$1.1M lost to vendor impersonation in healthcare BEC fraud


A trusted healthcare provider thought they were paying a known vendor for urgently needed personal protective equipment (PPE). But the bank account they transferred funds to wasn’t legitimate—and by the time the fraud was discovered, more than $1.1 million had vanished.

According to the U.S. Department of Justice, cybercriminals impersonated the PPE vendor and convinced the healthcare provider to update payment details. Four ACH payments were redirected to a fraudulent account controlled by the attacker.

The funds were quickly dispersed through a fake business entity and layered bank transfers — part of a laundering strategy designed to delay detection and block recovery.

The attackers timed their move perfectly

This was a targeted business email compromise (BEC) attack. The threat actors didn’t need to breach systems; they just needed the victim to believe the payment request was legitimate. They:

  • impersonated a trusted PPE vendor
  • inserted fraudulent bank details into an active invoice process
  • registered a shell business to receive and obscure the funds
  • used structured payments to avoid immediate flags

It was a blend of social engineering, identity spoofing, and traditional money laundering — and it exploited the one thing no system can automate: trust.

Why the threat actors chose this moment

PPE procurement during a health crisis is time-sensitive, and attackers know finance teams under pressure are less likely to second-guess an updated bank account from a known vendor.

That pressure can override even the best internal controls — especially if:

  • vendor changes are handled via email
  • account verification is manual or skipped
  • workflows prioritise speed over validation

This wasn’t just a financial loss. It likely disrupted PPE supply, slowed frontline operations, and raised questions about internal financial governance.

What finance leaders should take from this

BEC scams don’t exploit firewalls — they exploit business processes.

Here’s what this incident reinforces:

  • Process-level risk is rising: Cybercriminals target the way money moves, not just the tech around it
  • Email approvals are too easy to fake: Vendor detail changes need to be verified outside the inbox
  • Time pressure is a vulnerability: Urgency benefits attackers more than defenders

No organisation is immune — especially when controls rely on manual verification and assumed relationships.
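
The controls this section argues for (verifying vendor bank changes outside the inbox, and not letting urgency release a payment) can be enforced as a pre-release check on each payment batch. The sketch below is an added example, not part of the original article and not Eftsure's code; the record fields, function name, 14-day cooling-off window, 100,000 aggregate limit and sample data are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values for illustration; the article specifies none.
COOLING_OFF = timedelta(days=14)   # wait after any bank-detail change
AGGREGATE_LIMIT = 100_000          # total to one account within a batch

@dataclass
class Vendor:
    verified_account: str       # confirmed out-of-band, e.g. by callback
    verified_on: date           # date of that confirmation
    pending_account: str = ""   # change requested but not yet verified
    pending_channel: str = ""   # how the change request arrived

@dataclass
class Payment:
    vendor_id: str
    dest_account: str
    amount: float
    pay_date: date

def review_batch(payments, vendors):
    """Return {payment index: [hold reasons]}; unlisted payments may be released."""
    totals = defaultdict(float)
    for p in payments:
        totals[p.dest_account] += p.amount
    holds = {}
    for i, p in enumerate(payments):
        v, reasons = vendors.get(p.vendor_id), []
        if v is None:
            reasons.append("vendor not in master file")
        elif p.dest_account != v.verified_account:
            if p.dest_account == v.pending_account:
                reasons.append(f"change via {v.pending_channel} not verified out-of-band")
            else:
                reasons.append("account differs from verified vendor record")
        elif p.pay_date - v.verified_on < COOLING_OFF:
            reasons.append("account verified inside cooling-off window")
        # Split payments can each look small, so report the batch total too.
        if reasons and totals[p.dest_account] > AGGREGATE_LIMIT:
            reasons.append(f"batch total to account: {totals[p.dest_account]:,.0f}")
        if reasons:
            holds[i] = reasons
    return holds

# Constructed sample data: account numbers, dates and amounts are made up.
VENDORS = {"ppe-01": Vendor("111000", date(2024, 1, 10), "999888", "email")}
BATCH = [Payment("ppe-01", "999888", 60_000, date(2025, 3, 3)),
         Payment("ppe-01", "999888", 55_000, date(2025, 3, 4)),
         Payment("ppe-01", "111000", 20_000, date(2025, 3, 4))]
```

Calling `review_batch(BATCH, VENDORS)` holds the two payments addressed to the emailed, unverified account and releases the one going to the verified account.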

How Eftsure helps catch these scams early

Eftsure helps finance teams identify fraud before funds are released, by verifying vendor banking details against an independent, continuously updated source of truth.

With Eftsure, finance teams can:

  • detect mismatches between vendor records and bank account changes
  • receive alerts before payments are processed
  • reduce reliance on manual checks and email-based approvals

Such incidents can be intercepted early — before any funds leave the account.

Eftsure complements existing cyber and banking controls to strengthen your layered defense.

Strengthen your payment controls against evolving cyber threats

Learn how Eftsure helps finance teams identify and stop payment fraud risks introduced by vulnerabilities in platforms like SharePoint.

Book a demo to see how Eftsure protects your payments before money leaves your account.

Author: Catherine Chipeta

Published: 22 Jul 2025

Reading Time: 3 minutes
