landline phone

This article was originally published in Commercial Banking’s magazine, Cybersecurity: Technology and Tactics.

Criminals frequently impersonate chief financial officers, chief executive officers or known vendors in spoofed or compromised emails to convince employees to send money to bank accounts that the criminals control. Your company is liable for all losses incurred for payments that originate by using the security credentials of an authorized user. Unfortunately, if one of your employees releases a payment to a criminal, there’s no guarantee that you’ll be successful in recovering the funds. That’s why the callback process is such a vital step.

Developing a strong callback process reminds employees to authenticate a request before sending funds. By training employees to recognize potential schemes and validate suspicious activity—such as new bank account numbers for a known vendor—companies can often stop fraud before it’s too late.

Here are some best practices to follow:

  • Always contact an email sender or trusted vendor (in person or by using a known telephone number) when you receive instructions to change bank account information. Never rely on contact information sent in an email or respond to the email request directly.
  • Establish a tiered confirmation process to reduce vulnerability. For example, if an employee doesn’t perform the callback and instead asks another employee or manager to validate, they should follow a verification process to ensure protocols were followed.
  • Never assume that the callback process was performed as expected—always confirm.
  • Never release funds if you can’t validate the request, even if it’s marked urgent or time sensitive.
  • Develop escalation protocols to use if an employee performs a callback but remains suspicious.
  • Work with vendors to create shared protocols for validating email requests.