Payments fraud is a problem for nearly every treasury organization. As fraudsters’ schemes continue to evolve, companies’ responses to these threats must also advance. Those that don’t will ultimately be setting themselves up for major losses.
AFP’s new Payments Guide, underwritten by MUFG Union Bank, examines some of the ways that fraud is changing and how treasury departments are responding to those changes.
So how can organizations best discover fraud? Often, by the time fraud is recognized, it’s far too late to do anything about it. Are there any systems or routines that make fraud more noticeable? Though it may sound obvious, the importance of educating your workforce can not be overstated. Treasury departments need to make sure that any employees who touch company money are aware of the latest threats and learn to recognize the telltale signs of a scam.
Furthermore, criminals adapt, and employees can’t always count on fraud to be obvious. Steven D’Antuono, Financial Crimes Section Chief for the FBI, noted that fraudsters have gotten very good at circumventing email systems. If companies are on the lookout for certain keywords in emails, then criminals will try different ones. “So I think just having good filters, good internal controls and constant messaging to your people to check on new payment methods and be skeptical,” he said.
D’Antuono added that everyone from Fortune 500 companies to small construction companies are being taken advantage of, particularly by Business Email Compromise (BEC) scams. “It’s human nature,” he said. “It’s real people who push out those payments, whether it’s through electronic systems or cutting a check the old fashioned way. So you have to just be skeptical and know who you’re paying at the end of the day.”
FBI Assistant Section Chief Aaron Seres added that companies also should assess their risk tolerance for fraud losses. “You can’t control every single transaction to the degree that you would like to; you can’t scrutinize every single one,” he said. “So whether it’s $1 million or $500,000, consider having a dual check threshold level before you send out a payment. So if your threshold is $1 million and you get a request for $1 million, you need to get someone to take a second look at it. So controls like that are what we talk about a lot, because they’re used before you send out the money. Because once it’s sent, that’s the harder part.”
In terms of where to report payments fraud—any type of fraud—D’Antuono recommends going to the Internet Crime Complaint Center (IC3). “It’s not just for internet crime; it’s for all financial crimes,” he said. “So the first thing to do is go to IC3.gov. Sometimes we might be able to get the money back by some of the mechanisms that we can put in place, like calling the banks. But you should definitely contact your banks yourself. It amazes me that people don’t call their bank when their money is taken. So contact the bank, then contact IC3. If you wait to do any of this, it’s like a kidnapping—24 hours go by, the less chance we have of getting it back.”
Seres noted that going to your local FBI field office after a fraud incident can help, however, going to IC3 first is the best way to go. “[The field office] might not be dealing with these issues on a day-to-day basis,” he said. “When you contact your local field office, they will try to help, but they don’t have the same expertise as our IC3 location. So that’s the best vehicle if you want to get action.”
When a fraud incident occurs, there is often a question of whether a company should even report the incident. Given how bad reputational damage can be to a business, some organizations feel it’s not worth taking the hit. However, as fraud has continued to increase, the FBI has observed an uptick in companies reporting.
D’Antuono doesn’t see reporting to the FBI as a major reputational risk to companies. “We’re not going to tell anyone, so why wouldn’t they report it to the FBI? If it’s a publicly traded company they’ll have to report it eventually, and if you’re a small company, reporting it to us doesn’t mean it’s going to be out there publicly. We don’t say anything about ongoing investigations, ever. That’s our policy.”
For further insights, download After the Fact: How Treasurers Can Respond to Fraud. Additionally, the Payments Track at AFP 2019 has multiple sessions on fraud.