- Review procedures for updating account and payment information. All internal and external requests for payments or changes to account information should be validated through a different method than the original inquiry.
- Don’t rely on email alone for payment information. Pick up the phone and contact the appropriate person to verify or question changes to payment instructions.
- Separate duties for accounts and payments, and require dual approvals for any change to account or payment instructions.
- Contact the appropriate person by phone to verify vendor contacts and account information.
- Determine your risk tolerance and set up alerts for larger payments.
- Manage email account access and require multifactor authentication.
- Disable automatic forwarding and monitor the inbox rules.
- Ask employees with payment-making responsibilities to limit what they post on social media sites.
- Employees should also separate personal and professional email accounts and should not use the same password on multiple sites.
- Routinely train employees to recognize business email compromise threats and identify the various techniques. Provide in-depth training for employees most likely to be targeted such as the CEO, CFO and those in finance, payroll and HR departments.
- Keep security software and operating systems updated, complete regular backups and use email filtering technologies.
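As an added example that is not part of the original list: a defender-side check for the "disable automatic forwarding and monitor the inbox rules" point above, written in Python over constructed records shaped like Microsoft 365 unified audit log entries for inbox-rule changes (assumed format: an Operation name plus a Parameters list of Name/Value pairs). The INTERNAL_DOMAINS set and all sample addresses are assumptions.

```python
# Constructed sample records in the shape of Microsoft 365 unified audit log
# entries for inbox-rule changes (assumption: each record carries an Operation
# and a Parameters list of Name/Value pairs, as Exchange Online emits them).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "ForwardTo", "Value": "billing@example-mail.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ap@example.com",
     "Parameters": [{"Name": "Name", "Value": "Vendors"},
                    {"Name": "MoveToFolder", "Value": "Vendors"}]},
    {"Operation": "Set-InboxRule", "UserId": "hr@example.com",
     "Parameters": [{"Name": "Identity", "Value": "Cleanup"},
                    {"Name": "RedirectTo", "Value": "hr-archive@example.com"}]},
]

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_external(address):
    # Recipients may be rendered as "Name [SMTP:user@domain]" or as bare
    # addresses; take whatever follows the last '@' and strip brackets.
    domain = address.rsplit("@", 1)[-1].strip("]> ").lower()
    return domain not in INTERNAL_DOMAINS

def find_suspicious_rules(records):
    """Return (user, rule name, reasons) for rules that forward or redirect
    mail outside the organisation, noting when the copy is also deleted."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = _params(rec)
        reasons = []
        for key in FORWARD_KEYS:
            if key in p and any(is_external(a) for a in p[key].split(";")):
                reasons.append(f"{key} sends mail to external recipient {p[key]}")
        if reasons and p.get("DeleteMessage", "").lower() == "true":
            reasons.append("forwarded mail is also deleted, hiding it from the mailbox owner")
        if reasons:
            findings.append((rec["UserId"], p.get("Name") or p.get("Identity"), reasons))
    return findings
```

Each finding names the mailbox and rule so the owner can be phoned to confirm the rule is legitimate, in line with the out-of-band verification the list recommends.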