We no longer support this browser. Using a supported browser will provide a better experience.

Please update your browser.

Close browser message

Treasury and Payments

Improve your working capital, reduce fraud and minimize the impact of unexpected disruptions with our treasury solutions—from digital portals to integrated payables and receivables—all designed to make your operations smoother and more efficient.

Learn more about our treasury solutions:

Commercial Real Estate

Get the strategic support to be successful throughout market and real estate cycles with insights, hands-on service, comprehensive financial solutions and unrivaled certainty of execution.

Learn more about our commercial real estate solutions:

International Banking

Global opportunities mean global challenges. But real success means understanding the local markets you serve—which is why we bring the business solutions, insights and market perspective you need. 

Learn more about our international banking solutions:

Cybersecurity and Fraud Protection

4 callback do’s and don’ts to protect against BEC

Callbacks are essential to rooting out payments fraud. But this validation process can still go wrong. Here’s what to do—and what not to do.

Business email compromise (BEC) continues to be a big problem for companies of all industries and sizes. The FBI found that BEC led to nearly $2.4 billion in adjusted losses in 2021.

Typically, cybercriminals operating a BEC scheme impersonate a known party over email and ask for a change in payment instructions. It’s absolutely vital that your business verify these payment instructions whenever there is a change, or when new instructions are initially given. That means physically calling the requestor using a trusted number from a company directory to ensure the party is who they say they are. Under no circumstances should a number provided in an email be used for a callback.

Be careful, however, because callbacks can fail without formal and standardized procedures. Understanding how things go wrong can help your business implement stronger controls that protect against BEC.


4 callback mistakes

1. Relying on an inbound phone call

  • Don’t: Ask that a vendor call you to validate instructions or rely on an inbound phone call to update vendor contact information.
  • Do: Always conduct an outbound phone call to the party to confirm they are genuine.
  • Why? Fraudsters may know that a callback is part of your payment controls if they’ve taken over a vendor’s email. They may then try to circumvent your defenses by placing an inbound call to advance the scheme.


2. Trusting the number provided

  • Don’t: Use a phone number from an email thread, invoice or documentation provided to you via email or mail.
  • Do: Use a known and trusted number from a system of record.
  • Why? Criminals will provide phone numbers that, when used, result in the victim speaking with the fraudster—who will be all too happy to validate the transaction.


3. Not speaking directly with the requestor

  • Don’t: Speak to just any employee at your vendor regarding the change in payment instructions.
  • Do: Speak to the person who is personally accountable to the change in instructions.
  • Why? Fraudsters will exploit emails between two parties. For example, say you call an accounting employee regarding a payment change and they email their CFO for validation. But— the CFO’s email has been hacked already. This would allow the criminal to get around your callback controls.


4. Assuming internal controls have been followed

  • Don’t: Presume a callback was performed as expected if your bank flags a transaction.
  • Do: Confirm controls were executed as intended and none of the above mistakes were made.
  • Why? Human error happens. Minimize these risks by actively ensuring procedures have been followed as they were laid out.


How JPMorgan Chase can help you fight fraud

JPMorgan Chase is dedicated to fighting fraud, and we have a number of tools, products and resources to help protect your business.

Reach out to your banking relationship team to learn more about how we can help you improve cybersecurity and anti-fraud protections.


© 2022 JPMorgan Chase & Co. All rights reserved. JPMorgan Chase Bank, N.A. Member FDIC. Visit jpmorgan.com/cb-disclaimer for disclosures and disclaimers related to this content.

Higher Education Healthcare Aerospace, Defense and Government Government Cybersecurity and Fraud Protection Phishing

Get in Touch and Stay Informed