Getting Deceived by Email Compromise and Vendor Fraud — and What to Know

Business email compromise (BEC) — when bad actors manipulate email communications to trick their victims — has become one of the most frequent forms of financial fraud, and these scams are becoming more sophisticated. Attackers often impersonate trusted individuals, such as board members, community management company team members or association vendors, to deceive unsuspecting employees into providing sensitive information or transferring funds.

The result is costly. In 2024, BEC crimes caused losses of $2.8 billion, according to the Federal Bureau of Investigation.¹  

One community association management company learned an expensive lesson when it fell victim to a fraudulent invoice from a fake vendor who compromised a board member’s email. Their story offers a valuable lesson in how to avoid BEC fraud with tools and procedures, including call-back authentication, vendor confirmations and employee training.

Fraudulent Vendor Payment: A Real-Life Story

For this particular community association management company, the trouble began when a bad actor gained unauthorized access to a board member’s email account. The compromised account allowed the attacker to become familiar with the board member’s communication style and calendar.

While this board member was on vacation, the management company’s accountant received what appeared to be a legitimate email from the board member, requesting urgent payment on a $125,000 invoice for consulting services to be paid to a vendor. The accountant, who assumed the transaction was authentic because the email came from a known party, ultimately bypassed typical operating procedures to get the urgent invoice paid.

Upon returning from vacation and reviewing the email correspondence, the board member discovered the email chain and realized an impersonator had drafted the invoice request. The board member quickly contacted the management company accountant, and together they reached out to their relationship manager at Western Alliance Bank for support.

How It Happened

A combination of factors created a situation ripe for fraud.

The root cause occurred when the bad actor gained unauthorized access to the board member’s email account and began sending emails that appeared legitimate. The accountant might have questioned a request from an unknown individual, but they trusted the communication that seemed to come from a board member.

However, a few red flags went unnoticed:

• The “urgent payment” request likely pressured the accountant to act quickly without following verification procedures.
• The accountant may have been reluctant to contact the vacationing board member for confirmation.
• No one researched and verified the vendor, who was not in their system.
• The designated association account lacked sufficient funds to debit for the transaction, so a transfer from another account was required to cover the invoice. This should have triggered a stronger review process before accessing the association’s reserve funds.

Consequently, the $125,000 fraudulent invoice was paid to a fake LLC, a “consulting business” created solely by the fraudster.

Taking Action

The BEC fraud was discovered on a Saturday. The community association management company urgently contacted its relationship manager with the Alliance Association Banking group at Western Alliance Bank, who responded that weekend, although the fraudulent LLC’s bank was not reachable until Monday.

The Alliance Association Banking team initiated the fund recovery process with the receiving bank, provided comprehensive documentation to support the fraud claim and continued to work closely with the receiving bank during the investigation process. As a result, a small portion of the funds was recovered and returned to the client. The client’s IT group also took action to ensure the threat was eliminated and no other threats were detected.

Preventing Fraud

Proactive strategies are essential to defend companies’ finances against the growing threat of BEC fraud. By establishing clear protocols and using a downloadable fraud prevention checklist, you can significantly reduce your risk. Key steps include:

• Implement Internal Policies: Establish strong vendor management procedures to ensure all vendors are set up properly in an internal vendor management systems.
• Double-Check Invoice Authorization: If necessary, delay paying invoices, even those noted as urgent, until a knowledgeable contact is available.
• Play Detective: Confirm any new vendor’s authenticity. You might check Google reviews of the vendor, company registration on the government’s Secretary of State page, address and other details. Look for red flags such as recently established businesses, lack of reviews or suspicious addresses (like a location in another state for a supposedly local company).
• Call to Verify: Emphasize the importance of callback verification for new vendors, as well as voice notification from employees for large invoices. Train your teams to use known contact information to verify vendor details, not information provided in suspicious communications.

Connect With a Trusted Banker

Your banking partner can provide invaluable support and create a tailored fraud prevention plan to meet your needs. The Alliance Association Banking team at Western Alliance Bank specializes in working with the community association industry, offering technology solutions and robust internal systems to minimize the risk of fraud.

Reach out to a member of our dedicated banking team for additional strategies to detect and mitigate risk, including free virtual training for you and your employees.