• Review procedures for updating account and payment information. All internal and external requests for payments or changes to account information should be validated through a different method than the original inquiry.
• Don’t rely on email alone for payment information. Pick up the phone and contact the appropriate person to verify or question changes to payment instructions.
• Separate duties for accounts and payments, and require dual approvals for any change to account or payment instructions.
• Contact the appropriate person by phone to verify vendor contacts and account information.
• Determine your risk tolerance and set up alerts for larger payments.
• Manage email account access and require multifactor authentication.
• Disable automatic forwarding and monitor the inbox rules.
• Ask employees with payment-making responsibilities to limit what they post on social media sites.
• Employees should also separate personal and professional email accounts and should not use the same password on multiple sites.
• Routinely train employees to recognize business email compromise threats and identify the various techniques. Provide in-depth training for employees most likely to be targeted such as the CEO, CFO and those in finance, payroll and HR departments.
• Update security software and operations systems, complete regular backups and use email filtering technologies.

 

Learn more about email security.