Payment fraud is a growing problem that every organization needs to guard against.
Payment fraud can happen to your business at any time. You pay what you believe is a legitimate invoice from a legitimate vendor or contractor, but the payment actually goes to an impostor who may be anywhere in the world and is virtually impossible to trace once the funds have moved. Beyond the financial loss, the same fraudulent emails can expose confidential company information and deliver malware or spyware that gives the attacker access to personnel and customer data. If payment fraud happened to you, you wouldn’t be alone: in a recent Association of Financial Professionals® (AFP) survey, 82% of financial professionals reported that their organizations were targeted in 2018.*
Continue reading to find out:
- What payment fraud is
- What payment control is
- How payment fraud is becoming more complex
- How payment fraud can be avoided
Business Email Compromise (BEC) is an increasingly common scam.
BEC, which the FBI reports together with Email Account Compromise (EAC), targets the business officers who execute payments. The targeted individual receives an email from what appears to be a known vendor, contractor or other third party, or from a senior executive within the company. The email requests an urgent transfer, an invoice payment, and/or a change in bank account or payment instructions (e.g., new routing and account information for ACH or wire payments, a change of payment method from check to ACH, or new banking details for payroll). A related scam impersonates the HR department and directs employees to sign in through what appears to be an official link, so that the fraudster can harvest their credentials and redirect their pay.
Fraudsters have become stunningly skilled at impersonation.
Fraudsters are more sophisticated than ever and can stalk their victims with great efficiency. Using phishing emails and social engineering via social media, they learn all they can about their targets’ patterns, habits and mindset. They harvest contacts and other information. They learn which payment methods their potential victims use, so that their requests appear routine. Another tactic is to open a bank account under a vendor-like name and let it sit for months, so that when it finally appears on a payment request it does not look newly created and raises no alarm. They can also break into the officer’s own email account and use it at will, often without the owner noticing. They frequently watch social media or “out of office” messages to time the attack for when the officer is away.
Best practices for fraud detection to safeguard your business and employees against payment fraud:
- Isolate and safeguard your payment system:
  • Use a dedicated computer to process payments, and nothing else (no web browsing or personal email on it)
  • Choose hardware, software and service providers that meet your security requirements
  • Always run antivirus software and keep it updated, to protect your IT systems from viruses and malware
  • Use a secure system for remote access, or eliminate remote access if you don’t need it
  • Never post nonpublic business information or any other sensitive information on social media
- Protect your email account and devices:
  • Never, ever provide your login credentials to anyone
  • Do not use “Reply” when authenticating an email payment request; the reply goes to whatever address the sender put in the message. Instead, use “Forward” and enter the correct address yourself, typing it or selecting it from your address book
  • Do not use free web-based email accounts for business; business email should always use the company domain
- Verify all payment and change requests:
  • Require that all payments and/or changes (e.g., account or routing transit numbers, payment type, amount, financial institution, mailing address, etc.) be verified separately and approved by different people
  • Verify through a different communication channel from the one the request came in on; for large payments, use multiple channels
  • Never use the contact information from the request; always use what you have on file
  • Make vendor payment forms available only to appropriate personnel, using secure means
  • Require that any change to payment account information be made or confirmed by a designated administrator, using methods such as verification codes sent to the contacts already on file
  • If a financial institution questions the legitimacy of a payment, respond quickly
- Limit access, implement dual custody and segregate functions:
  • Limit access to payment systems to the employees who need it
  • Break the payment process into separate steps and divide those steps between two people; the same person should never be able to both create and approve a payment
  • Segregate accounting duties so that dual custody is enforced for every payment
- Teach your employees to recognize suspicious activity, resist potential fraud, and provide tools to report it:
  • Educate and train employees to question and independently authenticate changes in payment instructions; they should never give in to requests for secrecy or pressure to act quickly
  • Urge them to be skeptical even when the outreach appears to come legitimately from the requesting organization
  • Make sure they know the telltale signs: typos, grammatical errors, missing words, payment amounts that differ from the invoice, use of a public email domain such as Gmail, subtle changes in the organization’s name in the sender’s email address, requests to pay individuals rather than companies, or anything that does not exactly match the information you have on file
  • Make sure they know not to open attachments, click links or give out any personal information, as fraudsters use these to install malware and steal credentials
  • Refer them to government agency websites that provide information and advice about recognizing and responding to suspected fraud, with links to report it; these include the FBI, FCC and FTC
- Implement background checks and rigorous monitoring protocols:
  • Review past payment history to detect any deviation from the typical pattern (new payees, changed amounts, changed timing)
  • Perform account reconciliations regularly
  • Review changes to vendor addresses and banking information, and request supporting documentation to confirm any change
  • Review personnel changes
- Teach your employees to be wary of fake check scams:
  • Teach employees to be alert to check scams in which a scammer sends a (bad) check for more than has been billed, then asks you to wire the overage to a third party; the scam usually comes with a plausible reason for the overpayment and an urgent need for the refund, so that the refund is wired before the original check bounces
  • Guard your checks and check stock carefully; scammers may steal them and defraud you by “check washing”: chemically removing the ink, then changing the payee’s name and, possibly, the amount.
- Use Positive Pay to protect against check fraud:
  • Positive Pay continues to be the method most often used by organizations to guard against check fraud
  • It identifies potentially fraudulent checks by matching your check issue information (check number, amount and issue date) against the checks presented for clearing, and sends electronic notification alerts of discrepancies so you can decide whether to pay or return each item
  • Payee Positive Pay adds a second layer to our standard Positive Pay by also matching the payee name
  • When a relevant discrepancy appears, you receive an electronic notification alert and must decide whether to pay or return the item
- Use ACH Positive Pay and ACH Block to combat ACH debit fraud:
  • Business Online Banking provides advanced anti-fraud features and a wide range of self-service banking capabilities
  • ACH Positive Pay enables you to establish and control acceptable sender parameter profiles (authorized originators and limits). Any ACH debit outside your sender parameter profiles is presented to you for review, and you can either pay or return it. ACH antifraud services include features to help you avoid inadvertently rejecting authorized ACH payments
  • ACH Block lets you block all ACH debits, or those of specific originators, from posting to your account; all blocked transactions are automatically returned to the originator
- Help your employees guard against payroll fraud:
  • Train your employees to watch for phishing attacks and suspicious links and to carefully examine the sender’s address of any email they receive
  • They should know not to reply to any suspicious email, and never to enter login credentials after clicking a link or opening an attachment
  • Employee self-service platforms should authenticate requests to change payment information using previously known contact information. One method is out-of-band authentication: a one-time code sent by SMS text message or to an existing email address, or generated by a hard token. SMS codes can be intercepted through SIM swapping, so prefer a hard token or authenticator app where available. The platform should also reauthenticate users who access it from unrecognized devices, again using previously known contact information
  • Set up administrator alerts on self-service platforms for unusual activity, such as a change in banking information, or multiple changes that use the same new routing number or identical account numbers. Also consider validating any new direct deposit information by sending ACH prenotification (prenote) entries, zero-dollar transactions that let the receiving bank confirm the account before the first payroll is sent.
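Two of the checks in the list above can be automated. The following Python script is an added example, not code from the original page or from Banc of California: it classifies the sending domain of a payment request against the vendor domains on file (catching public webmail senders and lookalike domains with a swapped character or a different ending), and it scans a log of direct-deposit changes for several employees being pointed at the same new account, sanity-checking the routing number's ABA check digit before a prenote is spent on it. The vendor domains, employee IDs, routing and account numbers are constructed sample data; the homoglyph table and the treatment of a vendor's subdomains as legitimate are assumptions to tune for your own vendor file.

```python
"""Added example, not code from the original page or from Banc of California.

Automates two warning signs from the list above: a payment request sent from
a public webmail or lookalike vendor domain, and payroll direct-deposit changes
that route several employees to one new account. All domains, employee IDs,
routing and account numbers below are constructed sample data.
"""
from collections import defaultdict

# Constructed list: consumer webmail domains that should never carry a vendor invoice.
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Character swaps that survive a quick glance (assumed table, extend as needed).
# Folding both sides makes "acme-supp1y.com" compare equal to "acme-supply.com".
_SINGLE = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i", "5": "s"})
_DIGRAPHS = (("rn", "m"), ("vv", "w"))


def fold_homoglyphs(domain):
    """Canonicalise a domain so visually similar spellings compare equal."""
    folded = domain.lower().translate(_SINGLE)
    for fake, real in _DIGRAPHS:
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a, b):
    """Levenshtein distance; most typosquats sit 1-2 edits from the real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender_email, vendor_domains, max_edits=2):
    """Return (verdict, matched_domain) for the domain a payment request came from.

    Anything other than "on_file" should trigger the call-back verification
    described above, using the phone number already held for the vendor.
    Assumption: subdomains of an on-file domain (billing.acme-supply.com) are
    the vendor's own.
    """
    domain = sender_email.rsplit("@", 1)[-1].strip().lower()
    for known in vendor_domains:
        if domain == known or domain.endswith("." + known):
            return "on_file", known
    if domain in PUBLIC_WEBMAIL:
        return "public_webmail", domain
    folded = fold_homoglyphs(domain)
    for known in vendor_domains:
        known_folded = fold_homoglyphs(known)
        if edit_distance(folded, known_folded) <= max_edits:
            return "lookalike", known  # typosquat, homoglyph swap or different TLD
        label = known_folded.split(".")[0]  # "acme-suppiy" from "acme-suppiy.com"
        if len(label) >= 4 and label in folded:
            return "lookalike", known  # vendor name buried in a longer domain
    return "unknown", domain


def shared_new_accounts(change_events, min_employees=2):
    """Group direct-deposit changes by destination account.

    Several employees "moving" their pay to one new account is the payroll
    diversion signature the administrator alert above is meant to catch.
    Returns {(routing, account): [employee, ...]} for shared destinations.
    """
    by_destination = defaultdict(set)
    for event in change_events:
        by_destination[(event["routing"], event["account"])].add(event["employee"])
    return {dest: sorted(emps) for dest, emps in by_destination.items()
            if len(emps) >= min_employees}


def routing_number_valid(rtn):
    """ABA routing number check digit: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9)
    must be divisible by 10. Cheap first filter before sending a prenote."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    d = [int(c) for c in rtn]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])) % 10 == 0


if __name__ == "__main__":
    vendors = {"acme-supply.com", "northwind.net"}  # constructed vendor master file
    for sender in ("ap@acme-supply.com", "ap@acme-supp1y.com", "acme-supply@gmail.com",
                   "billing@acme-supply-invoices.com", "someone@example.org"):
        print(f"{sender:36} -> {classify_sender(sender, vendors)}")

    # Constructed self-service portal log: four changes in a week, three to one account.
    events = [
        {"employee": "E1001", "routing": "123456780", "account": "55501"},
        {"employee": "E1002", "routing": "123456780", "account": "55501"},
        {"employee": "E1003", "routing": "123456780", "account": "55501"},
        {"employee": "E1004", "routing": "123456780", "account": "90210"},
    ]
    print("shared destinations:", shared_new_accounts(events))
    print("routing check:", routing_number_valid("123456780"), routing_number_valid("123456781"))
```

The domain classifier is deliberately strict: a vendor's real domain is either an exact match (or its own subdomain) or it is not on file, and every other verdict is a reason to pick up the phone and call the number you already hold. The routing check only proves the number is well formed; the prenote still has to confirm the account exists and belongs to the employee.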
HOW TO REPORT FRAUD:
If you believe you are the victim of payment fraud, contact the FBI’s Internet Crime Complaint Center (IC3). If you suspect a payment fraud attempt but have not lost money, contact the FTC Complaint Assistant. In either case, please also contact Banc of California so that we can act on the payment.