Fraud continues to dominate and indiscriminately impact companies of all sizes and across all industries with ever more sophisticated methods. For the 14th year in a row, J.P. Morgan has underwritten AFP’s Payments Fraud and Control Survey to support the education, insights and knowledge it provides in the hope of protecting our companies and our flows.
While this year's survey showed that fraud activity is down 10% since 2019, the topic of payments fraud prevention continues to be incredibly relevant with each passing year. Every year, as we look at new and different ways of working, as we shift toward digital operations more and more, we are increasing the avenues that fraudsters can use and exploit to cause damage. And so, we need to continue to educate ourselves so that we can properly plan, prepare and protect.
Overall, payments fraud has dropped by 10% over two years. But that doesn't tell the whole story. If you're a large company with at least a billion in revenue and a significant number of payments accounts, you’re more likely to be targeted. For you, the incidence of fraud has not lessened.
And, for those companies with annual revenues over one billion, 38% of respondents say the increased incidence of fraud was due to the remote workforce, while only 23% of those with annual revenues under one billion say the same.
Another important statistic to consider is how quickly organizations are able to detect fraud. Companies are detecting it faster: 38% identify fraud in less than a week.
Checks versus ACH debits
“We've definitely seen an increase in check fraud,” said John Geronimo, fraud strategy director of Commercial Banking, J.P. Morgan. “So it's no surprise that we've got 66% of organizations impacted by attempted or actual payments fraud around checks.”
If you think about it, given that it’s a paper instrument, there’s really no easier payment method to get your hands on. “It’s really quite dangerous for your organization,” said Geronimo. His advice? If you can, don’t use a check. This might, however, be more easily said than done. When there are circumstances under which you have no choice, how do you control for it?
Checks are low tech. They’re on paper, the routing and account numbers are right there, so it’s easy for criminals to get their hands on them — very easy.
There are some mitigation tools that your bank or vendor might have in place to combat check fraud. Number one is positive pay, followed by an internal procedure such as a daily reconciliation or internal processes, as well as segregating your accounts. Beyond that, you want to consider payee positive pay because it helps protect against altered checks.
“At Club Car, we have our positive pay default decision set to reject. It really forces us to be mindful of it every single day. And it helps; it's effective,” said Doug Knebel, director of Treasury and Risk, Club Car.
ACH debits and fraud
Using ACH debits is a much safer option than checks. If you have a good reconciliation process around your ACH debits, and you're using a service that blocks and filters, you're going to block what isn't permitted, or filter out what isn't permitted, and you're going to see what's unauthorized. If you find anything, you have 24 hours after posting (for corporate debits) to get it returned. With these practices in place, practitioners are able to avoid any loss associated with ACH debit fraud.
Finance pros must think “outside the box” and keep up to date on new technologies - fraud perpetrators certainly do. The 2022 AFP Payments Fraud Control Survey, underwritten by J.P. Morgan, shows that combating payments fraud requires more than just robust internal controls. See the comprehensive results here.
The same-day ACH limit has been raised by NACHA to $1 million as of March, bringing the question of fraud mitigation of ACH debits to the forefront of everyone’s mind. The two main ways to combat ACH debit fraud are: debit filters/debit blocks and reconciling.
If a criminal has a routing number and an account number, debits can be initiated against that account. One thing you can do to prevent this is, if you have an account from which you do not expect ACH debits to ever present, block them. If you do expect them to present, then set the filter to allow only the companies you’ve approved. And, of course, have your reconciliation process in place.
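The block-or-filter policy described in this section and the 24-hour corporate return window mentioned under "ACH debits and fraud" can be expressed as a small reconciliation pass. The following is an added illustration, not code from J.P. Morgan, Nacha or any bank: the account numbers, originator company IDs, the per-account policy format and the posted entries are all constructed for the example, and treating an account with no policy on file as blocked is a design choice of this example, not a rule from the text.

```python
"""Debit block / debit filter evaluation for incoming ACH debits.

Added illustration, not J.P. Morgan's, Nacha's or any bank's code. The
account numbers, originator company IDs and entries are constructed sample
data; the per-account policy format is an assumption for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Return window for unauthorized corporate ACH debits cited in the text:
# 24 hours after posting (assumption: measured from the posting timestamp).
CORPORATE_RETURN_WINDOW = timedelta(hours=24)

# Per-account policy (constructed):
#   "block"     -> no ACH debits are ever expected; return every debit
#   set of IDs  -> debit filter; allow only these approved originator company IDs
POLICIES = {
    "ACCT-PAYROLL-0001": "block",
    "ACCT-OPERATING-0002": {"1234567890", "2468013579"},
}


@dataclass(frozen=True)
class AchDebit:
    account: str       # receiving account the debit is drawn on
    company_id: str    # originator's company identification from the batch header
    company_name: str
    amount: Decimal
    posted_at: datetime


def evaluate_debit(debit, policies=POLICIES):
    """Apply the block/filter policy. Returns (decision, reason)."""
    policy = policies.get(debit.account)
    if policy is None:
        # Fail closed: an account with no policy on file is treated as blocked.
        return "return", "no policy on file; treated as blocked"
    if policy == "block":
        return "return", "debit block: account accepts no ACH debits"
    if debit.company_id in policy:
        return "allow", "originator on approved list"
    return "return", f"debit filter: originator {debit.company_id} not approved"


def reconcile(debits, now, policies=POLICIES):
    """Daily reconciliation pass: decide each debit and flag whether the
    corporate return window is still open so staff can act in time."""
    report = []
    for d in debits:
        decision, reason = evaluate_debit(d, policies)
        deadline = d.posted_at + CORPORATE_RETURN_WINDOW
        report.append({
            "account": d.account,
            "company": d.company_name,
            "amount": d.amount,
            "decision": decision,
            "reason": reason,
            "return_deadline": deadline,
            "window_open": decision == "return" and now <= deadline,
        })
    return report


# Constructed sample posting: two approved debits, one from an unapproved
# originator, one hitting an account that should never see ACH debits, and
# one hitting an account with no policy on file.
SAMPLE_DEBITS = [
    AchDebit("ACCT-OPERATING-0002", "1234567890", "Approved Utility Co", Decimal("842.17"), datetime(2022, 6, 1, 2, 0)),
    AchDebit("ACCT-OPERATING-0002", "5555555555", "Unknown Originator LLC", Decimal("19900.00"), datetime(2022, 6, 1, 2, 0)),
    AchDebit("ACCT-PAYROLL-0001", "1234567890", "Approved Utility Co", Decimal("500.00"), datetime(2022, 5, 30, 2, 0)),
    AchDebit("ACCT-OPERATING-0002", "2468013579", "Approved Lessor Inc", Decimal("3100.00"), datetime(2022, 6, 1, 2, 0)),
    AchDebit("ACCT-LEGACY-0009", "1234567890", "Approved Utility Co", Decimal("75.00"), datetime(2022, 6, 1, 2, 0)),
]

# Fixed "now" for the sample run so results are reproducible.
AS_OF = datetime(2022, 6, 1, 9, 0)


def sample_report():
    """Run the reconciliation over the constructed posting as of AS_OF."""
    return reconcile(SAMPLE_DEBITS, now=AS_OF)


if __name__ == "__main__":
    for row in sample_report():
        print(row["account"], row["company"], row["amount"], row["decision"],
              "-", row["reason"], "| return window open:", row["window_open"])
```

Note that the payroll-account debit posted two days earlier is returned by policy but its 24-hour window has already closed, which is the case the daily reconciliation exists to prevent: a debit found late is a loss, not an exception.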
What criminals can do with your checks
They can counterfeit it — make a carbon copy and then enter the amount they want. Using Positive Pay, you can provide the bank with a file of all the checks you are issuing, and they will return a list of any exceptions — checks that don’t match the number and amount. This allows you to easily identify any counterfeit items drawn on your account. Further, you’ll want to set it up so that any exceptions are automatically returned just in case you can’t get to the file and make a decision in time.
Criminals can also alter the check. In this scenario, they'll take a bit of acetone nail polish remover and remove the payee name, insert the payee name of their choice and negotiate the check. This is why it's very important to use Positive Pay with payee name validation. So in addition to the check number and the amount, the payee name is also reviewed and presented.
Let’s also talk about forged or missing endorsements. A forged, missing, or improper endorsement is where a criminal takes the stolen check and they don't even endorse the back of it, or they go ahead and they endorse with a different name, and it gets negotiated at another institution. In that case, the RDFI claim needs to be filed against the receiving depository institution. They're responsible for returning those funds, but you’re out those funds for the duration of that process. You’ll need to file a claim, and the claims process can take up to 120 business days to complete — sometimes longer.
If you absolutely have to mail a check, mail it using some sort of tracking system, such as FedEx or UPS, and follow up with the recipient. Make sure they received the check so that in the event there is fraud, you can act quickly, which always helps with recovery times.
Criminals can also deposit it twice. They’ll deposit it first via a mobile app, and then they’ll take it to a physical institution and deposit it again. If you’re using Positive Pay, you’re going to see that second deposit, and then you can return it. That said, the physical institution is holding the physical check, so they are considered the holder in due course. Therefore, a claim will need to be filed with the mobile deposit bank, and once again you’re wasting time on administrative tasks that could have been avoided.
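The four check-fraud cases in this section (counterfeit, altered payee, forged endorsement aside, and double deposit) and the Positive Pay controls described earlier (issue file matching, payee name validation, default decision set to reject) come together in one matching routine. The following is an added illustration, not a bank's Positive Pay product or Club Car's code: the issue file, the presented items, the channel labels and the payee-normalization rule are constructed for this example.

```python
"""Positive Pay matching with payee validation, default-reject decisioning
and duplicate-presentment detection.

Added illustration, not a bank's Positive Pay product or Club Car's code.
The issue file, presented items and payee-normalization rule are
constructed for this example.
"""
from collections import Counter
from decimal import Decimal
import re

# Issue file sent to the bank: check number -> (amount, payee name). Constructed.
ISSUE_FILE = {
    "1001": (Decimal("1250.00"), "Acme Supplies, Inc."),
    "1002": (Decimal("480.50"), "Northwind Services"),
    "1003": (Decimal("9900.00"), "Contoso Staffing"),
}

# Items presented for payment (constructed), covering the cases in the text.
PRESENTED = [
    {"check_no": "1001", "amount": Decimal("1250.00"), "payee": "ACME SUPPLIES INC", "channel": "branch"},    # clean
    {"check_no": "1002", "amount": Decimal("480.50"), "payee": "J. Doe", "channel": "branch"},               # altered payee
    {"check_no": "1003", "amount": Decimal("9900.00"), "payee": "Contoso Staffing", "channel": "mobile"},    # first deposit
    {"check_no": "1003", "amount": Decimal("9900.00"), "payee": "Contoso Staffing", "channel": "branch"},    # deposited twice
    {"check_no": "2001", "amount": Decimal("3000.00"), "payee": "Acme Supplies, Inc.", "channel": "branch"}, # never issued
    {"check_no": "1001", "amount": Decimal("1650.00"), "payee": "Acme Supplies, Inc.", "channel": "branch"}, # counterfeit on a real number
]


def normalize_payee(name):
    """Case- and punctuation-insensitive comparison so 'Acme Supplies, Inc.'
    matches 'ACME SUPPLIES INC' while a substituted payee does not."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", "", name.upper()).split())


def decision_items(issue_file, presented, payee_validation=True, default_decision="return"):
    """Match each presented item against the issue file and decide it.

    Any exception falls to default_decision ('return' is the setting Club Car
    describes), so an item with exceptions is only paid if a person
    affirmatively approves it before the deadline.
    """
    seen = Counter()
    results = []
    for item in presented:
        seen[item["check_no"]] += 1
        exceptions = []
        issued = issue_file.get(item["check_no"])
        if issued is None:
            exceptions.append("check number not in issue file (possible counterfeit)")
        else:
            amount, payee = issued
            if item["amount"] != amount:
                exceptions.append("amount mismatch")
            if payee_validation and normalize_payee(item["payee"]) != normalize_payee(payee):
                exceptions.append("payee mismatch (possible alteration)")
        if seen[item["check_no"]] > 1:
            exceptions.append("duplicate presentment")
        results.append({**item, "exceptions": exceptions,
                        "decision": "pay" if not exceptions else default_decision})
    return results


def exception_report(results):
    """Items that need a human decision: (check_no, channel, exceptions)."""
    return [(r["check_no"], r["channel"], r["exceptions"]) for r in results if r["exceptions"]]


if __name__ == "__main__":
    for check_no, channel, exc in exception_report(decision_items(ISSUE_FILE, PRESENTED)):
        print(f"check {check_no} via {channel}: " + "; ".join(exc))
```

Running the same items with `payee_validation=False` pays the altered check 1002, because its number and amount still match the issue file; that gap is exactly why the text recommends payee positive pay in addition to number-and-amount matching.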
Credit card fraud
Most credit card fraud occurs in instances where the card is not present, i.e., online transactions. One of the most effective anti-fraud practices when it comes to credit cards is enrolling in fraud alerts. When you see a transaction come through that you don’t recognize, immediately call the number on the back of your card and report it as fraudulent. If you have commercial card programs, focus on making sure you only have folks using the card who are entitled to it. If a person has left, shut the card down. What limits do your holders have? What are the policies surrounding use of the card? All employees should set up fraud alerts and report anything fraudulent immediately.
One tip that always bears repeating: Never ever click on a document or link that comes from an unknown source. A lot of vendors like to pay with a purchasing card (P-card), which means you’ll get a link to click on to get paid in some system-generated email. It looks suspect, but it’s actually legit. If you have any doubt, reach out to your customer to ask how they plan to pay you; that way you’ll know if it’s via a P-card link.
ACH credits and wires
Then there are BEC (business email compromise) scams, which are still a big business — because they work. Criminals use email to manipulate you into releasing an authorized transaction to an account controlled by them. The key phrase here is “authorized transaction,” meaning recovery is not guaranteed.
BEC scams are number one in terms of loss: $2.3 billion was stolen last year alone. Criminals take over accounts through Microsoft Teams or Zoom and present themselves as the CFO or director of finance, someone with the authority to initiate a funds transfer or order one. This typically takes place by text in the app, with just the picture of the person up, no video or audio, and they’ll say something like “We’re making this acquisition; don’t tell anyone about it. Please make this payment to this address using these credentials.” And, as of last year, cryptocurrencies became the end point for a lot of these types of transactions, which has negatively impacted banks’ ability to recover the funds.
One bit of good news is that BEC fraud is, according to the 2022 AFP Payments Survey, down 8 percentage points from 2021, and at 68% is the lowest we’ve seen in five years. This is attributed to a more educated and cautious populace rather than a lessening of attempts.
ACH credits and wires tied for the top payment type most impacted. Traditionally it’s always been wire transfers at the top of the list, so this uptick in fraud related to ACH credits is concerning.
Club Car has some experience in this arena, said Knebel. In early July of 2021, the company was hit with a fraud attempt via BEC, after the sale of X was finalized.
“These fraudsters are very sophisticated,” said Knebel. “They know how to get news of company events, such as what Club Car was going through last June with its ownership transition.” They check out employment status on LinkedIn of employees, because with these carveouts and sales to private equity, there is oftentimes a big turnover of personnel.
“A lot of jobs are created that didn't exist before, like mine,” he said. “And these fraudsters are aware of this, so they know that during the transition phase, when the ownership is changing and there's a lot of personnel movement, that's when these companies are the most vulnerable to these sorts of attacks. This happened in our case and our accounts payable coordinator was the victim of it.” She clicked on a link that she shouldn’t have, and the fraudsters were then able to hack into the company’s email system. They set rules within Microsoft Outlook so that any emails received by this individual were then routed to her junk box or deleted automatically.
They were then able to draft new emails to and from this individual, so they were able to send her an email that said it was from their new private equity owner. Club Car owed the new owner its quarterly monitoring fee; the fraudsters figured this out and told the AP manager that the banking instructions had changed. It came from a trusted email address, because through this BEC, they were able to create new emails that looked like they were coming from internal employees. “It’s scary because it looks like it's coming from someone you trust, but it’s actually being drafted by the fraudster,” said Knebel.
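The mailbox-rule tampering Knebel describes (rules that silently route a victim's incoming mail to junk or delete it) leaves an artifact that can be audited. The following is an added illustration and not Microsoft's API, Club Car's tooling or anything from the article: it works over rule records in a simplified shape (name, conditions, actions) that is an assumption of this example rather than the Exchange or Outlook rule format, the company domain and sample rules are constructed, and the checks for external forwarding, payment-term matching and blank rule names go beyond the specific rules in the text to other forms the same hiding technique commonly takes.

```python
"""Audit of mailbox inbox rules for the BEC pattern in the text: rules that
hide incoming mail from the account owner.

Added illustration, not Microsoft's API or Club Car's tooling. Rule records
use a simplified constructed shape (name / conditions / actions), not the
Exchange or Outlook rule format; the sample rules and domain are constructed.
"""

# Destinations a legitimate user rarely routes mail to automatically.
HIDING_FOLDERS = {"junk email", "deleted items", "rss feeds", "archive"}
# Terms tied to money movement; a rule keyed on them deserves a look.
PAYMENT_TERMS = {"invoice", "wire", "bank", "payment", "remittance", "ach"}
INTERNAL_DOMAINS = {"example.com"}  # constructed company domain


def audit_rule(rule):
    """Return a list of findings for one rule; empty list means nothing notable."""
    findings = []
    actions = rule.get("actions", {})
    conds = rule.get("conditions", {})
    folder = (actions.get("move_to_folder") or "").lower()
    hides = bool(actions.get("delete")) or folder in HIDING_FOLDERS
    if hides:
        findings.append("hides incoming mail (delete or move to %s)" % (folder or "trash"))
    forwards = actions.get("forward_to") or []
    external = [a for a in forwards if a.split("@")[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    terms = {t.lower() for t in conds.get("subject_contains", []) + conds.get("body_contains", [])}
    if terms & PAYMENT_TERMS:
        findings.append("keyed on payment terms: " + ", ".join(sorted(terms & PAYMENT_TERMS)))
    if actions.get("mark_read") and hides:
        findings.append("marks read before hiding (reduces the chance the user notices)")
    if not rule.get("name", "").strip(" ."):
        findings.append("blank or dot-only rule name")
    return findings


def audit_mailbox(rules):
    """Return [(rule name, findings)] for every rule that raised a finding."""
    flagged = []
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            flagged.append((rule.get("name", ""), findings))
    return flagged


# Constructed sample rule set: one benign rule and three that match the
# hiding pattern described in the text (junk/delete routing) or its variants.
SAMPLE_RULES = [
    {"name": "Newsletters",
     "conditions": {"from_contains": ["news@vendor.example"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"name": ".",
     "conditions": {"subject_contains": ["invoice", "wire", "bank"]},
     "actions": {"move_to_folder": "RSS Feeds", "mark_read": True}},
    {"name": "Cleanup",
     "conditions": {"from_contains": ["@privateequity.example"]},
     "actions": {"delete": True}},
    {"name": "Backup copy",
     "conditions": {},
     "actions": {"forward_to": ["ap.backup@mail-relay.example"]}},
]


if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for f in findings:
            print("  -", f)
```

In practice the rule records would be exported from the mail platform's administration tooling and fed to `audit_mailbox` on a schedule, with the report reviewed by someone other than the mailbox owner, since the owner is the person the rules are hiding mail from.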
Unfortunately, the wire was sent using the new banking instructions, but J.P. Morgan was able to intercede, and Club Car did not suffer any loss from it. “It’s a lesson learned,” he said. “We had what we consider to be tight controls on the process, and now we’re suspicious of everything. We perform callbacks to people we already have a relationship with. Even if it's from someone internal, we are checking it. Don't let your guard down.”
As the AFP Payments Survey reveals, accounts payable is the most susceptible to BEC fraud. So have a conversation with your AP group, work with internal and external audit, if you can, and make sure you have all the mitigation tools that we’ve talked about in place and equal to what you have in treasury. Of course, this is all a function of the size of your business and the size of the finance department.
“Our treasury department is one person: me,” said Knebel. “I'm working very closely with our accounts payable team every day, many times during the day, and we're working off of the same policy. But in a much larger organization, you're going to have much more siloed policies, procedures, and SOPs that help with that.”
Putting internal controls into place
“Criminals are shameless,” said Geronimo. “We’ve seen them register domains that look like employees and try to update payroll instructions. We focus on teaching and using the best practices across all areas that could potentially move money, or from where funds could leave their firm, such as treasury, AP and HR.”
So, what internal controls do most companies have in place? It boils down to three broad categories. The first is educating your employees, which is key. This amounts to going through a 30-minute training to understand how BEC fraud is conducted, and you might have a fraud training that’s reviewed on an annual basis. Some organizations tie education to their incentive compensation, for example, if the employee is tested and they click on a link, that impacts their incentive compensation. The second category is policies and procedures, and the third is following up on confirmations and requests — verifying emails even though it looks like it’s from someone you can trust.
Training should be your number one focus, because while having the right policies and procedures in place is important, at the end of the day, you’re dealing with the people paradox. Your team is your greatest defense — and your greatest weakness.
The criminals are laser focused on two things: that we are human, and that we rely on email. “It’s simple for them; it’s hard for us,” said Geronimo. You have to perform a callback to the person accountable for the change in instructions, and use a phone number retrieved from the system of record. Make sure the phone number you’re using is a known and trusted number. “I can’t stress that enough,” he said. And make sure it’s to the right person, because callbacks can go wrong.
Where do they go wrong? First is, believe it or not, relying on an inbound phone call. The criminal will send the instructions to you, and then they’ll call and say they know you are going to do a callback, so they’re calling to validate it for you. The callback has to be an outbound call. The second is calling the number on the invoice or in the email. And the third is not calling the correct person.
Geronimo provided an example they’ve seen with their clients. “We’ve seen scenarios where our client will call the controller at another organization. The controller turns around, says, you know, I don't know, let me find out. And what do they do? They email the CFO. It's the CFO's email that's compromised. The criminal responds to the controller. The controller confirms with our client on the phone, right? Our client wasn't speaking with the correct person. You cannot rely on email, not in the chain of custody around payment instructions. That is the vulnerability the criminals are searching for, and when they find it, they will use it.”
He suggested a little test. If you're in a position of authority, go ahead and email and ask for a change in instructions, switch accounts between two known good accounts that you have and ask your team to email you back when it's done. If they do, you've got a vulnerability you need to address.
Also think about what information's out there publicly, or what your employees may be sharing. If you can, limit what they share. “If they're on LinkedIn saying, ‘hey, I'm John, I'm the new payments employee at company ABC,’ they've got a bullseye on 'em right there,” said Geronimo. How quickly do your new payments employees know your policies and procedures? How fast are they ramped up? How quickly are they tested?
If you do have the unfortunate circumstance of falling prey to a BEC, or where you've sent funds to a criminal destination, get a recall done immediately. Notify your bank immediately; let them know it’s fraudulent. File a report with the FBI's Internet Crime Complaint Center (IC3) and notify your local FBI field office, which you can find on their website. Engage local or otherwise appropriate law enforcement; for example, if the funds have gone to Hong Kong, the Hong Kong police. Those are steps you absolutely want to take. Have a plan ready, and at the go, know who's going to execute it. You don't want to try to figure it all out in a crisis.
Also, if your bank reaches out to you, take that seriously. “Another area in which we've seen clients struggle is they'll be notified about a transaction that looks unusual from the bank’s standpoint,” said Geronimo. “And they’ll sometimes assume their policies and procedures were followed as expected, and they release the transaction. Don’t do that. If your bank contacts you, don't assume your controls were executed as intended. Confirm they were.”
The new Nacha rule
The new Nacha rule requires that a third party validate who your beneficiary is (PE validation). This is something you’ll want to have a conversation with your bank about. Nacha already has a rule in place for the ODFI (the originating depository financial institution) to validate the information, but again, talk to your bank.
In the case of payment information, more is better. The more information you have, the more informed your decision-making and controls process can be, and that is inevitably where you want to be.
The bottom line is: fraud's not going away. Every time you stop a fraudster, you've revealed a control. They just look for the next avenue or next way to ultimately take advantage of or exploit you. They don't go away. So, to the extent that you can have more information about the destination of your payments, you want that.