Podcast: Play in new window | Download
Payment fraud is a chronic issue. The current wave of digitization has opened up even more avenues for fraudsters: business email compromise (BEC), malware, phishing, data breaches, ACH debit fraud, and more, all on top of the still-rampant old-fashioned methods of check and wire fraud. (Author’s note: I faced this particular phishing scam just last weekend.)
IBM’s 2021 Cost of a Data Breach Report put the average total cost of a cyber breach at $4.2M across all surveyed industries, and at $5.72M for financial services in particular. And that doesn’t count the value of any stolen money, just the cost of internal processes such as detection, escalation, lost business notification, and post-breach follow up. The 2021 AFP Payments Fraud and Control Survey found that 74% of firms experienced actual or attempted payments fraud, and that companies above a billion dollars in revenue are more likely to be targeted than those with less revenue.
To learn more about how enterprises can protect their operations against payment fraud in 2022, PaymentsJournal sat down with Jon Paquette, VP of Solutions at TIS, and Steve Murphy, Director of Commercial and Enterprise Payments Advisory Service at Mercator Advisory Group.
Common cybercrime tactics
Although each new advance in technology brings a corresponding opportunity for fraudulent exploitation, the truth is that most types of fraud are the same as they have ever been. “The tactics haven’t changed,” said Paquette, “but the sophistication has changed a lot.”
For example, traditional BEC attacks are email-based – after all, it is right there in the name business email compromise. Now, cybercriminals are reinforcing that attack with phony confirmations from other sources. “We heard an organization tell us about deepfake phone calls they receive where the attackers actually spoof the CEO’s voice through recordings to say, “Hey, a wire request is coming in, keep an eye out,” before they send the BEC attack,” Paquette explained.
Fake invoice and fake wire instruction change requests are two of the newer fraud attempts currently circulating, wherein attackers send an accounts payable department a doctored-up invoice which routes to a fraudulent account. The AFP survey cited above reported that 60% of respondents believe accounts payable (AP) is the most vulnerable department to fraud within their organization. Another survey by Strategic Treasurer indicated success rates for BEC attempts had doubled between 2018 -2020. “It’s almost like you know these attacks are coming, and they still can’t be stopped,” Paquette elaborated.
Best practices for defending against digital payments fraud
Even if attackers remain persistent, institutional vigilance can go a long way towards mitigating damage. There are three key components of fraud mitigation:
- Training programs – To quote G.I. Joe, “Knowing is half the battle.” Training staff on what to look for in fraud attempts is a low-investment undertaking that can have high impact.
- Internal financial controls – Ensure there are robust mechanisms, rules, and procedures in place to maintain financial integrity and prevent fraud. This includes separation of duties, replacing manual processes with straight-through processing, and day-to-day reconciliation. These controls are split into three subsections:
a. Vendor master controls
b. Payment controls
c. Accounting controls
- Detection – Account validation services can be used to confirm if account information is legitimate or if there is a hidden beneficial owner. AI and pattern recognition are also very useful for determining if anything abnormal occurs.
Of course, not every enterprise will be able to enact sweeping end-to-end fraud prevention protocols. If the effort is more piecemeal, the priority is education, followed swiftly by controls. “You need to identify what the risk is, and then configure the tool to protect against specifically what that risk is,” Paquette clarified. “Otherwise, you’re going to put a tool in place that touches nearly everything, and all you’re going to create for yourself is a giant work queue of false positives to approve on a day-to-day basis, which is the opposite of having a well-thought-out fraud detection program in place.”
“It takes a village”
Just as the old adage says, “It takes a village to raise a child,” so too does it take a community to send a payment. The payments ecosystem is intimately connected, and a network of trusted beneficiaries, vendors, and information providers can help verify the legitimacy of an outbound payment to prevent fraud.
“From an attacker standpoint, that’s exactly what they’re doing,” Paquette pointed out. “They’re using automation and data to attack corporates, through publicly available sources like Zoom and LinkedIn. They know organizational structures within companies, who might be the ones releasing payments… and then they share that information extremely well within criminal networks. From a corporate standpoint, it only makes sense to then defend the same way with automation and data.”
Utilizing multiple data sources is critical for protection against fraud. Community sharing of data on account validation, historical customer behavior, normal payment routines, vendor changes, and corporate information all combine to make a powerful data set on which to run technology. Third-party vendors can provide this sort of agglomeration service.
Preventative networking is particularly effective against account takeover, which would otherwise look legitimate to account validation services unless the routing information is checked against other payees. For example, if two dozen other community members are paying a vendor through a different account than the one you have, that may be the only clue indicating that there is a problem.
Working from the top down
Overall, the best way to tackle fraud is to get organizational buy-in starting with a top-down commitment that fraud mitigation is a priority. “You need to have that mindset going into it for even a basic education program to really take off,” said Paquette. “Fraud mitigation is never a one-and-done type solution. It’s always an ongoing, constant change, management-type process.”
Each industry and each company will have different methods that are most effective for their specific internal gaps. The insurance industry, for example, processes a great deal of first-time payees for claims payments, so tracking changes from a vendor master standpoint won’t do much good with an evolving supplier base. In that situation, account validation services will be more critical so that bank account details can be verified.
Either way, enterprises should not rush into the implementation of a sophisticated detection tool if they don’t yet know how to use it or know what they are looking for. The best immediate action to take is educating employees about what threats there are in the market. “It’s informing your employees about what a fraudulent threat looks like,” Paquette concluded. Once that is done, reviewing financial controls and working towards a reduction in manual payments are great next steps.