On the one hand, fraud losses continue a seemingly inexorable rise. On the other, there are positive steps businesses can take to mitigate those losses.
Earlier this year, the AFP (the Association for Financial Professionals) published its annual “Payments Fraud and Control Survey,” which looks at trends in business-payments fraud and what companies are doing to combat them.
The news wasn’t particularly good. Even though companies are finding some success with increased fraud-prevention efforts, they’re having trouble keeping pace. Eighty-two percent of the survey’s 628 respondents said their organizations experienced attempted or actual payments fraud in 2018. That represents a nearly 20% rise in the past five years. We’re at a point where it’s no longer a question of whether your business will experience fraud, but when.
What stands out in this year’s report is that criminals keep finding new ways to attack businesses, and they’re increasingly attacking large enterprises. No company is immune, and businesses need to find even better ways to safeguard every type of payment along with the payment process itself, because the fraudsters are always one step ahead.
Business email compromise (BEC) is a top tactic for external attacks, impacting more than half of the survey respondents, up from 46% in 2017. Wire transfers are still the most common target for BEC scams, probably because they’re usually one-off requests, so it’s less noticeable when something is out of the ordinary. Checks are the second most common target because they’re still the most common payment method.
The good news is that, with heightened awareness and defenses, the number of companies experiencing BEC wire payments fraud has dropped 17 percentage points, from 60% to 43%.
The number of companies hit by BEC fraud targeting checks has dropped as well. Nearly 90% of organizations now report using Positive Pay. Roughly 70% say they have instituted internal controls such as segregation of accounts and daily reconciliation to fight check fraud. These measures appear to be working. Just 20% of companies reporting BEC scams said they targeted paper checks, a 14-point decline from the previous year. That far outpaces the decline in use of paper checks, which remains stubbornly stuck at about 50%.
The bad news is that one-third of companies reporting said fraudsters accessed automated clearing house credits via BEC, up from 12% in 2017 (“A Surprising Jump in ACH Fraud,” May). According to the report, that means criminals are now better able to invade internal systems through account takeovers (ATOs) and to access harder-to-reach payment methods. This has caught companies off guard: 56% of survey participants said they aren’t taking any additional steps to protect ACH payments.
Another ominous trend: Although monetary losses haven’t increased much per company (scams are typically designed to evade red flags by requesting ordinary amounts of money), fraudsters have stepped up attacks on large enterprises where bigger payments are more common. And they’re stealing larger amounts of money. Twenty-five percent of companies with over $1 billion in revenue and 100 or more payment accounts reported losses of $1 million or more from BEC.
A Multifront Battle
What can companies do to protect themselves? They must fight this battle on many fronts. They should set up training, protocols, and controls to address different schemes, payment methods, and associated processes.
Education, training, and internal controls that prohibit payment initiation based on emails or other secure messaging systems are the top means to guard against BECs. Verification policies and minimum two-factor authentication are both important, too, because scams are getting more and more convincing.
Positive Pay is a good first step against check fraud. You can take it a step further with Payee Positive Check, which adds the payee name to the data fields that are cross-checked.
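To show what adding the payee name to the cross-check changes, here is an added Python example; it is not from the survey or the author. The record layout, the sample checks, and the duplicate-presentment rule are constructed assumptions, not any bank's file format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    number: str
    amount_cents: int
    payee: str

def normalize(name):
    # Case, punctuation and spacing differences are not alterations.
    return " ".join("".join(c if c.isalnum() else " " for c in name.upper()).split())

def review(issued, presented, match_payee):
    """Return (check number, reason) for every presented item that needs review."""
    register = {c.number: c for c in issued}
    seen, exceptions = set(), []
    for item in presented:
        rec = register.get(item.number)
        if rec is None:
            reason = "not in issue file"
        elif item.number in seen:
            reason = "duplicate presentment"  # assumed rule: each check pays once
        elif item.amount_cents != rec.amount_cents:
            reason = "amount mismatch"
        elif match_payee and normalize(item.payee) != normalize(rec.payee):
            reason = "payee mismatch"
        else:
            reason = None
        seen.add(item.number)
        if reason:
            exceptions.append((item.number, reason))
    return exceptions

# Constructed sample data: the company's issue file and the items the bank sees.
ISSUED = [
    Check("1001", 125000, "Acme Supply Co."),
    Check("1002", 48050, "Northside Freight LLC"),
    Check("1003", 990000, "Delta Tooling, Inc."),
]
PRESENTED = [
    Check("1001", 125000, "ACME SUPPLY CO"),         # legitimate, formatting differs
    Check("1002", 480500, "Northside Freight LLC"),  # amount altered
    Check("1003", 990000, "J. Doe"),                 # payee altered, amount intact
    Check("1001", 125000, "Acme Supply Co."),        # same check presented again
    Check("2044", 30000, "Acme Supply Co."),         # number never issued
]

if __name__ == "__main__":
    for label, flag in (("number + amount", False), ("number + amount + payee", True)):
        print(label, review(ISSUED, PRESENTED, match_payee=flag))
```

Check 1003 clears the number-and-amount comparison and is caught only when the payee name is part of the match.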
Companies that actively protect themselves against ACH fraud use a variety of measures, including:
– Reconciling accounts daily to identify and return unauthorized debits;
– Blocking all ACH debits except on a single account set up with ACH Positive Pay and a debit filter;
– Blocking ACH debits on all accounts, and creating a separate account for ACH debits initiated by third parties, such as taxing authorities.
Daily reconciliations are also a common way of protecting against attacks on security credentials. Other protections include: restricting access to company networks to company-issued devices; dedicating a personal computer with no access to email, web browsers, or social networks to payment origination; and instituting disaster-recovery plans.
On the card-payment side, single-use virtual cards are the most secure way to pay invoices, because the card number can only be used once, and only for a specified amount and payee. If all that sounds like a lot of work, consider automating payments through a third-party platform.
Payment fraud has become a game of whack-a-mole that the moles are winning. Companies have battened down the hatches on some fronts, only to find fraudsters popping up elsewhere. Despite some success in the battle, overall fraud continues to rise.
Companies should consider every means at their disposal to protect not only the payments themselves but the associated information, systems, and processes.
—Jim Wright is vice president, enterprise sales, at Nvoicepay Inc., Beaverton, Ore.