Protect yourself: Cybercriminals utilizing Business Email Compromise (BEC) schemes to impersonate vendors and company executives

It is increasingly common for cybercriminals to use a tactic called Business Email Compromise (BEC) to commit payments fraud. In this scheme, criminals use email systems to:

  • Impersonate an employee or executive requesting that payments be made to an illegitimate vendor or bank account
  • Impersonate an existing vendor via email to provide illegitimate bank account information for future payments.

With BEC becoming an increasing threat, we'd like to be able to help you understand this threat and warn you if we see any red flags. You will see this banner when editing a vendor's bank account:

When you see this banner, pay extra attention and validate the bank information and payment instructions before initiating payments.

To help you learn how you can protect yourself and your business from BEC losses, here are some topics to review:

3 ways to help guard against BEC

Here are some recommended best practices and Key CashFlow features designed to help you protect your business from BEC fraud losses:

  1. Watch out for impersonators: If you receive payment instructions from an employee or an executive by email, or if you receive bank account number updates to bank from a vendor by email, be sure to follow up with them or a trusted contact by phone to verify their instructions. Never rely on email alone, as it may have been compromised.
  2. Connect to vendors in the Network whenever possible: If your vendor is part of the Network, they manage their own bank account information, so you don't need to manage it within Key CashFlow.
  3. Watch for unusual payment requests: Be extra vigilant with first-time vendors. Also be wary of rushed or urgent payment requests—don’t cut any corners just to meet a deadline.

You may be liable for unauthorized or fraudulent payments originated using your customer's security credentials. Using fraud prevention best practices and processes may help protect your business and reduce the risk of loss.

Other best practices and precautions

Below are additional suggestions for protecting you and your business from BEC:


Watch for bogus email messages disguised to appear as real: Fraudsters commonly spoof legitimate email domains with ones that look similar (e.g., or instead of

Hover over or reply to an email address to make sure it isn’t being masked as something it’s not. Be suspicious of request for secrecy or pressure to take action quickly.

Immediately report and delete unsolicited email from unknown parties.


Provide basic training and advanced education for employees to recognize BEC and phishing schemes.

Be careful what you post to social media and company websites, especially job duties and descriptions, staff hierarchy information, and out-of-office details.

Make sure temporary staff covering for your payments employees understand that criminals may pose as employees or vendors to try and manipulate them.

Create intrusion detection system rules that flag emails with extensions that are similar to company email.

Register all company domains that are slightly different than the actual company domain.

What if I’ve been targeted?

If you believe you’re a victim of a BEC attack, report it to local law enforcement immediately.

If you believe that Key CashFlow has been compromised, please contact our Support team immediately.


The information provided in this article is intended only to be a resource to help Key CashFlow users protect themselves against cyber fraud. It does not provide a comprehensive list of all types of cyber fraud activities, or identify all types of cybersecurity best practices. Key CashFlow does not represent or warrant that using the best practices or other recommendations contained in this article will prevent BEC or any other type of payment fraud or cyber fraud.