HOW TO VERIFY PAYMENT CHANGE REQUESTS (Before You Lose $47K)

By SO Email Security2 min read

Learn the Known Number Rule - a simple FBI-backed framework to protect your business from Business Email Compromise (BEC) scams that have cost companies $55 billion globally.

email securityBECbusiness email compromisepayment fraudcybersecurityFBI IC3phishing preventionsmall business security

Last month, an accountant at a 12-person company received an email from their vendor.

New bank account. Please update your records.

The email looked perfect. Same signature. Same formatting. Same tone.

She updated the payment details and sent $34,000 to the new account.

That vendor never sent the email.

The $55 billion problem

The FBI's Internet Crime Complaint Center reports that Business Email Compromise scams have resulted in $55 billion in global losses. In 2023 alone, they received 21,489 BEC complaints totaling $2.9 billion in adjusted losses.

These aren't Nigerian prince emails.

They're surgically targeted attacks that exploit one thing: trust.

Scammers spend weeks studying how your vendors communicate. They learn the names, the tone, the timing. Then they strike when you're busy, distracted, or rushing to close a deal.

The known number rule

The fix is stupidly simple.

When you receive any request to change payment details, call the business's main phone line directly rather than calling numbers provided via email contact.

That's it.

Not the number in the email. Not the "updated" contact info. The number you already have on file. The one from their website. The one on their business card from three years ago.

Why does this work?

Because fraudsters can spoof emails perfectly. They can't answer your vendor's main office line.

The FBI puts it bluntly: "Don't rely on email alone."

One phone call. Sixty seconds. That's what stands between a normal Tuesday and explaining to your CEO why $34,000 is gone forever.

What makes BEC so dangerous

Business Email Compromise works because it bypasses technology entirely.

Your spam filter won't catch it because the email looks legitimate. Your antivirus won't flag it because there's no malware. Your firewall won't block it because it's just... an email.

The attack targets humans, not systems.

Fraudsters commonly impersonate CEOs asking for urgent wire transfers, vendors requesting payment to new accounts, real estate agents with "updated" wiring instructions, and HR staff requesting employee tax information.

They time their attacks perfectly. Board meetings. Vacation days. End of quarter rushes. Any moment when verification feels inconvenient.

Your action item for today

Open your vendor list.

Confirm you have a verified phone number for every company you send money to. Not email contacts. Phone numbers you've independently verified.

Create a simple policy: any payment change request over a certain threshold requires voice verification to a known number. No exceptions.

The fraudsters are counting on you being too busy to call.

Prove them wrong.

Want to protect your inbox from BEC and phishing attacks? Ṣọ Email Security provides real-time threat detection for Gmail and Outlook users. Learn more