As I have previously written, payments fraud has in the past year increased to levels we have not seen before. The 2018 AFP Payments Fraud and Control Report revealed that, after a couple of years of decline, payments fraud rose to a record high of 74 percent in 2017. While I wasn’t surprised to see an additional increase in the past year, I certainly didn’t expect fraud levels to jump up to 78 percent. This dramatic increase in just one year must be seen as alarming.
So, what is behind this increase? Well, when you look at fraud for different payment methods, it is clear that checks and wires stand out. Checks previously saw a steady decline, but this has leveled off over the past few years. Wire fraud began to surge around 2014 and remains at a very high level.
One likely reason for the high level of check fraud is the generally high use of checks for B2B transactions in the United States. Check fraud has also become easier to commit, thanks to new technologies such as sophisticated imaging devices.
The most likely reason for the increase in wire fraud is the pervasiveness of business email compromise (BEC) scams. When these scams started emerging, they took everyone by surprise. Criminals gathered as much information as they could on their targets and managed to impersonate CFOs’ and CEOs’ emails requesting payments to fraudulent accounts.
The reason BEC scams most often target wire payments is that wires are fast and very difficult to retract. Criminals also often use the time difference between regions to their advantage. If a BEC scam aims to have a wire released by the end of the workday in the U.S. and sent to a region in Asia, the fraud may not be detected until the next morning. By then, the funds are most definitely gone.
But BEC scams may also be a key reason why check fraud is elevated; for the third year in a row, checks as a target for BEC scams increased, though they are still considerably lower than wires. In the most recent report, we noted that smaller organizations actually saw more BEC fraud than larger organizations. This is a trend breaker, since large organizations historically have seen more of these scams. When criminals target smaller organizations, it is also plausible that they would request that the payment be made by check, just to follow what would be seen as a normal routine when dealing with smaller businesses.
The release of the AFP Payments Fraud & Control Survey was followed by a companion webinar that looks more into the latest trends of payments fraud. The webinar had a poll question on what payment method worries the attendees the most. For the past couple of years, checks have seen a steady decline, while wires have seen a similar increase. At this year’s companion webinar, the results actually came out a little different; concern for checks saw an increase while wires saw a decrease. This may be another affirmation that smaller organizations and checks are being targeted more for BEC than previously.
Why BEC Scams Still Work
Most professionals I talk to are well aware of BEC scams. At the same time, our survey shows that this kind of fraud is increasing. Why is that? You would think that once awareness of the scams is widespread, they would not be as attractive anymore.
It is important to note that criminals are very careful not to raise any red flags; they do their homework and make their messages extremely authentic looking. That’s why BEC scams continue to work, even after years of warnings from law enforcement and countless articles detailing the methods criminals use.
Furthermore, BEC scams take new shapes and forms, making them increasingly difficult to detect. At a recent event where I gave a presentation on payments fraud, an attendee mentioned something that made perfect sense. She noted that email messages may look different on mobile devices than on computer screens. Reading an email on a mobile device may make you more susceptible to falling for a scam, as you may not be as much on your guard. Could this be? If so, it may also explain why phishing attacks are still working as well as they are. Your guard may be down when using a mobile device. I think there is a lesson here.
I will definitely bring this up during my next speaking engagement at the Payments Innovation Alliance meeting in Geneva, Switzerland in June. I’m also very much looking forward to gaining more insights from our European friends on this topic and what they are doing to battle payments fraud—particularly BEC scams.
When it comes to payments fraud, there is no such thing as a safe space. If there is value to be had, criminals will want to pursue it. Protecting your organization completely against fraud is not possible. However, there are a number of things you can do. For example:
- Use protective services, such as Positive Pay
- Look into enhancing internal controls, especially regarding initiation of payments
- Beware of the information exposed on the company website; it can be used against you
- Segregation of duties
- Multilayer authentication
Having protective measures in place makes your organization safer. Criminals often look for cracks in the systems, or weaker systems. If they encounter strong protection, they will likely move on to an easier target.
We’ll be covering this topic in depth at AFP 2018 with sessions like “Financial Reporting and Employee Theft-You Think You Are Immune?,” “Cybersecurity: The Critical Role of Your Human Firewall” and “Treasury Fraud: Locking Down Your Best Defense.” Check out the full schedule here.