual approval for wires | Two people must approve wire transfers |
| Callback verification | Call vendor at known number (not from email) before changing payment details |
| Out-of-band confirmation | Verify unusual requests via different channel (call, Slack, in-person) |
| Payment change freeze | 48-hour delay on banking detail changes |
| No gift card policy | Never buy gift cards for "business purposes" via email request |

Layer 2: Technical Controls

| Control | What It Does |
|---|---|
| Email authentication (DMARC/DKIM/SPF) | Harder to spoof your domain |
| External email banners | "[EXTERNAL]" warning on emails from outside organization |
| Link protection | Rewrite URLs to check reputation |
| MFA on all financial systems | Stolen password alone isn't enough |
| Conditional access | Block logins from unusual locations/devices |

Layer 3: Training

| Focus Area | Key Points |
|---|---|
| Recognize urgency manipulation | Legitimate requests can wait for verification |
| Verify before trusting | Call known numbers, not numbers from the suspicious email |
| Report, don't ignore | Better to report a legitimate email than miss an attack |
| Gift cards = fraud | No legitimate business request involves gift card codes via email |

Test to Run

30-day exercise:

  1. Audit your wire process - How many approvals required? Who can approve? What verification happens?
  2. Review vendor payment changes - Check last 6 months. Were all verified via callback?
  3. Check email security - Is DMARC enforced? Are external email banners on?
  4. Run a phishing test - Send simulated phishing email to finance team. Measure click rate.

Success criteria: Zero single-approval wires. 100% callback verification on payment changes. Under 10% phishing click rate.
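Step 3 of the exercise ("Is DMARC enforced?") and the email-authentication row of the Layer 2 table come down to what your published TXT records actually say. The following is an added example, not part of the original page: it evaluates DMARC and SPF record strings for enforcement posture (p=none and partial pct= are monitoring, not enforcement; ~all is a soft fail that does not by itself reject spoofed mail). The records are constructed strings, not real DNS data; fetching the live records is left to your DNS tooling.

```python
import re

def parse_dmarc(txt):
    """Split a _dmarc TXT record into a tag dict; {} if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v") == "DMARC1" else {}

def dmarc_posture(txt):
    """Return (enforced, findings). Enforced = p=reject/quarantine on 100% of mail,
    with subdomains not weakened by sp=none (sp defaults to p when absent)."""
    tags = parse_dmarc(txt)
    if not tags:
        return False, ["no valid DMARC record: receivers have no policy for spoofed mail"]
    findings = []
    p = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    sp = tags.get("sp", p)
    if p == "none":
        findings.append("p=none is monitoring only; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if sp == "none" and p != "none":
        findings.append("sp=none leaves subdomains spoofable")
    if "rua" not in tags:
        findings.append("no rua= address, so you get no aggregate reports on who spoofs you")
    return p in ("reject", "quarantine") and pct == 100 and sp != "none", findings

def spf_posture(txt):
    """Return (enforced, finding) for an SPF record: only -all hard-fails unlisted senders."""
    if not txt.startswith("v=spf1"):
        return False, "no SPF record"
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt)
    if not m:
        return False, "no 'all' mechanism; unlisted senders are treated as neutral"
    qual = m.group(1) or "+"
    meaning = {"-": "hard fail (-all)", "~": "soft fail (~all): delivery is left to the receiver/DMARC",
               "?": "neutral (?all)", "+": "+all authorizes every sender"}
    return qual == "-", meaning[qual]

# Constructed records for illustration, not real DNS data.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@yourco.example"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourco.example"
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example ~all"
STRONG_SPF = "v=spf1 include:_spf.mailprovider.example -all"
```

Run the same checks against the subdomains finance actually sends from (invoicing, payroll portals), since a reject policy on the apex with sp=none still leaves those spoofable.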


Response Playbook

If You Sent a Wire

The first 30 minutes are critical. Wire recovery success drops sharply after the first hour.

  1. Call your bank immediately (not email, not chat - phone)
  2. Request wire recall
  3. Provide fraudulent account details
  4. File FBI IC3 complaint (ic3.gov)
  5. Notify law enforcement
  6. Document everything

Recovery odds:

  • Within 24 hours: 30-40% partial recovery
  • Within 72 hours: 10-20%
  • After 1 week: under 5%

If Credentials Were Compromised

  1. Reset all affected passwords
  2. Revoke active sessions
  3. Enable MFA if not already on
  4. Review access logs for unauthorized activity
  5. Check for unauthorized transactions, payment changes, or new users
  6. Notify affected vendors/customers if their data was exposed

Where This Breaks

Remote/distributed teams: Harder to verify in person. "Just call them" doesn't work when you've never met the person. Build verification processes that work remotely.

High employee turnover: New employees don't know what's normal. Onboarding must include security training and clear escalation paths.

Vendor-heavy operations: More vendors = more attack surface. The plumber who invoices you once doesn't have sophisticated security. Fraudsters know this.

Executive override culture: If executives routinely bypass approval processes, employees learn to comply with "urgent" requests. Culture must support verification.


Scale Callout

| Business Size | Focus |
|---|---|
| Under $1M revenue | Basic controls: dual approval on wires, external email banners, no gift card policy |
| $1M-$10M revenue | Add callback verification, DMARC enforcement, phishing training |
| Over $10M revenue | Dedicated security awareness program, regular phishing simulations, vendor security assessments |

Next Steps

Setting up defenses?

  1. Implement dual approval for all wire transfers - Single point of failure is unacceptable
  2. Add external email banners - Simple, immediate impact
  3. Train finance team on verification - Callbacks to known numbers

Already been targeted?

  1. Review the attack for lessons - What failed?
  2. Update processes - Close the gap that was exploited
  3. Share anonymized details with industry peers - They're targets too

Building security culture?

  1. Run phishing simulations - Measure, don't assume
  2. Reward reporting - Make "I almost fell for this" a positive
  3. No blame for verification delays - Better slow and safe than fast and defrauded