With the Colonial Pipeline ransomware crisis still in full bloom and grabbing the collective attention of millions, one must remember that the everyday threat of payments fraud still looms for businesses across the globe. This posting at the BAI site is from a fraud exec at Bottomline Technologies and speaks to results from a recent fraud survey conducted amongst financial professionals (mostly treasury).
Although this is a different survey from the annual AFP fraud survey, and includes a multi-regional aspect, some of the findings overlap and so represent a relatively consistent view of certain threats faced by companies. Those interested can download the referenced report as well.
‘One-fifth of survey respondents said their fraud experiences had a pandemic connection. This isn’t surprising considering that the rapid transition to remote working scenarios often outpaced the ability of businesses to ramp up defenses. That trend was harsher for smaller businesses, who attributed a quarter of their experienced fraud to the pandemic…. In the world of remote working, two factors likely drove this finding: an increased incidence of malicious link clicking, and greater use of personal devices for work activity. Nearly half of these small businesses said that providing compliance through treasury fraud and controls services has become more burdensome…. Smaller firms have fewer payment junctions and channels to protect, but they also have far fewer resources to defend against scaled, syndicated attacks that increasingly hit them by “accident.” So, as we think increasingly about protecting across payment junctions, we have to collectively respond to the implications for smaller corporates.’
The direct commonality with the AFP report is the threat of business e-mail compromise (BEC), as well as the use of wires, and the rising use of ACH, as the payment type in the fraud scheme. This has been quite consistent for a few years now, as we have reported in member research as well.
Many readers will likely have been confronted with such attempts, especially in the remote working environment, where some may have let their guard down or fallen prey to new twists in the old schemes. We will typically thwart attempts like these (which the author refers to as ‘authorized fraud’ as well) by deleting the e-mails, etc., but some get through of course.
The piece also discusses what companies are investing in regarding payments modernization, including anti-fraud tech, so the piece and the report are worth spending some time reviewing for interested parties.
‘Close to 90 percent of bank respondents to the Strategic Treasurer survey perceive business email compromise (BEC) and “authorized” fraud to be the greatest risk to their businesses over the next year or two. Those reporting fraud losses due to BEC and related fraud have nearly doubled over the last two years…. This establishes a clear call-to-action. Recognition of risks and potential gaps across the customer base, combined with education and training, are critical efforts that can be undertaken by banks to protect customers. It’s not enough to have compulsory, static training. We’re seeing increasing success among those who are modernizing the education within payment landscapes. They’re gamifying education, leaving a message that sticks…. The uptick in internal fraud, authorized push payments and invoice fraud begs questions about how to tackle these threats better. Tools like Confirmation of Payee (CoP) in the UK start us on this road. We expect bigger banks and bigger companies to do more on this front. Bringing our resources and intelligence together across financial services, fintech and business can and will make a difference here.’
Overview by Steve Murphy, Director, Commercial and Enterprise Payments Advisory Service at Mercator Advisory Group