BEC Verification — Finance Team Desk Reference
Valydex · IC3-aligned · February 2026 · valydex.com

Section 1 — Trusted Callback Protocol
Team: _______________________
Reviewed: ___________________
Core rule: Never validate a payment request through the same channel that initiated it. Always initiate a new, independent communication session using contact information from a pre-verified system of record.
3-step callback procedure

  1. Pause: Halt transaction execution immediately. Mark the request as pending verification before any approval or release action.
  2. Source: Retrieve contact information from internal directory records, validated vendor master data, signed contracts, or prior verified invoices. Do not use contact details from the suspicious request.
  3. Verify: Call the contact and read back exact account details, amount, purpose, and required timeline. Log date/time, verifying party, and channel in the transaction record.

Out-of-band challenge for voice and video calls
Challenge-response phrase: For executive wire requests, use a pre-agreed offline verbal phrase known only to authorized parties. AI voice cloning technology renders audio authenticity checks unreliable — video presence alone is not sufficient confirmation. If the caller cannot provide the correct phrase, end the call and escalate.
Callback log — complete for every exception transaction
  • Request date/time: YYYY-MM-DD HH:MM
  • Requestor name / role: Name and title
  • Request channel: Email / Phone / SMS / Video
  • Contact source used: Vendor master / Contract / Directory
  • Callback number dialed: Number used for verification
  • Verified by (name): Employee who completed callback
  • Details confirmed: Account, amount, purpose, timeline
  • Approval authority: Name and timestamp
valydex.com/guides/spot-the-fake-bec-verification-guide
FBI IC3 2024 Annual Report · Free to use and adapt · Review quarterly

Section 2 — Red Flags & Risk-Based Approval Thresholds

Mandatory callback triggers — any one condition is sufficient

Callback must not depend on individual judgment. Trigger it automatically when any condition below is present.

  • Payment urgency that bypasses normal approval timing
  • Request for secrecy or limited internal visibility
  • New beneficiary details or remittance-account changes
  • Executive request from an unusual channel or context
  • Legal/compliance pretext that lacks normal documentation
  • Voice note, SMS/text, or call requesting immediate release of funds
  • Invoice or payment-change request using a QR code as the primary action path
Risk-based approval thresholds

Threshold design should match transaction risk, not only transaction amount. Reassess quarterly.

| Risk | Typical pattern | Minimum controls |
|---|---|---|
| Low | Recurring approved vendor, no banking changes, standard timeline | Standard approval and documentation check |
| Medium | Off-cycle request or unusual urgency with otherwise known parties | Callback verification and manager acknowledgment |
| High | Bank-detail change, executive wire request, or first-time transfer pattern | Callback verification, dual approval, and finance-lead release authority |
| Critical | Multiple fraud indicators or suspected account compromise | Immediate hold, incident escalation lane, and bank/security coordination |

Payment rail warning: Wires on FedNow or RTP settle instantly and are effectively irrevocable. Funds converted to crypto after transfer have near-zero recovery prospects. Pause before release — not after.

Section 3 — Verification Decision Tree & Documentation

Payment exception decision tree

Apply this path to every payment exception. Do not skip steps under time pressure.

| Decision point | If Yes | If No |
|---|---|---|
| Is this a new payee, bank change, or urgent/off-cycle payment? | Trigger callback verification workflow | Continue standard approval path |
| Was identity confirmed on a known, independent channel? | Proceed to dual-approval check | Escalate and hold payment |
| Do verified details match the request exactly? | Complete documented approval | Escalate to finance/security incident lane |
| Is this above the high-risk threshold? | Require second approver before release | Release per standard documented process |

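The decision tree above can be enforced as a release gate in the payment workflow so that it does not depend on individual judgment. The sketch below is an added example, not part of the original desk reference: the flag names, source labels, and outcome strings are assumptions, and it treats any Section 2 trigger as the first decision point. Missing verification data holds the payment rather than passing it.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed flag names for the Section 2 mandatory callback triggers.
TRIGGERS = {
    "urgency_bypass", "secrecy_request", "new_or_changed_beneficiary",
    "executive_unusual_channel", "undocumented_legal_pretext",
    "voice_or_text_release_request", "qr_code_action_path",
}
# Assumed labels for the pre-verified systems of record named in Section 1.
TRUSTED_SOURCES = {"directory", "vendor_master", "signed_contract",
                   "prior_verified_invoice"}

@dataclass
class PaymentRequest:
    flags: set = field(default_factory=set)  # triggers observed at intake
    contact_source: Optional[str] = None     # where the callback number came from
    details_match: Optional[bool] = None     # read-back result; None = not done
    above_high_risk_threshold: bool = False

def decide(req: PaymentRequest) -> str:
    """Walk the decision tree top to bottom; unverified requests are held."""
    unknown = req.flags - TRIGGERS
    if unknown:
        raise ValueError(f"unknown trigger flags: {sorted(unknown)}")
    if not req.flags:
        return "standard_approval_path"
    # Identity is confirmed only when the contact came from a system of record.
    # None (no callback yet) or "request" (details taken from the message) fail.
    if req.contact_source not in TRUSTED_SOURCES:
        return "escalate_and_hold"
    if req.details_match is None:            # read-back skipped: fail closed
        return "escalate_and_hold"
    if req.details_match is False:
        return "escalate_to_incident_lane"
    if req.above_high_risk_threshold:
        return "require_second_approver"
    return "release_per_documented_process"

if __name__ == "__main__":
    print(decide(PaymentRequest({"urgency_bypass"}, "request")))
```
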
Vendor master file — security controls
  • Restrict write access to a named, minimal set of users with documented approval authority
  • Require a second reviewer to approve any banking-detail change before it is saved
  • Enable change-log auditing on the vendor master table — review monthly
  • Alert on any modification to a vendor's bank account, routing number, or primary contact within 24 hours
  • Periodically reconcile vendor master records against original signed contracts
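The monthly change-log review described above can be scripted. The following is an added example, not part of the original desk reference: the column names, user ids, and sample rows are constructed assumptions standing in for an export of the vendor master change log. It flags writes by users outside the named writer set, banking-detail changes without an independent second reviewer, and sensitive changes whose alert was missing or raised after the 24-hour window.

```python
from datetime import datetime, timedelta

# Assumed column names and user ids; adapt to your own change-log export.
BANK_FIELDS = {"bank_account", "routing_number"}
ALERT_FIELDS = BANK_FIELDS | {"primary_contact"}
AUTHORIZED_WRITERS = {"ap.lead", "vendor.admin"}  # named, minimal writer set
ALERT_WINDOW = timedelta(hours=24)
FMT = "%Y-%m-%d %H:%M"

# Constructed rows: (id, field, changed_by, approved_by, changed_at, alerted_at)
CHANGE_LOG = [
    (1, "bank_account", "ap.lead", "vendor.admin", "2026-02-03 09:15", "2026-02-03 09:20"),
    (2, "routing_number", "ap.clerk", "ap.lead", "2026-02-04 14:00", "2026-02-04 14:05"),
    (3, "bank_account", "vendor.admin", "vendor.admin", "2026-02-05 10:30", "2026-02-05 10:31"),
    (4, "primary_contact", "ap.lead", None, "2026-02-06 08:00", None),
    (5, "postal_address", "ap.lead", None, "2026-02-06 08:05", None),
    (6, "bank_account", "ap.lead", "vendor.admin", "2026-02-07 16:00", "2026-02-09 09:00"),
]

def audit_change_log(rows, now):
    """Return (row_id, finding) pairs for changes that violate the controls."""
    findings = []
    for row_id, field, changed_by, approved_by, changed_at, alerted_at in rows:
        # Write access is restricted to the named set for every field.
        if changed_by not in AUTHORIZED_WRITERS:
            findings.append((row_id, "unauthorized_writer"))
        # Banking-detail changes need a reviewer other than the person saving.
        if field in BANK_FIELDS and (not approved_by or approved_by == changed_by):
            findings.append((row_id, "no_independent_reviewer"))
        # Sensitive changes must have raised an alert within 24 hours.
        if field in ALERT_FIELDS:
            deadline = datetime.strptime(changed_at, FMT) + ALERT_WINDOW
            if alerted_at is None:
                if now > deadline:
                    findings.append((row_id, "alert_missing"))
            elif datetime.strptime(alerted_at, FMT) > deadline:
                findings.append((row_id, "alert_late"))
    return findings

if __name__ == "__main__":
    for row_id, finding in audit_change_log(CHANGE_LOG, datetime(2026, 2, 10, 9, 0)):
        print(f"change {row_id}: {finding}")
```
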
Exception transaction documentation — required fields
  • Original request artifact (email, message, or call log reference)
  • Source of trusted callback contact data (vendor master / signed contract)
  • Callback date/time and verifying employee name
  • Exact account details read back and confirmed by counterparty
  • Approving authorities and approval timestamps
  • Exception rationale if standard policy path was changed

Section 4 — Incident Response & Quarterly Governance

BEC incident response — first steps

Prioritize payment interruption, account security, and evidence preservation in that order.

| Step | Action | Owner |
|---|---|---|
| Contain | Contact your bank fraud desk immediately to request hold/recall actions. Document all reference numbers. | Finance lead / AP manager |
| Notify | Escalate to security operations to secure affected accounts, reset credentials, and review mailbox forwarding rules. | IT / Security operations |
| Report | Preserve email headers, logs, and approval artifacts. File an IC3 complaint the same day if possible (ic3.gov). | Finance lead + Legal |

Reporting requirement: File an IC3 complaint at ic3.gov as soon as possible — preferably the same day. Coordinate with your financial institution on any available recall process. Maintain reference numbers from every escalation contact.
Control ownership summary
| Role | Primary responsibility |
|---|---|
| AP/AR & Finance ops | Enforce callback policy; reject urgency-based bypasses; preserve logs |
| Finance leadership | Set dual-approval thresholds; review near misses monthly |
| IT / Security ops | Monitor sign-ins and forwarding rules; enforce MFA; coordinate on compromise indicators |

Quarterly governance checklist

Each review should produce named action owners, due dates, and measurable outcomes.

  • Confirm risk thresholds still match payment volume and vendor profile changes
  • Review all policy exceptions and identify repeated bypass causes
  • Validate dual-approval coverage for high-risk transfer classes
  • Audit callback logs for completeness and quality, not just completion counts
  • Review sign-in and mailbox-rule incidents involving finance-related accounts
  • Verify onboarding controls for newly added or recently modified vendors
  • Update training scenarios based on current impersonation patterns
  • Confirm challenge-response phrases are current and known only to authorized parties
Training cadence
  • Monthly 15-min role-specific simulation for AP/AR and approvers
  • Quarterly cross-functional tabletop with finance, security, and leadership
  • Post-incident mini-drill within 2 weeks of any near miss