PaymentsJournal


Out of a Spy Novel: Mitigating Modern-Day Fraud

July 17, 2024
Ryan Clayton, fraud

One of the most disturbing aspects of present-day fraud is just how prevalent it has become. Around 80% of respondents to an Association of Financial Professionals survey said they were victims of payment fraud in 2023. It was a 15% increase from 2022 and the highest number since 2015.



In a recent PaymentsJournal podcast, Ryan Clayton, Director of Solution Consulting at Bottomline, and Albert Bodine, Director of Commercial and Enterprise Payments at Javelin Strategy & Research, discussed the technology and tactics criminals employ and the ways organizations can defend themselves.




The Wide-Open World

Criminals are becoming more sophisticated every day. They use technologies like ChatGPT to create more convincing phony emails and voiceover deepfakes to trick finance offices. Business email compromise is on the rise, causing losses of over $300 million per month.



“It’s hard for organizations to stay above water because fraudsters are always one step ahead,” Clayton said. “It’s under any and every vertical, all industries are under attack. Public entities like higher education institutions, healthcare facilities, and government agencies are at higher risk because their data is much more readily available. But fraud is everywhere.”



Criminals especially target companies that process a high number of payments. In commercial real estate, for instance, where invoices come in and payments go out rapidly, it’s easy for something to fall between the cracks. Companies that have high turnover, or are understaffed, are more vulnerable to attacks.



The continued use of paper checks exposes companies to fraud risk as well. More than 80% of organizations still accept paper checks, and more than 90% still use checks to make payments. The Financial Crimes Enforcement Network reported in 2021 there were 350,000 cases of check fraud, and that number rose to 680,000 cases in 2023.



“It’s so susceptible,” Clayton said. “Once that paper instrument leaves a company’s hands it’s out in the wide-open world. It may seem like something out of the Wild West, but the United States Postal Service has had postal carriers held up at gunpoint, and what they’re really looking for are business checks. If they find one, there’s no tracking it. It’s gone.”



Social Engineering

Criminals have increasingly employed tactics that exploit social engineering to manipulate employees’ actions. They study businesses to learn their behaviors. Because organizations have so much data that’s readily available online, it’s not difficult to learn how a company operates and who its partners are.



Someone posing as a vendor might call claiming their company will lose its business license if it doesn’t receive a payment today. The criminal is hoping the employee will have an emotional reaction and break protocol. Though it might seem like a spur-of-the-moment call, these criminals have likely been targeting the companies they go after for months before an attack.



Criminals have also hacked voice-over-internet-protocol (VoIP) phones. Once the phone system is breached, they can listen in on business conversations, record them, and use them against the organization.



“There have been instances of account takeover,” Clayton said. “When there are corporate phones across an organization, there have been SIM takeovers. There’s one famously involving former Twitter CEO Jack Dorsey. They took over his SIM, swapped the phone number to another phone, and acted as though they were him. To prevent that, organizations should add SIM PINs across all their phones.”



Although it’s important to leverage technology, social engineering methods mean it’s equally important for an organization to train its workforce to spot criminal tactics. However, fraud prevention training can’t be a one-time thing.



“It’s so critical that this is not just something that’s done once a year,” Bodine said. “Many companies get a survey about fraud, and they fast-forward through, check the box, and get the approval from the fraud and risk management team. Then they never hear anything about it until next year.”



Companies must continually audit themselves and stay vigilant because criminals are extremely patient. Criminals will pose as a fictitious company and charge the organization an amount that’s too small to be flagged. Over time, they gradually increase the amount. Once they have established trust, criminals will conduct a concerted attack for substantial billings. By the time the company finds out, the attackers are gone.
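The trust-building pattern described above can be checked for whenever a new invoice arrives, before it is paid. The following is an added example, not code from the article or from Bottomline; the ledger, vendor names, thresholds and the function name `escalation_alerts` are all constructed for illustration.

```python
from statistics import median

# Constructed sample ledger: (vendor, ISO date, amount in USD). Fictitious vendors.
PAYMENTS = [
    ("Northwind Facilities", "2024-01-08", 450.0),
    ("Northwind Facilities", "2024-02-06", 600.0),
    ("Northwind Facilities", "2024-03-05", 900.0),
    ("Northwind Facilities", "2024-04-09", 1400.0),
    ("Northwind Facilities", "2024-05-07", 2100.0),
    ("Northwind Facilities", "2024-06-11", 48000.0),
    ("Lakeside Paper", "2024-01-15", 1200.0),
    ("Lakeside Paper", "2024-02-15", 1150.0),
    ("Lakeside Paper", "2024-03-15", 1250.0),
    ("Lakeside Paper", "2024-04-15", 1180.0),
    ("Lakeside Paper", "2024-05-15", 1220.0),
    ("Harbor Steel", "2024-01-20", 20000.0),
    ("Harbor Steel", "2024-02-20", 22000.0),
    ("Harbor Steel", "2024-03-20", 21000.0),
    ("Harbor Steel", "2024-04-20", 23000.0),
]

def escalation_alerts(payments, review_threshold=5000.0, baseline_n=3,
                      jump_factor=5.0, min_history=4):
    """Map vendor -> (latest invoice / early baseline) for suspicious ramps.

    Thresholds are assumed policy values, not figures from the article.
    """
    by_vendor = {}
    for vendor, _date, amount in sorted(payments, key=lambda p: p[1]):
        by_vendor.setdefault(vendor, []).append(amount)

    alerts = {}
    for vendor, amounts in by_vendor.items():
        if len(amounts) < min_history:
            continue  # too little history to establish a baseline
        history, latest = amounts[:-1], amounts[-1]
        baseline = median(amounts[:baseline_n])
        # Trust-building phase: every earlier invoice stayed under the review limit.
        quiet = all(a < review_threshold for a in history)
        # Most consecutive invoices increased (tolerates an occasional dip).
        rises = sum(b > a for a, b in zip(history, history[1:]))
        rising = rises >= 0.75 * (len(history) - 1)
        ratio = latest / baseline
        if quiet and rising and ratio >= jump_factor:
            alerts[vendor] = round(ratio, 1)
    return alerts
```

Only the vendor whose small invoices ramp up and then jump is flagged; the steady small vendor and the established large vendor are not.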



Prevention is Key

It’s extremely rare to recuperate funds from fraud, especially when the attack involves checks. That means prevention is the key aspect of fraud mitigation.



“Protecting yourself against business email compromise is critical, because it’s targeted at a business directly in those cases,” Clayton said. “In spear phishing, fraudsters target payers in an organization and impersonate a vendor. Sometimes public entities have a contract out for bid and the fraudsters pose as the winner of the contract, because all that information is public.”



In those instances, criminals will often ask for funds upfront, or at least a certain percentage for services or materials. Once the check is cut, the funds are lost. One way to mitigate that risk is to use a virtual card, which is a safer and faster way to pay vendors. ACH is an option, but there are risks involved if businesses don’t fully verify the vendor’s information before sending the payment.



Accurate vendor verification should include digital bank authentication and follow-ups to ensure the organization is routing the payment to the correct vendor and bank account. Another way to verify vendors is through device fingerprinting. If a vendor normally logs in from Chicago and one day the login comes from Nigeria, it’s a red flag.



Verification should include an Office of Foreign Assets Control check to make sure the vendor isn’t on a terrorist watch list, plus a validation to ensure the vendor isn’t operating from a blacklisted IP address. Another way to spot fraudulent websites is to confirm the age of a site’s URL. Criminals will often create new websites to impersonate vendors.
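The verification checks from the two paragraphs above (unusual login location, watch-list screening, blocked IP address, site age) can be combined into one pre-payment gate. This is an added example, not code from the article or from Bottomline; the reference lists, field names and the 180-day age limit are assumptions, and it assumes the domain registration date was already looked up. Real sanctions screening uses the official list with fuzzy matching rather than the exact match shown here.

```python
import ipaddress
from datetime import date

# Constructed stand-ins for real feeds (not actual OFAC or threat-intel entries).
SANCTIONED_NAMES = {"example sanctioned trading llc"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
MIN_DOMAIN_AGE_DAYS = 180  # assumed policy value

def verify_vendor(vendor, login, today):
    """Return the red flags raised by one vendor login or bank-detail change."""
    flags = []
    # Watch-list screening on a whitespace- and case-normalized name.
    if " ".join(vendor["name"].lower().split()) in SANCTIONED_NAMES:
        flags.append("sanctions_match")
    # Source address inside any blocked network.
    ip = ipaddress.ip_address(login["ip"])
    if any(ip in net for net in BLOCKED_NETWORKS):
        flags.append("blocked_ip")
    # Login from a place this vendor has not been seen in before.
    if login["location"] not in vendor["usual_locations"]:
        flags.append("unusual_location")
    # Recently registered website, a common sign of vendor impersonation.
    if (today - vendor["domain_registered"]).days < MIN_DOMAIN_AGE_DAYS:
        flags.append("new_domain")
    return flags

def hold_payment(vendor, login, today):
    """Any flag routes the payment to manual follow-up instead of release."""
    return bool(verify_vendor(vendor, login, today))

# Constructed sample records.
TODAY = date(2024, 7, 17)
KNOWN_VENDOR = {"name": "Midwest Paving Co",
                "usual_locations": {"Chicago, US"},
                "domain_registered": date(2012, 3, 1)}
LOOKALIKE_VENDOR = {"name": "Midwest Paving Co",
                    "usual_locations": set(),
                    "domain_registered": date(2024, 6, 20)}
NORMAL_LOGIN = {"ip": "198.51.100.7", "location": "Chicago, US"}
ODD_LOGIN = {"ip": "203.0.113.45", "location": "Lagos, NG"}
```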



Integrated Leadership

A fraud management plan should be integrated into every aspect of an organization, including its leadership.



“Make your fraud mitigation leaders a meaningful part of the leadership team,” Bodine said. “Much too often, organizations reach out to their fraud and risk management team after it’s already too late. Don’t put those people in a closet and take them out once a year.”



Though training is a critical step in fraud prevention, many aspects of modern-day fraud require technical solutions. Unfortunately, many companies don’t have the bandwidth to research and implement them.



Partners can help companies upgrade to electronic payments like virtual cards and facilitate the elimination of paper checks. They can also conduct vendor verification and email reviews and can deploy multifactor authentication across an organization.



“Ask yourself, what do I have the capability to do?” Clayton said. “Most organizations don’t have network-wide shared threat intelligence. That may sound like something out of a spy novel, but those are the kind of tools that are required to beat the fraudsters at their own game. There are so many facets to this, and if a company can’t check all these boxes, it’s time to talk to a partner that can help.”



Discover more actionable ways to protect against payments fraud in this guide from Bottomline.

The post Out of a Spy Novel: Mitigating Modern-Day Fraud appeared first on PaymentsJournal.