Payment Fraud: Spot It and Stop It

Payment fraud is a serious problem for companies of all sizes. In the Association of Financial Professionals (AFP) 2023 survey report, 65% of respondents reported their organizations were victims.1 There were various payment instruments used to carry out the thefts. Check writing accounted for 63% of business fraud, followed by corporate commercial cards (36%), wire transfers (31%), and ACH debits/credits (30%).2

What are the most common types of payment fraud?

In addition to common payment methods used to commit fraud, scammers also have preferred modes of attack.

• Outside Individuals

  
  Whether forging checks or stealing credit card data, individuals outside the organization perpetrate the most fraud. These criminals committed 54% of the fraud against businesses last year – an increase of three percent from the year before. The most highly targeted organizations were those with less than $1 billion in revenue (58%).3
  
  

  How to prevent hacking:

  
  Protecting your systems, software and devices is part of a larger cybersecurity plan. It is also critical to payment fraud prevention. Be sure to timely apply patches and other updates, as well as monitoring networks for irregularities. Hijacking company communications is another way fraudsters gain access to sensitive data. Encryption protects the data. Multi-factor authentication and password managers make it harder to access corporate email and other accounts.



• Business Email Compromise (BEC)

  
  In this communication-based scam, fraudsters will either forge an email header to impersonate a legitimate source such as a vendor or employee (74%), lead users to a lookalike, fake domain (57%), or access a compromised account to send fraudulent payment requests (54%).4 These emails may also have attachments or links to fake payment sites. The percentage of companies that experienced BEC last year rose three percent to 71%. Businesses with more than 100 payment accounts and annual revenue of at least $1 billion are more often targeted (63%), but all organizations are at risk.5
  
  

  How to prevent BEC:

  
  The first defense in any scheme is to understand the scenarios and tricks fraudsters use to gain access to your company’s email accounts. Train staff to identify and respond to scams, and to use strong passwords for every account they use. Also, secure accounts and devices with multi-factor authentication. Maintaining an overall solid cybersecurity posture is also important, as it protects systems and software and often includes safeguards against BEC.



• Vendor Impersonation

  
  Thirty-seven percent of fraudsters pretended to be vendors, submitting fake invoices to trick companies into making illegitimate payments. Organizations with fewer than 26 payment accounts and annual revenue of at least $1 billion (49%) were the intended victims of these scams.6
  
  Recent research reveals that invoice fraud costs businesses an average of $280,000 annually.7 Direct consequences include financial loss and reduced working capital that can inhibit company growth. Indirect costs might be loss of reputation, legal or regulatory actions, and disrupted operations.
  
  

  How to prevent invoice fraud:

  
  An automated solution works quickly and flags anomalies for investigation. Double-check vendor and invoice details, like whether you have a matching purchase order. Confirm payment details with known contacts at the vendor if something seems suspicious. Internal protocols like segregation of duties, regular audits and tiered approvals can also improve oversight.



• Account Takeover

  
  This is a type of identity fraud in which criminals add their own information to a customer’s account. For example, a fraudster might hack into an account and change the email address or add his or her name to the account as an authorized user. The fraudster then hijacks the account. They may also insert spyware or malicious code. Twenty percent of payment fraud – an increase of four percent – was attributed to account takeover, which is most often aimed at businesses with more than $1 billion in annual revenue and more than 100 payment accounts.8
  
  

  How to prevent account takeover:

  
  Limiting access to data, software and systems, via authorization and authentication, is the best way to prevent account takeover. Share sensitive information with only necessary staff and programs. Implement password management software to ensure employees and customers use strong passwords. It’s also important to establish baselines to understand and monitor account behaviors. With this knowledge you’ll be able to detect suspicious activity and prevent attacks.

Executing these destructive schemes takes considerable time and mental effort. Criminals are tenacious, and their end-goal is always financial. Organizations must stay one step ahead with internal controls and timely, effective payment fraud prevention strategies.

Payment fraud detection is a critical tool to prevent risk.

Businesses need a fraud risk management solution that balances tolerance with positive customer experiences and operational efficiency. For low-cost transactions, companies and banks might have a relatively high risk tolerance but, for more expensive purchases, they usually require a higher level of assurance that the payment isn’t fraudulent.

Fraudsters won’t stop trying to steal from businesses. But vigilance, employee education and smart investments can help. These are four important steps to take to effectively protect your systems and data.

1. Perform a fraud risk assessment.

   
   Examine what tools and processes you currently have and how effective they are against known risks. Ensure systems and software are up to date. Then understand emerging risks and what you need to protect against them.
   
   Most AFP professionals realize the importance of fraud review. Sixty-one percent analyze their processes, whether internally (36%) or externally (25%). Organizations with less than $1 billion in revenue are more likely to perform fraud reviews internally, while those with at least $1 billion ask for assistance from their banks. Most internal reviews are performed by Treasury (56%), Risk Management (42%), Accounts Payable (37%) and IT departments (35%).
   
   While 27% of respondents don’t currently review their fraud processes, 12% plan to within the next year.9



2. Conduct a beneficiary validation.

   
   Just over half of AFP survey respondents (53%) verbally confirm who will receive payments prior to processing. The remaining 38% either delegate this task to their banking partner (17%), use as external vendor (16%) or use some other means (5%). As important as beneficiary validation is to mitigating payment fraud, some organizations don’t take steps to do so (9%).10
   
   Validating beneficiary information before adding a one-time or recurring ACH payment instruction in ERP or accounting applications is a best practice companies shouldn’t overlook. Tools and services to automate this validation are available. In addition, some payables solutions will enable companies to avoid capturing, validating and maintaining ACH payment instructions all together, further reducing vulnerabilities.



3. Invest in technology.

   
   Technology is helping organizations become better at fraud detection and prevention. “The latest company-to-bank integrated solutions enable real-time connections between enterprise resource planning (ERP) or account application and financial institutions,” says Laura McGortey, director, Synovus Payments Management Solutions.
   
   “This integration eliminates the need for tokens, as well as payment or reconciliation file exchange. In addition, user entitlements are already established within the ERP or accounting application and managed by individuals with administration-level credentials. This further strengthens organizations against payment fraud vulnerabilities,” McGortey adds.
   
   Artificial intelligence and machine learning are also powerful tools in payment fraud detection. These solutions cull massive amounts of historical data for usage, payment and other patterns, creating dynamic rules for guidance. Such rules also detect new threats.



4. Ask for help.

   
   Seventy-nine percent of respondents to the AFP survey look to their banking partners for assistance with payment fraud prevention.11 Financial institutions manage billions of dollars in consumer and business capital, and they are bound by industry and government regulations. Companies should put this expertise to use to better understand current and emerging threats, as well as identify fraud and prevent loss.
   
   Banks also offer cohesive fraud prevention tools. “Some evolving payment solutions better protect businesses’ bottom line with integrated safeguards. These include fraud screening, ACH banking information validation and monitoring for electronic payments, as well as built-in positive pay protection for checks,” says McGortey.

Payment fraud damages can be extensive and costs are staggering. For more information on how Synovus can help your business with fraud risk management, complete a short form and a Synovus Treasury & Payment Solutions Consultant will contact you with more details. You can also stop by one of our local branches.