The Psychology of Payment Fraud

Fraudsters impersonate vendors and colleagues by phone and email, abusing our trusting natures and the lack of established norms and processes.

Just last month, a small company quickly lost $7,000 to payment fraud. What's noteworthy isn't that it happened—Business Email Compromise is a billion-dollar drain on our economy—but how it occurred. The attack didn't involve sophisticated technical exploitation. Instead, the fraudster emailed the company's accountant, impersonating a vendor, and requested a payment for license renewals.

Understanding the Vulnerability

It's late Friday afternoon. You receive a call from someone identifying themselves as a member of the finance department. They explain that a critical vendor payment needs updating immediately. Shortly after, you receive a legitimate-looking email with "updated" account details. Under pressure to complete end-of-week tasks, you process the change.

This simple sequence represents how most payment fraud succeeds—by targeting human decision-making rather than technical systems.

“Social Engineering” (Someone is Lying to You)

When perpetrating payment fraud, whether through wire transfers or ACH payments, fraudsters employ calculated psychological tactics.

Real-Life Payment Fraud Tactics to Watch For

ACH Redirect Scams

"Hi, this is John from Vendor X. We've updated our banking details for ACH payments. I'll send you an email with the new information. Could you update it in your system for our next payment?"

Executive Impersonation

Phone rings: "This is Melissa from the CEO's office. She's in an emergency board meeting but needs you to process this ACH payment right away. She said you'd understand the urgency. I'll email you the details now."

Vendor Impersonation

Phone rings: "This is Jason from Vendor A. Your license is expiring soon and I’ll help you process the ACH payment to prevent interruption. I'll email you the details now."

Fake Invoice Updates

An email arrives that looks exactly like your regular vendor communications: "Please note: Our banking details have changed. Please update your records for all future payments. See attached invoice with new payment instructions."

Effective Countermeasures (Trust, But Verify)

The most effective defense against payment fraud is not necessarily more sophisticated technology, but strategic human interaction:

Verify changes through multiple channels for any payment change request. When someone emails about changes to their banking details, do not respond to that email. Instead, call the requester using contact information from your established records, never using contact details provided in the potentially fraudulent communication.

Establish mandatory dual control for payment information changes. No single employee should have the authority to modify payment routing information without secondary verification.

Utilize video conferencing for verification of significant changes. Visual confirmation significantly reduces the effectiveness of impersonation attempts.

Ways to Verify

Always Verify

  • ANY changes to bank or payment information
  • Financial transactions exceeding established thresholds
  • Requests that bypass normal approval channels
  • Unusual requests for computer access or passwords

Verification Methods

  • Call back on work-registered or public phone numbers. Remember: Caller ID can be easily spoofed
  • Verify that the email address matches previous correspondence exactly
  • For high-value transactions, confirm via phone, get secondary verification, or double-check face-to-face or through video meeting
  • If direct contact is not immediately possible, use challenge questions:
    • Verify details from the last legitimate interaction
    • Request employee or vendor ID plus another identifier
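
The checks above (exact sender match, callback to a number on record, and dual control) can be enforced as a gate in front of any bank-detail change. This is an added example, not part of the original article; the record layout, field names and sample values are hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed vendor master record (sample data, not from the article).
VENDOR_RECORDS = {
    "vendor-x": {"email": "billing@vendorx.example", "phone": "+1 555 0100"},
}

@dataclass
class ChangeRequest:
    vendor_id: str
    sender_email: str              # From address on the change request
    callback_phone: str            # number that was actually dialed to confirm
    entered_by: str                # employee who keyed the change
    approved_by: Optional[str] = None  # second employee, if any

def digits(phone: str) -> str:
    """Strip formatting so '+1 (555) 0100' and '+1 555 0100' compare equal."""
    return re.sub(r"\D", "", phone)

def review(req: ChangeRequest) -> list:
    """Return the reasons a change must be held; an empty list means release."""
    record = VENDOR_RECORDS.get(req.vendor_id)
    if record is None:
        return ["vendor is not in established records"]
    holds = []
    # Whole-address comparison (case-insensitive): a lookalike domain that
    # differs by a few characters must not pass as "close enough".
    if req.sender_email.strip().lower() != record["email"].lower():
        holds.append("sender address does not match previous correspondence")
    # The callback must go to the number on file, never to one in the request.
    if digits(req.callback_phone) != digits(record["phone"]):
        holds.append("callback was not made to the number on record")
    # Dual control: a second, different person has to approve.
    if not req.approved_by or req.approved_by == req.entered_by:
        holds.append("no independent second approval")
    return holds

if __name__ == "__main__":
    suspicious = ChangeRequest("vendor-x", "billing@vendorx-payments.example",
                               "+1 555 0199", entered_by="alice")
    for reason in review(suspicious):
        print("HOLD:", reason)
```
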

When You Receive a Payment Change Request

When someone asks you to change payment information or process an unusual payment, follow these straightforward steps.

  1. Buy yourself time - "Thank you for this request. I'll need to process this through our verification system."
  2. Check for pressure tactics - Is the person creating unnecessary urgency? "This must be done immediately" is often a red flag.
  3. Explain your process - "Our policy requires me to verify all payment changes through our established channels."
  4. Get a second opinion - Consult with a manager or colleague about the request before proceeding.

Any legitimate vendor or colleague will understand why you need to verify payment changes. Anyone who pushes back against verification should be treated with caution.

Information Security Principles

Never Share (over the phone or email)

  • Passwords or account credentials
  • Complete account numbers
  • Social security numbers
  • Protected health or financial information

Trust, But Verify

  • Trust your professional instincts—if a request feels unusual, it warrants additional scrutiny
  • It is better to delay a legitimate transaction than to expedite a fraudulent one
  • Exercise caution about what information you share, particularly when you did not initiate the conversation

Immediate Response Protocol

If you suspect fraudulent payment activity has occurred:

  1. Escalate to a manager. Bring in additional support.
  2. Prioritize immediacy over organizational hierarchy. Time is critical, especially if money has been moved.
  3. Contact your financial institution immediately. Funds may be recoverable if reported promptly.
  4. Document all details of the incident while the information is current.
  5. Notify security personnel and relevant partners with your documented information.

Organization-Wide Responsibility

Payment fraud protection extends beyond finance departments. Fraudsters commonly:

  • Approach administrative and reception personnel to gather organizational intelligence
  • Research employee information through professional networking platforms to craft convincing impersonations
  • Compile fragmented information from multiple sources to create a comprehensive deception

Every employee plays a critical role in maintaining payment security integrity.

Strategic Perspective

Payment fraud—whether perpetrated through wire transfers or ACH systems—should be understood as a challenge in human psychology rather than a technological vulnerability. This understanding necessitates human-centered countermeasures.

Investing a few minutes in verification procedures can prevent significant financial losses and the operational disruption that often follows successful fraud attempts.
