SUMMARY
Payments fraud has been around for a while, but remote working has given rise to an increase in fraudulent attacks on companies. However, awareness, caution and training can keep those intent on causing financial harm at bay.
Bank fraud trends
Late in the afternoon before the Easter weekend, an invoice marked ‘Urgent: due for same day remittance’ arrives via email just as an accounts payable clerk at a manufacturing firm is about to leave for the day. The invoice is purportedly from a vendor with whom the company works and looks genuine. Even the clerk’s boss, the company treasurer who happens to be on leave, is copied on the correspondence.
The email seems to be originating from an address that looks like it’s the vendor’s invoicing department and the bank transfer details appear to be the same. However, a cursory glance suggests one of the digits in the account number is in the wrong place. Phone calls on a late afternoon before the weekend go unanswered, and in his rush to leave, the clerk wires $119,000 to a vendor he thinks is genuine. Upon the return of the company treasurer, the payment request is revealed to be fraudulent.
This is a real example of a fraud that occurred in the U.S. The case itself is a relatively small instance of fraud, as millions are lost by corporate victims each year. 65% of respondents to the 2023 AFP Payments Fraud and Control Survey Report indicated that their organizations were victims of either attempted or actual fraud in 2022. While the survey indicates there is a downward trend in payment fraud in recent years, it is still concerning that 2 out of 3 companies continue to be victims of attacks.
The report also states that Business Email Compromise (BEC) scams are highly prevalent and are the root cause of payment fraud for most organizations. According to the report, 71% of companies were either victims of payment fraud or attempted fraud via email in 2022, with larger organizations being the most susceptible to BEC scams. Payment methods used during BEC attempts include both wire and ACH debits, with ACH debits being increasingly targeted.
Of course, awareness of BEC scams has increased, and we find that businesses have started to strengthen their defenses. However, cybercriminals have also evolved their strategy, moving from the well-known format of impersonating an executive within the firm and requesting a payment, to more sophisticated vendor-based BEC scams like the aforementioned case study.
In vendor-based BEC scams, which make up the majority of all BEC cases, the attacker poses as an existing supplier. The attacker no longer has to convince the victim of the need for the payment, as regular payments are already being sent to existing vendors. Instead, the fraudsters simply send updated payment information. Such a scam is effective because the fraudster is not initiating a new conversation but seizing an existing email exchange.
Check fraud
Checks continue to be the payment method most frequently subject to fraud attacks. Check fraud occurs when a check is presented against an organization’s account that was not issued by the organization or when the payee information is altered. This type of fraud is low cost to the perpetrators and as such is very attractive. The consequences for the check issuer are both financial loss and operational disruption, as a new account will have to be opened and updated account information sent to customers and vendors.
Robust fraud protection measures are a necessity to safeguard an organization’s operating accounts. Now more than ever, fraud prevention and protection practices are crucial to protecting your business from payments fraud. Awareness, caution, and consistent application of the steps outlined below can help reduce the likelihood of a successful attack:
Best practices for combating payments fraud
- Incorporate processes to validate payment requests: New payment instructions should always be confirmed, preferably via an in-person meeting or a phone call with a known telephone number
- Dual Approval: Utilize an approver/checker process whenever you need to add a new payee or change existing payment details. Dual control significantly improves your chances of identifying a fraudulent act
- Confirm identity of sender: In addition to call-backs, the authenticity of the sender of an email can be quickly checked by hovering over the sender’s name in an email to display the real address
- Implement Bank Controls: Leverage your bank’s fraud protection and detection tools, including Automated Clearing House (ACH) Debit Blocks and Filters, and Positive Pay with Payee Name Verification
- Utilize Electronic Payment Methods: Because checks are especially vulnerable to fraud, consider electronic or automated payment methods such as ACH or wires to optimize your payables operations
- Segregate Bank Accounts: As the primary source of fraud is related to the payment process, separating your payables and receivables accounts can help protect the organization’s incoming funds. Receivables accounts can be set up with restrictions that prohibit outgoing payments from being made out of the account, as well as ACH Debits drawn out of the account
- Ongoing Communication and Training: Awareness and understanding of current fraud trends is foundational to identifying potential fraud. As an example, businesses can subscribe to the U.S. Treasury Department’s Office of Inspector General’s fraud alerts to keep up to date
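The validation, dual-approval and sender-identity steps above can be enforced before a payment is released. The following Python code is an added example, not part of the original article: it compares an incoming invoice with the vendor master record and holds the payment when the sender domain or the account number does not match, as in the case described earlier. The vendor record, domains, account numbers and the 0.85 similarity threshold are constructed assumptions.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class Vendor:
    name: str
    email_domain: str
    account_number: str

# Constructed vendor master record (all values are made up for this example).
VENDOR = Vendor("Acme Supplies", "acme-supplies.example", "004417820931")

def digits_reordered(on_file: str, seen: str) -> bool:
    """Same digits as the account on file, but at least one is in a different place."""
    return on_file != seen and sorted(on_file) == sorted(seen)

def lookalike_domain(known: str, seen: str, threshold: float = 0.85) -> bool:
    """Not the known domain, yet close enough to be mistaken for it."""
    known, seen = known.lower(), seen.lower()
    return known != seen and SequenceMatcher(None, known, seen).ratio() >= threshold

def review_invoice(vendor: Vendor, sender: str, account: str, urgent: bool = False) -> list[str]:
    """Return the reasons an invoice must not be paid without verification."""
    findings = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain != vendor.email_domain.lower():
        kind = "lookalike" if lookalike_domain(vendor.email_domain, domain) else "unknown"
        findings.append(f"sender domain is {kind}: {domain}")
    if account != vendor.account_number:
        detail = "digits reordered" if digits_reordered(vendor.account_number, account) else "changed"
        findings.append(f"account number differs from record on file ({detail})")
    if findings and urgent:
        findings.append("same-day urgency on a request that does not match the record")
    return findings

def decision(findings: list[str]) -> str:
    if findings:
        return "HOLD: call back on the known phone number and require a second approver"
    return "PAY: matches vendor master record"

if __name__ == "__main__":
    # Constructed invoice modelled on the case described above.
    found = review_invoice(VENDOR, "billing@acme-suppl1es.example", "004417280931", urgent=True)
    for reason in found:
        print("-", reason)
    print(decision(found))
```

A clean result only means the request matches the record on file; any change to the record itself still goes through the call-back and dual-approval steps.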
If your business falls victim to a successful fraud attempt, we suggest contacting law enforcement, your insurance company, and your bank to report the incident.