A single phishing email has allegedly cost several New York City entities nearly $19 million — a stark reminder that even well-resourced organizations remain vulnerable to today’s increasingly sophisticated email-based fraud.
According to New York Post reporting, the scheme began in April 2023 when a fraudster impersonated a legitimate vendor and tricked a city-run organization into changing the vendor’s payment details. Over the following months, multiple transactions were misdirected to a fraudulent account. The total loss has now reached $18.9 million.
One of the affected organizations was Milford Management, which oversees hundreds of residential and commercial properties in Manhattan on behalf of landlords including Battery Park City Authority. While the payments were meant for a legitimate vendor, they were instead funneled to accounts under the fraudster’s control for months before discovery.
Phishing attacks remain one of the most effective cybercrime tactics — not because technology fails, but because humans do. What makes this case notable is the speed and scale of the financial impact from a single point of failure.
Despite security and procedural controls likely being in place, fraudsters were able to impersonate a known vendor and submit falsified documents, capitalizing on trust in internal processes. The attacker’s communications were convincing enough that payment changes were processed and the scam went undetected for several months.
As Eftsure regularly observes, business email compromise (BEC) scams are no longer crude or obvious. Attackers now use lookalike domains, fake credentials, and realistic vendor paperwork — often timed to coincide with periods of high activity. Their goal is to avoid detection by appearing legitimate at every stage.
Why AP and treasury teams are in the crosshairs
For finance professionals — especially those in accounts payable and treasury roles — this incident highlights how exposed traditional payment processes have become.
Large organizations manage thousands of payments and hundreds of vendors. Manually verifying bank detail changes or relying on email-based confirmations creates vulnerabilities that experienced fraudsters know how to exploit. Even when procedures are followed, the underlying data may be outdated, or the verification step too easily bypassed.
The implication is clear: following the process isn’t enough. Finance teams need dynamic, independent safeguards that can flag inconsistencies in real time — without relying on employee intuition.
How Eftsure helps close the gap
Eftsure provides a critical layer of defense against payment fraud by verifying vendor details before funds leave the business.
The platform continuously monitors vendor data and leverages a network of verified records to alert finance teams to suspicious changes, such as when new bank details don’t match a known vendor profile. This allows accounts payable teams to halt suspicious payments before they’re processed — without slowing down legitimate transactions.
In cases like the Milford fraud, Eftsure would have identified the mismatch at the point of payment, preventing funds from being diverted to the fraudster’s account.
What finance leaders should do next
While no single tool eliminates all risk, finance teams can take several concrete steps to strengthen fraud resilience:
- automate vendor onboarding and bank detail verification
- require independent, out-of-band confirmation for any payment changes
- integrate real-time alerts and anomaly detection into AP workflows
- update training to include realistic phishing and impersonation scenarios
- work with trusted partners who validate vendor credentials at scale
This isn’t just a finance process issue — it’s a systemic risk to operational continuity, reputational trust, and public accountability. And as this incident shows, the financial consequences can be immense.