Security firms scramble to respond to accounts payable 'reverse fraud'
Fraud targeting accounts payable departments had been on the rise to begin with, but a new sense of urgency has taken hold in the wake of a recent incident that cost Facebook and Google $100 million.
Crooks find it easy and lucrative to create fake websites and invoices or take over legitimate accounts to trick companies into thinking they owe money to a false "supplier."
Such was the case with Facebook and Google, which fell victim to an elaborate scheme allegedly put together six years ago by a Lithuanian fraudster who forged email addresses, invoices and corporate stamps to impersonate a large manufacturer that the social media and digital tech companies did business with regularly.
Facebook and Google did not respond to inquiries about how they may have altered their technology to cope with this growing fraud trend. When news of the crimes was released, both companies declared in media statements they were engaged with law enforcement investigations, and had recouped their funds.
It was especially alarming to other businesses of all sizes that major companies with plenty of fraud prevention tools in place could succumb to accounts payable fraud. But that's how difficult this foul play is to thwart.
Facebook and Google were prime targets because their business is online, and they send payments to others who are generating ad income and traffic to their sites, said Manish Vrishaketu, chief operating officer at Tipalti, an accounts payable management and risk mitigation company.
"They are paying commissions to these affiliates and partners worldwide, so it's a matter of the fraudster signing up as an affiliate and then spoofing Facebook or Google into thinking they are driving traffic to the site — and they have all sorts of technology to do this," Vrishaketu added.
Attackers create income-generating activities, which are fake, and seek payments from Facebook and others until those companies realize they've been duped, Vrishaketu said.
Accounts payable fraud works in the opposite direction from most payment fraud, creating a distinct challenge. Rather than a merchant processing incoming consumer card transactions, a business pulls money out of its own account for a B2B transaction and sends it directly to another account.
"I may think I am paying supplier A, but in reality the money could be directed to another account because a fraudster has taken over supplier A's account," Vrishaketu said.
There are also differences between merchant processing and accounts payable that complicate fraud risk.
"In talking about B2B and accounts payable, the first thing is putting the client onboard and doing full Know Your Customer compliance because that's an advantage in the B2B world that you don't have in the consumer world," Vrishaketu said.
Illegally monetizing accounts payable is attractive because of a large and sustainable payoff. "When fraudsters find a vulnerability that pays off for them, they will keep doubling down on the tactic until it gets plugged," said Trace Fooshee, analyst with Aite Group.
While banks have created innovative security, it is possible that third-party protections could create gaps, according to Fooshee. For example, crooks may compromise a business' email system, allowing access to the corporate client's network.
"Once they've infiltrated the email system, they use a variety of tactics to trick the corporate officer into making or changing a payment in such a way that it finds its way into an account controlled by a fraudster," Fooshee said.
Fooshee cited the FBI's Internet Crime Complaint Center, which reported that between 2013 and 2016, business email compromise losses were just under $7 billion, versus $12.5 billion between 2016 and 2017.
Tipalti, of San Mateo, Calif., is using the trend to sell businesses on the idea of an internal financial crimes unit. "It basically means having access to and a full understanding of what is happening within your network," Vrishaketu said.
Businesses also have to be careful not to make payments to companies or individuals under government sanctions, and they have to have a sound anti-money-laundering program in place, he added.
"The industry is big and unique, so there are lots of opportunities for fraud," Vrishaketu said. "Making sure companies are aware of that is critical."