Dual Authorization: Your Best Defense Against Payment Fraud
Dual authorization is a financial control that requires two separate individuals to independently approve a payment before it is processed. It is one of the most effective defenses against Business Email Compromise (BEC), wire fraud, and payment redirection scams because it ensures no single employee can be manipulated into sending money to a fraudulent account. Organizations that implement dual authorization alongside independent verification significantly reduce their exposure to the social engineering attacks responsible for billions in annual losses.
What Is Dual Authorization in Payment Security?
Dual authorization, sometimes called dual approval or two-person integrity, is a security control that divides the responsibility for approving financial transactions between two or more individuals. NIST defines it as a system that prohibits individual access to certain resources by requiring the presence and actions of at least two authorized persons, each capable of detecting incorrect or unauthorized procedures (NIST SP 800-172, adapted from CNSSI 4009-2015).
In practice, this means one person initiates a payment and a second, independent person reviews and approves it before the transaction is released. The two individuals must have separate credentials, distinct roles, and ideally operate within a documented segregation of duties framework. This control applies to wire transfers, ACH payments, vendor bank detail changes, and any high-value financial transaction.
Dual authorization is closely related to the broader principle of Separation of Duties (SoD), which NIST SP 800-53 control AC-5 describes as dividing critical functions among different staff members to ensure no one individual has enough information or access to perpetrate fraud alone.
Why Does Dual Authorization Matter for Preventing Fraud?
The financial toll of payment fraud makes the case clearly. The FBI's Internet Crime Complaint Center (IC3) reported $16.6 billion in total cybercrime losses in 2024, a 33% increase over 2023. Business Email Compromise alone accounted for $2.77 billion in losses across 21,442 reported incidents that year. Between 2022 and 2024, BEC losses reported to the FBI totaled nearly $8.5 billion.
The Association for Financial Professionals (AFP) 2025 Fraud and Control Survey found that 63% of organizations experienced BEC in the past year. Wire transfers remain one of the most targeted payment methods, affecting 39% of surveyed organizations according to Eftsure's analysis of fraud trends (eftsure.com).
What makes BEC particularly dangerous is that attackers do not rely on malware or technical exploits. They rely on trust, routine, and the absence of verification controls to trick employees into processing fraudulent payments. A single approval workflow gives attackers exactly one person to deceive. Dual authorization forces them to compromise two people independently, which dramatically raises the difficulty of a successful attack.
How Does a Business Email Compromise Attack Work?
Understanding the attack sequence reveals exactly where dual authorization intervenes.
Step 1: Reconnaissance. The attacker researches the target organization, identifying employees who handle payments, their reporting structures, vendor relationships, and communication patterns.
Step 2: Account Compromise or Spoofing. The attacker either compromises a legitimate email account through phishing or creates a spoofed domain that closely resembles a trusted contact's address.
Step 3: Social Engineering. Using the compromised or spoofed account, the attacker sends a convincing message requesting a payment, a change in bank account details, or approval of a fraudulent invoice. The request often carries urgency or invokes executive authority.
Step 4: Single-Point Exploitation. If only one person can approve and execute the payment, the attacker needs to deceive only that individual. The fraudulent wire transfer is processed, often to an overseas account.
Step 5: Fund Movement. Once the transfer is complete, funds are moved rapidly through multiple accounts, making recovery extremely difficult. The FBI's Recovery Asset Team managed to freeze $561.6 million in 2024, but that represents a fraction of total losses.
Dual authorization disrupts this chain at Step 4 by requiring a second set of eyes on every transaction.
What Happened When Dual Authorization Was Missing?
In August 2024, Luxembourg-based chemical manufacturer Orion S.A. disclosed to the U.S. Securities and Exchange Commission that a non-executive employee had been targeted in a BEC scheme, resulting in $60 million in fraudulent wire transfers to accounts controlled by unknown third parties. The employee was tricked into executing multiple outbound transfers without an independent second approval catching the discrepancy. The company reported no evidence of system compromise, meaning the entire attack relied on social engineering a single individual. As of the disclosure, the funds had not been recovered.
This case illustrates a core reality: even large organizations with sophisticated operations remain vulnerable when payment approval depends on a single person.
How Can You Detect a BEC Attack Before Payment?
Use this checklist before approving any payment, especially when changes to payment details are involved.
Does the request involve new or recently changed bank account details?
Was the request received via email without a secondary confirmation through a different channel?
Does the email domain contain subtle misspellings or character substitutions?
Is the sender creating unusual urgency or bypassing normal approval chains?
Does the payment amount or frequency deviate from established patterns?
Has the vendor or executive been contacted through a known, independently sourced phone number to verify the request?
Are there inconsistencies between the invoice details and the purchase order or contract on file?
A second authorized reviewer applying this checklist independently provides a meaningful layer of fraud detection that a solo approver cannot match.
What Steps Should Organizations Take to Implement Dual Authorization?
Establish a written dual authorization policy. Require two-person approval for all wire transfers, ACH payments above a defined threshold, and any change to vendor banking information. Document which roles hold approval authority.
Enforce segregation of duties. The person who initiates a payment should never be the same person who approves it. NIST SP 800-171 control 3.1.4 specifically requires separating individual duties to reduce the risk of malevolent activity without collusion.
Verify through an independent channel. Before approving any payment involving new or changed bank details, confirm the request by calling the vendor or executive using a phone number sourced independently, not from the email requesting the change. Eftsure's platform automates this verification step by matching payment details against an independently maintained network of verified businesses (eftsure.com).
Implement threshold-based escalation. Payments above certain dollar amounts should require additional approvals, with progressively senior authorization for higher values.
Conduct regular pressure testing. Simulate BEC attacks internally, including fake authority emails and spoofed vendor requests, to test whether dual authorization controls hold under realistic conditions.
Automate where possible. Manual controls are vulnerable to human error and fatigue. Payment verification technology adds an automated layer that runs consistently on every transaction, closing the gaps that manual processes leave open.
Audit and review. Maintain complete records of who initiated, who approved, and what verification steps were completed for every payment. Review these logs regularly for anomalies.
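To make the policy steps above concrete, the following is an added example (not code from the article or from Eftsure) of approval logic that enforces them: a distinct initiator and approvers, threshold-based escalation, a mandatory independent-channel callback when bank details have changed, and an audit trail of every decision. The approver roster and dollar tiers are constructed assumptions, not figures from the article.

```python
from dataclasses import dataclass, field

# Constructed policy: approvals required grows with the amount.
# Tiers are illustrative thresholds, not figures from the article.
APPROVAL_TIERS = [(0, 2), (50_000, 3), (250_000, 4)]  # (minimum amount, approvals)
APPROVERS = {"bob": "ap_manager", "carol": "controller", "dave": "cfo"}  # assumed roster

@dataclass
class Payment:
    initiator: str
    amount: float
    bank_details_changed: bool
    callback_verified: bool = False   # vendor confirmed via independently sourced phone number
    approvals: list = field(default_factory=list)
    audit: list = field(default_factory=list)

def approvals_required(amount):
    """Threshold-based escalation: highest tier whose floor the amount reaches."""
    return max(n for floor, n in APPROVAL_TIERS if amount >= floor)

def reject(p, reason):
    p.audit.append(f"rejected: {reason}")
    return False

def approve(p, approver):
    """Record an approval; refuse anything that breaks segregation of duties."""
    if approver not in APPROVERS:
        return reject(p, f"{approver} holds no approval authority")
    if approver == p.initiator:
        return reject(p, "initiator may not approve own payment")
    if approver in p.approvals:
        return reject(p, f"{approver} already approved; next approval must be a different person")
    p.approvals.append(approver)
    p.audit.append(f"approved by {approver} ({APPROVERS[approver]})")
    return True

def release(p):
    """Release funds only when every control in the policy is satisfied."""
    needed = approvals_required(p.amount)
    if len(p.approvals) < needed:
        return reject(p, f"{len(p.approvals)} of {needed} required approvals")
    if p.bank_details_changed and not p.callback_verified:
        return reject(p, "changed bank details not verified through independent channel")
    p.audit.append("released")
    return True
```

The audit list doubles as the record the "Audit and review" step calls for: every rejection names the control that blocked the payment, so a reviewer can see which checks fired and why.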
Sources:
FBI Internet Crime Complaint Center (IC3), 2024 Annual Report, ic3.gov
NIST SP 800-53 Control AC-3(2): Dual Authorization, csrc.nist.gov
NIST SP 800-172 Glossary: Dual Authorization, csrc.nist.gov
NIST SP 800-171 Control 3.1.4: Separation of Duties
Association for Financial Professionals, 2025 Fraud and Control Survey
Orion S.A. SEC Filing, August 2024
Eftsure, eftsure.com