Each day, financial institutions see hundreds of thousands of payments come in and hundreds of thousands of payments go out. And with humans still at the epicenter of these transactions–tasked with authenticating and authorizing that each payment is in fact going to the right vendor–businesses are left vulnerable to increasingly savvy fraudsters.
According to the Association of Financial Professionals, 81% of businesses reported a business payments fraud attempt in 2019, and the FBI cites business email compromise as one of the top cybersecurity threats, with more than 23k complaints in 2019. Not to mention, COVID-related scams are on the rise. Yet the typical advice for businesses concerned with how to mitigate the risk of business payment fraud? Be careful. Businesses need more than a wish and a prayer against an enemy as dangerous, not to mention costly, as these fraudsters.
From email compromise to fake invoices to “deep fake” phone calls, fraudsters target the weakest link in the security system–humans. Regardless of the IT resources your organization has invested in and the process your organization has in place, if the decision to change banking information is left up to a human in your organization, then you are at risk of falling victim to a payments fraud scam.
Automating this entire process and alleviating the burden of responsibility on error-prone humans has never been more relevant than it is today. Not only will an automated process decrease the potential for fraud, it also supports new business requirements forced by the global pandemic and WFH mandates. Collecting and verifying third-party banking details digitally means no one has to be in the office to collect mail, scan hard copies or cut checks. Meanwhile, payees don’t need to be in the office to receive payment. Automation helps protect your organization from the risk of business payment fraud and keeps employees safe.
While automation solves the problem of how to securely move to ACH from checks and create a business process that functions with remote work, there are also actionable steps you can take today to protect against increasingly savvy fraudsters. Here are three ways to mitigate risk and how these specific actions will help immediately.
What to do: Move the collection of sensitive vendor information from business units to a centralized point in vendor management. Keep one point of contact (or one team) who owns the vendor relationship and who is charged with collecting and vetting all submitted information. Do not leave it to business units to decide if a banking change request is legit.
How this helps: Limiting the number of people a potential fraudster interacts with will drastically reduce the opportunity for socially engineering someone into changing real vendor banking details to a fraudulent account.
What to do: Verify Tax ID and banking information
Verifying the Tax ID and banking is the one-two punch of mitigating risk. Connect with the IRS database and make sure the submitted Tax ID belongs to the entity that you intend to do business with, and then go further and verify that the banking information submitted is actually owned by the same entity.
How this helps: While a fraudster can often find a real Tax ID to submit to you, they cannot open a bank account with that Tax ID. Confirming bank ownership is the only way to truly avoid paying a fraudster. Unfortunately, COVID has significantly impacted best practices when it comes to banking. Traditionally, a phone call to your vendor to confirm banking information was straightforward and easy, but the increased number of remote workers has added layers of challenges to this once simple process, including knowing which phone numbers (business vs personal cell phones, for example) can be accepted, uncertainty that you are actually talking with your vendor and not a fraudster, and unreturned phone messages. All of this contributes to stalling the bank verification process. Relying on an automated platform can alleviate these obstacles and support a swift and accurate account verification process.
What to do: Institute multi-level approvals and audit trails
Simply put, do not onboard any vendors and do not change any vendor credentials without multiple internal stakeholders signing off, and capture those sign-offs in an auditable format. Always keep track of who and when for any payment approvals. Do not rely on a single AP staff member to be the one to spot, track, question, verify, and decide what is legit and what is a fraud.
How this helps: Internal controls prevent employee-based fraud, but also prevent a single employee from carrying too much of the burden for decision making on critical, time-sensitive payment matters. Keeping the audit trail allows for continuous improvement of the process and will satisfy your insurance company when they ask exactly what you are doing.
As we approach a new year and continue to face the impact of a global pandemic and the increased exploitation of the human factor in the payments process, there is no time to waste. The effects of a business payments fraud incident are costly and can be devastating to a company brand and reputation, not to mention the impact on the individuals responsible for critical payment decisions. Setting these ideas in motion today will help mitigate risk and better position your company for defense against increasingly dangerous fraudsters.