In this week’s bulletin, Charlie discusses payment diversion fraud and how organisations can protect themselves from fraudsters aiming to access financial transactions.
I receive daily emails from The Record, which list cyber incidents. Yesterday, the headline read ‘Microsoft disrupts RedVDS cybercrime platform behind $40 million in scam losses’. The article went on to say ‘popular cybercriminal subscription service called RedVDS was taken down by Microsoft after the platform was used to enable more than $40 million in fraud losses in the United States alone. RedVDS provided cybercriminals with disposable virtual computers that make fraud cheap, scalable and difficult to trace, according to Microsoft assistant general counsel Steven Masada.’[1] I cover Business Email Compromise (BEC) in the two-day cyber course I teach, so I was aware of it as a concept, but I thought this week’s bulletin would be a good opportunity to research the basics and share them with you.
The Nature of the Fraud
Although the amount of money lost to fraudsters through payment diversion fraud is usually not enough to cause the organisation to fail, it can still lead to significant losses and embarrassment, and may put the organisation in financial difficulty. Many of the techniques used to prevent fraud are the same as those for stopping a ransomware attack, so by being aware of how fraud is carried out, you can protect yourself from both ransomware attacks and losing money to fraud. I also believe this is a very underreported crime, and I suspect many large organisations probably hush up the fact that it has happened, and may not report it to the police or Action Fraud, instead putting the loss ‘down to experience’.
What Is It?
‘Business Email Compromise (BEC) and Payment Diversion Fraud are sophisticated cybercrimes that target individuals and businesses, aiming to deceive them into transferring funds or sensitive information to cybercriminals posing as legitimate entities. These scams often involve impersonation tactics, compromising email accounts, and manipulating communication to divert payments or sensitive data.’ [2] The fraudsters use a variety of techniques to trick an employee into sending money for what appears to be a legitimate purpose, when in fact the payment is going to the fraudster. The important point is that the fraudster never gains access to the organisation’s bank accounts: the organisation’s own staff push the money to the fraudster’s account, and that is what constitutes the fraud. As it is the organisation that authorises and releases the payment, the banks are much less sympathetic to refunding the money.
Cost of Fraud
According to an FBI Report in 2021, ‘BEC is one of the fastest growing, most financially damaging internet-enabled crimes. It is a major threat to the global economy.’ The report also said that ‘Between June 2016 and December 2021, global exposed losses from BEC/EAC totalled approximately $43.3 billion.’ According to the FBI Internet Crime Report 2024, the losses to this crime in the USA were $2.7b. In the UK Finance Fraud Report in 2025, the total losses in the UK to ‘Authorised Payment Fraud’ were £84.9m. [3] Although the USA and UK figures may not be a like-for-like comparison, either is a substantial amount of money for a business to bear.
How is the Fraud Carried Out?
The fraud is typically carried out in five phases.
1. Reconnaissance
This is where the fraudsters have to do the work; they identify a company or organisation to target. Typical target sectors include construction, real estate, and manufacturing, all of which have complex supply chains and involve high-value transactions with a constantly changing set of companies. SMEs are also often targeted as they may have laxer systems than larger organisations. The fraudsters will then research the people in the company to understand who does what, who their suppliers are, and think about how they will conduct the fraud. They will use social engineering and open-source information to gather details on individuals. Their research has to be meticulous as any slip-up or suspicion on the part of the organisation could compromise the fraud and all the time and effort will be wasted. They may also investigate and research both ends of the email chain, including the person within the company who will send the payment, and the organisation, such as a supplier, from whom the email containing the fraudulent request originated.
2. Compromise
The next step is to gain access to, or be able to interact with, the target personnel. This could be achieved in several ways, such as through phishing or spear phishing, or by installing malware to access the target’s email. They might also brute-force passwords or use ‘credential stuffing’, where usernames and passwords leaked in earlier breaches are tried against the victim’s email. Additionally, they could use typosquatting, where they send an email and start a correspondence that appears to be from a supplier or internal source, but the actual email address is very similar to the legitimate one, though different upon closer inspection.
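The typosquatting described above relies on a sender domain that looks like a known supplier’s but is not. The following check, an added illustration rather than anything from the bulletin or its sources, compares an inbound sender’s domain against a register of known supplier domains, folding common look-alike substitutions and allowing a small edit distance; the supplier domains and the substitution table are constructed for the example.

```python
import unicodedata

# Constructed register of domains the organisation already does business with.
KNOWN_SUPPLIER_DOMAINS = {"acme-construction.co.uk", "steelworks-ltd.com", "brightpumps.com"}

# Assumed (not exhaustive) table of substitutions that read alike at a glance.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def normalise(domain: str) -> str:
    """Lower-case, strip accents, and fold look-alike character groups."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small distances between domains are the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, known=KNOWN_SUPPLIER_DOMAINS, max_edits: int = 2) -> str:
    """Return 'known', 'lookalike' (probable typosquat) or 'unknown' for an email address."""
    dom = sender_domain(address)
    # Exact match or a genuine subdomain of a registered supplier domain is fine.
    if dom in known or any(dom.endswith("." + k) for k in known):
        return "known"
    ndom = normalise(dom)
    for k in known:
        nk = normalise(k)
        label = nk.split(".")[0]  # e.g. 'acme-construction'
        if ndom == nk or levenshtein(ndom, nk) <= max_edits:
            return "lookalike"
        # Supplier name embedded in a different registrable domain (acme-construction-co-uk.com).
        if len(label) >= 5 and label in ndom:
            return "lookalike"
    return "unknown"
```

A ‘lookalike’ result is a reason to hold the message for human verification, not proof of fraud on its own.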
3. Surveillance
At this stage, the fraudsters are monitoring transactions and trying to understand the partners involved in the process of how financial transactions are made. They will also be looking out for large transactions, how often they are sent out, and who they are sent to. From their compromised accounts, they may ‘groom’ their victims, interacting with them so the victim believes they are speaking to someone internally or to someone in one of their suppliers. There could be weeks of conversation or observations before the fraud is executed.
4. Execution
The fraud is executed in a number of ways. It could be a legitimate invoice that arrives, but the fraudster pretends to be from the supplier, claiming they have changed their bank account details and asking for the payment to be sent to a different account. It might involve a new supplier known to the organisation, with a fake invoice sent in that supplier’s name. The fraudster may know about the new supplier, what the payment is for, and the amount, making the invoice seem legitimate. It could be a senior manager, such as the CEO, requesting an urgent payment for a company matter, often accompanied by a need for a quick and secret payment because it concerns a special company project. It might also be a ‘lawyer’ or the organisation’s bank asking for the payment. Throughout, psychological pressure techniques, such as urgency, authority, or secrecy – or all three – are used to prevent the person from thinking critically and questioning the payment. With the advent of deepfake video and AI-generated voices that convincingly impersonate a real person, the fraud becomes easier still.
5. Laundering
Once the money goes into the fraudster’s bank account, they transfer it elsewhere and usually buy cryptocurrency with it, so the money disappears. Sometimes, if you act quickly, you can get the bank to recall the money, but often the frauds are so convincing that it isn’t until an audit or a supplier asks where their money is, after you’ve already ‘paid’, that the scam is discovered. Your bank may refund you, though any refund could be capped at £85K, and since you authorised the payment, obtaining one could be difficult. You should report it to Action Fraud and the police, but that will not get your money back.
Case Study Example
A recent example of how this fraud is evolving is the deepfake-enabled payment diversion attack against engineering firm Arup in Hong Kong in 2024. In this case, fraudsters used AI-generated deepfake video and audio to impersonate senior executives, including what appeared to be the company’s CFO, during a video call with a finance employee. Believing the call to be genuine, the employee authorised a series of payments totalling approximately HK$200 million (around £20 million) to accounts controlled by the criminals. The company only realised six months later, when it went to account for the money, that it had been defrauded.
How Can I Stop the Fraud from Happening?
Many of the techniques used to prevent fraud also help prevent cyber attacks, meaning the same controls can reduce both risks.
1. People
Staff should receive regular training to recognise fraud and social engineering techniques. Reducing the organisation’s digital footprint, especially for senior leaders or those likely to be involved in finance, limits the information criminals can use to craft convincing attacks. Staff members should be made aware of the risks associated with the information they share on social media and with whom they share it.
2. Technology
Multi-factor authentication (MFA) should be enabled on email and financial systems to reduce the risk of account compromise. Email security controls and transaction monitoring can help detect impersonation attempts and unusual payment behaviour, but they should support, not replace, human verification.
3. Governance
Clear, documented payment and verification procedures should be formally approved and regularly reviewed. Organisations should conduct periodic audits and maintain tested incident response plans to ensure suspected fraud is escalated and addressed quickly. Staff should be made aware that if they believe they may have made a fraudulent payment, they should report it immediately and not delay through fear of blame or repercussions.
4. Verification Principle
Any request involving money must be verified using known, trusted contact details already held by the organisation. Contact information included in an email or message should never be used for verification. Use code words or information only known to the two people to verify requests from senior managers or individuals requesting changes or urgent payments.
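The Technology and Verification Principle points above amount to a release check that a payments team can apply mechanically: a changed beneficiary account is accepted only if it was confirmed through contact details already on file (never the number quoted in the request), and a payment well outside the supplier’s usual size is held for review. The example below is added here and is not from the bulletin or any named product; the supplier register, phone numbers and the ‘double the usual payment’ threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Supplier:
    name: str
    account: str            # sort code and account number on record
    contact_on_file: str    # phone number held before the request arrived
    typical_max: float      # largest routine payment seen (assumed baseline)


@dataclass
class PaymentRequest:
    supplier: str
    account: str
    amount: float
    contact_in_request: Optional[str] = None  # number quoted in the email or invoice
    verified_via: Optional[str] = None        # number the clerk actually rang, if any


# Constructed supplier register (fictional numbers).
SUPPLIERS: Dict[str, Supplier] = {
    "Acme Construction": Supplier("Acme Construction", "12-34-56 11111111", "+44 20 7946 0001", 50_000.0),
    "Steelworks Ltd": Supplier("Steelworks Ltd", "65-43-21 22222222", "+44 20 7946 0002", 10_000.0),
}


def assess_payment(req: PaymentRequest, suppliers: Dict[str, Supplier] = SUPPLIERS) -> List[str]:
    """Return the reasons the payment must be held; an empty list means it may be released."""
    holds: List[str] = []
    s = suppliers.get(req.supplier)
    if s is None:
        return ["supplier not on the approved register"]
    if req.account != s.account:
        if req.verified_via == s.contact_on_file:
            pass  # change confirmed through the trusted number already held
        elif req.verified_via is not None and req.verified_via == req.contact_in_request:
            # Ringing the number in the email just reaches the fraudster.
            holds.append("bank details changed; verification used contact details taken from the request")
        else:
            holds.append("bank details changed and not verified via the contact on file")
    if req.amount > 2 * s.typical_max:
        holds.append("amount is more than double this supplier's usual payment size")
    return holds
```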
There is significant money to be made from this type of fraud, and while it may not always lead to an organisation’s failure, the financial losses can be substantial and far-reaching. Beyond the pure monetary impact, payment diversion fraud can have a profound psychological effect on the organisation and on the individuals involved, particularly staff who unknowingly authorise the payment. It is therefore essential that employees and business continuity managers understand the threat and their role in preventing it. A culture that encourages healthy scepticism, verification, and questioning of unusual requests can go a long way towards stopping this crime before it succeeds.
[1] The Record (2026), Microsoft disrupts RedVDS cybercrime platform behind $40 million in scam losses
[2] ReportFraud (2026), Payment Diversion Fraud
[3] FBI Congressional Report (2022) FBI 2022 Congressional Report on BEC and Real Estate Wire Fraud