DENVER -- Retail treasurers are being hit by multiple fraud methods, if the opening discussion at the 2018 AFP Retail Roundtable is any indication. Business email compromise (BEC) scams, check fraud and card fraud—you name it, they’re feeling it.
One trend that AFP has observed has been BEC scammers targeting smaller organizations. “Traditionally, larger organizations see more fraud, but smaller companies are now being targeted more,” said Magnus Carlsson, AFP’s manager of treasury and payments.
For retailers in particular, BEC scams tend to target supplier payments, rather than the more traditional CEO/CFO spoof email. In these types of scams, a company will receive an email from what they believe to be a routine supplier that is sending new payment instructions. In actuality, this is a fraudster, and if the company doesn’t make sure those new payment instructions are accurate, the money they send will never be seen again.
One retail treasurer suggested that some retailers may still be caught off guard by these scams because they are not typically the ones being hacked; their suppliers are. So when his organization gets a request from a supplier to change payment instructions, they make sure to confirm the change with a known contact at the supplier. “We give that contact a call. And if it’s a factory overseas, we make sure to just send an email that we compose to our supplier contact,” he said.
Although wires are still the payment method most targeted for BEC scams, the 2018 AFP Payments Fraud and Control Survey found that checks are now being used more frequently in these attacks. For retailers, BEC scams have been split evenly between wires and checks.
This relates back to the increasing trend of fraudsters targeting smaller organizations. “The criminals conducting these BEC scams really don’t want to raise any red flags; they want to make their communication look as authentic as possible,” Carlsson said. “If they target smaller organizations, why not request a check? Because those organizations are probably more likely to handle checks.”
But retailers are not just getting hit with check fraud via BEC. The AFP survey also found 77 percent of retailers have incurred attempted or successful check fraud in 2017.
One retail treasurer explained that she has seen very little BEC, but check fraud on her organization’s payroll account has surged dramatically. “When I started in treasury, we’d have Positive Pay issues, maybe three or four times a month. Now we have multiple Positive Pay issues every day,” she said. “They’re on our payroll account, so we switched the payroll account. Within one month, the fraud came right back. So check fraud is way higher than BEC.”
Part of the issue is check cashing services that hold companies responsible when check fraud occurs. “Some of the largest retailers out there will still hold you liable for that amount,” she said. “So while the dollar value isn’t as high as what a BEC would be, it’s more time consuming for our team. I know when I answered [the AFP fraud survey] checks were our number one concern. We have so many things in place to protect us from wire and ACH fraud, but checks are the ones that we can’t do anything about besides having Positive Pay in place or change bank accounts when we see fraud.”
Another retailer remarked that these kinds of holder-in-due-course problems that emerge from check cashing services continue to be a problem that no one has an answer for. “As our general counsel would say, I’ve got to spend $5,000 to hire a lawyer to fight a $550 issue,” he said.
Although the implementation of EMV chip cards can reduce card fraud at the point of sale, there are ways to get around it. Requiring card users to enter a PIN would likely take care of these workarounds, but that was not mandated in the United States. Carlsson noted that the AFP survey found that a large majority of U.S. retail treasurers would prefer to use chip and PIN over chip and signature (or just chip, since signatures are no longer required by the card brands).
A retail treasurer who has reduced card fraud to almost nothing since adopting EMV provided fellow attendees with three actions to reduce chargebacks at the point of sale.
1. Implement EMV terminals. This one is pretty obvious, but there are still many retailers that have yet to implement EMV. Without it, you’re opening yourself up to fraud that you’ll be liable for.
2. No manual keying. If a chip card doesn’t work, don’t permit your employees to key in a card number manually. “We turned off manually keyed transactions. If you haven’t done it, you should,” the treasurer said. “Allowing manually keyed transactions is like not being EMV compliant. It is the wild west, and your customers know it.”
3. Don’t allow fallback swiping. Lastly, don’t allow your customers to do a fallback swipe if the chip card doesn’t work. “Typically, if you insert a card three times and it doesn’t work, you’ll be allowed to swipe it,” he said. “People know this and will put a card in backwards or use a card with a bad chip but a mag stripe that works. If you allow them to do a fallback swipe, you, the retailer, are liable for fraud.”
Instead, the treasurer advised his peers to demand a different payment method. “There are very few people out there who only have one payment method that just happens to be a card,” he said.