Payments fraud is still a serious threat to every organization. Wherever fraudsters can find relaxed controls within an organization, they have a scheme designed to penetrate it.
In a companion webinar to the 2023 AFP Payments Fraud and Control Survey, underwritten by J.P. Morgan, experts shared their perspectives on the latest fraud trends and offered solutions that can help you respond to ever more sophisticated threats.
Where there are checks, there is check fraud
As long as organizations continue to write checks, there will be fraud. And it too is evolving with every control put in place to prevent it.
“We saw a check fraud where the endorsement was fraudulent on the back of the check. It makes a lot of sense when you think about it,” said Holly Olson, Corporate Treasurer at AFL. “We all have positive pay, but there's nothing to help us with endorsement fraud on the back.
“In another scheme, our team dropped several checks into the USPS blue box from which they were stolen, whitewashed, and pushed through the system, deposited and then our positive pay caught them. We reported it to the local police and to our bank and filed a report with the post office.”
Fraud in business travel
With an increase in travel, there are more opportunities for fraud to occur. “This has been a hot-button issue in our organization,” said Olson. She said some of their people were being electronically pickpocketed as they walked around cities. To prevent this, staff were asked to use either an RFID wallet or an RFID sleeve to protect their company card.
Other areas of risk for fraud include hotels that are still writing down credit card numbers manually and virtual cards being stolen. “I was a little surprised by the uptick in fraud in the virtual cards because they're more or less touted as being foolproof,” said Olson. “But they're definitely not.”
Virtual cards remain active until their expiration date and can be exploited for up to the amount authorized on that card. “We have seen some fraud in our procurement department along those fronts,” said Olson.
To prevent these types of fraud, Olson said they are going “back to the basics” and reviewing their policies. They want to ensure there is a clear understanding of what their policies are and which expenses they are comfortable with associates putting on a company card. For example, manufacturing may have no need to shop at Home Depot while the service side may, so Home Depot could be blocked for manufacturing cards by restricting the related merchant category codes (MCCs).
Per-transaction daily limits and three-day aggregate limits are also items they’re looking into. “It's really about risk mitigation; we're not able to eliminate all risks,” said Olson.
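The card controls described above (blocked merchant categories per business unit, a per-transaction limit, a daily limit and a rolling three-day aggregate) as a small authorization check. This is an added example, not code from the webinar or AFL; the policy values, the two business units and the sample authorizations are constructed, and MCC 5812 (eating places) is used only as a harmless contrast to MCC 5200 (home supply warehouse stores).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical spend policy, constructed for this example (not AFL's actual limits).
POLICY = {
    "manufacturing": {"blocked_mcc": {"5200"}, "per_txn": 500.0, "daily": 1000.0, "three_day": 2000.0},
    "service": {"blocked_mcc": set(), "per_txn": 1500.0, "daily": 3000.0, "three_day": 6000.0},
}

@dataclass
class Authorization:
    unit: str     # business unit that holds the card
    mcc: str      # merchant category code presented by the merchant
    amount: float
    on: date

def evaluate(auth, history, policy=POLICY):
    """Decide one authorization. history = prior approved authorizations on the same card."""
    rules = policy[auth.unit]
    if auth.mcc in rules["blocked_mcc"]:
        return False, f"MCC {auth.mcc} not permitted for {auth.unit}"
    if auth.amount > rules["per_txn"]:
        return False, "exceeds per-transaction limit"
    same_day = sum(h.amount for h in history if h.on == auth.on)
    if same_day + auth.amount > rules["daily"]:
        return False, "exceeds daily limit"
    window_start = auth.on - timedelta(days=2)   # rolling three-day window ending today
    three_day = sum(h.amount for h in history if window_start <= h.on <= auth.on)
    if three_day + auth.amount > rules["three_day"]:
        return False, "exceeds three-day aggregate limit"
    return True, "approved"

def run_sample():
    """Constructed authorizations (one manufacturing card, one service card); returns each decision reason."""
    d = date(2023, 5, 1)
    sample = [
        Authorization("manufacturing", "5200", 120.0, d),
        Authorization("service", "5200", 900.0, d),
        Authorization("service", "5812", 1600.0, d),
        Authorization("service", "5812", 1500.0, d + timedelta(days=1)),
        Authorization("service", "5812", 1400.0, d + timedelta(days=1)),
        Authorization("service", "5812", 1500.0, d + timedelta(days=2)),
        Authorization("service", "5812", 1500.0, d + timedelta(days=2)),
        Authorization("service", "5812", 1500.0, d + timedelta(days=3)),
    ]
    history, reasons = [], []
    for auth in sample:
        ok, reason = evaluate(auth, [h for h in history if h.unit == auth.unit])
        reasons.append(reason)
        if ok:
            history.append(auth)   # only approved spend counts toward the limits
    return reasons
```

The second day-three authorization is declined because the three-day window still contains the first day's spend, while the day-four authorization is approved once that day has rolled out of the window.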
Business email compromise still tops the list
Business email compromise (BEC) attacks — an umbrella term that includes email, wire transfer, gift card fraud and W2 fraud, among others — have been siphoning money away. Seventy-one percent of organizations experienced BEC in 2022, up 3% from the previous year, according to the 2023 AFP Payments Fraud and Control Survey.
The most prevalent types of BEC included:
- Spoof email (73%).
- Domain lookalike (57%).
- Legitimate email taken over by a fraudster (54%).
BEC fraud primarily comes by email. There is no link to click on, no attachment with malware or a virus on it. “It’s purely what we call ‘social engineering,’ which is essentially using our humanity against us,” said Erich Kron, Security Awareness Advocate at KnowBe4. Attackers use greed, curiosity, self-interest, urgency and fear to get people to click or otherwise act.
Fraudsters are using AI and ChatGPT
AI and ChatGPT are helping to make phishing emails increasingly believable. Gone are the days of misspellings and grammar errors. And because ChatGPT is very good at translations, the emails could be coming from anywhere.
“It is getting to the point where you almost have to question everything,” said Olson. “You have to know what’s coming in and whether it’s a legitimate email. And if you don’t, send it to your IT [or security] department and have them validate it.”
“If we pay attention, we can realize that something's a little off,” said Kron. “You may not be able to put your finger on it. You may not be able to specifically say, this is what's wrong, but we can listen to our instincts and give it to somebody who can do all the technical stuff to validate or invalidate it.”
With so much information readily available about your company, its leadership and even your vendors, fraudsters can make phishing emails sound very convincing. They can find information through LinkedIn, form 990 and other filings — after all, it’s all public information.
Kron’s advice is to be aware of what’s out there and how it can be used against you. “Don’t just assume that because they know something about you — that you think is private — that it’s legit,” said Kron.
Process to recover lost funds
To recover lost funds, reach out to your bank as soon as possible, and if the payment was an ACH, initiate a recall for the item. Once you have given the bank the details of the fraud event, it will start working with the receiving bank or institution to see whether those funds can be secured.
If the funds are still with the other institution, they may be able to secure them. But if the funds have already left the other institution, law enforcement would need to help. As there are no required timelines for the recovery of funds, the process can stretch on for months and months.
Tools you can use to mitigate fraud
Given that time is of the essence when it comes to payments fraud, best practices include products such as ACH debit blocks or filters, which let you set standing controls on your account. That way you only review the items that fall outside the controls you have placed on the account.
“We do block all ACH debits on some accounts, like our AR accounts, where there should be no debits coming out of there at all,” said Olson. “We also have ACH controls set up and positive pay.” In addition, they have automated bank reconciliation and segregation of duties and outsource their check printing. Plus, the team reconciles cash daily.
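The ACH debit block and filter described above, written out as screening logic: an account can be fully blocked (the AR case, where no debit should ever post) or filtered to a list of authorized originators, each with a cap, so only the exceptions reach a reviewer. This is an added example, not code from the webinar or any bank's product; the account names, ACH company IDs, caps and incoming debits are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AchDebit:
    account: str        # our account the debit is presented against
    originator_id: str  # ACH company ID of the party pulling the funds
    name: str           # company name carried in the entry
    amount: float

# Hypothetical account controls, constructed for this example.
# "block": no ACH debits at all (the AR account case); "filter": only listed originators, each up to a cap.
CONTROLS = {
    "AR-LOCKBOX": {"mode": "block"},
    "OPERATING": {"mode": "filter", "allowed": {"1234567890": 25000.0, "9876543210": 5000.0}},
}

def screen(debit, controls=CONTROLS):
    """Return 'pay' when the debit fits the account's standing controls, else the reason to hold it."""
    ctl = controls.get(debit.account)
    if ctl is None or ctl["mode"] == "block":
        return "hold: account does not accept ACH debits"
    cap = ctl["allowed"].get(debit.originator_id)
    if cap is None:
        return "hold: originator not on the authorized list"
    if debit.amount > cap:
        return f"hold: amount exceeds {cap:.2f} authorized for this originator"
    return "pay"

def exceptions(debits, controls=CONTROLS):
    """Only the items that fall outside the controls reach a human reviewer."""
    held = []
    for d in debits:
        verdict = screen(d, controls)
        if verdict != "pay":
            held.append((d, verdict))
    return held

# Constructed incoming debits for one settlement day.
SAMPLE = [
    AchDebit("OPERATING", "1234567890", "PAYROLL SVC", 18000.0),
    AchDebit("OPERATING", "1234567890", "PAYROLL SVC", 25000.0),
    AchDebit("OPERATING", "9876543210", "UTILITY CO", 5200.0),
    AchDebit("OPERATING", "5555555555", "UNKNOWN LLC", 40.0),
    AchDebit("AR-LOCKBOX", "1234567890", "PAYROLL SVC", 18000.0),
]
```

Note that the small debit from an unlisted originator is held on the same footing as a large one, and that a trusted originator is still held on the blocked AR account.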
Another critical tool is having a callback policy in place. Callback policies remove friction from the payments process; you’re not potentially making payments to accounts that are invalid or closed, which would result in a return.
“Educating your team about the fact that this [payments fraud] is going on and it's a significant issue can go a long way,” said Kron. He also recommends enabling multifactor authentication. Enabling it, especially on email accounts, makes it much harder for fraudsters to take over legitimate accounts.
In addition, Kron advises having policies in place regarding the transfer of significant amounts of money or sensitive information, such as W2s. These should include confirmation calls to a known outside number with a known contact.
Fraudsters often pose as executives in their schemes. “Executives have to be on board,” said Kron. When leadership is aware of the risks, they’re more receptive to accepting that quick verification call or answering the message sent through an internal messaging system (e.g., Teams) or text.
It’s also important to foster a culture where security is a resource, not a roadblock. “If you just get that weird feeling, reach out to your security people. Don’t be afraid to do that,” said Kron.
Want to learn more? Read part two, where experts answer real questions from treasury professionals about payments fraud.