The Twelve Frauds of Christmas – Payment Diversion Fraud

James Hubner

Gary Warner

Payment Diversion Fraud is a type of fraud in which criminals target an individual to divert payments to criminal-controlled bank accounts. This is typically accomplished through Business Email Compromise (BEC), which targets companies via their email communications in order to obtain financial gain or company information. Phishing emails related to BEC scams often begin with a malicious actor emailing a company employee while pretending to be a customer, coworker, manager, or another associated company. The criminal will attempt to gain the employee’s trust before trying to obtain payment or company information of some kind from the victim. These emails often ask for financial payment in the form of wire transfers, invoice notices, gift card purchases, and more. Criminals may also gain access to the business network via malware downloaded from a file they shared with the victim, or simply by obtaining an employee’s credentials through social engineering. Once the criminal has accessed the business network and systems, they can also create malicious mail forwarding rules that let them keep receiving the victim’s email communications even after the employee changes their password. With this additional access, threat actors have inside information about their target which they can use to appear more legitimate when communicating with a potential victim.

FBI Safety Resource: Business Email Compromise 

Threat actors use a variety of techniques to make their BEC emails appear legitimate. They may spoof the company’s domain or use look-alike domains to make the email appear to be from a trusted source. They may also research the company and its employees online and on places like LinkedIn to find new hires or employees in finance or HR, who may be more likely to fall for the scam. By targeting these individuals, the attackers can increase their chances of success and steal sensitive information or money from the company.

BEC attacks often target new employees who may be eager to impress and willing to help with tasks that may seem mundane or routine. For example, an attacker may pose as a boss or manager and ask for help logging into an account, or request changes to billing information or payment addresses. In some cases, attackers may even ask for gift cards to help them out of a supposed “sticky situation,” such as a lost card or wallet. New employees may be more likely to fall for these scams, as they are eager to show that they are valuable members of the team.

While all forms of BEC are still active, from “the boss wants you to buy gift cards” to “the CEO wants you to wire this money urgently,” the greatest losses are currently in the form of Invoice Redirection Fraud. The most common form is that a trusted business partner, such as a vendor or contractor with whom you have an ongoing relationship, informs your financial department that they have a new bank account and need their regular payments to be credited to the new account. They will often do so while replying to an email that their victim sent, and may refer to things that could only be known by the vendor or contractor. The credibility factor is very high because of this. How could they possibly know so much about your business dealings?

They are reading your email.  Or in most cases, the email of your contractor or vendor. 

Consider the case below. An employee of a small business clicked on a phishing email that allowed the criminals to create EMAIL FORWARDING RULES in his email application.  Even after the employee realized he had been phished and changed his password, because he was unaware of the forwarding rules, the criminals were still able to receive emails containing the words “wire transfer,” “wire instructions,” “payment,” and “invoice.”  This allowed the criminals to intercept emails containing banking and payment information, and then by spoofing the company’s domain, correspond with customers or vendors to redirect their payments.

Screenshot of actual forwarding rules created by BEC criminal
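To catch forwarding rules like the ones in the screenshot, an administrator can audit every mailbox’s rules for the combination the case above shows: forwarding to an address outside the organisation, filtering on payment-themed keywords, and deleting or marking as read the forwarded copy so the owner never sees it. The following is an added example, not part of the original post; it runs over a constructed rule export whose field names are assumed, not the output format of any particular mail platform:

```python
import json
import re

# Constructed sample export of a mailbox's inbox rules. The field names are an
# assumed, simplified shape, not the output format of any particular mail system.
SAMPLE_RULES_JSON = """
[
  {"name": "Payments", "enabled": true,
   "subject_or_body_contains": ["wire transfer", "wire instructions", "payment", "invoice"],
   "forward_to": ["billing-updates@example.net"], "delete_message": true, "mark_as_read": true},
  {"name": "Newsletters", "enabled": true, "subject_or_body_contains": ["newsletter"],
   "forward_to": [], "move_to_folder": "Newsletters", "delete_message": false, "mark_as_read": false},
  {"name": "Copy to personal", "enabled": true, "subject_or_body_contains": [],
   "forward_to": ["me.personal@example.org"], "delete_message": false, "mark_as_read": false}
]
"""

INTERNAL_DOMAINS = {"example.com"}   # the organisation's own mail domains (assumed)
PAYMENT_WORDS = {"wire", "payment", "invoice", "bank", "ach", "remittance", "swift", "iban"}


def _is_external(addr, internal_domains):
    """True when the forwarding target is outside the organisation's domains."""
    return addr.rsplit("@", 1)[-1].lower() not in internal_domains


def audit_inbox_rules(rules_json, internal_domains=INTERNAL_DOMAINS):
    """Return [(rule_name, score, reasons)] for enabled rules that deserve a human
    look, highest score first. The score counts independent BEC indicators:
    external forwarding, a payment-themed keyword filter, and hiding the mail."""
    findings = []
    for rule in json.loads(rules_json):
        if not rule.get("enabled", True):
            continue
        reasons = []
        external = [a for a in rule.get("forward_to", []) if _is_external(a, internal_domains)]
        if external:
            reasons.append("forwards to external address: " + ", ".join(external))
        filter_text = " ".join(rule.get("subject_or_body_contains", [])).lower()
        hits = sorted(w for w in PAYMENT_WORDS if re.search(r"\b" + w + r"\b", filter_text))
        if hits:
            reasons.append("filters on payment keywords: " + ", ".join(hits))
        if rule.get("delete_message") or rule.get("mark_as_read"):
            reasons.append("hides forwarded mail from the mailbox owner (delete / mark as read)")
        if reasons:
            findings.append((rule["name"], len(reasons), reasons))
    return sorted(findings, key=lambda f: -f[1])
```

Any rule scoring 3 matches the pattern in the case above and should be reviewed with the mailbox owner; a score of 1 for an external forward is worth a look on its own in finance and HR mailboxes.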

It isn’t only the Finance and Accounting departments that are targeted.  Human Resources (HR) employees may not be directly involved in the transfer of money, but they can still be targeted for documents about employees, including tax statements, forms, and PII such as addresses, phone numbers, and Social Security numbers. This information can be used for a variety of purposes, including identity theft and fraud.

FBI May 2022 – BEC: The $43 Billion Scam

In 2021, the IC3 indicated BEC fraud had the most financial losses compared to all other computer-related crimes. Business Email Compromise caused over $2.39 Billion in losses, even though BEC crimes were only the 9th most common internet crime type reported by victims.

FBI Internet Crimes Report 2021 Page 22-23

Charts: BEC losses per IC3 data; number of BEC victims.

Most large companies require regular information security training, which typically includes information about phishing.  Since phishing emails can be difficult to spot, it is important you know what to look for. When you do, phishing emails become much easier to identify.

Here are a few tips for spotting phishing emails:

  • Check the sender’s email address to make sure it is from the person or organization it claims to be from.
  • Be suspicious of any email that asks for personal or confidential information, such as your password or bank account details.
  • Look closely at the hyperlinks in the email. They may use a domain that looks similar to the actual domain in order to trick you into visiting a fake website.
  • If you’re unsure about the legitimacy of an email from someone unknown to you, reach out to your management or IT security team. In instances where emails pose as known contacts, you can reach out to that contact via a secondary contact method to verify the email.
  • If a customer or vendor requests payment in a different format or to a different account than they have historically used, always verify the change by calling their published number – not the number provided in the email requesting the change.
  • Trust your instincts. If anything about the email seems off or suspicious, it’s better to be safe and reach out through a secondary contact method to confirm the email.
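The sender-address and vendor-change tips can be partly automated in the finance mailbox: keep an allow-list of the vendor domains you actually pay and compare each sender domain against it, folding the look-alike tricks (digit-for-letter swaps, Cyrillic letters, dropped hyphens, the real domain embedded as a sub-label of a different domain) before comparing. The following is an added example written for this post, not code from the authors; the vendor list is constructed:

```python
import unicodedata

# Constructed allow-list of vendor domains the finance team already pays (assumed).
KNOWN_VENDOR_DOMAINS = ["acme-supplies.com", "northwind.co", "contoso.com"]

# Characters commonly swapped for look-alikes, mapped back to the letter they imitate.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"})
_DIGRAPHS = (("rn", "m"), ("vv", "w"))


def normalize_domain(domain):
    """Fold case, Unicode compatibility forms, homoglyphs and hyphens so that
    visually similar domains collapse to the same string."""
    d = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    d = d.translate(_HOMOGLYPHS).replace("-", "")
    for pair, letter in _DIGRAPHS:
        d = d.replace(pair, letter)
    return d


def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, known=KNOWN_VENDOR_DOMAINS, max_distance=2):
    """Return ("known", domain), ("look-alike", imitated_domain) or ("unknown", None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in known:
        return ("known", domain)
    nd = normalize_domain(domain)
    for k in known:
        nk = normalize_domain(k)
        # Flag: identical after folding, the real domain used as a leading or inner
        # label (contoso.com.billing-portal.net), or only a couple of edits away.
        embedded = nd.startswith(nk + ".") or ("." + nk + ".") in nd
        if nd == nk or embedded or edit_distance(nd, nk) <= max_distance:
            return ("look-alike", k)
    return ("unknown", None)
```

A "look-alike" verdict on a message that also asks for new bank details is exactly the case where the published phone number, not the number in the email, settles it.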