Business email compromise rarely looks dramatic at first. It usually arrives as an ordinary invoice update, a routine payment change, or a short message from an executive who seems to be in a hurry. That is why finance, operations, and IT teams benefit from a standing tracker rather than one-off awareness training. This guide explains how to monitor payment diversion and invoice fraud trends, which variables matter most, how often to review them, and what changes should trigger tighter controls. The goal is simple: make BEC patterns visible early enough that your team can stop fraudulent payment requests before money leaves the business.
Overview
A useful business email compromise tracker is not a database of every suspicious message your company has ever received. It is a working monitoring tool focused on recurring signals: who is being impersonated, what payment instructions are being changed, which vendors are involved, which channels attackers are using, and where approval workflows are breaking down.
For most organizations, payment diversion scam activity clusters around a few predictable moments:
- New vendor onboarding
- Invoice submission and approval windows
- Month-end and quarter-end payment runs
- Staff travel, holidays, and leadership absences
- ERP, banking, or procurement process changes
That pattern is what makes a tracker valuable. You are not just logging incidents. You are monitoring pressure points in your own business process where spoofing, mailbox compromise, or social engineering is most likely to succeed.
In practical terms, a strong tracker supports five decisions:
- Whether the current threat level to finance operations is rising or stable
- Which fraud scenarios deserve immediate employee reminders
- Which vendors or internal roles need stronger verification steps
- Whether existing email security and payment controls are catching the right signals
- When a suspicious event crosses from nuisance to formal incident response
If your organization already runs a broader incident program, connect this tracker to your escalation model. A fake invoice that is caught before payment may remain a fraud attempt. A verified mailbox compromise or completed wire transfer should move into a formal response workflow. If you need a framework for triage, the Security Incident Severity Matrix for SMBs: How to Classify and Escalate Events is a useful companion.
What to track
The best invoice fraud trends tracker balances tactical detail with repeatability. Track too little and you miss meaningful patterns. Track too much and the log becomes unreadable. The categories below are usually enough to create a high-signal monitoring resource.
1. Attack type
Label each event by scam pattern rather than only by severity. Common categories include:
- Vendor impersonation: a fraudster pretends to be a supplier and requests updated bank details
- Executive impersonation: the sender appears to be a senior leader pushing an urgent payment
- Mailbox compromise: a legitimate account is used to redirect funds or alter invoices
- Thread hijacking: attackers reply within an existing email chain to look credible
- Lookalike domain spoofing: a deceptive domain closely resembles a real vendor or internal address
- Portal or document lure: the target is sent to a fake invoice, shared file, or login page
These labels help your team distinguish ordinary phishing from high-risk BEC attempts tied directly to payments.
2. Targeted function and individual
Track which teams are being approached. In many organizations, the highest-risk roles include accounts payable, treasury, procurement, payroll, controllers, executive assistants, and anyone with access to banking portals or vendor master data.
Do not stop at department-level labels. Record the job function targeted and the access that role has. A request sent to a junior AP clerk with authority to update remittance details is operationally different from the same email sent to a receptionist.
3. Impersonated party
Note who the attacker is pretending to be:
- Existing supplier
- New vendor
- CEO or CFO
- Law firm or outside advisor
- Bank representative
- Internal IT or security team
When the same names, executives, or strategic vendors recur, that often points to publicly exposed organizational information, recent transaction activity, or compromised correspondence.
4. Payment change requested
This field matters because the operational ask often reveals attacker maturity. Track whether the message requested:
- Bank account update
- Change in ACH instructions
- Wire payment to a new beneficiary
- Reissue of an unpaid invoice
- Urgent off-cycle payment
- Gift card or prepaid card purchase
- Payroll or direct deposit change
Gift card fraud and payroll diversion belong in the same monitoring family because the social engineering mechanics are similar even when the financial process differs.
5. Delivery and authentication details
This is where IT and finance teams can collaborate. Record the technical characteristics that made the message believable or suspicious:
- Display-name spoofing
- Lookalike domain or typo-squatting
- Free-mail sender used in place of corporate email
- SPF, DKIM, or DMARC alignment issues, if available
- Reply-to mismatch
- Unexpected attachment or file-sharing link
- Conversation threading behavior
Over time, these details support better email fraud monitoring rules and targeted mail gateway tuning.
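As an added example (not code from the original article), the Python below turns the signals listed above into labels for the tracker's "delivery and authentication details" field, so that each entry is recorded the same way regardless of who triages it. The sample headers, the vendor-domain list and the free-mail list are constructed assumptions, and the lookalike threshold of two edits is an illustrative choice rather than a vendor's rule.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): vendor impersonation sent from a
# typo-squatted domain, with a free-mail Reply-To and a faked "RE:" subject.
SAMPLE_RAW = """\
From: "Acme Supplies Billing" <billing@acme-supp1ies.com>
Reply-To: ar.update@gmail.com
Subject: RE: Invoice 4471 - updated remittance details
Authentication-Results: mx.example-corp.com; spf=pass; dkim=none; dmarc=fail

Please update our bank details before the month-end run.
"""
KNOWN_VENDOR_DOMAINS = {"acmesupplies.com", "globex.net"}  # hypothetical vendor master data
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1-2 edits from a real vendor domain marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def delivery_signals(raw: str) -> set[str]:
    """Return tracker labels for the 'delivery and authentication details' field."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_dom = reply.rsplit("@", 1)[-1].lower() if reply else from_dom
    vendor_words = {d.split(".")[0] for d in KNOWN_VENDOR_DOMAINS}
    checks = {
        # Display name claims a known vendor while the domain is not that vendor's.
        "display-name-spoofing": from_dom not in KNOWN_VENDOR_DOMAINS
            and any(w in name.lower().replace(" ", "") for w in vendor_words),
        "lookalike-domain": any(0 < edit_distance(from_dom, d) <= 2 for d in KNOWN_VENDOR_DOMAINS),
        "free-mail-sender": from_dom in FREE_MAIL,
        # Replies are steered to a domain other than the visible sender's.
        "reply-to-mismatch": reply_dom != from_dom,
        # DMARC verdict stamped by the receiving gateway, when present.
        "dmarc-fail": "dmarc=fail" in msg.get("Authentication-Results", "").lower(),
        # A "RE:" subject without the headers a genuine reply carries.
        "reply-without-thread-headers": msg.get("Subject", "").lower().startswith("re:")
            and not (msg.get("In-Reply-To") or msg.get("References")),
    }
    return {label for label, hit in checks.items() if hit}
```

A message that raises none of these labels can still be fraudulent (a genuinely compromised vendor mailbox passes every check), which is why the vendor and payment context fields below matter as much as the technical ones.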
6. Vendor and payment context
Track context that explains why the attempt might have worked:
- Was the vendor active in the current payment cycle?
- Was there an open invoice or disputed balance?
- Was there a recent legitimate bank change?
- Was the message sent near month-end or quarter-end?
- Was the employee on leave, overloaded, or covering for another approver?
This is often the difference between generic phishing awareness and process-aware defense.
7. Outcome
Every entry should end with an outcome label:
- Blocked by email controls
- Reported by user before action
- Verification completed and fraud stopped
- Vendor account flag added
- Payment attempted but recovered
- Payment completed and unrecovered
- Mailbox compromise confirmed
Without outcomes, your tracker becomes a record of attempts instead of a decision tool.
8. Time to detection and time to verification
Measure how long it took the business to notice the request and how long it took to confirm whether it was legitimate. Long verification windows create opportunities for pressure, escalation, and accidental approvals. If approval teams take hours or days to resolve obvious payment-change requests, your controls may be too informal.
9. Control point that failed or succeeded
For each event, identify the control that mattered most:
- Call-back verification
- Known-contact confirmation using stored contact data
- Dual authorization
- Bank detail change hold period
- Mailbox security alert
- Vendor master change review
- User skepticism and reporting
This allows you to rank defensive controls by real-world value rather than by policy language alone.
10. Follow-up actions
Your tracker should support action, not just awareness. Include a short field for next steps such as employee notice, vendor confirmation, domain blocking, payment workflow change, mailbox review, legal notification, or broader incident response. If a compromise extends beyond attempted fraud into a security event, your team may also need the Business Data Breach Response Plan: First 24 Hours, 72 Hours, and 30 Days.
Cadence and checkpoints
A tracker only becomes useful when it is reviewed on a schedule. Most teams do well with a layered cadence: weekly for operations, monthly for trend review, and quarterly for control changes.
Weekly operational review
Keep this short and tactical. Review:
- All payment-change requests received that week
- Suspicious messages targeting finance or executive staff
- Any vendor master modifications
- Exceptions to normal payment approval workflows
- Pending verifications older than your internal target
The purpose is not deep analysis. It is to catch active patterns while details are fresh.
Monthly trend review
Once a month, step back and look for movement in the tracker. Compare:
- Number of BEC attempts
- Number of vendor impersonation events
- Number of executive impersonation events
- Share of attacks involving invoice changes versus urgent payment demands
- Most targeted departments and users
- Most impersonated vendors
- Rate of user reporting versus security tool detection
- Near misses and confirmed losses
This is the review meeting that turns scattered alerts into invoice fraud trends your team can actually act on.
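An added example, not part of the original guide: a minimal tracker row type built from the fields in "What to track", with the comparisons this monthly review calls for computed over a constructed set of rows, and a month-over-month function that reports the change in each numeric figure (positive means rising). The category labels, role names and sample events are assumptions chosen to match the lists above.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class BecEvent:
    month: str            # "YYYY-MM"
    attack_type: str      # vendor-impersonation, executive-impersonation, thread-hijacking, ...
    impersonated: str     # vendor name, "CEO", "bank", ...
    target_role: str      # accounts-payable, payroll, executive-assistant, ...
    payment_change: str   # bank-account-update, ach-instruction-change, gift-card, ...
    detected_by: str      # "user" (reported) or "tool" (blocked by email controls)
    outcome: str          # one of the outcome labels from category 7
    hours_to_verify: float

INVOICE_CHANGES = {"bank-account-update", "ach-instruction-change", "invoice-reissue"}
URGENT_DEMANDS = {"urgent-off-cycle-payment", "wire-to-new-beneficiary", "gift-card"}
NEAR_MISS = {"payment-attempted-but-recovered"}
LOSS = {"payment-completed-and-unrecovered"}

# Constructed sample rows (not real incident data): April versus May.
SAMPLE_EVENTS = [
    BecEvent("2024-04", "executive-impersonation", "CEO", "executive-assistant", "gift-card", "tool", "blocked-by-email-controls", 0.0),
    BecEvent("2024-04", "vendor-impersonation", "Acme Supplies", "accounts-payable", "bank-account-update", "user", "verification-completed-fraud-stopped", 6.0),
    BecEvent("2024-05", "vendor-impersonation", "Acme Supplies", "accounts-payable", "bank-account-update", "user", "verification-completed-fraud-stopped", 30.0),
    BecEvent("2024-05", "thread-hijacking", "Acme Supplies", "accounts-payable", "ach-instruction-change", "user", "payment-attempted-but-recovered", 52.0),
    BecEvent("2024-05", "executive-impersonation", "CFO", "accounts-payable", "urgent-off-cycle-payment", "tool", "blocked-by-email-controls", 0.0),
]

def monthly_summary(events, month):
    """The figures the monthly trend review compares, for one month of tracker rows."""
    rows = [e for e in events if e.month == month]
    n = len(rows)
    if n == 0:
        return {}
    return {
        "attempts": n,
        "by_attack_type": dict(Counter(e.attack_type for e in rows)),
        "invoice_change_share": round(sum(e.payment_change in INVOICE_CHANGES for e in rows) / n, 2),
        "urgent_demand_share": round(sum(e.payment_change in URGENT_DEMANDS for e in rows) / n, 2),
        "top_target_role": Counter(e.target_role for e in rows).most_common(1)[0][0],
        "top_impersonated": Counter(e.impersonated for e in rows).most_common(1)[0][0],
        "user_report_rate": round(sum(e.detected_by == "user" for e in rows) / n, 2),
        "near_misses": sum(e.outcome in NEAR_MISS for e in rows),
        "confirmed_losses": sum(e.outcome in LOSS for e in rows),
        "max_hours_to_verify": max(e.hours_to_verify for e in rows),
    }

def month_over_month(events, prev, cur):
    a, b = monthly_summary(events, prev), monthly_summary(events, cur)
    return {k: round(b[k] - a[k], 2) for k in b if k in a and isinstance(b[k], (int, float))}
```

In the sample data the May rise in attempts comes with a near miss, a thread-hijacking entry and a 52-hour verification window, which is the combination the interpretation section below treats as a real shift rather than better reporting.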
Quarterly control checkpoint
Every quarter, ask whether the pattern of attacks has shifted enough to justify process or technical changes. Focus on:
- Whether your callback procedures are still being followed
- Whether approval thresholds need adjustment
- Whether email authentication and lookalike-domain monitoring need tuning
- Whether vendor onboarding and bank-change procedures are too permissive
- Whether specific business units need targeted refresher training
Quarterly review is also a good point to revisit related governance topics such as vendor diligence and privacy obligations. Depending on the broader incident context, your team may benefit from reviewing the Vendor Security Questionnaire Essentials: What to Ask Before Sharing Customer Data and the Privacy Law Update Hub: New US State Privacy Rules Businesses Should Track.
Event-driven checkpoints
Do not wait for the calendar if one of these occurs:
- A vendor reports their mailbox was compromised
- Your company changes banks, ERP systems, or payment processors
- There is staff turnover in finance leadership or AP
- A fraudulent payment is sent or nearly sent
- A cluster of spoofing messages appears around payroll or month-end
- A real executive or vendor account is observed sending suspicious requests
These are immediate reasons to review the tracker and reinforce controls the same day.
How to interpret changes
Not every increase in suspicious email means your business is under a novel attack. The point of a tracker is to separate noise from meaningful change.
An increase in volume may mean better reporting, not worse security
If employee-reported events rise after awareness training or easier reporting workflows, that can be a positive signal. Before concluding that the threat has worsened, compare the increase in reports to the increase in confirmed malicious requests and actual payment actions.
A shift in impersonated vendors often points to exposed business context
If attackers suddenly focus on one supplier, ask why. Possibilities include a public contract announcement, compromised vendor communications, a known invoice cycle, or information exposed in previous correspondence. The most useful response is not a generic alert but a vendor-specific verification rule.
More thread hijacking usually deserves higher concern
A polished fake invoice from a new domain is dangerous. A fraudulent request inside a real conversation is usually more dangerous. When your tracker shows more conversation hijacking, it may suggest mailbox compromise somewhere in the chain, either on your side or the vendor's. That should raise the response level and may require mailbox review, password resets, session revocation, and direct vendor outreach.
Requests timed around deadlines reveal process pressure points
If payment diversion scam attempts cluster near month-end, quarter-close, payroll cutoff, or leadership travel, attackers may be exploiting urgency rather than technical sophistication. The right control here is often procedural: delayed processing of bank changes, mandatory callback to a stored number, or second-person review for off-cycle payments.
A rise in blocked emails does not always mean controls are complete
If your mail gateway catches many lookalike domains but users still receive thread hijacks from trusted accounts, your exposure may be shifting rather than shrinking. Use the tracker to compare what your technical stack catches versus what reaches the business through legitimate or compromised channels.
A small number of near misses can outweigh a large number of low-quality attempts
One well-crafted request that almost changes a vendor's bank details is more important than twenty generic CEO gift card emails. Weight events by business process proximity: Did the attacker identify the right vendor, the right approver, the right payment amount, or the right invoice timing? If yes, your tracker should mark that event as high learning value even if no money moved.
It can also help to align BEC entries with other account-takeover risks. If your organization is seeing reused-password issues or suspicious sign-ins, review broader account security posture as well. The article Credential Stuffing Explained: How Reused Password Attacks Work and How to Stop Them provides useful context for adjacent compromise paths.
When to revisit
Revisit this topic on purpose, not only after a loss. A business email compromise tracker earns its keep when it becomes part of routine operational hygiene.
At minimum, return to your tracker:
- Monthly, to review patterns and update internal alerts
- Quarterly, to test whether controls still match attacker behavior
- Before high-volume payment periods, such as quarter-close or year-end
- After any vendor bank-detail change process update
- After executive travel schedules or organizational changes that increase impersonation risk
- Immediately after a near miss, confirmed compromise, or misdirected payment
To keep the tracker practical, end each review with a short action list. A good monthly list usually contains no more than five items, such as:
- Flag the top three impersonated vendors for callback-only bank-change verification
- Send a targeted reminder to AP and executive assistants about the current spoofing pattern
- Review any inbox rules or login anomalies on accounts involved in suspicious threads
- Update domain blocks or alerting for newly observed lookalike senders
- Audit recent vendor master changes for proper approvals and contact validation
If your organization experiences an actual fraud event, expand the review beyond payment controls. Preserve the email, confirm whether any mailbox was compromised, notify affected partners through known-good channels, and determine whether customer or employee information is involved. Depending on scope, related guidance on reading formal notices and downstream identity risk may also become relevant, including Breach Letter Explained: How to Read a Data Breach Notice and Decide Your Next Steps and Identity Theft Warning Signs After a Breach: What to Watch in the First 90 Days.
The most effective tracker is the one your team will actually revisit. Keep it short enough to scan, specific enough to guide decisions, and structured enough to show whether invoice fraud trends are changing over time. Business email compromise is persistent because it exploits familiar processes. Your monitoring should be just as persistent, and much more disciplined.