The Devil’s in the Detail: Spotting Red Flags in Payment Change Requests
Podcast: Mind the Breach
Series: The Phantom Invoice (Part 2 of 3)
Episode Title: The Devil’s in the Detail: Spotting Red Flags in Payment Change Requests
Episode Summary:
In this second installment, host Sarah and cybersecurity expert Patrick dive deep into the specific red flags that can betray a fraudulent email, even as scams become more sophisticated. They provide a practical, front-line guide for businesses and their employees, covering everything from scrutinizing the sender’s email address to analyzing the psychological tactics used by criminals. The episode offers a detailed checklist of what to look for, how to handle suspicious attachments and links, and emphasizes the critical importance of a questioning culture.
Speakers:
- Host: Sarah
- Cybersecurity Expert: Patrick
Detailed Show Notes & Key Timestamps
[00:00] – Introduction
- [00:10] Welcome to Part 2 of “The Phantom Invoice” series.
- [00:30] Today’s focus is on the “defensive front line”: spotting the critical red flags in fraudulent emails. The central question is how to see the danger signs when fakes are so well-crafted.
- [00:52] Patrick acknowledges the improved craftsmanship of fraudulent emails, partly fueled by readily available AI tools that can generate flawless text.
Red Flag 1: The Sender’s Details
- [01:12] The first line of defense is to start with the sender’s details. The “From” field can be very deceptive.
- [01:22] Scrutinize the Sender’s Email Address: Patrick explains this is “ground zero” for inspection. It’s not enough to see a display name like “John Smith.”
- [01:31] Actionable Tip: Staff must be trained to inspect the actual email address behind the name, often by hovering the mouse over the sender’s name in the email client.
- [01:45] Look for Subtle Misspellings & Character Substitutions: Criminals use tricks like supplier@company.co instead of .com, or visually similar characters such as rn to mimic the letter m.
- [02:04] Beware of Domain Impersonation: This involves using a domain that’s very close to the legitimate one, such as adding a hyphen or an extra word (e.g., company-payments.com), or using a different top-level domain (e.g., .org or .net instead of .co.uk).
- [02:18] A Major Red Flag: Use of Public Email Addresses: A known contact from “ABC Corp” suddenly sending sensitive bank change information from a Gmail or other public email address is highly suspicious.
Red Flag 2: Content, Tone, and Urgency
- [02:46] The content and tone of the email often provide strong indicators of fraud.
- [02:55] Look for Unexpected Deviations: A sudden, unexplained shift in language, tone, or formatting from a known contact (e.g., a normally informal supplier sending a very formal request) should raise suspicion.
- [03:16] The Psychological Lever of Urgency: Patrick identifies undue urgency or pressure as one of the most potent tactics fraudsters use.
- [03:25] Spot Urgent Phrasing: Look for phrases like “urgent action required” or “payment needed within the hour to avoid disruption.” This is designed to bypass rational thought.
- [03:39] The Tactic of Secrecy: Urgency is often paired with instructions for secrecy, like “this is a confidential matter, do not discuss with others.” This isolates the victim and prevents them from seeking a second opinion.
Red Flag 3: The Narrative and Request
- [03:52] Scrutinize the story or narrative they construct for why the changes are needed.
- [04:05] Out-of-the-Blue Notification of New Bank Details: While legitimate changes happen, an unheralded email being the sole method of communicating such a critical update is a significant red flag.
- [04:31] Analyze the New Bank Details: Is the new bank in an unexpected geographical location? Is the beneficiary name suddenly a personal one rather than the company name you’re used to?
Red Flag 4: Attachments and Links
- [04:41] A discussion on how attachments and links serve as indicators.
- [04:55] How to Handle Attachments: The golden rule is to never open them straight away. Always use antivirus software to scan the file first. However, if the scan is clean but the email still feels wrong, trust your instincts.
- [05:37] How to Handle Links: Patrick’s advice is to ignore them completely. Do not click or even hover. Modern links can be too complex for an average user to determine if they are legitimate.
- [05:53] The Safest Strategy: Stop and think. Does the request make sense? If in doubt, confirm by picking up the phone and calling a number you know is legitimate (NOT one from the email signature).
The Ultimate Red Flag: Bypassing Procedure
- [06:20] Follow Internal Escalation Procedures: Once an email is flagged as suspicious, the employee must follow the company’s established escalation process.
- [06:32] Advice for Small Businesses: If you lack dedicated cybersecurity staff, consider engaging an external expert to safely analyze the suspicious email or file.
- [08:41] Check the CC and Reply-To Fields: Fraudsters may CC fake internal colleagues to add a veneer of authenticity.
- [08:52] The “Reply-To” Switch Trick: A critical check. The Reply-To address can be different from the From address. An email may appear to be from your CEO, but hitting “reply” directs your response to the fraudster.
- [09:20] The Biggest Red Flag of All: Any request, however well-disguised, that asks an employee to bypass a standard company verification process is, in itself, the most significant warning sign.
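A defender-side check for the header red flags covered in the notes above (the Reply-To switch, a public webmail sender, and lookalike supplier domains built with a different TLD, an rn-for-m swap, or an added hyphenated word). This is an added example, not code from the episode or its sponsor; the trusted supplier list, the webmail list and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr
# Constructed reference data (assumptions): supplier domains you already trust,
# and public webmail providers a supplier would not use for bank-detail changes.
KNOWN_SUPPLIER_DOMAINS = {"company.com", "abccorp.co.uk"}
PUBLIC_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _normalise(label):
    # Undo the visual tricks from the episode: "rn" for "m", inserted hyphens.
    return label.lower().replace("rn", "m").replace("-", "")

def lookalike_of(domain, known=KNOWN_SUPPLIER_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or domain in known:
        return None
    label = _normalise(domain.split(".")[0])  # second-level label only
    for k in known:
        klabel = k.split(".")[0]
        # catches company.co, cornpany.com and company-payments.com alike
        if label == klabel or label.startswith(klabel):
            return k
    return None

def check_headers(raw):
    """Return the red flags found in the headers of a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    _name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append(f"reply-to switch: {from_addr} -> {reply_addr}")
    if from_dom in PUBLIC_WEBMAIL:
        flags.append(f"public webmail address for business mail: {from_addr}")
    target = lookalike_of(from_dom)
    if target:
        flags.append(f"lookalike sender domain {from_dom} resembles {target}")
    for _, cc in getaddresses(msg.get_all("Cc", [])):
        if t := lookalike_of(_domain(cc)):
            flags.append(f"lookalike CC domain {_domain(cc)} resembles {t}")
    return flags

# Constructed sample message that trips three of the checks at once.
SAMPLE = """From: John Smith <john.smith@cornpany.com>
Reply-To: accounts@company-payments.net
Cc: Finance Team <finance@abc-corp.co.uk>
"""
```

Running `check_headers(SAMPLE)` returns three flags: the Reply-To switch, the rn-for-m sender domain, and the hyphenated CC domain mimicking a trusted supplier.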
[06:51] – Sponsor Break
- [07:01] A message from sponsor Security Affairs Limited, offering a pay-as-you-go analysis service for suspicious emails and files, providing a definitive, plain-English report.
- [08:09] Resource Mentioned: Visit securityaffairs.biz for more information.
[08:26] – Final Thoughts & Conclusion
- [09:50] Patrick and Sarah reinforce that while threats evolve, so too can our ability to detect them through awareness and critical scrutiny.
- [10:04] The key is empowering people with knowledge and fostering a culture where it’s expected to pause and question anything that doesn’t feel right.
- [10:15] Coming Up Next: The final episode will cover the simple, practical steps and robust verification processes businesses must implement to actively block these attacks.
Mind The Breach: Phantom Invoice (Part 2) “The Devil’s in the Detail: Spotting Red Flags in Payment Change Requests”
(Intro Music)
[00:10] Sarah: Welcome to Mind the Breach. And this is part two of The Phantom Invoice.
[00:16] Sarah: I’m Sarah, and I’m here again with cybersecurity expert Patrick.
[00:21] Sarah: Last time, we established just how sophisticated and targeted invoice redirection and business email compromise scams have become.
[00:30] Sarah: Today, Patrick, I want us to focus on the defensive front line: spotting those critical red flags.
[00:36] Sarah: Businesses know these emails are out there, but the concern is always, how do we actually see the danger signs when these fakes are getting so good?
[00:45] Patrick: That’s the million-dollar question, Sarah. Or perhaps the multi-thousand-pound question for many SMBs.
[00:51] Patrick: You’re right. The craftsmanship in these fraudulent emails has improved dramatically, partly fueled by readily available AI tools that can generate flawless text.
[01:01] Patrick: But however polished the email, the fraudster’s intent and methods often leave subtle, and sometimes not-so-subtle, traces.
[01:09] Sarah: So, let’s break them down. I always advise people to start with the sender’s details. That initial ‘From’ field can be very deceptive if you don’t look closely. What are the key things to dissect?
[01:22] Patrick: Absolutely. The sender’s email address is ground zero for scrutiny.
[01:27] Patrick: It’s not enough to see just ‘John Smith’ as a display name. Staff need to be trained to always inspect the actual email address behind that name.
[01:35] Patrick: This often involves hovering the mouse over the sender’s name in most email clients nowadays.
[01:41] Patrick: They should be looking for several tell-tale signs.
[01:45] Patrick: Subtle misspellings or character substitutions. Things like supplier@company.co instead of .com. Or the lowercase letters r and n used to mimic a lowercase m.
[01:57] Patrick: These are designed to fool the eye at a quick glance. And there are more tricks like that than we can cover here.
[02:04] Patrick: Domain impersonation. Using a domain that’s very close to the legitimate one, perhaps adding a hyphen, a word like dash-payment, or using a different top-level domain like .org or .net instead of .co.uk.
[02:18] Patrick: Use of public email addresses for official business. This is a big one.
[02:23] Patrick: If your known contact at ABC Corp suddenly emails sensitive bank change information from john.abc.corp@gmail.com, that’s highly suspicious, especially if they’ve never used public emails in correspondence with you before.
[02:41] Sarah: That detailed check of the email address itself is so crucial. Beyond that, the content and tone of the email often provide strong indicators, don’t they? Especially unexpected deviations from the norm.
[02:55] Patrick: Indeed. A sudden, unexplained shift in the language, tone, or even the typical formatting of emails from a known contact should immediately raise suspicion.
[03:05] Patrick: If a supplier who’s usually informal and uses specific greetings suddenly sends a very concise and very brief, overly formal request, or vice versa, it warrants a closer look.
[03:16] Patrick: But perhaps the most potent psychological lever fraudsters use is undue urgency or pressure.
[03:23] Sarah: Yes, that element of panic they try to induce. Phrases like ‘urgent action required’ or ‘payment needed within the hour to avoid disruption’. It bypasses rational thought, doesn’t it?
[03:33] Patrick: Precisely. They’re trying to force an immediate reaction, overriding standard procedures. This is often coupled with instructions for secrecy: ‘This is a confidential matter, do not discuss with others,’ for example. This tactic isolates the victim and prevents them from seeking a second opinion or following normal verification paths.
[03:52] Sarah: And the narrative they construct for why these urgent, secret payments or changes are needed. That’s another area for scrutiny. For example, the out-of-the-blue notification of new bank details.
[04:05] Patrick: Exactly. While legitimate changes occur, an unheralded email being the sole method of communicating such a critical update is a significant red flag.
[04:16] Patrick: Businesses should consider the typical communication patterns of their suppliers. Would a long-standing partner only use a single email to inform you of new bank details, especially if large sums are involved?
[04:28] Patrick: Also, the new bank details themselves can be revealing. Is the new bank in an unexpected geographical location? Is the beneficiary name suddenly a personal one rather than the company name you are used to?
[04:41] Sarah: You mentioned earlier that attachments and links can also be indicators. Even if an email isn’t directly asking for a payment transfer, but is perhaps trying to get you to click on something to ‘view the new banking details’, for example.
[04:55] Patrick: Correct. Let’s start with attachments, as they are a common threat. The golden rule is to never open them straight away. Before you do anything else, use your antivirus software to scan the file. If the timing of the email, its message, or the circumstances seem at all suspicious, it’s absolutely vital to wait for the antivirus determination.
[05:16] Patrick: However, it’s important to remember that antivirus scanners can sometimes miss things. So, if the scan comes back clean, but the email still doesn’t feel right, trust your instincts.
[05:28] Patrick: This is when you fall back on the most reliable method: out-of-band communication and your company’s escalation process.
[05:36] Patrick: That leads to the links in the email, and my advice here is to ignore them completely. Don’t even hover.
[05:43] Patrick: Modern links can be incredibly complex, packed with encoding that makes it nearly impossible for the average person to tell if they’re legitimate or not.
[05:53] Patrick: The far better strategy is to stop and think. Does this request make sense? If there is any doubt, confirm it by picking up the phone and calling a number you know is legitimate, not the one from the email signature.
[06:07] Patrick: This simple step bypasses the risk entirely, including the danger of time-of-click protection, where a link can be harmless one minute and malicious the next.
[06:18] Patrick: And once an email is flagged as suspicious, the next step is crucial. The employee should follow the company’s internal escalation procedure. For many small businesses that lack the dedicated cybersecurity staff, they should consider engaging an external expert to safely analyze the suspicious email or attachment.
[06:38] Patrick: It’s important to recognize that even a contracted IT service provider may not have the specialized forensic expertise required for this type of analysis.
(Music Break)
[06:51] Sarah: That’s a perfect example of how complex this can get. We’re going to take a short break to hear a word from our sponsor, who has a solution for this exact problem.
[07:01] Sponsor Ad Voice: You’re a business owner. That means you’re the boss, the finance team, and often the IT department, too. You’ve spent years building your business, your life’s work. But what do you do when a suspicious email lands in your inbox? One demanding an urgent payment or asking you to click a link that just doesn’t feel right. Your antivirus didn’t stop it, and now the responsibility is all on you. That moment of panic and uncertainty is exactly what the criminals are counting on. But you don’t have to face it alone. At Security Affairs Limited, we offer a different approach. We’re not another complex software subscription. We are a team of UK-based cybersecurity experts offering a simple, pay-as-you-go analysis service. For a small, one-off fee, you securely forward us that suspicious email or file. We perform an in-depth, human-led analysis and give you a definitive, plain English report: what it is, what it does, and exactly what you need to do next. No jargon, no guesswork, just clarity. Stop the anxiety and get back the control. Protect your business and your peace of mind. Visit securityaffairs.biz to see how simple it is to get the expert answers you deserve. That’s securityaffairs.biz.
(Music Break)
[08:26] Sarah: And we’re back.
[08:29] Sarah: It feels like a combination of technical awareness and good old-fashioned critical thinking. Are there any other, perhaps more technical, elements within the email itself that can betray a fraudster?
[08:41] Patrick: A few more subtle points. Examine the CC and Reply-To fields. Fraudsters might CC email addresses that mimic internal colleagues to add a veneer of authenticity. More critically, the Reply-To address can be different from the apparent From address. So, while the email appears to come from CEO@yourcompany.com, hitting reply might direct your response to fraudster@somewhere-else.com. This is a clear giveaway.
[09:10] Sarah: That reply-to switch is a clever one. Ultimately, Patrick, many of these red flags point to a deviation from established norms and procedures. If a request, however well disguised, asks an employee to bypass a standard company process, that in itself should be the biggest red flag of all, shouldn’t it?
[09:29] Patrick: Unquestionably, Sarah. If a company has a defined procedure for validating and actioning payment changes or unusual payment requests, any communication that attempts to circumvent that procedure is, by its very nature, highly suspicious and warrants immediate, cautious verification through established out-of-band channels.
[09:49] Sarah: This is all incredibly valuable, Patrick. It reinforces that while the fraudsters are evolving, so too can our ability to detect their attempts, provided we cultivate that awareness and critical scrutiny within our teams.
[10:03] Patrick: That’s the key. It’s about empowering people with knowledge and encouraging a culture where it’s not just acceptable, but expected, to pause and question when something doesn’t feel right.
[10:13] Sarah: And on that note of empowerment, in our final episode, we’ll be discussing the simple, practical steps and robust verification processes businesses must implement to actively block these fraudulent attempts. Patrick will be back to guide us through that.
(Outro Music)