What is BEC?
Business Email Compromise (BEC) happens when cybercriminals pretend to be someone you know and ask you to change payment instructions. BEC is a major issue for companies of all types and sizes—leading to over $2.77 billion in losses in 2024 according to the FBI’s annual internet crime report.1
One simple way to fight BEC is by using a callback—a security step where you confirm requests by contacting the person or company directly using contact information you already know. This helps ensure the request is legitimate.
If you receive a suspicious call or text, hang up and call your relationship team using a trusted phone number.
Criminals can create fake websites and search results. Always check website addresses carefully before clicking, and don’t use search engines to find your bank’s website.
Callbacks can help stop payment fraud—but only if done correctly.
By following these tips and staying alert, you can help protect your business from BEC and keep your payments safe.
Don't: Ask vendors to call you to confirm instructions or rely on an inbound call to update contact information.
Do: Always make an outbound call to verify the person is genuine.
Why? Fraudsters might call you first to trick you—knowing that a callback is part of your payment controls if they’ve taken over a vendor’s email. They may then place an inbound call to advance the scheme.
Scenario: An accounts payable department receives an email and an inbound call from a vendor requesting a change in payment instructions. Trusting the call, they update the payment details, only to later discover it was part of a fraud scheme. They could have prevented this by making an outbound call to a trusted number to verify the request.
Don't: Use phone numbers from emails or documents provided to you via email or mail.
Do: Use a trusted number from a system of record.
Why? If criminals have compromised a vendor’s email, any contact information in that email is likely controlled by the fraudster. Calling the provided number may connect you directly to the criminal, who will confirm fake instructions.
Scenario: A finance manager uses a phone number from an email to verify a large payment, unaware the email was sent by a cybercriminal. The payment is redirected to the fraudster’s account. Using a trusted number from a system of record could have prevented this.
Don't: Talk to just any employee about payment changes.
Do: Speak to the person responsible for the change in payment instructions.
Why? If a bad actor has compromised employee emails, they can monitor conversations and intercept verification attempts. Calling in may give them the opportunity to pose as the correct person or manipulate the conversation, increasing the risk of fraud.
Scenario: An employee calls a vendor’s accounting department to verify a payment change. However, the department refers to the CFO’s email for confirmation, and that email has been compromised. The bad actor, posing as the CFO, approves the fraudulent change, resulting in a loss. Verifying directly with the person responsible for the payment change—using a trusted contact method—would have revealed the fraud.
Don't: Assume everything was done right if your bank flags a transaction.
Do: Double-check that all procedures were followed.
Why? When your bank flags a suspicious transaction, it’s because something in the payment pattern or details triggered its fraud detection systems. Don’t rely solely on your team’s word that callback procedures were followed—verify each step. Confirm your team used a trusted number, then speak to the authorized person and validate the request independently. Missing a single step can lead to significant losses.
Scenario: A company dismisses a bank’s alert about a suspicious transaction, assuming all controls were followed. Later, they discover a junior staff member bypassed the callback procedure, resulting in fraud. Double-checking that all procedures were followed could have caught the error.
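As an added illustration (not part of the original guidance), the step-by-step verification described above can be run as an audit over a recorded callback. The vendor record, field names, names and phone numbers below are constructed assumptions, and numbers are compared on their last 10 digits.

```python
import re
from dataclasses import dataclass

# Constructed "system of record" entry; every value here is made up.
VENDOR_MASTER = {
    "V-1001": {"phone": "+1 212 555 0143", "authorized_contact": "Dana Reyes"},
}

@dataclass
class CallbackRecord:
    vendor_id: str
    direction: str           # "outbound" or "inbound"
    number_dialed: str
    spoke_with: str
    request_email_body: str  # text of the email that asked for the change

def digits(phone: str) -> str:
    """Keep the last 10 digits so differently formatted numbers compare equal."""
    return re.sub(r"\D", "", phone)[-10:]

def audit_callback(rec: CallbackRecord) -> list[str]:
    """Return the callback rules this record fails (empty list = all followed)."""
    vendor = VENDOR_MASTER.get(rec.vendor_id)
    if vendor is None:
        return ["vendor not in system of record"]
    failures = []
    # Rule 1: the verification call must be placed by us, not received.
    if rec.direction != "outbound":
        failures.append("call was not outbound")
    # Rule 2: the number must come from the system of record, never the request.
    dialed = digits(rec.number_dialed)
    if dialed != digits(vendor["phone"]):
        found = re.findall(r"\+?\d[\d\s().-]{8,}\d", rec.request_email_body)
        if dialed in {digits(n) for n in found}:
            failures.append("number dialed came from the request email")
        else:
            failures.append("number dialed is not the system-of-record number")
    # Rule 3: speak to the person responsible for the payment change.
    if rec.spoke_with.strip().lower() != vendor["authorized_contact"].lower():
        failures.append("did not speak with the authorized contact")
    return failures

# Constructed sample request email.
EMAIL = "Please update our bank details. Call 212-555-0199 to confirm."
GOOD = CallbackRecord("V-1001", "outbound", "(212) 555-0143", "Dana Reyes", EMAIL)
BAD = CallbackRecord("V-1001", "inbound", "212-555-0199", "Alex in accounting", EMAIL)
```

An empty result means every recorded step matched the rules; each string in a non-empty result names a step to re-verify before the payment is released.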
Staying informed about cybersecurity trends can help you better protect your organization. Here are a few key areas to focus on:
Evolving threats: Cybercriminals are always finding new ways to target companies like yours. Stay alert for unusual activity and keep your team informed about emerging risks.
Third-party risks: Make sure your vendors and partners follow strict security protocols. Stay in regular contact with them, keep up to date on their practices and maintain open communication so you’re informed of any changes.
Protecting sensitive information: Update your IT security policies regularly and ensure all employees follow best practices for handling confidential data.
If you believe you’ve been the target of fraud, contact the GB Fraud Recovery Team at gb.fraud.recovery@jpmorgan.com.
Contact your banking team to learn more about improving your cybersecurity.
JPMorgan Chase Bank, N.A. Member FDIC. Visit jpmorgan.com/commercial-banking/legal-disclaimer for disclosures and disclaimers related to this content.