Ordinary phishing targets individuals' passwords. In a company the attackers are after much more, which is why they are also more cunning. They will not send an obviously fake e-mail full of typos, but a credible-looking invoice or payment instruction that appears to come from your supplier or your boss. One poorly verified transfer is enough for several thousand euros to leave the company. Here are the three most common scenarios and how to defend against them.

1. A fake invoice with a changed IBAN

The most widespread company fraud. The attacker poses as your real supplier and sends an invoice that looks completely standard, except it has a different bank account number (IBAN). Sometimes the attacker first breaks into the e-mail conversation, reads the genuine invoice and sends an edited copy with their own account. You pay in good faith and the money ends up with the fraudster.

Warning sign: any change of account number announced by e-mail. Even if the e-mail looks genuine.

2. CEO fraud (payment “from the boss”)

An accountant or assistant receives an e-mail that appears to be from the director or owner: “Please pay this urgently, I am in a meeting, we will sort it out later, it is confidential.” The message plays on authority and urgency and deliberately discourages you from verifying. The attacker often knows the names of people in the company and its communication style, because they studied the e-mails beforehand. The technical term for this is social engineering.

Warning sign: an unusual, urgent and “secret” request for payment from a superior that bypasses the normal process.

3. “We have changed banks, please update our details”

A variation on the first scenario. An e-mail arrives from a “supplier” saying they have switched to a different bank and future payments should go to a new account. The account number is, of course, the attacker’s. It works because changing banks is common and raises no suspicion.

Why it works even on careful people

These scams rely not on technology but on psychology. The attacker exploits trust, authority, urgency and routine. The e-mail address is usually almost identical to the real one (for example one extra letter, or i swapped for l), so at a glance it does not stand out. And because invoices and payments are a daily routine, they easily pass without a second look.

How to defend yourself

The defence is fortunately simple, and above all about process rather than money:

  • Verify any change of payment details through a second channel. Always. Call the supplier on a known phone number (not the one from the suspicious e-mail) and confirm the new account.
  • Introduce dual approval for payments above a certain amount, so a transfer is never approved by just one person.
  • Train your people. An accountant who knows about CEO fraud will spot it in seconds. Regular training is the cheapest insurance.
  • Secure your e-mail against sender spoofing (technologies such as SPF, DKIM, DMARC and a quality spam filter) and turn on two-factor authentication on company mailboxes, so the attacker cannot get into them in the first place.
  • Have a written procedure for what to do with a suspicious payment request, so people do not have to decide under pressure.
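As an added example (not code from the original article), here is a small Python triage check that applies the rules above: it flags sender domains that merely look like a known supplier (one extra letter, i swapped for l or 1, rn for m) and any e-mail that announces new bank details, and tells the accountant whether a phone call on a known number is required before paying. The supplier allowlist and the keyword patterns are constructed assumptions for the demonstration.

```python
import re

# Constructed allowlist of supplier domains the company actually deals with (assumption).
KNOWN_SUPPLIER_DOMAINS = {"example-supplier.com", "example-bank.com"}

# Phrases that signal a request to change payment details; any such request
# must be verified through a second channel regardless of who sent it.
PAYMENT_CHANGE_PATTERNS = re.compile(
    r"new (bank )?account|changed banks?|update (our|your) (bank )?details|\biban\b", re.I)

def normalize(domain: str) -> str:
    """Fold common look-alike characters so 'examp1e' and 'exarnple' compare equal to 'example'."""
    d = domain.lower()
    for pair, single in (("rn", "m"), ("vv", "w")):
        d = d.replace(pair, single)
    return d.translate(str.maketrans("l10", "iio"))

def levenshtein(a: str, b: str) -> int:
    """Edit distance: one extra, missing or swapped letter gives distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, known: set = KNOWN_SUPPLIER_DOMAINS) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the domain part of an address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    for k in known:
        if domain == k or domain.endswith("." + k):
            return "known"
    for k in known:
        if levenshtein(normalize(domain), normalize(k)) <= 1:
            return "lookalike"
    return "unknown"

def triage(sender: str, body: str) -> dict:
    """Decide whether a payment e-mail must be confirmed by phone before anyone pays."""
    verdict = classify_sender(sender)
    mentions_change = bool(PAYMENT_CHANGE_PATTERNS.search(body))
    return {
        "sender": verdict,
        "payment_change": mentions_change,
        # Call back if the sender is not clearly genuine OR the mail announces
        # new bank details (even a genuine-looking sender may be compromised).
        "verify_by_phone": verdict != "known" or mentions_change,
    }
```

Calling `triage("accounts@examp1e-supplier.com", "Please note our new account number")` returns a lookalike verdict with `verify_by_phone` set, while a routine invoice from the real domain with no mention of new details does not trigger the call-back.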

We will help you set it up

In business IT we deal with these things every day. We will set up your e-mail protection and two-factor authentication, design a safe payment procedure and teach your people to recognise a fake invoice and a false instruction “from the boss”. If something suspicious has just arrived, do not pay it and contact us; we will gladly verify it with you.