Business email compromise (BEC) continues to be a big problem for companies of all industries and sizes. The FBI found that BEC led to nearly $2.7 billion in adjusted losses in 2022.

Typically, cybercriminals operating a BEC scheme impersonate a known party over email and ask for a change in payment instructions. It’s absolutely vital that your business verify these payment instructions whenever there is a change, or when new instructions are initially given. That means physically calling the requestor using a trusted number from a company directory to ensure the party is who they say they are. Under no circumstances should a number provided in an email be used for a callback.

Be careful, however, because callbacks can fail without formal and standardized procedures. Understanding how things go wrong can help your business implement stronger controls that protect against BEC.

4 callback mistakes

1. Relying on an inbound phone call

  • Don’t: Ask that a vendor call you to validate instructions or rely on an inbound phone call to update vendor contact information.
  • Do: Always conduct an outbound phone call to the party to confirm they are genuine.
  • Why? Fraudsters may know that a callback is part of your payment controls if they’ve taken over a vendor’s email. They may then try to circumvent your defenses by placing an inbound call to advance the scheme.

2. Trusting the number provided

  • Don’t: Use a phone number from an email thread, invoice or documentation provided to you via email or mail.
  • Do: Use a known and trusted number from a system of record.
  • Why? Criminals will provide phone numbers that, when used, result in the victim speaking with the fraudster—who will be all too happy to validate the transaction.

3. Not speaking directly with the requestor

  • Don’t: Speak to just any employee at your vendor regarding the change in payment instructions.
  • Do: Speak to the person who is personally accountable for the change in instructions.
  • Why? Fraudsters will exploit emails between two parties. For example, say you call an accounting employee regarding a payment change and they email their CFO for validation. But the CFO’s email has already been hacked. This would allow the criminal to get around your callback controls.

4. Assuming internal controls have been followed

  • Don’t: Presume a callback was performed as expected if your bank flags a transaction.
  • Do: Confirm controls were executed as intended and none of the above mistakes were made.
  • Why? Human error happens. Minimize these risks by actively ensuring procedures have been followed as they were laid out.
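As an added example, not part of this article, here is a small Python check that scores a recorded callback against the four rules above. It assumes a vendor master table standing in for the system of record; the vendor id, phone numbers, names and timestamps are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed vendor master record standing in for the system of record.
VENDOR_MASTER = {
    "acme-supplies": {
        "phone": "+1 (555) 0100",            # trusted number from the company directory
        "accountable_contact": "jane doe",   # person who owns the payment instructions
    },
}

@dataclass
class PaymentChangeRequest:
    vendor_id: str
    received_at: str        # ISO-8601 timestamp of the email asking for the change

@dataclass
class CallbackRecord:
    vendor_id: str
    direction: str          # "outbound" or "inbound"
    number_dialed: str
    number_source: str      # "system_of_record", "email", "invoice", ...
    spoke_with: str
    performed_at: str       # ISO-8601 timestamp

def digits(number: str) -> str:
    """Compare phone numbers on digits only, ignoring spaces and punctuation."""
    return "".join(ch for ch in number if ch.isdigit())

def verify_callback(req: PaymentChangeRequest, cb: Optional[CallbackRecord]) -> List[str]:
    """Return the list of control failures; an empty list means the callback holds up."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return ["vendor not in system of record"]
    if cb is None or cb.vendor_id != req.vendor_id:
        return ["no callback recorded for this request"]
    failures = []
    if cb.direction != "outbound":                                              # mistake 1
        failures.append("call was inbound, not an outbound call placed by us")
    if cb.number_source != "system_of_record" or digits(cb.number_dialed) != digits(vendor["phone"]):
        failures.append("number dialed is not the trusted number on record")    # mistake 2
    if cb.spoke_with.strip().lower() != vendor["accountable_contact"]:          # mistake 3
        failures.append("did not speak with the person accountable for the change")
    if cb.performed_at < req.received_at:          # evidence must postdate the request (mistake 4)
        failures.append("callback predates the change request")
    return failures

# Constructed sample records: one compliant callback and one that trusted the emailed number.
REQUEST = PaymentChangeRequest("acme-supplies", "2023-03-01T09:00:00")
GOOD_CALLBACK = CallbackRecord("acme-supplies", "outbound", "+1 (555) 0100", "system_of_record", "Jane Doe", "2023-03-01T10:15:00")
BAD_CALLBACK = CallbackRecord("acme-supplies", "inbound", "+1 (555) 0199", "email", "Bob (AP clerk)", "2023-03-01T09:30:00")
```

The returned list is the evidence to review before releasing a flagged payment, which is the check mistake 4 asks for.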

How JPMorgan Chase can help you fight fraud

JPMorgan Chase is dedicated to fighting fraud, and we have a number of tools, products and resources to help protect your business.

Reach out to your banking relationship team to learn more about how we can help you improve cybersecurity and anti-fraud protections.


© 2023 JPMorgan Chase & Co. All rights reserved. JPMorgan Chase Bank, N.A. Member FDIC. Visit jpmorgan.com/cb-disclaimer for disclosures and disclaimers related to this content.