In an all-too-common scenario, someone in your organization’s finance department receives an email that purports to be from a supplier, informing your organization that the supplier’s bank account has supposedly changed and requesting that you make all future payments to the new account. Even after some likely back and forth via phone and/or email with the “supplier,” your employee ultimately changes the payment information in your systems, and future invoices are paid to the new pay-to account. Everything seems fine for a while, and then the problems begin.
Eventually, your company receives an email from the supplier asking why it hasn’t received payment of its recent invoices. When the supplier insists that it has not received payment, in spite of your company’s assurances that all invoices have been paid, your IT department investigates. The IT team figures out that the emails with the new payment information and the phone calls were fraudulent—they were not from your supplier but from a bad actor. It is, of course, too late to recover the fraudulently obtained payments, and in the interest of keeping the supplier, your company pays again.