'Being careful' isn't enough to stop business payment fraud
Business payments fraud is the largest source of cybercrime in the U.S., with 87% of businesses reporting having been the target of a payments fraud attempt last year.
And while everyone from Wells Fargo to the FBI warns about these fraudsters and the real potential of lost funds, more often than not industry advice comes down to “being more careful.”
Clearly, being careful is not enough. Fraudsters are savvier than ever. They are focused, detailed and very patient, often lying in wait for months before they make a play. Organizations need to be just as savvy to improve their defenses and shore up internal processes to stay ahead of scammers. The good news is there are simple tactics organizations can take today to help mitigate this risk and protect against devious agents.
While there are many different fraud vectors, there are a few key ways a scammer can access information and win your trust. The one thing all of these vectors have in common is that they focus on the weakest link in your security system – your humans.
Regardless of the IT resources your organization has invested in and the security processes already in place, if the decision to change banking information is left up to a single human in your organization, then you are at risk of falling victim to a payments fraud scam.
Here are three practical ways you can help mitigate risk today:
Review vendor invitations and approvals. Managing the identity information for vendor onboarding and maintenance is extremely challenging (and costly!). Most large organizations receive, update and manage these myriad "identity elements" for thousands of new and existing payees each year, a process rife with opportunities for a fraudster to exploit.
Start at the foundation of your vendor onboarding process: Inventory who at your organization currently can initiate business with a new vendor, and document (or revisit the documentation regarding) controls in place for adding new vendors. Ask questions including: Do people at your company have free rein to determine who they do business with? Are controls in place to limit the number of vendors in a particular vertical (for example, how many different office supply vendors do you use)? Do you have controls in place around inviting or approving new vendors?
Re-examine your existing controls. You likely already have controls in place that prevent a single person from adding and approving new vendor information and invoices. If not, do this now. Next, take the time to re-examine these controls to determine fraud vectors that could be exploited by bad actors, both inside and outside your company walls. This examination should be done regularly, as new fraud vectors can be discovered and exploited at any time. Questions to ask include: Who specifically, or which department, owns the vendor onboarding process? Are those owners responsible for gathering the required vendor identity credentials such as W-9s, Tax IDs, insurance documents, or does that task fall to various departments? Are those responsible trained to spot obvious fraud attempts, fakes and forgeries? Can they detect social-engineering attempts? Are you using third parties to verify the authenticity of the submitted credentials?
Verify ALL identity elements before accepting them into the ERP. Examine your process for when a vendor submits their tax ID, remittance address and banking details and, perhaps more importantly, when an existing vendor updates these identity elements. A change to banking details is the most common entry point for payments fraud attempts.
Of all of the ways you can fortify payments fraud protection, perhaps the most critical area to invest in is third-party partnerships. Recommended questions to ask include: Are you verifying tax IDs? Do you confirm bank account ownership and validity before making a payment? What controls do you have in place for verifying updates to previously submitted banking information?
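The three controls above (no single person adds and approves a vendor, every banking/tax/address element is verified before the ERP accepts it, and updates to previously submitted banking details get the same treatment) can be enforced in the vendor master-data workflow rather than left to individual judgement. The example below is added here to show that gate in working code; it is not code from the article. The field names, the roles (requester, approver, independent verifier), the `confirmed_via_contact_on_file` flag standing in for a callback to contact details already on file, and all vendor data are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Status(Enum):
    PENDING_APPROVAL = "pending_approval"
    PENDING_VERIFICATION = "pending_verification"
    APPROVED = "approved"
    REJECTED = "rejected"


# Identity elements verified out-of-band before acceptance (field names are assumed, not an ERP schema).
HIGH_RISK_FIELDS = {"bank_account", "routing_number", "remittance_address", "tax_id"}


@dataclass
class ChangeRequest:
    vendor_id: str
    field_name: str
    new_value: str
    requested_by: str
    approved_by: Optional[str] = None
    status: Status = Status.PENDING_APPROVAL
    audit: List[str] = field(default_factory=list)  # who did what, in order


class VendorMasterData:
    def __init__(self) -> None:
        self.records: Dict[str, Dict[str, str]] = {}  # accepted ("golden") vendor data
        self.requests: List[ChangeRequest] = []

    def submit(self, vendor_id, field_name, new_value, requested_by) -> ChangeRequest:
        req = ChangeRequest(vendor_id, field_name, new_value, requested_by)
        req.audit.append(f"submitted by {requested_by}")
        self.requests.append(req)
        return req

    def approve(self, req: ChangeRequest, approver: str) -> Status:
        if req.status is not Status.PENDING_APPROVAL:
            return req.status
        # Separation of duties: the requester can never approve their own change.
        if approver == req.requested_by:
            req.status = Status.REJECTED
            req.audit.append(f"rejected: {approver} both requested and approved")
            return req.status
        req.approved_by = approver
        if req.field_name in HIGH_RISK_FIELDS:
            # Approval is not acceptance: banking, tax and address elements wait
            # until a third person confirms them with the vendor.
            req.status = Status.PENDING_VERIFICATION
            req.audit.append(f"approved by {approver}; held for verification")
        else:
            self._apply(req)
        return req.status

    def verify(self, req: ChangeRequest, verifier: str,
               confirmed_via_contact_on_file: bool) -> Status:
        # Verifier must be independent of requester and approver, and must confirm via
        # contact details already on file, never those that arrived with the request.
        if req.status is not Status.PENDING_VERIFICATION:
            return req.status
        if verifier in (req.requested_by, req.approved_by):
            req.audit.append(f"verification by {verifier} refused: not independent")
            return req.status
        if not confirmed_via_contact_on_file:
            req.status = Status.REJECTED
            req.audit.append("rejected: contact on file did not confirm the change")
            return req.status
        req.audit.append(f"verified by {verifier} via contact on file")
        self._apply(req)
        return req.status

    def _apply(self, req: ChangeRequest) -> None:
        self.records.setdefault(req.vendor_id, {})[req.field_name] = req.new_value
        req.status = Status.APPROVED
        req.audit.append("applied to vendor record")

    def payable(self, vendor_id: str) -> bool:
        # No payment until banking details are accepted and no high-risk change is on hold.
        if "bank_account" not in self.records.get(vendor_id, {}):
            return False
        return not any(r.vendor_id == vendor_id and r.status is Status.PENDING_VERIFICATION
                       for r in self.requests)


def demo() -> Dict[str, object]:
    """Constructed scenario: onboarding, then an e-mailed 'we changed banks' request."""
    vmd = VendorMasterData()
    r1 = vmd.submit("V-100", "bank_account", "123456", "alice")
    sod_block = vmd.approve(r1, "alice")          # same person: REJECTED
    r2 = vmd.submit("V-100", "bank_account", "123456", "alice")
    vmd.approve(r2, "bob")                        # held for verification
    onboarded = vmd.verify(r2, "carol", confirmed_via_contact_on_file=True)
    r3 = vmd.submit("V-100", "bank_account", "999999", "alice")
    held = vmd.approve(r3, "bob")
    payable_during_hold = vmd.payable("V-100")    # False while r3 is unverified
    not_independent = vmd.verify(r3, "bob", confirmed_via_contact_on_file=True)
    callback_failed = vmd.verify(r3, "carol", confirmed_via_contact_on_file=False)
    return {"sod_block": sod_block, "onboarded": onboarded, "held": held,
            "payable_during_hold": payable_during_hold, "not_independent": not_independent,
            "callback_failed": callback_failed, "payable_after": vmd.payable("V-100"),
            "bank_account": vmd.records["V-100"]["bank_account"]}
```

Calling `demo()` walks through the three outcomes the article's controls are meant to produce: the self-approved request is rejected, the onboarding bank details are accepted only after a third person confirms them with the vendor, and the later "new bank account" change keeps the vendor unpayable while it is on hold and leaves the original account in place when the callback does not confirm it. The `audit` list on each request is the record an auditor would review when the process is re-examined.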
By taking action today, you can begin to have peace of mind that your previously existing fraud vectors have been sealed off. Moving forward, you should regularly audit your entire process from start to finish to apply new learnings and root out previously unforeseen vulnerabilities.
Understandably, this effort will take time, resources and a collective agreement that payments fraud protection is a key objective of your organization. But the reality is that being careful is not good enough. Putting into place a specific plan that is constantly revisited and improved upon – and investing in partnerships to offload your risk where it makes sense – are the only ways to ensure protection. The fraudsters keep evolving their tactics. Shouldn’t your defense follow suit?