A Multi-layered Approach to Combatting Payments Fraud
- By AFP Staff
- Published: 12/11/2024
When it comes to safeguarding your financial operations, no one is immune to fraudsters. Their methods are constantly evolving in sophistication, presenting us all with new challenges.
During an AFP webinar, industry experts discussed how things have changed since results from the 2024 AFP Payment Fraud and Control Survey, underwritten by Truist, were reported. There are new fraud trends, as well as methods organizations are taking to combat them.
Shifts in fraud trends
Referring to the 2024 AFP Payment Fraud and Control Survey, Tom Hunt, CTP, Director, Treasury Services and Payments for AFP, said, “One of the trends we saw this year was a shift in BEC fraud; it’s moving away from wires and towards ACH credits.”
Vigilance with a healthy dose of skepticism is required to combat fraud, advised Chris Ward, Head of Enterprise Payments at Truist. “If somebody is raising a red flag, you should assume that's correct and try to prove that it isn't fraud,” he said. “I've had case after case recently where clients saw the signs but didn't stop. If it's too good to be true, it's probably a scam. There are all kinds of things going on in every single one of these fraud categories, and they're getting better and better at spoofing.”
USPS mail fraud remains a significant concern as well, leading to washed checks. “We're trying to get away from mailing checks,” said Karyn Brown, CTP, Treasurer at Austin Industries. “The physical checks increase the risk of stolen or intercepted mail resulting in washed checks.”
FinCEN released the results of a study it conducted from February to August 2023 that found $688 million in suspected fraud related to mail theft. “This is based on reports filed by 15,000 financial institutions,” said Hunt. “I think it was like 3% of all the mail in this period was considered fraudulent in terms of being stolen.”
“There’s all kinds of public data on stolen mail,” said Ward. “It’s quite pervasive. In addition to the printing technology that’s out there today, the ability to edit things digitally makes it much easier to produce a counterfeit check to then get injected into the system.”
Organizational vulnerabilities and responses
According to results from the survey, less than half of organizations have tested fraud policies, and given how long it takes to detect fraud, reconciliation is a must. “Detection typically takes about a week,” said Hunt. “So, making sure your reconcilement and the back office is functional and efficient is as important as ever.”
While many organizations want to reduce their reliance on checks, some smaller vendors are resistant to electronic payments due to privacy and cost concerns. “We've got a lot of mom-and-pop shops that don't want to give their banking information to us,” said Brown. “We have been able to move a lot of them to virtual payments through a credit card. The challenge there is that a lot of them want us to pay the fee. It's tough. They're very leery of receiving electronic payments.”
Brown added that Austin Industries is taking additional measures to combat fraud. “We have moved away from putting any information regarding payments or payment approval in emails,” she said. “We’ve gone back to ‘wet’ signatures on paper and looking at the whites of people's eyes when they sign.”
Fraud mitigation strategies
Fraud prevention requires a multi-layered approach, combining tools like positive pay, payee positive pay, tamper-resistant checks, segregated accounts and daily reconciliations. “There’s not one single thing you should do and just assume you can sleep at night,” said Ward. “You have to layer all these items in.”
Hunt offered some advice in regard to positive pay: “If you do have positive pay, check your exceptions in a timely manner before cutoff, and certainly don’t have your default set to pay those. If you don’t review them, have them set to do not pay.”
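To make the positive pay advice concrete, the following is an added illustration (not code from AFP, Truist or any bank) of how a positive pay match works and why the default decision matters. It assumes a constructed issued-check file, a constructed set of presented items, and a constructed cutoff time; the `payee_match` flag shows the difference between plain positive pay (check number and amount) and payee positive pay (payee name as well).

```python
"""Positive pay exception matching (added illustration; constructed data).

The company sends its bank an issued-check file. Every item the bank presents
is matched against that file; anything that does not match is an exception.
Exceptions the company does not review before cutoff receive the account's
default decision, which should be "return", never "pay".
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Check:
    number: int
    amount_cents: int
    payee: str


# Constructed issued-check file (what the company told the bank it wrote).
ISSUED = {
    1001: Check(1001, 125_000, "ACME SUPPLY CO"),
    1002: Check(1002, 9_950, "JANE DOE"),
    1003: Check(1003, 48_000, "NORTHSIDE ELECTRIC"),
}

# Constructed presented items for one business day.
PRESENTED = [
    Check(1001, 125_000, "ACME SUPPLY CO"),      # clean match
    Check(1002, 995_000, "J DOE HOLDINGS"),      # washed: amount and payee altered
    Check(1003, 48_000, "NORTHSIDE  ELEC LLC"),  # payee altered, amount intact
    Check(1999, 300_000, "CASH"),                # counterfeit: never issued
]

# Constructed bank cutoff and the company's exception decisions with timestamps.
CUTOFF = datetime(2024, 12, 11, 14, 0)
REVIEWS = {
    1999: ("return", datetime(2024, 12, 11, 9, 30)),   # reviewed before cutoff
    1002: ("return", datetime(2024, 12, 11, 15, 10)),  # reviewed too late
}


def normalize(name: str) -> str:
    """Collapse case and whitespace so trivial formatting does not cause exceptions."""
    return " ".join(name.upper().split())


def classify(item: Check, issued: dict, payee_match: bool = True) -> str:
    """Return 'match' or the reason the presented item is an exception."""
    rec = issued.get(item.number)
    if rec is None:
        return "no_issue_record"
    if rec.amount_cents != item.amount_cents:
        return "amount_mismatch"
    if payee_match and normalize(rec.payee) != normalize(item.payee):
        return "payee_mismatch"
    return "match"


def run_positive_pay(presented, issued, reviews, cutoff, default="return", payee_match=True):
    """Decide each presented item. reviews: {check_number: (decision, reviewed_at)}.

    Returns {check_number: (reason, decision)}.
    """
    decisions = {}
    for item in presented:
        reason = classify(item, issued, payee_match)
        if reason == "match":
            decision = "pay"
        elif item.number in reviews and reviews[item.number][1] <= cutoff:
            decision = reviews[item.number][0]   # timely review wins
        else:
            decision = default                   # unreviewed exception
        decisions[item.number] = (reason, decision)
    return decisions


if __name__ == "__main__":
    for label, default in (("default=return", "return"), ("default=pay", "pay")):
        print(label)
        for num, (reason, decision) in run_positive_pay(
            PRESENTED, ISSUED, REVIEWS, CUTOFF, default=default
        ).items():
            print(f"  check {num}: {reason:18s} -> {decision}")
```

Running it shows that with the default set to "return", the washed check 1002 (reviewed only after cutoff) and the counterfeit 1999 are both returned; with the default set to "pay", the late-reviewed 1002 is paid. Setting `payee_match=False` reproduces plain positive pay, under which the payee-altered check 1003 is treated as a match.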
Fraudsters often make incremental changes to vendor details (e.g., phone numbers or addresses) before altering bank accounts. This means all change requests should be verified thoroughly, even those that seem minor.
“Fraudsters are in this for the long haul,” said Brown. “They know that practitioners refer to ERP systems for trusted information. So, they’ll try to change personal or banking information, and then try again two or three months later. As a result, we trust nothing, and verify everything.”
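The pattern Brown describes, small contact-detail edits followed months later by a bank account change, can be caught by reviewing a vendor's change history rather than each request in isolation. The following is an added example (not code from Austin Industries or any ERP vendor) of such a check. It assumes a constructed change log and vendor master, a 120-day lookback window chosen for illustration, and the rule that the callback to confirm a bank change goes to the phone number on file before the recent edits, not to the newly supplied one.

```python
"""Vendor master change assessment (added illustration; constructed data).

Every change is verified. A change to a bank field is held until a callback
confirms it; if the same vendor's contact details were changed within the
lookback window, severity is raised and the callback uses the pre-change phone.
"""
from dataclasses import dataclass
from datetime import date, timedelta

BANK_FIELDS = {"bank_account", "routing_number"}
CONTACT_FIELDS = {"phone", "email", "remit_address"}
LOOKBACK = timedelta(days=120)   # constructed window, tune to your own history


@dataclass(frozen=True)
class Change:
    vendor_id: str
    field: str
    old: str
    new: str
    on: date


# Constructed change log: V-100 shows the staged pattern, V-200 a bank change
# with no recent contact edits, V-300 a lone phone change.
HISTORY = [
    Change("V-100", "phone", "555-0100", "555-0199", date(2024, 8, 2)),
    Change("V-100", "email", "ap@acme.example", "ap@acme-billing.example", date(2024, 8, 20)),
    Change("V-100", "bank_account", "****1234", "****9876", date(2024, 10, 29)),
    Change("V-200", "remit_address", "1 Main St", "2 Main St", date(2023, 1, 5)),
    Change("V-200", "bank_account", "****4321", "****8765", date(2024, 10, 29)),
    Change("V-300", "phone", "555-0300", "555-0301", date(2024, 10, 1)),
]

# Constructed vendor master as it stands after the changes above were applied.
MASTER = {
    "V-100": {"phone": "555-0199"},
    "V-200": {"phone": "555-0200"},
    "V-300": {"phone": "555-0301"},
}


def assess(change: Change, history, master) -> dict:
    """Return the verification action, severity and callback phone for one change."""
    window_start = change.on - LOOKBACK
    in_window = sorted(
        (c for c in history
         if c.vendor_id == change.vendor_id and window_start <= c.on <= change.on),
        key=lambda c: c.on,
    )
    # Phone on file before any edit in the window (the change itself included).
    phone_edits = [c for c in in_window if c.field == "phone"]
    callback_phone = phone_edits[0].old if phone_edits else master[change.vendor_id]["phone"]

    if change.field not in BANK_FIELDS:
        return {"action": "verify", "severity": "low",
                "prior_contact_changes": (), "callback_phone": callback_phone}

    prior = tuple(c.field for c in in_window
                  if c.field in CONTACT_FIELDS and c.on < change.on)
    return {"action": "hold_callback",
            "severity": "high" if prior else "elevated",
            "prior_contact_changes": prior,
            "callback_phone": callback_phone}


def pending_holds(history, master) -> list:
    """Vendor ids whose bank-field changes must not be applied until confirmed."""
    return [c.vendor_id for c in history
            if assess(c, history, master)["action"] == "hold_callback"]


if __name__ == "__main__":
    for c in HISTORY:
        print(c.vendor_id, c.field, assess(c, HISTORY, MASTER))
```

For V-100 the bank change is held at high severity with the phone and email edits listed as prior changes, and the callback goes to 555-0100, the number on file before the fraud-style edits began. V-200's bank change is still held, but at elevated severity, because its only other change is outside the window.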
The panelists recommended two-factor authentication, external email notifications and email scanning software to help reduce BEC fraud risks. “Austin’s IT group has several tools to combat spyware and spam,” said Brown. “We thoroughly scan every email message, which adds a little time for delivery to your inbox, but it’s added additional layers of security.”
“If you click on a link, and the next thing it’s asking you for is the user ID and password for your financial institution, you should be stopping dead in your tracks,” said Ward. “It’s not something a financial institution usually does, but people fall victim to it all the time.”
Tools like Early Warning and GIACT are increasingly in demand for validating banking details, but they should not be used as your sole barrier to fraud. “It is one of our tools in our toolbox, but it’s not the only tool,” said Brown. “We have many processes that we use to verify any information that a company’s trying to change.”
While services like account name matching are common in Europe and the U.K., their global adoption remains years away. “There are services that are sprouting up around the globe in certain jurisdictions, but it’s not universal,” said Ward. “I think we’re probably years away from that, but we are making progress as an industry and in totality, but no one has 100% coverage around the globe.”
“Everything is multi-layers of security and double-checking what you’re doing — and know who you’re doing business with,” said Ward.
Ransomware threats
When it comes to ransomware, some of the industries we would least want to be at risk are most at risk. “Healthcare and public health are most likely to be affected by ransomware, and then critical manufacturing, government facilities, IT and financial services,” said Hunt.
Preparedness is key in the fight against ransomware. Organizations should maintain and regularly test their response playbooks, train employees to recognize phishing attempts, and simulate attacks. “You should make sure that you've talked through that with your senior leaders and ensure that you've got a playbook to walk through,” said Ward.
He also cautioned that when it comes to embedded finance, you need to think about how you’re embedding things. “There was a ransomware attack recently on a technology provider for a certain industry, and those entities could not accept payments because they had relied 100% on that entity to facilitate their payments for them,” he said. “Working with your financial institution, you’ve got to make sure that while you want the payments to work seamlessly with the solutions, you don't want all your eggs in one basket and so tightly integrated that you can't keep your business going should there be issues.”
Another point to consider carefully is the fact that paying the ransom can expose companies to legal risks if the funds are traced to prohibited entities. So be sure to evaluate this scenario in advance. “It seems the choice to pay or not to pay the ransom can be subject to more legal action, especially by the federal government, if they can deem where the payment is going,” said Hunt. “You have to be careful there.”
Conduct periodic reviews
The panelists all agreed that all organizations should evaluate their banking relationships, internal controls and security policies on a regular basis. “You need to be doing periodic reviews with your banking partners as well as with your technology teams and the folks who are responsible for the policies and procedures that everybody's going through,” said Ward.
He added, “It's good hygiene to be talking through all those things and double checking what you have set up on an account and what you don't have set up on an account. You'd be surprised how many financial accounts are out there today that don't have the proper controls on them.
“Look at all of your processes. You can't just rely on the things that are occurring at your financial institutions. Think about what you can convert to digital. And once you have them on digital, be really careful when somebody's asking you to change aspects of that digital payment. If you're not using positive pay, you should be.
“You have lots of access to your financial institutions, so you have a lot of insight as to what's going on and trends. Also, talk to your peers, other CFOs, other treasurers, other accounts payable teammates and payroll teammates at other firms about what they're seeing. It helps to work together to prevent others from being victims, but also somebody else might have a good practice that they've implemented that you might want to deploy.”
2024 AFP Payments Fraud and Control Survey Report
Now in its 20th year, the survey report, underwritten by Truist, documents that 80% of organizations were victims of payments fraud attacks/attempts in 2023. This is a 15-percentage-point increase over the previous year.
Copyright © 2024 Association for Financial Professionals, Inc.
All rights reserved.