What Is Payments Fraud?
Payments fraud is the illegal or unauthorized use of payment instruments — including credit and debit cards, checks, wire transfers and online payment platforms — to obtain financial gain. The umbrella of payments fraud encompasses a wide range of fraudulent activities, including credit card and check fraud, phishing and account takeover.
Payments fraud is one of the principal challenges organizations and businesses face today. According to the 2024 AFP Payments Fraud and Control Report, underwritten by Truist, 80% of organizations reported being a victim of an attempted or actual fraud attack.
PART 1
How Does Payments Fraud Affect Businesses?
Payments fraud can affect businesses in numerous ways, including:
- Potential financial loss
- Reputational risk
- Failure to meet regulatory requirements
- Business disruption
- Loss of customer trust and loyalty (e.g., as a result of a data breach)
Mitigating payments fraud requires the implementation of robust security measures, employee education on common fraud schemes and collaboration with partners, including banks and vendors.
PART 2
How Does Payments Fraud Happen?
The majority of payments fraud starts with an individual outside your organization. Fraudulent emails, referred to as business email compromise (BEC), and vendor imposters were the two methods most frequently used by fraudsters in 2023, according to findings from the 2024 AFP Payments Fraud and Control Report.
Three common tactics that fraudsters use to commit BEC are:
- Spoofing email accounts or websites (domain lookalikes)
- Sending targeted spear phishing emails
- Using malware to access legitimate email threads discussing bills and invoices
Clicking on a domain lookalike can lead to web traffic diversion and/or malware delivery. Fraudsters like to use compromised email accounts to send fraudulent change of payment instructions. These emails appear authentic but often contain hyperlinks to malicious sites or payment portals. With the help of AI, fraudsters have been able to avoid standard indicators of a phishing email, such as spelling and grammatical errors.
Other often-used methods reported in the 2024 AFP Payments Fraud and Control Report include intercepting checks sent through the mail, invoice fraud, an imposter posing as an organization representative to a client, account takeover and fraud involving third-party payment processors.
PART 3
How to Protect Your Business Against Payments Fraud
How do you protect your business against payments fraud? While there is no single fail-safe protection, experts recommend fortifying three areas: collaboration, processes and controls, and employee education.
Collaborate with Partners
Banks, professional advisors and risk managers have expertise in identifying and mitigating fraud risks and are, therefore, excellent sources for advice and guidance. They will likely start by recommending that you implement robust processes to prevent or minimize the impact of fraudulent activities. Many banks are also proactive in investing in advanced technologies designed to detect transactions susceptible to fraud.
Adopt Robust Processes, Controls and Audit Trails
To minimize the initiation of fraudulent activities, implement controls, such as the segregation of duties and setting limits on individual authorizations according to the person’s level of expertise. Put every transaction through a timely confirmation and reconciliation procedure to ensure any irregularities are addressed immediately. Finally, be sure to enable effective review and oversight procedures in order to maintain a clear audit trail for every transaction.
Educate Employees
Regular employee education sessions — throughout the entire organization — are essential. Such sessions promote adherence to internal processes and equip employees with the knowledge to identify various sources of fraud, such as BEC scams. When companies empower their employees with awareness and training, they can significantly decrease the risk of falling victim to fraud.
PART 4
Positive Pay vs. Reverse Positive Pay
Two fraud prevention services commonly offered by banks to help detect and prevent check fraud are positive pay and reverse positive pay. While both services verify the authenticity of checks before clearing them for payment, the difference between them lies in their approach.
Positive pay involves the company sending payment information (a list of issued checks) to the bank before distributing checks. The bank then matches the details of each check to the company’s records and pays only those that match; some services also verify the payee field. Any discrepancies are sent to the company for a decision on whether to pay or return the item, usually on the same day. If no decision is made, the bank defaults to either pay all or return all (of the exception items). To help the company make this decision quickly, most services provide online access to transaction data and check images.
When dealing with ACH payments, the bank sends the company a list of ACH debits, i.e., requests for payment, and the company decides whether or not to authorize payment. Rules can be set up ahead of time to help automate the process, such as allowing debits up to a specified amount to be paid automatically. It is standard practice for positive pay services to operate on a batch basis; however, companies can also opt for teller positive pay, which allows tellers to process a real-time inquiry on checks, which helps prevent the cashing of fraudulent items.
There are two weaknesses with positive pay to be aware of:
- Positive pay does not safeguard against fraudulent endorsement, which is when a stolen check is endorsed and cashed by a third party without altering key details such as the amount or serial number. Because positive pay cannot differentiate between the original check and a copy, it pays the first presented check.
- Unique to the U.S., if the third party (e.g., a check-cashing center) can prove that it was a “holder in due course” at the time it accepted the check, they may be able to collect from the issuer of the check even though the check was fraudulent or altered.
With reverse positive pay, the bank sends a daily or intraday file to the company of checks presented for payment. The company then matches it with the issued check file and notifies the bank of any discrepancies. It is important to note two weaknesses of reverse positive pay:
- Reverse positive pay does not prevent fraudulent checks from being cashed at the teller line, as the bank doesn’t have access to the issued file.
- The default of “pay all” or “pay none” needs to be established with the understanding that if the company opts for “pay none,” all checks will be returned for that day — not just the exceptions.
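The positive pay and reverse positive pay matching described above, as an added Python example that is not the AFP report's or any bank's code: `PositivePay` is the bank-side matcher with the optional payee check and a configurable pay-all/return-all default for undecided exceptions, and `reverse_positive_pay_report` is the company-side match against the bank's presented-items file. All class and function names and the sample checks are constructed for illustration.

```python
# Added example of positive pay matching rules; constructed code, not a bank's implementation.
from dataclasses import dataclass, field
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    serial: str
    amount: Decimal
    payee: str

@dataclass
class PositivePay:
    """Bank-side matcher holding the company's issued-check file (serial -> Check)."""
    issued: dict
    default: str = "return"      # bank's action for exceptions left undecided
    verify_payee: bool = False   # optional payee-field verification
    paid: set = field(default_factory=set)

    def evaluate(self, presented: Check) -> tuple:
        """Return ("pay" | "exception", reason) for one presented check."""
        issued = self.issued.get(presented.serial)
        if issued is None:
            return ("exception", "serial not in issued file")
        if presented.serial in self.paid:
            # A copy and its original look identical, so whichever is presented
            # first is paid; the second becomes an exception (the weakness above).
            return ("exception", "serial already paid")
        if issued.amount != presented.amount:
            return ("exception", "amount differs from issued file")
        if self.verify_payee and issued.payee != presented.payee:
            return ("exception", "payee differs from issued file")
        self.paid.add(presented.serial)
        return ("pay", "matched issued file")

    def settle(self, presented: Check, company_decision: str = "") -> str:
        """Pay matches; for exceptions apply the company's decision, else the default."""
        if self.evaluate(presented)[0] == "pay":
            return "pay"
        choice = company_decision if company_decision in ("pay", "return") else self.default
        if choice == "pay":
            self.paid.add(presented.serial)
        return choice

def reverse_positive_pay_report(issued: dict, presented_file: list) -> list:
    """Company-side match of the bank's presented-items file; returns items to dispute."""
    matcher = PositivePay(issued, verify_payee=True)
    return [(c.serial, r) for c in presented_file
            for d, r in [matcher.evaluate(c)] if d != "pay"]

ISSUED = {c.serial: c for c in (Check("1001", Decimal("250.00"), "Acme Supplies"),   # constructed
                                Check("1002", Decimal("1200.00"), "Northwind Services"))}  # sample file
```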
PART 5
Best Practices for Fraud Control
Companies can adopt several best practices tailored to their payment processes to fortify fraud control measures:
- If your organization is still writing checks, be sure to utilize check stock embedded with advanced security features such as microprinting, holograms and non-photo-reproducible elements. This can deter counterfeit attempts and enhance check authenticity.
- Implement a segregation of duties. This ensures that individuals who are reconciling accounts are distinct from those authorized to initiate the transactions. Include positive pay procedures as well — those authorized to make decisions regarding the exceptions should not be involved in the initiation of the transaction.
- Require dual authentications for all EFT transactions. This adds an extra layer of security by having one person initiate the transaction and another person review and authorize it.
- Reduce or eliminate non-repetitive wire transactions and maintain separate accounts for deposits and disbursements.
- Deploy specific-purpose deposit-only zero balance accounts (ZBAs) with debit blocks or filters to enhance control over funds. Bolster protection further by implementing check blocks for ACH-only ZBA accounts.
- Authenticate the ownership of beneficiary accounts before initiating EFT transactions or writing checks. This can be done by utilizing standalone services like Early Warning Services, integrating KYC verification solutions into payables workflows, or, in the U.K., leveraging bank-provided solutions such as CoP (Confirmation of Payee).
- Adopt proactive measures against BEC scams. For example, verify any changes to settlement instructions by directly contacting payees as opposed to clicking “reply” in the sender’s email.
Incorporating these best practices into your company’s fraud controls will help strengthen your defenses against payments fraud, thereby helping to safeguard both the company’s financial assets and its reputation.
PART 6
Payments Fraud Trends
Not since 2018 has the number of organizations impacted by fraud been this high. In 2023, 80% of organizations reported having been targets of payments fraud activity — an increase of 15% over 2022. The 2024 AFP Payments Fraud and Control Report also found that fraudsters targeted more large organizations (those with an annual revenue of at least $1 billion) than in the prior year.
The incidence of payments fraud in 2023 remained unchanged for over two-thirds of survey respondents, while 26% of finance professionals reported an uptick. Interestingly, of those who reported an increase in incidents, the majority were from organizations with annual revenues of less than $1 billion.
PART 7
Learn More About Payments Fraud
- AFP Digital Badge: Payments Fraud 2023/2024 (complimentary to AFP members)
- AFP Mini-Course: Payments Fraud (AFP member resource)
- AFP Self-Paced Course: Payments Fraud and Cybercrime