Overall payments fraud was down in 2021, according to the 2022 AFP Payments Fraud and Control Survey, underwritten by J.P. Morgan. Even so, the survey finds that the underlying fraud by payment type is changing, as companies shift from paper to digital methods.

During the companion webinar to the survey, an expert panel from J.P. Morgan and Club Car discussed the latest trends in payments fraud. The audience also asked questions related to mitigating fraud across the various payment types. Due to time constraints, we were not able to answer all of the questions live. In this article, we go into more of the questions with John Geronimo, Fraud Strategy Director, Commercial Banking at J.P. Morgan. AFP thanks J.P. Morgan for providing the responses below and for underwriting the AFP Payments Fraud and Control Survey this year.

Q: What is BEC?

J.P. Morgan: Business Email Compromise, or BEC, is a scheme in which criminals use email to try and trick victims into authorizing transactions to an account controlled by the criminals.

Key Survey Finding: 68% of organizations were targeted by BEC in 2021, a sharp decrease from last year’s figure of 76% and the second lowest figure since AFP began tracking this data.

Q: What are the most common ways that a check can be compromised?

J.P. Morgan: Fraud can occur in several ways once a check is sent from the originator and a criminal copies the check stock, routing and account number. Criminals can commit fraud by counterfeiting the check, altering or attempting to negotiate with a forged or missing endorsement. Criminals can also initiate an ACH debit using the check account number. Internally, keep check stock in a secure location, under dual control, and limited to only staff required to process.

Key Survey Finding: In 2021, checks were the payment method most impacted by fraud activity (66%).

Q: Has there been any development in Holder in Due Course liability with regard to mobile deposits?

J.P. Morgan: The most recent development around mobile deposits was the Federal Reserve Board adding a new indemnity from the check maker’s bank for remote deposit capture that indemnifies a depositary bank that received a deposit of an original paper check that was returned unpaid because the check was previously deposited using a remote deposit capture service and paid.

In July of 2018, the Fed added an exception to the indemnity right of the bank taking the paper check, if it accepted the original check with a restrictive endorsement such as “for mobile deposit only.” Effectively, the use of the restrictive endorsement shifts liability away from the bank accepting the remote deposit to the bank accepting the original paper check.

Q: Do you recommend utilizing chip and contactless features on cards?

J.P. Morgan: Both EMV chip and contactless options are very secure and are recommended to be used instead of the card’s magnetic strip. Please keep in mind that contactless payments also include using a device, such as Apple/Samsung/Google Pay, which are also very secure options for payments. That said, contactless payments work via short range radio frequency, and there are apps that, if in very close proximity, can pick up some of the data from a contactless payment, for example, account number and expiration date.

Q: In exploring the latest and greatest payment methods (e.g., tokenized payments and real-time payments), what types of fraud should we be aware of, and how best can these types of fraud be mitigated?

J.P. Morgan: Criminals will focus on the weakest link in an organization — the person capable of instructing or authorizing these payment methods. Education, training and testing are critical. Criminals will continue to use business email compromise and social engineering to manipulate those in authority to release authorized transactions.

Q: How do you encourage employees who initiate and approve wires to actually follow the procedures implemented in fraud training?

J.P. Morgan: Through controls testing and audit. For example, it is considered best practice to require employees to evidence they executed internal policies and procedures, and a sample of transactions should be reviewed with the required supporting evidence.

Key Survey Finding: 58% of survey respondents indicated that their Accounts Payable departments were compromised through email scams in 2021.

Q: Do you have any guidance on fake letter of credit?

J.P. Morgan: The Commercial Banking Fraud Team has seen multiple instances of fake letters of credit, fake W-9s and fake bank letters of account change, etc., that have impacted our clients. Robust KYC/vendor validation practices are critical to help protect against fraud loss. JPMorgan Chase has published a playbook on business email compromise and callback processes to help your team with callback processes.

Q: Is doing more than one callback to confirm a change in wire instructions considered a best practice? Who should be doing the callback generally?

J.P. Morgan: This is dependent on an organization’s existing internal operating principles and risk tolerances. A callback, if executed correctly, is a best practice BEC control.

Q: What if the person is working from home, and you cannot call the number retrieved from a system of record?

J.P. Morgan: Wait until controls can be executed correctly. Funds are final when sent and recovery is on a best-efforts basis.

Q: Does anyone require having the bank confirm bank change information?

J.P. Morgan: Clients own their vendor relationships and are therefore best positioned to validate changes in instructions. We have seen instances in which a client who has a banking relationship with the recipient bank may inquire as to account status. Absent a relationship the receiving depository financial institution (RDFI) may not engage.

Want to learn more? View the comprehensive results from the 2022 AFP Payments Fraud and Control Survey. Members can also view the full webinar on demand.