Bookkeeper Phishing Response Checklist.
A response workflow for bookkeepers who receive suspicious invoice, vendor, payroll, or payment-change emails. Use this as a practical pre-payment checkpoint, then turn the process into a reusable workflow with the BEC Defense Pack.
Run these steps before approval.
Do not click or reply
Make the decision visible and documented before payment leaves the business.
Preserve the email
Make the decision visible and documented before payment leaves the business.
Check account rules and logins
Make the decision visible and documented before payment leaves the business.
Notify the owner/admin
Make the decision visible and documented before payment leaves the business.
Record actions taken
Make the decision visible and documented before payment leaves the business.
Escalate immediately if any of these are true.
- Money has already moved to a new or suspicious account.
- A mailbox has unknown forwarding rules, filters, OAuth grants, or unusual logins.
- The request touches client funds, regulated data, payroll, trust accounts, taxes, or legal deadlines.
- Two internal approvers disagree or cannot verify the requester off-thread.
Keep moving through the cluster.
Get the free payment-change verification checklist.
Send it to the person who approves invoices, ACH, wires, or vendor bank changes.
Want the workflow instead of another article?
Get the Business Email Compromise Defense Pack, request a free teardown, or download the checklist and capture the process for your team.