Payments Fraud: Hitting a Moving Target to Stop Bad Actors

As fraudsters continue to innovate and develop new techniques targeting businesses, organizations must remain vigilant to deter threats

According to the Association of Financial Professionals’ (AFP) 2018 Payments and Fraud Control Survey, 78% of companies were victims of payments fraud in the previous year. AFP’s President and CEO Jim Katz, commenting on the study, said “It is alarming that the rate of payments fraud has reached a record high despite repeated warnings.”

Clearly, greater overall awareness on the part of business owners of new forms of fraud and

advancements in anti-fraud technology has not deterred attackers. “Bad actors” have been keeping pace and continue to develop new tactics. In this environment, businesses need to remain vigilant, understand and anticipate scams, and better prepare themselves to deter threats.

Vigilance is especially critical for smaller organizations that may not have the level of resources to dedicate to fraud control that larger companies can deploy. Fraudsters are well aware of this, evidenced by their gradual shift from targeting larger organizations to victimizing smaller ones.

What are the sources of fraud?The AFP survey identified four principal forms of fraud:

• Check fraud

• ACH debit fraud

• Wire fraud

• Business email compromise

Seventy percent of organizations experienced check fraud in 2018, per the survey, a slight decrease from 2017, but still far and away the most common form of payments fraud. Despite the rise of new payments technologies and predictions of the demise of paper checks, they remain the most popular payment method for business-to-business transactions. This makes checks an attractive target for fraudsters. As the survey notes, however, “The decline in check fraud activity has been offset by the increase in payments fraud via wire transfers and ACH debits and credits.”

Reflecting this shift from paper to electronic fraud, the level of ACH credit fraud has quadrupled over the past decade, rising from 4% to 20% of organizations affected. Similarly, fraud via ACH debit has also continued to rise, reaching 33% in 2018. A further 45% of organizations experienced wire fraud incidents in 2018.

Perhaps the biggest new threat to emerge in recent years, however, is business email compromise (BEC) and its cousins, vendor impersonation and executive impersonation. These relatively new forms

01

Equal Housing Lender. ©2019 M&T Bank. Member FDIC. 36234 191107 VF mtb.com

of fraud can be the product of hours of painstaking research by bad actors. Instead of sending phishing emails to random addresses, cybercriminals select the business they wish to target, use readily available digital sources to identify out the names of core executives or vendors, then target a victim within the business who manages finances. They then create a fraudulent email to trick the victim into initiating one or more wire transfers.

Vendor impersonation fraud can be particularly damaging because of the time gap between invoice and notification. Often this fraud is only uncovered after the money has moved through several financial institutions, making recovery nearly impossible. Businesses that can alert their financial institution to BEC fraud and get them involved in the early stages can increase the likelihood of recovering funds. When a vendor changes banking information, calling to verify the new information can also help avoid problems down the line.

BEC scams can come from within or outside the organization. They may be as simple as an email purported to be from an executive requesting funds, or an “employee” requesting a change in direct deposit information that can result is several thousands of dollars in losses. As is the case with verifying changes in vendor information, making an extra phone call to confirm requests or changes is a best practice.

The percentage of companies falling prey to BEC scams has risen alarmingly in recent years, from 64% in 2014 to 80% in 2018, according to the AFP. Many organizations are aware of this type of fraud and have implemented additional controls and training to protect themselves from becoming victims, but BEC fraudsters continue to innovate.

The potential impact of fraudBeyond the financial losses incurred as a result of payments fraud, businesses should consider its nonfinancial impacts, which have the potential to be substantial. They can include damage to the organization’s reputation, the exposing of confidential information and significant costs resulting from clean-up efforts.

So what can you do to minimize the effects of fraud, avoid significant outlays of money and time, and enjoy greater peace of mind?

• Stay up to date on the latest attack schemes. Fraudsters are notoriouslyresourceful and skilled at exploiting any weakness. Understanding where and hownew attacks may emerge can help you better anticipate and adapt.

• Invest upfront in training and controls. When employees and IT teams are armedwith knowledge in advance, attacks are less likely to succeed.

• Encourage your employees to be skeptical of requests than seem unusualand report any time they think they may have received a phishing orimpersonation attempt.

Communicate with your financial institution the moment you suspect fraud may have occurred. The earlier they can respond, the less likely you are to suffer financial or reputational damage.

78%of companies

were targets of fraudulent payments last year

Paper Checks 70% were

victims of check fraud

ACH 33% cited ACH

debit fraud

Wires 45%

experienced wire fraud

Email 82%

experienced business email

compromise

02