You’ve Discovered Payments Fraud. Now What?

  • By AFP Staff
  • Published: 7/1/2024
What to Do After You Discover Payment Fraud

Has your organization been hit by payments fraud? First, know you are not alone. According to the 2024 AFP Payments Fraud Survey, underwritten by Truist, 80% of organizations were targets of either actual or attempted payments fraud in 2023 — a 15-percentage point increase from the previous year.

This issue is not going away. Fraudsters are getting smarter and making use of more advanced tools, such as AI, to perpetrate attacks that are even more difficult to detect. The good news is that preventative security measures are becoming more sophisticated, too.

Below are recommendations from Sue McBride, Senior Vice President – Wholesale Payments Head of Receivables and Reconciliation at Truist, and Roderick Brown, Wholesale Payments Fraud Services Senior Product Manager at Truist, on the steps to take after discovering payments fraud.

The sooner you contact your bank, the better

Reviewing your bank statement or account online is a critical first step for determining if potential fraud occurred. Notifying your bank of the suspected fraud is your top priority. You will then want to take action to prevent further losses from the fraudster. It’s also imperative that you gather information about the scheme and perpetrators while it’s still fresh.

To help with the fraud investigation, develop a timeline and collect any relevant documents and information. Recovery timeframes are, on average, 90-120 business days — and the recovery of funds lost to fraud is not guaranteed. According to the 2024 Payments Fraud Survey, 30% of respondents reported that their organizations were unable to recover funds lost due to fraud. As the client and intended payee, you may be at a loss for the amount of the payment for the duration of the investigation, regardless of the outcome.

The criteria and calls to action for different payment methods

There are no material differences to reporting any type of suspected fraud to your bank. However, each payment modality has specific criteria and calls to action per the applicable service agreements and terms and conditions. Specific examples include:  

  • Checks: A notice of fraud must be submitted within the timeframe designated in the commercial banking service agreement.
  • Wire: Generally, once a wire transfer has been sent, it cannot be reversed. The funds are considered to be the property of the recipient, and the transfer is final. However, if the wire was made fraudulently, the sender can contact their bank to request a reversal. If the holding bank retained the funds, there may be an opportunity for recovery.
  • ACH: (ACHs are electronic bank-to-bank money transfers processed through the Automated Clearing House Network). It is essential to understand the ACH rules around return windows:
    • B2B: B2B stands for Business to Business. For example, transactions such as manufacturer to wholesaler, rather than to individual consumers. You must notify the bank within 24 hours of settlement.
  • RTP® (Real Time Payments): RTP credit transfers are irrevocable once sent to the RTP system and final when the payment message is accepted by the recipient. There is no obligation for the recipient to return funds once settlement has occurred; however, the recipient is required to reasonably cooperate with efforts to recover erroneous or unauthorized payments if the payor submits a Request for Return of Funds within 60 calendar days of the payment.

What you need to know about holder in due course

Part of the Uniform Commercial Code (UCC), Holder in Due Course (HIDC) significantly impacts your organization’s liability for check fraud and the checks it issues. In essence, if you accept a check for payment, you’re a Holder in Due Course (HIDC).

In order to make the rest of the explanation true, there cannot be any evidence of fraud on the face of the check, and the person accepting the check cannot have any knowledge of underlying fraud related to the check. If this holds true, you, as the HIDC, are entitled to be paid for the amount of the check even if:

  • The drawer (check issuer) placed a stop payment on the check.
  • The check was rejected by the bank as a Positive Pay exception item.

If the HIDC is unable to negotiate payment for the check, they can sue the drawer for its full-face value. In accordance with the statute of limitations, the HIDC has 10 years from the issue date — or three years from the date the check was deposited and returned unpaid, whichever comes first — to sue the drawer.

The HIDC can also assign, sell, give or otherwise transfer their rights to another party as long as that party wasn’t involved in any underlying fraud related to the check. This also transfers all rights to the new HIDC — provided the check did not “expire” prior to the original HIDC accepting the check for payment. If it has expired, the new HIDC has no legal standing.

Resolution timeframe

You signed a fraudulent check payment affidavit, and now you’re wondering how long it will take to be resolved. As long as the claim is filed in a timely manner and all necessary information is submitted, the resolution timeframe is typically only a few days. However, the recovery process can take up to 180 days depending on the type of check fraud and the bank of first deposit (BOFD) — recovery largely depends on the responsiveness of the presenting/depositing bank.

Ensuring payments reach their destination

Beneficiary validation is an important step in ensuring accurate and secure payments. Companies rely on a combination of validation procedures, including verbal validation, bank letters and written instructions, to confirm payment details.

Several solutions are also available that support validating beneficiary information, including verifying the status and owner of the account before making a payment, which is critical to preventing fraud.

Considerations regarding stop payment orders

Every company issues stop payments. Some even have hundreds of outstanding stop payment orders on checks. However, before you issue a stop payment, consider the following:

  • Placing a stop payment on a check does not necessarily terminate the obligation to pay the check. To help protect your organization, always print an expiration date on the check face. If the check is lost, the payee will have to wait until the expiration date for the check to be reissued, which may be inconvenient for them, but it’s the only way to protect yourself from an HIDC claim.
  • A stop payment is typically good for only 180 days. After that, the stop payment drops off the bank’s system and is no longer monitored. If the checking account is not on Positive Pay, the stop payment needs to be reissued. A check that is six months old becomes a stale-dated check, and a bank has the legal right (but not the legal requirement) to decline payment. A bank cannot be held liable for paying a stale-dated check. Note: A Positive Pay service will catch stale-dated check.

Additional tips regarding check security

Checks remain the payment method most susceptible to fraud. In 2024, 65% of respondents to the AFP Payments Fraud Survey reported that their organizations’ check payments were subject to fraud attempts or attacks. Yet of those organizations currently using checks, 70% do not plan to eliminate checks from their payment systems by 2026.

While the most effective way for an organization to prevent check fraud is to eliminate check use and transition to electronic payment methods, if your organization is required to use checks, it is important that the checks include overt and covert security features, particularly explicitly worded warning bands. These security features can help prevent a variety of types of check fraud, including some HIDC claims. Also, be sure to use a controlled check stock — checks that are uniquely designed or customized for your organization.

Learn more about the latest payments fraud trends in the AFP 2024 Payments Fraud Survey, underwritten by Truist.

Truist and the contributing authors do not guarantee the accuracy of this material and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of this material. Truist is a service mark of Truist Financial Corporation. RTP® is a registered trademark of The Clearing House Payments Company LLC.

Copyright © 2024 Association for Financial Professionals, Inc.
All rights reserved.