Updated July 29, 2022
Payment fraud continues to be a major focus for business leaders, with organizations implementing preventative measures and controls to combat it. According to the 2022 Payments Fraud Survey by the Association for Financial Professionals (AFP), payments fraud impacted 71% of all organizations surveyed last year, which is a slight decrease from 74% in 2020. Business email compromise (BEC), a form of phishing attack, continues to be the primary source of payments fraud activity, where fraudsters use emails to trick employees into transferring funds to fraudulent accounts. These scam artists pretend to be vendors or senior management and use spoofed URLs in emails, requesting either a change in bank account information or a transfer of funds to a fraudulent account.
Anyone with an email account may be subject to a phishing scam or payments fraud, so it’s important that your team is prepared to keep an eye out for these fraudulent emails.
What to look out for
Fraudsters do their due diligence, usually researching companies’ public websites, press releases, social media and other sources to gather information and craft messaging that appears to be authentic. Be on the lookout for payment requests that:
- Have a sense of urgency, a call for help, or a need for confidentiality
- Add a new contact at a supplier or vendor representing the company
- Update a payment account, typically without a request for a phone contact
- Indicate a change to payment instructions or payment type (e.g. check to wire)
- Communicate a sudden change in business practice
Are you using best practices?
To safeguard your company’s funds, especially payments made by check or wire, consider working with your bank to set up:
- Positive pay—an automated cash management service that helps protect against check fraud.
- ACH Blocks to stop unauthorized ACH transactions, and ACH Filters to allow only designated ACH transactions to post to the account. For reference, ACH transactions are a common form of electronic transfers, such as direct deposits, payroll and authorized insurance payments.
- Restrictions on initiating payments based on emails, to prevent fraudulent activity from BEC, and two-factor authentication to add an extra layer of security.
- Dual control for all payments whereby one employee sets up a transaction or payment recipient and another employee must approve it from a different computer.
- Secure online wire transfers with dual controls, plus a token device or app for multi-factor authentication.
- Predetermined wire transfer limits and email alerts for someone outside of your accounting or treasury area.
- Annual relationship reviews with your treasury management officer to be sure your online access and users, account signers and email alerts are up to date.
Cybersecurity education is key
While it is common for the finance team to discover payments fraud, the entire company has a role to play in prevention and detection. Trainings and resources to teach best practices are essential. Some companies even send out simulated email phishing attacks in order to test their employees and keep cybersecurity top of mind.
Cybersecurity and payments fraud can be overwhelming for businesses because fraudsters are always evolving their attack methods. To keep up with the pace of change, ongoing awareness, strategic preparation and a strong relationship with your bank are some of your best defenses.
By: Barbara Raths, Senior Vice President, Director of Treasury Management and Government Banking