Business-to-Business Payment Fraud

Who's at Risk?

No organization is immune. Of the 617 firms responding to the 2019 Association for Financial Professionals (AFP) Payments Fraud and Control Survey, 82% report their organizations were targets of payment fraud in 2018 — the highest level ever reported in the 15 years of the survey^†.

Furthermore, 34% of respondents reported an increased number of payment fraud attacks in 2018^†. Larger organizations with more payment accounts were the most likely to see an increase in attacks.

These numbers suggest that criminals are succeeding in their attempts to swindle companies and will continue to target more organizations over time.

“Payments fraud is a persistent problem that is only getting worse despite repeated warnings and educational outreach,” said Jim Kaitz, AFP president and CEO, in a statement. “Treasury and finance professionals need to learn the latest scams and educate themselves — and perhaps more importantly — their work colleagues on how to prevent them^‡.”

How does it happen?

Payment fraud ranges from age-old tactics to new, technology-driven methods. The most common types of fraud reported in the AFP survey are as follows:

Check Fraud

Check fraud continues to be the most common type of payment fraud, as paper checks remain a commonly used payment method by businesses^†. Fraudsters can acquire unsecured check stock directly from the business or intercept mail to get a check that they will chemically wash to alter payment information.

Wire Transfer Fraud

This type of fraud has grown to become the second-most reported type of payment fraud—increasing 800% since 2011. The dramatic increase in wire transfer fraud is commonly associated with an increase in Business Email Compromise (BEC) tactics^†. (We’ll detail more about BEC later in this section.)

ACH Fraud

Though ACH is considered more secure than checks, a 17.86% increase in reported ACH debit fraud from 2017 to 2018^† could indicate that criminals are getting savvier at bypassing current security measures.

Corporate Credit Card Fraud

Currently the fourth-most common type of payment fraud^†, incidents of credit card fraud tend to have more upward and downward swings from year to year that seem to coincide with large data breaches at retailers where card data was stolen.

“Businesses may not notice fraud attempts right away because criminals might test a small amount first,” said Ashley Sutor, senior vice president, enterprise payments and fintech program manager at Huntington. “Once they have routing and account numbers, they attempt a $5 or $10 transaction. If that’s successful, they continue to access the account for more money. Businesses need a full account reconciliation to guard against fraud^§.”

Business Email Compromise

Business Email Compromise (BEC) is a tactic that fraudsters are increasingly using to trick unsuspecting company personnel into making an unauthorized transfer of funds.

Percentage of Attempted/Actual Fraud reported by the surveyed organizations^†.

• Checks - 70%
• Wire Transfers - 45%
• Corporate Credit Card - 29%
• ACH Debit - 33%
• ACH Credit - 20%

Commonly, the criminals spoof the email account of an established vendor and request the company wire all future invoice payments to an alternate, fraudulent account. Or they hack an executive’s internal email account and send an urgent request for a funds transfer directed to the criminals’ account^†.

“BEC scams have evolved beyond the fraudulent transfer of funds,” says Jessica Greene, vice president, treasury management fraud at Huntington. “During the last tax season, criminals targeted human resource departments posing as company executives requesting employee W2 information via email. This information was then used in a variety of identity theft scams^#.”

Account takeover is a growing concern for businesses as well. In account takeover, a fraudster gains control of a customer’s account and places an order shipped to him instead of the true account holder. Since only the shipping address changed on the order, merchants rarely identify it as fraudulent.

According to data from Forter’s 2019 Fraud Attack Index, Account Takeover (ATO) has remained high, increasing by 45% by the end of 2018 compared to the beginning of 2017^Ұ.

Tips to Help Prevent Business Email Compromise Payment Fraud

1. Be suspicious of requests for secrecy or to take action quickly.
2. Don’t rely on email when requests are made to change payment instructions. Verify using a known phone number.
3. Beware. Criminals attempt to make emails look legitimate by using the name and logo of a real company.
4. Look for poorly worded messages and grammatical errors.
5. Remember that government agencies will never request a wire transfer.
6. Watch for phrases “code to admin expenses” or “urgent wire transfer” found in many fraudulent communications.
7. Create an environment where staff members feel comfortable voicing concerns when they think something is amiss.
8. Implement a dual approval process to verify whether the transfer should occur.

Why does it Matter?

The potential financial loss from an attempted or actual payment fraud can create a serious hardship for a company.

Thirty-one percent of businesses that responded to the AFP survey as having experienced payment fraud reported potential losses of $250,000 or more. And a staggering 12% of those expect potential losses of $2 million or more^†.

“It’s not just about the stolen money,” said Will Carlin, D & O and cyber product manager for Huntington Insurance. “Many businesses don’t even consider that the cost also includes lost productivity from staff shifting focus to investigating the incident and any technology investments or process remediation that is required to prevent future fraud^¥.”

Plus, fraud can expose your confidential business and personnel information, which can impact your organization’s reputation and put your valued employees at risk.

“Most companies focus on the immediate monetary loss. But there’s a reputational risk to payment fraud,” said Sutor. “If other companies don’t believe payments are safe, they may shy away from doing business with you^§.”

Bottom line: Not having protection against fraud leaves an organization exposed to unnecessary risk and expense.

What can you do?

Companies cannot be complacent in their efforts to manage and mitigate payment fraud. The most important step is to create a plan.

“Businesses need a fraud plan in place to know exactly what steps to take when an incident happens. For example, do you know who to call first if you experience fraud? You should,” said Sutor. “We’ll help you figure it out ^§.”

Your bank can be a great resource for advice and assistance in establishing your payment fraud plan.

“A knowledgeable institution, like Huntington, can help a business establish a proactive defense,” said Greene. “Over the years, we have helped many clients deal with payment fraud attacks. Using that experience, we have developed products and services that can help organizations of all kinds minimize their exposure^#.”

For example, Huntington offers a Business Security Suite of Treasury Management products designed to help guard against both paper and electronic payments fraud.

At the heart of the Business Security Suite is Check Positive Pay and ACH Positive Pay. Check Positive Pay is a daily verification process to detect fraudulent, altered or counterfeit checks by matching all issued checks to a check-issue file you provide. If the dollar amount, check number and account don’t match, the check is flagged. ACH Positive Pay helps you control your ACH transactions using filters and blocks.

Check Block is another product in the Business Security Suite. It designates your business checking account to make only electronic transactions. All paper-based activity is automatically rejected to eliminate altered, stolen or forged check fraud. Wire Block is an electronic fraud mitigation solution that helps reduce the risk of wire fraud by blocking wire debits from coming out of your business account.

Huntington also provides Cyber Liability Insurance through Huntington Insurance^Ɫ. By offering insurance coverage in addition to standard financial services, Huntington offers a more comprehensive and convenient way to help businesses protect themselves against the negative impacts of payment fraud^Ⱡ.

Customized cybercrime insurance coverage can include any or all of the following:

• Breach Response/Crisis Management
• Cyberextortion
• Business Interruption Extra Expense Loss
• Data Restoration Coverage
• Network Security Liability
• Privacy Liability
• Regulatory Coverage
• Website Media/Multimedia Coverage
• Professional Liability

For businesses that need to upgrade technology or replace aging IT infrastructure as part of their payment fraud mitigation plan, Huntington has a variety of financing options to assist with updates^Ω.

Ask your banker to help review the risk management plan for your business. It’s a great way to help identify potential gaps and learn about what products and services will make the greatest impact on your ability to defend against payment fraud.