Spot the Fake: BEC Verification Guide

What is BEC verification?

BEC verification is a control process where finance teams authenticate payment requests through a secondary, trusted communication channel.

Treat every unexpected payment request, bank-detail change, or off-cycle approval as unverified until confirmed. Validating identity through the same channel that initiated the request does not provide independent confirmation.

Why do finance teams need BEC verification?

BEC verification prevents unauthorized funds transfers by stopping social engineering attacks that exploit approval speed and authority dynamics.

The FBI IC3 2024 Annual Report lists 21,442 BEC complaints and approximately $2.77 billion in adjusted losses for 2024. IC3's September 2024 PSA separately reports $55,499,915,582 in exposed BEC losses from October 2013 through December 2023, underscoring the continuing scale of both attempted and successful fraud activity.

The 2024 IC3 report also notes that BEC proceeds are increasingly converted through cryptocurrency exchanges and third-party payment processors, which significantly reduces recovery prospects once funds leave the originating account. Instant payment rails compound this: a wire that settles on FedNow or RTP and is immediately converted to crypto is effectively unrecoverable.

Insurance requirements vary by carrier and policy wording, so finance teams should confirm social-engineering control expectations with their broker before an incident occurs.

The 4-Stage Attack Sequence

Modern BEC attacks follow a four-stage sequence: reconnaissance, account/domain abuse, social engineering, and rapid execution.

IC3 advisories in 2024 and 2025 (including a May 2025 PSA on senior official impersonation and a December 2025 follow-up campaign update) note continued use of AI-generated text and voice impersonation, including smishing and vishing pretexts. Process verification is therefore more reliable than perception-based trust, especially when payment rails can settle instantly and irreversibly.

Executing a Trusted Callback Protocol

A trusted callback initiates a new communication session using verified contact information from an internal system of record.

How-To: Trusted Callback Verification

If the request originates by phone, SMS/text, or voice note, end the session and initiate a new call using a known, pre-verified number.

Out-of-Band Challenge for Voice and Video

For executive-wire scenarios, consider defining an offline verbal challenge-response phrase that must be answered correctly during callback verification. AI voice cloning technology renders audio authenticity checks unreliable, so video presence alone is not sufficient confirmation. As an additional check during suspicious video calls, ask the requester to turn their head side-to-side or briefly pass a hand across their face; unexplained visual artifacts are a reason to escalate. For a broader look at deepfake defense techniques, see the deepfake and AI manipulation defense guide.

Which red flags should trigger mandatory callback every time?

Mandatory callback should not depend on individual judgment alone. Trigger it automatically when any of these conditions appear:

• payment urgency that bypasses normal approval timing
• request for secrecy or limited internal visibility
• new beneficiary details or remittance-account changes
• executive request from an unusual channel or context
• legal/compliance pretext that lacks normal documentation
• voice note, SMS/text, or call requesting immediate release of funds
• invoice or payment-change request that relies on a QR code link as the primary action path

Standardizing these triggers removes reliance on individual judgment and makes the verification step consistent across the team.

Defining risk-based approval thresholds

Threshold design should match transaction risk, not only transaction amount.

Reassess thresholds quarterly so policy keeps pace with vendor, staffing, and transaction-pattern changes.

What should the verification decision tree include?

Use this deterministic path for every payment exception:

Preventing BEC during vendor onboarding

Prevention at onboarding reduces downstream exception risk.

• Verify legal entity identity and banking details before first payment
• Use a controlled vendor-master update process with segregation of duties
• Require two-person review for first payment setup and any account change
• Record verified callback contact points during onboarding, not during incident pressure
• Revalidate critical vendors periodically and after any merger, ownership, or banking change

Securing the vendor master file

The trusted callback protocol depends on the integrity of your vendor master file (or ERP vendor directory). Attackers who gain access to an internal account or recruit an insider can quietly alter banking details before submitting a fraudulent payment request, making the "trusted" number itself the attack vector.

To protect the system of record:

• Restrict write access to the vendor master to a named, minimal set of users with documented approval authority
• Require a second reviewer to approve any banking-detail change before it is saved
• Enable change-log auditing on the vendor master table and review it monthly
• Alert on any modification to a vendor's bank account, routing number, or primary contact within 24 hours
• Periodically reconcile vendor master records against original signed contracts and onboarding documentation

What documentation should be retained for auditability?

Complete, consistent records make verification defensible during audits and incident investigations. Include the following in each exception transaction record:

• original request artifact (email, message, or call log reference)
• source of trusted callback contact data
• callback date/time and verifying employee
• exact account details read back and confirmed
• approving authorities and approval timestamps
• exception rationale (if standard policy path changed)

Retention requirements should align with finance compliance obligations and internal incident-response requirements.

Who should own each control?

AP/AR and finance operations

• Enforce callback policy for all exception payments
• Reject urgency-based bypass attempts regardless of requestor title
• Preserve complete logs for every verification event

Approvers and finance leadership

• Set dual-approval thresholds by risk class
• Require written exception rationale with accountable owner
• Review near misses and policy exceptions monthly

IT and security operations

• Monitor suspicious sign-ins and mailbox forwarding-rule changes
• Enforce MFA and account hardening for finance-adjacent users; consider Proton Business Suite for teams that want encrypted email with built-in MFA support
• Coordinate with finance promptly when account compromise indicators appear

What are the first steps in BEC incident response?

