Fraudsters aren't winning, but aren't going away either
Over the past few years, it seems that nearly every company has its own story of being a victim or target of payments fraud activity.
According to the 2020 Association for Financial Professionals (AFP) Payments Fraud and Control Survey, underwritten by JPMorgan, 81% of organizations reported being targets of attempted or actual payments fraud attacks in 2019, marking the second-highest percentage in the past decade. While this statistic and several others shared in the survey findings are concerning, we still see too few institutions taking steps to avoid fraud — many only doing so after they’ve become a victim.
As they think through fraud prevention strategies, companies should be aware of the factors that have enabled the uptick of fraud in the last few years and know the trends most likely to characterize fraud in the future.
Business email compromise (BEC) grew significantly last year, with more than six in 10 finance and treasury professionals reporting it as the source of an attempted or actual payments fraud attack, according to the AFP Payments Fraud and Control Survey. This particular method of fraud relies on tactics like email impersonation and lookalike domains to trick users into thinking messages are coming from a legitimate or authoritative source. As it’s proved to be more profitable for fraudsters in recent years, they’ve invested in continuous improvements to their BEC scams.
While they may be increasingly seen as outdated methods of payment, checks continue to be top targets for fraud as well, with the 2020 AFP Payments Fraud and Control Survey reporting that nearly three-quarters of organizations experienced check fraud in 2019. ACH payment methods are also being increasingly compromised, with recent jumps seen in both ACH credit and debit fraud. These increases are likely due in part to ACH being an easier touchpoint for fraudsters than more closely scrutinized methods like wire transfers.
As payments technology continues to become more sophisticated, fraudsters will nonetheless continue to scope out and target the weaknesses in its application, hardware and facilitation through methods like BEC, phishing and ransomware. As if playing a game of chess, fraudsters aim to think several moves ahead of the companies they target. Part of their strategy involves paying close attention to the red flags and training companies use to prevent attacks, which gives them intel on the methods that are being recognized and allows them to pivot to those that aren’t.
At the same time, those perpetrating fraud will continue to optimize proven methods, such as better mimicking legitimate payment processes, to delay detection and more successfully execute BEC schemes. Once they have pulled off successful schemes, they will increasingly leverage decentralized financial payment options, such as cryptocurrency, to launder the proceeds of their fraud.
Regardless of how it might be carried out, fraud will be a credible threat in the foreseeable future for all businesses, no matter their size or industry. Attacks on large, well-known companies may make the most headlines, but it is actually smaller firms that are likely to be the most vulnerable, as they may not have as sophisticated or extensive internal controls. The bad actors have the time and money to innovate their methods, making it imperative for companies to be quick and strategic about how to outsmart them.
Given the threat it poses, companies are keeping payments fraud top of mind, as the 2020 AFP Payments Fraud and Control Survey showed that nearly 60% of companies do have a fraud policy in place. While these numbers are encouraging, that still leaves many companies with no plan in place or incomplete protections due to challenges in implementing effective controls.
Fortunately for these companies, there are effective fraud controls that can be implemented quickly and inexpensively. There are a few considerations they should keep in mind. The hallmarks of a payments fraud prevention strategy include implementing dual payment authority before processing, detecting irregular payments, performing daily reconciliation of payment activity and establishing a clear escalation process.
One of the most powerful controls companies can implement is the callback: when they receive emails with payment instructions, account changes or changes of contact information, they call the person making the request, using a phone number from a system of record.
While BEC scams are constantly changing, companies should be ever vigilant for their primary warning signs, including emails impersonating team members, executives or vendors and altered domains and email addresses.
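The warning signs named above (impersonated names, altered domains and email addresses) can be screened automatically before a payment request reaches an approver. The following is an added example, not part of the original article; the vendor domain, executive name and addresses are constructed, and a hit is a prompt for the callback control rather than a verdict.

```python
import unicodedata
from email.utils import parseaddr

# Constructed system-of-record data (hypothetical vendor and executive).
KNOWN_DOMAINS = {"acme-supplies.com", "example-corp.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Characters commonly swapped in to imitate a letter.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def skeleton(domain):
    """Fold a domain to a comparison form so visual variants collide."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    d = d.translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w").replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance, used to catch added, dropped or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_warnings(from_header):
    """Return warning strings for one From: header; empty list means no flag."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    warnings = []
    if domain not in KNOWN_DOMAINS:
        for known in sorted(KNOWN_DOMAINS):
            if skeleton(domain) == skeleton(known) or edit_distance(domain, known) <= 2:
                warnings.append(f"altered domain: {domain} resembles {known}")
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        warnings.append(f"impersonated name: {name} is not sending from {expected}")
    return warnings
```

The distance threshold of 2 is an assumption that suits longer domains; short domains need a tighter limit to avoid flagging unrelated senders.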
Companies should work with experienced advisors across areas including banking and consulting, as they often have resources and employees dedicated to fraud prevention.
As the data shows, payments fraud remains a credible threat and unfortunate reality for the majority of businesses, something that is unlikely to go away as fraud methods continue to evolve. But more than ever before, companies can fight back with enhanced controls, improved processes and increased vigilance among employees.