Late on the afternoon before the Easter weekend, an invoice marked ‘Urgent: due for same day remittance’ arrives by email just as an accounts payable clerk at a manufacturing firm is about to leave for the day. The invoice purports to come from a vendor the company works with and looks genuine. Even the clerk’s boss, the company treasurer, who happens to be on leave, is copied on the correspondence.
The email appears to originate from an address that looks like the vendor’s invoicing department, and the bank transfer details appear to be the same as before. Even a cursory glance, however, would reveal that one of the digits in the account number is in the wrong place. Phone calls late on the afternoon before a holiday weekend go unanswered, and in his rush to leave, the clerk wires $119,000 to a vendor he believes is genuine. Only when the company treasurer returns is the payment request revealed to be fraudulent.
This is a real example of a fraud that occurred in the U.S. in 2019. The case itself was among the smaller instances of fraud in the country that year, where corporate victims lost millions. Over 81% of all payment fraud attempts last year were made against companies, according to the 2020 AFP Payments Fraud & Control Survey.
Fast forward to the COVID-19 pandemic-ravaged corporate world of 2020, and the landscape looks even worse. The ongoing global pandemic presents an opportunity for fraudsters, who are capitalizing on the change in business processes as companies shift their operations to remote working. As business continuity plans are implemented, internal controls and practices can be compromised.
Current evidence suggests that the fraudsters’ preferred methods are Business Email Compromise (BEC) and invoice fraud. The latest data from security solutions vendors, Abnormal Security for example, points to BEC scams involving payment and invoice fraud rising by 200% between April and May this year.
Moreover, the vendor data is consistent with Google’s Transparency Report, which found that the number of phishing websites, increasingly linked to BEC scams, spiked from just over 20,000 in early March to nearly 60,000 by the end of May, a near trebling in the short space of 12 weeks.
Of course, awareness of BEC scams has increased, and we find that businesses have started to strengthen their defenses. But cybercriminals have evolved their strategy too, moving from the well-known format of impersonating an executive within the firm and requesting a payment to more sophisticated vendor-based BEC scams like the case described above.
In vendor-based BEC scams, which account for the majority of all BEC cases, the attacker poses as an existing supplier. The attacker no longer has to convince the victim of the need for the payment, as regular payments are already being sent to existing vendors. Instead, the fraudsters simply send updated payment information. Such a scam is effective because the fraudster is not initiating a new conversation but hijacking an existing email exchange.
Check fraud is also on the rise, and checks remain the payment method most frequently targeted. Check fraud occurs when a check is presented against an organization’s account that was not issued by the organization, or when the payee information is altered. This can result in both financial loss and operational disruption, as a new account will have to be opened and updated account information sent to customers and vendors. As check payments make up almost half of all business-to-business payments, robust fraud protection measures are a necessity in order to safeguard an organization’s operating accounts.
Now more than ever, fraud prevention and protection practices are crucial to protecting your business from payments fraud. Awareness, caution and the consistent steps outlined below can help reduce the likelihood of a successful attack:
Best Practices for Combating Payments Fraud
- Incorporate processes to validate payment requests: New payment instructions should always be confirmed, preferably in an in-person meeting or a phone call to a telephone number already known to you, never to a number supplied in the request itself.
- Dual Approval: Use an approver/checker process whenever you need to add a new payee or change existing payment details. Dual control significantly improves your chances of identifying a fraudulent act.
- Confirm identity of sender: In addition to call-backs, the authenticity of an email’s sender can be quickly checked by hovering over the sender’s display name to reveal the real address behind it.
- Implement Bank Controls: Leverage your bank’s fraud protection and detection tools, including Automated Clearing House (ACH) Debit Blocks and Filters, and Positive Pay with Payee Name Verification.
- Utilize Electronic Payment Methods: Given the heightened risk of check fraud, consider electronic or automated payment methods such as ACH or wires to optimize your payables operations.
- Segregate Bank Accounts: Since most fraud targets the payment process, separating your payables and receivables accounts can help protect the organization’s incoming funds. Receivables accounts can be set up with restrictions that prohibit outgoing payments, as well as ACH Debits, from being drawn on the account.
- Ongoing Communication and Training: Awareness and understanding of current fraud trends are foundational to identifying potential fraud. As an example, businesses can subscribe to the U.S. Treasury Department’s Office of Inspector General’s fraud alerts to keep up to date.
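The validation, sender-identity and dual-approval practices above can be turned into an automated pre-payment check that holds an invoice whenever its remittance details or its real sender address differ from the vendor master. The following is an added example, not code from the original article: the vendor record, the invoice and the sender header are constructed sample values, and the lookalike-domain test (an edit distance of two or less) goes a little beyond the text by also catching near-miss sender domains.

```python
# Added example (not from the article): pre-payment review applying the
# validation and sender-identity practices above. All data is constructed.
import re
from email.utils import parseaddr

# Constructed vendor master: vendor id -> details confirmed out of band.
VENDOR_MASTER = {"ACME-001": {"domain": "acme-supply.com", "account": "123456789"}}

def digits_only(value: str) -> str:
    """Strip spaces and dashes so formatting differences are not false alarms."""
    return re.sub(r"\D", "", value)

def is_transposition(a: str, b: str) -> bool:
    """True if b is a with exactly one pair of adjacent digits swapped."""
    if len(a) != len(b) or a == b:
        return False
    d = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(d) == 2 and d[1] == d[0] + 1
            and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_invoice(vendor_id: str, invoice: dict, sender_header: str) -> list:
    """Return findings that block payment until a second approver clears them."""
    known = VENDOR_MASTER.get(vendor_id)
    if known is None:
        return ["unknown vendor: new payee requires dual approval"]
    findings = []
    acct = digits_only(invoice["account"])
    if acct != known["account"]:
        what = ("transposed digits in account number" if is_transposition(known["account"], acct)
                else "account number changed")
        findings.append(what + ": hold payment and call back on the known number")
    # parseaddr yields the real address behind the display name (what hovering shows).
    real_address = parseaddr(sender_header)[1]
    domain = real_address.rsplit("@", 1)[-1].lower()
    if domain != known["domain"]:
        kind = "lookalike" if edit_distance(domain, known["domain"]) <= 2 else "unrelated"
        findings.append(f"sender domain {domain} is {kind}, expected {known['domain']}")
    return findings
```

Any non-empty result is a hold for the second approver; the check never clears a payment on its own.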
If your business falls victim to a successful fraud attempt, we suggest contacting law enforcement, your insurance company, and your bank to report the incident.