Head of Banking & Treasury Management Sales and Advisory - Americas
July 21, 2020Posted InTreasury management
To best view Citi Private Bank's site and for a better overall experience, please update your browser to a newer version using the links below.
Instances of payments fraud have been among us for a while, but remote working in the wake of the COVID-19 global pandemic has given rise to an increase of fraudulent attacks on companies. However, awareness, caution and training can keep those intent on causing financial harm at bay.
Late afternoon before the Easter Weekend, an invoice marked ‘Urgent: due for same day remittance’ arrives via email just as an accounts payable clerk at a manufacturing firm is about to leave for the day. The invoice is purportedly from a vendor with whom the company works and looks genuine. Even the clerk’s boss, the company treasurer who happens to be on leave, is copied on the correspondence.
The email seems to be originating from an address that looks like it’s the vendor’s invoicing department and the bank transfer details appear to be the same. However, a cursory glance suggests one of the digits in the account number is in the wrong place. Phone calls on a late afternoon before the weekend go unanswered, and in his rush to leave, the clerk wires $119,000 to a vendor he thinks is genuine. Upon the return of the company treasurer, the payment request is revealed to be fraudulent.
This is a real example of a fraud that occurred in the U.S. in 2019. The case itself was among the smallest instances of fraud stateside as millions were lost by corporate victims. Over 81% of all payment fraud attempts last year were made against companies, according to the 2020 AFP Payments Fraud & Control Survey.
Fast forward to a COVID-19 pandemic ravaged corporate world in 2020 and the landscape looks even worse. The ongoing global pandemic presents an opportunity for fraudsters, who are capitalizing on the change in business processes as companies’ operations shift to working remotely. As business continuity plans are implemented, internal controls and practices can be compromised.
The fraudsters’ preferred methods are Business Email Compromise (BEC) and invoice fraud, as current evidence suggests. The latest feedback from security solutions vendors – for example by Abnormal Security – points to BEC scams involving payment and invoice fraud rising by 200% between April and May this year.
More so, the vendor data is aligned with Google’s Transparency Report, which found the number of phishing websites, increasingly linked to BEC scams, spike from just over 20,000 in early March to nearly 60,000 by the end of May; a near trebling in the short space of 12 weeks.
Of course, awareness of BEC scams has increased, and we find that businesses have started to strengthen their defenses. But cybercriminals have evolved their strategy too, moving from the well-known format of impersonating an executive within the firm and requesting a payment, to more sophisticated vendor-based BEC scams like the aforementioned case study.
In vendor-based BEC scams, the majority of all BEC cases, the attacker poses as an existing supplier. The attacker no longer has to convince the victim of the need for the payment, as regular payments are already being sent to existing vendors. Instead, the fraudsters are simply sending updated payment information. Such a scam is effective because the fraudster is not initiating a new conversation, but seizing an existing email exchange.
Check fraud is also on the rise and continues to be the payment method most frequently subject to attacks. Check fraud occurs when a check is presented against an organization’s account that was not issued by the organization or when the payee information is altered. This can result in both financial loss and operational disruptions, as a new account will have to be opened and updated account information sent to customers and vendors. As check payments comprise almost half of all business to business payments, robust fraud protection measures are a necessity in order to safeguard an organization’s operating accounts. Now more than ever, fraud prevention and protection practices are crucial to protecting your business from payments fraud. Awareness, caution and consistent steps outlined below can help reduce the likelihood of a successful attack:
Best Practices for Combating Payments Fraud
If your business falls victim to a successful fraud attempt, we suggest contacting law enforcement, your insurance company, and your bank to report the incident.
To discuss strategies to help mitigate risk, please contact us.