Criminals continue to be targeted and tricky when it comes to fraud schemes. The AFP reports Business Email Compromise (BEC), check, and wire fraud at the top of the list of fraud schemes seen in 2020, followed by third-party vendor compromise and account takeovers (or hacking). It’s important for any organization that makes payments to understand the fraud schemes they’re up against and implement the right controls to protect against fraudsters.
Top Payments Fraud Trends for 2021 and Beyond
According to the 2021 AFP Payments Fraud and Control Survey Report, 74% of organizations experienced attempted or successful payments fraud in 2020. Though this is slightly lower than the 81% targeted in 2019, most organizations encounter attempts at fraud. Here we outline the top payments fraud trends to look out for.
Business Email Compromise (BEC) in Accounts Payable
Business email compromise (BEC) looks like email from a trusted third-party. It contains a request for a funds transfer, payment or bank information. But, these emails are really from fraudsters masquerading as someone you trust–a senior executive or a vendor.
BEC made waves as a popular source of fraud attempts in 2019, with 61% of survey respondents indicating that it was the primary source of attempted and actual fraud. This number rose slightly to 62% in 2020, with 76% of businesses having experienced actual or attempted BEC in the past year. Moreover, this type of fraud hits accounts payable departments the hardest, with 61% of respondents indicating AP as their most vulnerable sector.
When the COVID-19 pandemic caused a shift toward remote work and remote business transactions, cybercriminals, in general, took advantage of this with increased phishing attempts, many of which contributed to BEC in accounts payable departments. However, organizations that implemented robust Business Continuity Plans (BCP) were able to take steps toward mitigating these attempts.
Methods used by surveyed organizations to protect against BEC fraud in 2020 included the following:
- Implementing end-user education and training on how to identify BEC threats and spear-phishing attempts (77%)
- Creating company policies for verifying any account, invoice, or payment changes (70%)
- Executing callbacks to an authorized contact to confirm fund transfer requests (67%)
- Establishing strong internal controls prohibiting payment initiation via email (66%)
- Requiring senior management to sign off on transactions over a certain threshold (58%)
- Adopting two-factor authentication or other security measures for accessing payment initiation (57%)
- Color-coding emails so that external emails are more readily identified (39%
- Using intrusion detection systems that flag emails with suspicious extensions (28%)
- Prohibiting or flagging emails where the reply address differs from the from address (21%)
In a later section, we describe how AP automation goes a long way in protecting against fraud by implementing many of these strategies for you.
Checks and Wire Transfers Most Susceptible to Payments Fraud
Payments fraud often comes from outside individuals in the form of forged checks and stolen cards, with 52% of survey respondents indicating this type of problem as a primary reason for attempted or actual fraud experienced by their organization. Checks and wire transfers specifically were the payment methods most impacted by fraud, with 66% of fraud attempts impacting check payments and 39% impacting wire transfers.
However, fraud activity via paper checks is on the decline–down from 74% in 2019. The decline is largely due to using fewer paper checks and relying more and more on electronic payments, which tend to be much more efficient and secure.
Vendor and Partner Compromise
Third-party or outsourcers came in third on the list of attempted or actual payment fraud sources in 2020 at 19%. This includes fraud committed by vendors, professional service providers, or business trading partners. Fraud may also occur when the vendor or partner, through no fault of their own, becomes compromised due to targeted attacks on their email or payment systems.
Vendor email compromise occurs when an attacker has succeeded in compromising a vendor’s email account, typically someone in the Accounts Receivables department that handles payments. Once an account has been accessed, the fraudster begins gathering intelligence that’s used to plan the next attack. They will then send a targeted email to one of the members of your AP team, directing them to change payment or password information, or even navigate towards a website that will install malware to collect passwords. Businesses must validate these emails by calling their vendor to ensure information changes are intended and real. Falling victim to vendor and partner compromise can cost both parties serious time and money.
Account takeover made up only 12% of the sources of attempted or actual payment fraud. An account takeover occurs when a computer or payment system is compromised via phishing, malware, or hacking which allows a bad actor to take over the account. Preventing this type of threat requires educating users on how to identify suspicious emails and validating the legitimacy of sensitive requests.
Internal Controls for Preventing Payments Fraud
Understanding where threats may come from is only the first step in preventing fraud in your AP department. Here we outline some internal controls you can implement as the next step toward protecting your accounts.
Because so many fraud attempts come via phishing or more targeted spear-phishing attacks and cross the desks and emails of employees, the first line of defense is to educate those employees, so they know what to look out for. Small and medium-sized businesses may be particularly vulnerable as bad actors target them more frequently under the assumption that security will be laxer. Training staff to identify potentially fraudulent emails will go a long way in protecting against some of the most common ways fraudsters get their foot in the door.
Two-factor authentication is a method in which access is granted to a website, application, or payment system, only after the user has been authenticated based on at least two pieces of evidence.
A password may be one authentication factor, while other factors may include something the user has—such as a key card or security token, biometric verification such as a fingerprint scan, or a GPS identification of the user’s location. This creates an added layer of protection if a user’s password or login information becomes compromised.
Segregation of Duties
Segregating duties, such as those who process invoices and those who authorize payments within an AP automation solution, significantly reduces internal fraud risks. When no single employee has access to the full process, then no single employee can breach the entire system or become compromised in a way that affects the entire system as easily.
Validation of Payment Information Updates
By adding multiple layers of validation to any transactions or payment information updates, you further avoid the risk of fraud. For example, if all it takes is only one person to verify a payment, any compromise to that person or their access can lead to problems. With a second point of validation for each transaction (ex. a phone call), however, fraud becomes much less likely as both points of validation would need to be compromised for the attempt to be successful.
How AP Automation Solutions Can Help Reduce Fraud Risk
AP Automation makes it possible to automate and optimize each phase of an invoice’s journey while reducing the risk of fraud. MineralTree’s AP Automation solution implements segregation of duties and provides better visibility across user roles, business units, and locations while eliminating paper, maximizing e-payments, and enabling AP management from a central platform accessible anywhere.
MineralTree fully integrates internal controls into the AP workflow, including the ability to safeguard user access with two-factor authentication. In addition, our automatically populated audit trail provides the ability to look back at specific actions in detail should anything go wrong. When sensitive information changes, we send notifications to account managers and payment approvers to ensure its accuracy.
With MineralTree’s Virtual Cards, payments are made with a single-use 16 digit code that only pre-authorized users can initiate. This form of payment is inherently more secure than checks, ACH, or traditional wire transfers. Not to mention, virtual cards offer cash-back rebates as well as a host of benefits to suppliers. In total, MineralTree’s built-in security and internal controls enable you to maximize productivity, all while reducing the risk of error and fraud.
Learn more about MineralTree’s End-to-end TotalAP Automation solutions today.