• Review procedures for updating account and payment information. All internal and external requests for payments or changes to account information should be validated through a different method than the original inquiry.
• Don’t rely on email alone for payment information. Pick up the phone and contact the appropriate person to verify or question changes to payment instructions.
• Separate duties for accounts and payments, and require dual approvals for any change to account or payment instructions.
• Contact the appropriate person through predefined communications channels to verify vendor contacts and account information.
• Determine your risk tolerance and setup processes, such as alerts or dual approvers for payments deemed risky.
• Manage email account access and require multifactor authentication.
• Disable automatic forwarding and monitor the inbox rules.
• Ask employees with payment-making responsibilities to limit what they post on social media sites.
• Employees should separate personal and professional email accounts and shouldn't reuse the same password on multiple sites.
• Routinely train employees to recognize business email compromise threats and identify the various techniques. Provide in-depth training for employees most likely to be targeted such as the CEO, CFO and those in finance, payroll and HR departments.
• Keep software and systems up to date and protect your data with strong encryption and regular backups.

Neither Bank of America nor its affiliates provide information security or information technology (IT) consulting services. This material is provided "as is," with no guarantee of completeness, accuracy, timeliness or the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, qualities and fitness for a particular purpose. This material should be regarded as general information on security and IT consideration and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT systems or information security concerns, please contact your IT or information security advisor.