Immediate response should prioritize payment interruption, account security, and evidence preservation.

For qualifying transfers, coordinate with your financial institution and law enforcement on any available recovery processes. Maintain reference numbers and contact logs from every escalation action. For a full incident response framework, see the cybersecurity incident response plan guide.

Real-world example: defeating a deepfake video call

In early 2026, a mid-market manufacturing company's AP manager received a video call from what appeared to be the CFO, requesting an urgent $340,000 wire to a new vendor account. The video and voice quality were convincing. Rather than approving the transfer, the AP manager invoked the company's offline verbal challenge-response phrase—a short, pre-agreed code word known only to the real CFO and a small group of approvers.

The caller could not provide the correct phrase. The AP manager ended the call, retrieved the CFO's verified mobile number from the vendor master, and called back directly. The real CFO confirmed no such request had been made. The incident was escalated to IT security, which identified a compromised executive email account used to schedule the call.

What worked: The challenge-response phrase created a verification step that the deepfake could not pass. The AP manager's training gave her the confidence to pause a high-pressure request from an apparent senior executive. No funds were transferred.

How much does verification actually cost?

Finance teams sometimes resist adding verification steps because of perceived workflow friction. The table below compares the realistic cost of a trusted callback against the cost of a successful wire fraud incident.

The 3–5 minutes a callback requires is the lowest-cost fraud prevention control available to a finance team. The friction is intentional—it is the control.

90-day implementation plan

Days 0-30

• Publish callback and escalation policy
• Classify high-risk transaction types
• Train finance, executive assistants, and approvers

Days 31-60

• Enable mailbox-rule and sign-in anomaly monitoring
• Run role-specific simulation drills
• Add verification logging to payment workflow

Days 61-90

• Audit compliance and exception patterns
• Tune thresholds and escalation criteria
• Present KPI results and corrective actions to leadership

How should we run training and simulations?

Policy quality depends on repetition under realistic conditions. Short scenario drills are more effective than a single annual awareness session.

Recommended cadence:

• monthly 15-minute role-specific simulation for AP/AR and approvers
• quarterly cross-functional tabletop with finance, security, and leadership
• post-incident mini-drill within two weeks of any near miss or confirmed event

Simulation scenarios should include executive impersonation, vendor account changes, and voice-based urgent requests. Platforms like KnowBe4 offer phishing and BEC simulation tools purpose-built for this type of role-based training.

How do we measure control effectiveness?

Track monthly quality indicators:

• Callback completion rate for in-scope transactions
• Exception requests with full documentation
• Escalation-to-decision median time
• Near-miss detection rate before payment release
• Repeated bypass attempt patterns by request type

A mature program is measured by consistent execution quality, not only by absence of alerts.

Common implementation mistakes

• Treating callback as optional for senior-requestor scenarios
• Allowing undocumented "one-time" exceptions during time pressure
• Failing to connect security alerts to finance workflows
• Training all teams with generic content instead of role-based drills
• Closing incidents without updating policy language and thresholds

Each of these patterns tends to create gaps that repeat. Reviewing exceptions monthly helps identify which areas need additional training or tighter controls.

Quarterly governance checklist

Quarterly governance keeps the verification program aligned with real transaction behavior and current threat patterns.

Use this review checklist:

• confirm risk thresholds still match payment volume and vendor profile changes
• review all policy exceptions and identify repeated bypass causes
• validate dual-approval coverage for high-risk transfer classes
• audit callback logs for completeness and quality, not just completion counts
• review sign-in and mailbox-rule incidents involving finance-related accounts
• verify onboarding controls for newly added or recently modified vendors
• update training scenarios based on current impersonation patterns

Each review should produce named action owners, due dates, and measurable outcomes. That accountability loop is what keeps the policy current as transaction patterns and threat techniques change.

For teams with limited resources, start by prioritizing controls around vendor bank-detail changes and urgent wire requests. Those two transaction classes tend to carry the highest financial impact and usually deliver the fastest risk reduction when verification quality improves.

If leadership can only sponsor one additional improvement after baseline rollout, monthly exception-review meetings with finance and security together tend to improve escalation speed, policy clarity, and control adoption quality. The NIST CSF 2.0 guide provides a broader framework for structuring these governance reviews.

Sources (reviewed February 2026)

• FBI IC3 2024 Annual Report
• IC3 PSA (2024): Business Email Compromise: The $55 Billion Scam
• IC3 PSA (2024): Criminals Use Generative AI to Facilitate Financial Fraud
• IC3 PSA (2025): Senior US Officials Impersonated in Malicious Messaging Campaign
• IC3 PSA (2025): Senior U.S. Officials Continue to be Impersonated in Malicious Messaging Campaign
• FedNow Service Innovation Spotlight (Federal Reserve Financial Services)
• RTP Network FAQs (The Clearing House)
• U.S. Secret Service: Business Email Compromise
• CISA: Avoiding Social Engineering and Phishing Attacks

Related reads

• AI-Enhanced Business Email Compromise
• Email Security Guide
• Email Security Tester
• Deepfake and AI Manipulation Defense Guide
• Cybersecurity Incident Response Plan
• Cybersecurity Training Guide