Instant payments have been a boon for businesses, their suppliers, and their customers. They reduce administration costs and support questions from suppliers looking for their payments, while also increasing speed (obviously), transparency, and the ability to control cash flow, and they help produce smooth supplier relationships.
They can also give criminals the opportunity for a quick getaway.
It’s important then for businesses to put procedures and technology in place to protect themselves, their vendors and their customers from fraud.
We’ve previously gone into depth about general types of payment fraud, and the tactics that criminals use, but how do instant payments change how criminals target businesses?
In the main, they don’t.
Instant payments are the equivalent of having a Ferrari versus a Morris Minor as the getaway car when robbing a bank. The way the bank is robbed doesn’t change much, but catching the criminals requires both early warning systems, so the police can arrive on the scene as quickly as possible, and cars fast enough to catch the criminals if they get away.
Of course, digital technologies have changed how criminals conduct payments fraud enormously, but instant payments themselves don’t change their fundamental tactics.
Businesses, then, still have to look out for APP (authorized push payment) fraud, billing schemes, ACH (automated clearing house) fraud, check payment frauds, expense reimbursement fraud, kickback schemes, payroll fraud, and the like, but what they really need to consider when it comes to instant payments is prevention, response time and actions.
If you can identify (or even prevent) a fraud early, the chances of recovering the money increase dramatically. But, if a payment is instant, how can businesses realistically protect themselves? What’s more, how do they retain the level of convenience customers now expect while still being a safe and secure entity to transact with?
According to the CIA, once 72 hours have elapsed from a fraud occurring without it being detected and acted against, the chance of recovering the funds drops to 9%. Bottom line, you need to prevent fraud whenever possible, detect fraud early (if not instantly) and take immediate actions. This requires a trifecta of elements – people, process, and technology – working together in harmony.
The most vulnerable part of any system is generally the people running it. There is always the chance that the digital architecture has holes in it, giving criminals a way in, but usually it’s by exploiting people’s vulnerabilities that criminals create vulnerabilities within a system.
Training
‘Training’ is an obvious solution to make your people less susceptible to fraudulent tactics, but what form should this training take?
Firstly, you need to focus on where your business is vulnerable. Will criminals use your product or service to target you, your customers, your suppliers, or all the above? What are the tactics they are most likely to use? This emphasis on likely tactics will stop training being too general, and thereby less memorable for people.
Secondly, do you have instances in the past you can use as examples? Are there people – even the victims of the fraud – willing to talk about their experience? This personalization of the fraud will again make it stick out much more in employees’ minds.
Thirdly, insider fraud should be a core part of any anti-fraud training. It’s not a nice conversation to have, but by having it openly you both tell your employees that you’re aware of the possibility of insider fraud, and you have systems in place to identify it when it happens.
Finally, training must be both regular and supported by top management. This doesn’t mean you have to do sessions every week, but a few times a year would be appropriate. Top management need to support this by communicating the importance of the sessions themselves and attending regularly.
Due diligence and behavior monitoring
Beyond training, doing proper due diligence on new hires is an important step (difficult, of course, as background checks usually legally require all information gathered to be directly for job-related purposes).
As well as this, monitoring behavior of employees is an important way to prevent fraudulent schemes getting out of hand. This has to be done within reason, and the balance between monitoring discreetly and invading people’s privacy and destroying their trust can be a tough line to walk.
Instant payments are a result of technological advances, and preventing instant payment fraud requires advanced technology too. Automated systems, which use embedded fraud detection algorithms and machine-learning tools, are at the front line of preventing instant payment fraud.
Predictive risk assessments and automated fraud detection
One of the first steps in preventing instant payment fraud is to predict it before it happens. There are many red flags that anti-fraud professionals know to look for in a payment, and by embedding these red flags into a payment system, they can often prevent a fraudulent payment being made in the first place.
The system then needs to be capable of telling the ‘good’ payments that may have red flags apart from the genuinely fraudulent ones. A simple example is someone making a payment for a ‘bomber jacket’. The system may be looking for keywords such as ‘bomb’ and therefore prevent the payment going through, but it needs to be clever enough to know that this payment is for an item of clothing, and not linked to terrorist activities.
Without this ability to discern, businesses may find multiple payments are being held up, causing an impact on revenue.
Robust data security
Any payment system must have strong data security. Regular penetration testing and external audits, prompt patch management (to keep the system up to date), deletion of out-of-date data, secure data processing activities in line with top industry standards, data encryption, and certified host providers to house the data securely are just some of the elements world-class payment systems will have in place as standard.
Without these protections, data can become vulnerable to direct hacking or phishing attempts which criminals can then leverage to make fraudulent payments.
Real-time response mechanisms
Once the system’s detection methods raise the level of potential fraud to a defined level, the system will generally pause the payment and notify a human operator to make the decision.
In the instant payments era, the ability to do this in real time is an essential part of any anti-fraud response. And this is where the technology meets the human element.
The technology needs to be smart enough to detect potential fraud, while allowing good payments to go through, while the human side needs to be quick enough to deal with potential fraudulent payments.
Process is rarely the shiny object in organizations that people want to build and follow. It’s bureaucratic, prone to manipulation, and rarely bullet-proof. It’s also essential.
What then are the processes businesses can put in place to prevent instant payments fraud?
Have a fraud response plan
What’s not written down, doesn’t exist. If you don’t have a defined plan, then any trigger events will lead to confusion and an inadequate, piecemeal response. Defining in advance who is notified, including the police, and what actions the organization should take immediately after a fraud is identified, will help align the team in the right direction.
A fraud response plan should also have a proactive element. This would include a whistleblowing process, allowing employees to report (confidentially if necessary) potential frauds occurring within the organization.
Double-blind monitoring
Payments, particularly initial payments to new external parties, should be double-checked by a human being. What’s more, the payment process in general should be the responsibility of more than one person.
Regular audits
Regular audits will help detect and prevent fraud. While auditors are not generally responsible for detecting fraud, a good auditor will monitor your incomings and outgoings with fraud in mind. Regular internal checks and audits will also help detect potential fraud and prevent internal fraud because the risk of being caught is greater.
Instant payments haven’t fundamentally changed how frauds occur, but they have fundamentally changed how businesses need to prevent and react to fraud occurring. By using modern payment platforms, putting the right processes in place, and putting people at the heart of your anti-fraud strategy, criminals will find their getaway car stalling on the roadside.
For more on how TransferMate can help protect your business against payment fraud, get in touch with the team today.
If you’ve ever owned a car without automatic locks, you’ll know how easy it is to leave the doors open overnight. You grab the shopping, get distracted when you get inside the house, and it’s only the next morning that you turn the key and realize you’ve been lucky.
When it comes to payment frauds, businesses are leaving their doors unlocked all the time. There has been a surge of fraud attacks on businesses since the pandemic, with criminals shifting resources to digital avenues, making it more important than ever for businesses to protect themselves from attacks.
Today we’re looking at 6 common accounts payable frauds and how to prevent them.
1. Billing Schemes
A billing scheme is simply when a person (either an employee or an outsider) gets a business to issue fraudulent payments by submitting fake invoices. While the most common culprit is an internal employee, successful phishing schemes can be a way for an outsider to pose as an employee or supplier in a more subtle way.
Billing schemes typically come in three forms:
How to prevent a Billing Scheme fraud
Checks and balances are the key here. While often difficult to achieve – especially within a small business – having multiple people along the chain will help both spot potential fraud and discourage people from trying.
It’s important to maintain a separation of duties in the purchasing process, have an approved vendor list that you regularly update, and require additional sign-off for non-approved vendor payments. Finally, picking up the phone and contacting the vendor directly if anything seems unusual will never be a bad step to take – no-one will be annoyed about you being careful with their money.
‘With commerce comes fraud.’
Nathan Blecharczyk, co-founder and chief strategy officer of Airbnb
2. Authorized Push Payment (APP) Fraud
Often a direct result of a successful phishing attempt, APP fraud is where a fraudster uses their newly gained knowledge of the company details and processes to get in the middle of a transaction. By monitoring emails and analyzing past invoices and their timings, a fraudster can produce a genuine looking request for payment at just the right moment.
Another common tactic fraudsters use is impersonating an internal employee (often a senior executive) and asking another employee to authorize a payment into an account. They will often use language that conveys a sense of urgency to push that person psychologically and get it done quickly.
While phishing is the most common tactic, simple social engineering techniques can work also, such as ringing a company and using publicly available information to trick an employee into making a payment because of an ‘emergency’.
How to prevent an Authorized Push Payment Fraud
While common sense preventative methods, such as strong password protections and changing passwords frequently, can deter scammers, staff training will always be the top preventative tool. Making your staff aware of common scams and the tactics used will give them the power and confidence to ask questions when they are unsure. Company policies, such as always putting payments through the accounts department (rather than company credit cards), also add a layer of protection against APP payment frauds.
A typical organization loses 5% of its revenue to fraud every year, with a median loss of $125,000
Association of Certified Fraud Examiners (ACFE)
3. ACH (Automated Clearing House) Fraud
ACH (automated clearing house) payments are electronic fund transfers. It’s another area where phishing (or social engineering techniques) can be the way in for the fraudster, although the culprit can also be an employee with official access or one using nefarious means to gain access.
The difference between APP fraud and ACH fraud is in the tactics used – APP fraud uses information to trick an employee into paying someone they shouldn’t, while ACH fraud attacks the actual system the payment is being made through.
Once the fraudster has access to the files, they can edit a vendor’s profile within the system, including the payment information.
How to prevent an ACH fraud
As ACH fraud is essentially a way of attacking a digital network, the first step is to make that network as secure as possible. By using multi-layer, multi-factor authentication security processes, you can deter all but the most determined and skilled fraudsters, and automated payment systems will bring additional layers of security. However, as is the case with so many of these frauds, it’s the human factor you must look out for most, both in training and identifying suspicious behavior.
It’s estimated that in 2020, 1 in every 4,200 emails was a phishing attempt.
Symantec Cyber Security
4. Check Payment Frauds
While checks seem to be a thing of the past, they are much more popular than you might think. In 2019, a study by the Federal Reserve found that 14.5 billion checks were processed that year.
Check fraud is very common (one study found that 75% of all businesses that suffered accounts payable fraud did so because of check fraud), and it can come in many forms. The simplest way is for the fraudster to make out a check and change the payee, or to write checks for personal expenses and charge them to the business account.
Fraudsters will also send vendors double-payments or purposely overpay them, and then intercept the check when it returns to cash it elsewhere.
How to prevent Check Payment Frauds
There are several methods of preventing check fraud, from good processes to technological solutions. Firstly, preventing the physical checks within a business from being easily accessed is a must, while properly storing voided checks will help with reconciliation. Speaking of reconciliation, doing it regularly will mean you’ll spot any fraud quickly.
A proactive way to prevent check fraud is to use a positive pay service. Essentially, positive pay means your bank will compare checks received each day to an issue file you send them and highlight items that don’t match across the two lists, flagging them for your review.
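The positive pay comparison described above can be sketched as follows. This is an added example, not code from the original article or from any bank's service; the field names (`check_no`, `payee`, `amount`, `void`) and the sample records are constructed assumptions, since real issue-file formats are bank-specific.

```python
from decimal import Decimal

def _norm(payee):
    """Case- and whitespace-insensitive key for comparing payee names."""
    return " ".join(payee.upper().split())

def positive_pay_exceptions(issue_file, presented):
    """Return [(check_no, [reasons])] for presented checks that do not match the issue file."""
    issued = {c["check_no"]: c for c in issue_file}
    seen, exceptions = set(), []
    for item in presented:
        no, reasons = item["check_no"], []
        rec = issued.get(no)
        if rec is None:
            reasons.append("not in issue file")
        else:
            if rec.get("void"):
                reasons.append("voided check presented")
            # Decimal avoids float rounding when comparing money amounts.
            if Decimal(item["amount"]) != Decimal(rec["amount"]):
                reasons.append("amount mismatch")
            if _norm(item["payee"]) != _norm(rec["payee"]):
                reasons.append("payee mismatch")
        if no in seen:
            reasons.append("duplicate presentment")
        seen.add(no)
        if reasons:
            exceptions.append((no, reasons))
    return exceptions

# Constructed sample data (hypothetical vendors and amounts).
ISSUE_FILE = [
    {"check_no": "1001", "payee": "Acme Supplies Ltd", "amount": "1250.00"},
    {"check_no": "1002", "payee": "Northside Freight", "amount": "480.75"},
    {"check_no": "1003", "payee": "Harbor Print Co", "amount": "92.10", "void": True},
]
PRESENTED = [
    {"check_no": "1001", "payee": "ACME SUPPLIES LTD", "amount": "1250.00"},  # clean
    {"check_no": "1002", "payee": "J. Smith", "amount": "4800.75"},           # altered payee and amount
    {"check_no": "1003", "payee": "Harbor Print Co", "amount": "92.10"},      # voided check
    {"check_no": "1001", "payee": "Acme Supplies Ltd", "amount": "1250.00"},  # presented twice
    {"check_no": "2050", "payee": "Unknown Payee", "amount": "300.00"},       # never issued
]

if __name__ == "__main__":
    for no, reasons in positive_pay_exceptions(ISSUE_FILE, PRESENTED):
        print(no, "; ".join(reasons))
```

Every item returned is an exception for human review; the first presentment of check 1001 matches the issue file and is not listed.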
“Torture the data, and it will confess to everything.”
Ronald Coase, British economist and Nobel Prize winner.
5. Expense Reimbursement Fraud
Expense Reimbursement Fraud is when an employee submits a false expense report after making purchases on their personal credit card, creates fake expenses for items or services never purchased, overstates expenses, or submits duplicate reports to be reimbursed twice.
This can range from the relatively minor to serious, systematic frauds. Whichever end of the scale it occurs at, though, a study by the Association of Certified Fraud Examiners found that expense reimbursement fraud accounted for between 21% of fraud within small businesses and 11% in large enterprises.
How to prevent Expense Reimbursement Fraud
Regular spot-checks, formal warnings for minor offenses (depending on company policy), and regular audits will discover most types of expense frauds.
Another method commonly used to spot fraud is applying Benford’s Law. This principle states that in naturally occurring number sets, smaller digits (like 1 and 2) will show up as the leading digit of each data point more frequently than larger ones. For example, the number 1 appears as the leading significant digit about 30% of the time, while 9 appears as the leading significant digit less than 5% of the time.
Knowing this principle means that a person can examine data sets (like expense receipts) and see the likelihood of whether fraud has occurred.
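A first-digit Benford check on expense amounts, as an added example (not from the original article). It compares observed leading digits with the expected share log10(1 + 1/d) using a chi-square statistic; the function names, the 5% significance level and both sample data sets are constructed assumptions.

```python
import math
from collections import Counter

# Chi-square critical value for 8 degrees of freedom at the 5% level.
CHI2_CRITICAL = 15.507

def leading_digit(amount):
    """First significant digit of a money amount, or None for zero."""
    digits = f"{abs(amount):.2f}".lstrip("0.")
    return int(digits[0]) if digits else None

def benford_expected(d):
    """Expected share of leading digit d under Benford's Law."""
    return math.log10(1 + 1 / d)

def benford_test(amounts):
    """Compare leading-digit counts with Benford's Law via a chi-square statistic."""
    digits = [d for d in map(leading_digit, amounts) if d]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    observed = Counter(digits)
    chi2 = sum(
        (observed[d] - n * benford_expected(d)) ** 2 / (n * benford_expected(d))
        for d in range(1, 10)
    )
    return {
        "n": n,
        "share": {d: observed[d] / n for d in range(1, 10)},
        "chi2": chi2,
        # A flag is a prompt for manual review, not proof of fraud.
        "flagged": chi2 > CHI2_CRITICAL,
    }

# Constructed data: amounts spread evenly (in log terms) over three orders of
# magnitude, which is the kind of set Benford's Law describes.
NATURAL = [round(10 * 10 ** (k / 100), 2) for k in range(300)]
# Constructed data: 120 claims all kept just under a hypothetical 50.00
# approval limit, so every leading digit is 4.
PADDED = [round(40 + (k * 0.37) % 10, 2) for k in range(120)]

if __name__ == "__main__":
    for name, data in (("natural", NATURAL), ("padded", PADDED)):
        r = benford_test(data)
        print(f"{name}: n={r['n']} chi2={r['chi2']:.2f} flagged={r['flagged']}")
```

The test is only meaningful for reasonably large sets whose values span several orders of magnitude; categories with a fixed price or a narrow allowed range will deviate from Benford's Law for legitimate reasons.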
6. Kickback Schemes
Kickback schemes are when an employee colludes with an outsider and receives a reward (financial or otherwise) to change a business decision. They can be very damaging as they may not leave a direct paper trail like other frauds, and can become a stepping stone to other frauds, such as billing schemes.
Vendor selection can be a key area where kickback schemes occur. Vendors may attempt to bribe an employee with straight cash or reciprocal awards (such as event tickets, holidays, etc.) so they are selected over competitors.
How to prevent Kickback Schemes
As is the case with so many of these frauds, having multiple people in the chain is a great deterrent. All bids should be viewed and judged by multiple people, while a gratuities policy that makes the rules clear to people is also a must. Audits on vendor selection and purchases over a certain dollar amount will also help you spot fraud early.
We will probably never be able to end fraud altogether. Systems are unlikely to ever become invulnerable, no matter how sophisticated the technologies, and people certainly never will be. What businesses can do, however, is build up layers of protection to decrease the likelihood of fraud occurring in the first place and lessen its impact if it ever does.
So many payment frauds happen because of weak links in the process combined with an inability of staff to check for errors due to overwork or overly complex systems.
Implementing automated accounts payable systems will begin giving the power back to businesses in preventing, spotting, and limiting fraud. Automated red flags, the improved ability to examine data and the audit trail generated by automated payment processes are key weapons in the fight against fraud.
After all, it’s easier to lock the car door when it’s automatically done for you.