Payment fraud continues to be a major focus for business leaders, with organizations implementing preventative measures and controls to combat it. According to the 2023 Payments Fraud Survey by the Association for Financial Professionals (AFP), payments fraud impacted 65% of all organizations surveyed last year, a slight decrease from 71% in 2021. Business email compromise (BEC), a form of phishing attack, continues to be the primary source of payments fraud activity: fraudsters use email to trick employees into transferring funds to fraudulent accounts. These scam artists pretend to be vendors or senior management and use spoofed URLs in emails, requesting either a change in bank account information or a transfer of funds to a fraudulent account.
Anyone with an email address may be subject to a phishing scam or payments fraud, so your team must be prepared to watch for these fraudulent emails.
What to look out for
Fraudsters do their due diligence, usually researching companies’ public websites, press releases, social media, and other sources to gather information and craft messaging that appears to be authentic. Be on the lookout for payment scam requests that:
- Have a sense of urgency, a call for help, or a need for confidentiality
- Add a new contact at a supplier or vendor representing the company
- Update a payment account, typically without a request for a phone contact
- Indicate a change to payment instructions or payment type (e.g., check to wire)
- Communicate a sudden shift in business practice
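The red flags in the list above can be turned into a first-pass triage rule for the finance mailbox. The following is an added example, not code from this article or from the bank it comes from: it scores a message on constructed keyword patterns (urgency, confidentiality, a new contact, a bank-detail change with no phone call-back offered, a switch of payment type), on a Reply-To address whose domain differs from the sender, and on a sender domain that is a one- or two-character lookalike of a vendor domain you already know. The sample messages, domain names and weights are all constructed for the example; the thresholds are a starting point, not a tuned detector.

```python
import re
from dataclasses import dataclass, field

# Weighted pattern rules for the red flags in the list above. The wording is
# constructed for this example (hypothetical patterns, not a vendor rule set).
RULES = {
    "urgency": (2, re.compile(
        r"\b(urgent(ly)?|immediately|asap|right away|before (noon|eod|close of business))\b", re.I)),
    "confidentiality": (2, re.compile(
        r"\b(confidential|discreet(ly)?|keep this between us|(do not|don'?t) (discuss|mention|tell))\b", re.I)),
    "new_contact": (2, re.compile(
        r"\b(new (account manager|point of contact|contact)|taking over|now handling)\b", re.I)),
    "account_update": (3, re.compile(
        r"\b(new|updated?|changed?)\b.{0,30}\b(bank(ing)? (details|information|account)|account number|routing number|iban|remittance)\b", re.I | re.S)),
    "payment_type": (2, re.compile(
        r"\b(instead of|rather than|in place of|no longer)\b.{0,30}\b(check|cheque|ach|wire)\b", re.I | re.S)),
}
# A bank-detail change that offers no phone contact is the classic BEC shape.
PHONE = re.compile(r"\b(call|phone|telephone)\b", re.I)


@dataclass
class Email:
    sender: str
    reply_to: str
    subject: str
    body: str


@dataclass
class Triage:
    score: int
    verdict: str
    flags: list = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, known: set) -> str:
    """Return the known vendor domain this one imitates, or '' if none."""
    for k in known:
        if domain != k and (edit_distance(domain, k) <= 2 or domain.split(".")[0] == k.split(".")[0]):
            return k
    return ""


def triage(email: Email, known_vendor_domains: set) -> Triage:
    flags, score = [], 0
    text = f"{email.subject}\n{email.body}"
    for name, (weight, pattern) in RULES.items():
        if pattern.search(text):
            flags.append(name)
            score += weight
    if "account_update" in flags and not PHONE.search(text):
        flags.append("no_phone_verification")
        score += 2
    sender = domain_of(email.sender)
    if sender not in known_vendor_domains:
        target = lookalike(sender, known_vendor_domains)
        if target:
            flags.append(f"lookalike_domain:{sender}~{target}")
            score += 4
    if email.reply_to and domain_of(email.reply_to) != sender:
        flags.append("reply_to_mismatch")
        score += 3
    verdict = "hold_for_callback" if score >= 5 else ("review" if score >= 2 else "ok")
    return Triage(score, verdict, flags)


# Constructed sample messages (reserved .example / .invalid domains, no real parties).
KNOWN_VENDOR_DOMAINS = {"acme-supply.example"}
SAMPLES = [
    Email("ar@acme-supp1y.example", "ar@acme-supp1y.example",
          "Updated banking information - URGENT",
          "Hello, we have changed our bank details effective immediately. Please send the "
          "outstanding balance by wire instead of check to the new account number below. "
          "Keep this confidential until our audit closes."),
    Email("ar@acme-supply.example", "", "Invoice 4471 attached",
          "Please find invoice 4471 attached. Payment terms are net 30 as usual. "
          "Call us if you have any questions."),
    Email("ceo@example.com", "ceo.examplecorp@webmail-example.invalid", "Quick favor",
          "I'm in a meeting and need this handled immediately. Wire $48,500 to the new "
          "account number below; I'll explain later. Don't mention this to anyone yet."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(sample, KNOWN_VENDOR_DOMAINS)
        print(f"{result.verdict:17} score={result.score:2} {sample.subject!r} {result.flags}")
```

A "hold_for_callback" verdict is meant to route the message to the person who phones the vendor at a number already on file, never at a number taken from the email itself; the rule set is deliberately simple so it can be read and adjusted by the finance team that owns it.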
Are you using best practices?
To safeguard your company’s funds—especially payments made by check or wire—consider working with your bank to set up:
- Positive pay—an automated cash management service that helps protect against check fraud.
- ACH blocks to stop unauthorized ACH transactions, and ACH filters to allow only designated ACH transactions to post to the account. For reference, ACH transactions are a common form of electronic transfers, such as direct deposits, payroll, and authorized insurance payments.
- Restrictions on initiating payments from emailed instructions, to prevent fraudulent activity from BEC, and two-factor authentication to add an extra layer of security.
- Dual control for all payments whereby one employee sets up a transaction or payment recipient, and another employee must approve it from a different computer.
- Secure online wire transfers with dual controls, plus a token device or app for multi-factor authentication.
- Predetermined wire transfer limits, with email alerts sent to someone outside your accounting or treasury area.
- Annual relationship reviews with your treasury management officer to be sure your online access and users, account signers, and email alerts are up to date.
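The dual-control, wire-limit and alert items above are services your bank configures, but the same rules are easy to state as code, which is useful when an internal payment tool sits in front of the bank portal. The following is an added example, not code from this article or from the bank: a small payment desk that refuses to release a payment unless a second employee approves it from a different computer, unless the payee's account matches the one confirmed out of band (an assumed call-back control, recorded in `verified_accounts`), and unless the amount is within a predetermined wire limit, writing an alert addressed to someone outside treasury in every case. Names, account identifiers and amounts are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


class PolicyViolation(Exception):
    """Raised when a release would break one of the controls."""


@dataclass
class Payment:
    payee: str
    account: str               # destination account identifier (constructed values below)
    amount_cents: int
    initiated_by: str
    initiated_device: str
    approved_by: Optional[str] = None
    approved_device: Optional[str] = None
    released: bool = False


@dataclass
class PaymentDesk:
    wire_limit_cents: int                    # predetermined wire limit
    alert_recipient: str                     # someone outside accounting or treasury
    verified_accounts: dict = field(default_factory=dict)  # payee -> account confirmed by call-back
    alerts: list = field(default_factory=list)

    def approve(self, p: Payment, approver: str, device: str) -> Payment:
        # Dual control: a different person, approving from a different computer.
        if approver == p.initiated_by:
            raise PolicyViolation("approver must differ from initiator")
        if device == p.initiated_device:
            raise PolicyViolation("approval must come from a different device")
        # Assumed control: the payee account must match the one confirmed by a
        # call-back to a number already on file, never a number taken from an email.
        if self.verified_accounts.get(p.payee) != p.account:
            raise PolicyViolation(f"account for {p.payee} not verified by call-back")
        # Predetermined limit; an over-limit attempt is itself worth an alert.
        if p.amount_cents > self.wire_limit_cents:
            self.alerts.append(f"to {self.alert_recipient}: over-limit wire attempted for {p.payee}")
            raise PolicyViolation("amount exceeds wire limit")
        self.alerts.append(
            f"to {self.alert_recipient}: {p.payee} ${p.amount_cents / 100:,.2f} "
            f"released by {p.initiated_by} / {approver}")
        p.approved_by, p.approved_device, p.released = approver, device, True
        return p


def release(desk: PaymentDesk, p: Payment, approver: str, device: str) -> str:
    """Attempt a release and report the outcome as a string."""
    try:
        desk.approve(p, approver, device)
        return "released"
    except PolicyViolation as exc:
        return str(exc)


# Constructed scenario: a $25,000 wire limit and one payee whose account was confirmed by phone.
DESK = PaymentDesk(wire_limit_cents=2_500_000, alert_recipient="controller@example.com",
                   verified_accounts={"Acme Supply": "ACCT-1001"})


def demo() -> list:
    good = Payment("Acme Supply", "ACCT-1001", 1_250_000, "alice", "WS-ALICE")
    changed = Payment("Acme Supply", "ACCT-9999", 1_250_000, "alice", "WS-ALICE")
    big = Payment("Acme Supply", "ACCT-1001", 9_000_000, "alice", "WS-ALICE")
    return [
        release(DESK, good, "alice", "WS-BOB"),     # same person approving: rejected
        release(DESK, good, "bob", "WS-ALICE"),     # same computer: rejected
        release(DESK, good, "bob", "WS-BOB"),       # proper dual control: released
        release(DESK, changed, "bob", "WS-BOB"),    # "new bank details" not confirmed: rejected
        release(DESK, big, "bob", "WS-BOB"),        # over the wire limit: rejected, alert written
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
    for alert in DESK.alerts:
        print("ALERT", alert)
```

The point of keeping the verified-account registry separate from the payment is that an emailed "we have new bank details" can never update it on its own; only the person who completed the call-back does, which is exactly the step the fraudster's email is trying to skip.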
Cybersecurity education is key
While it is common for the finance team to discover payments fraud, the entire company plays a role in prevention and detection. Training and resources that teach best practices are essential. Some companies even send out simulated phishing emails to test their employees and keep cybersecurity top of mind.
Cybersecurity and payments fraud can be overwhelming for businesses because fraudsters constantly evolve their attack methods. To keep up with the pace of change, ongoing awareness, strategic preparation, and a strong relationship with your bank are some of your best defenses.
By: Barbara Raths, Senior Vice President, Director of Treasury Management and Government Banking