How to Safeguard Your Business From Payment Fraud

With smart technologies enabling fraud attacks, it pays to be proactive.

While it may seem natural that emerging technologies are bolstering businesses against incidents of payment fraud, that is not always the case.

“With the rise of more sophisticated technology and cybercrime, businesses are actually more vulnerable today, not less,” says Jeffrey A. Taylor, Head of Fraud Forensics and Commercial Payments Strategy at Regions Bank in Birmingham, Alabama. “It’s more important than ever to understand the attack vectors these criminals might use, in order to be proactive and keep your enterprise secure.”

Business email compromise (BEC), the use of impersonation emails that appear to be from someone the recipient knows, like a vendor or company employee, is the most common method of attack, according to industry reports. Paper checks are the payment type most vulnerable to fraud. In addition, instances of fraud via commercial cards are on the rise, as are ACH fraud and fraud involving virtual cards.

So what proactive steps can business leaders take to prevent payment fraud?

Certain Sectors Can Be More at Risk

According to a 2023 analysis published by the Financial Crimes Enforcement Network, one of the industries most frequently targeted by criminals is the real estate sector.

Several key factors make real estate transactions particularly vulnerable, including:

  • The large dollar amounts associated with real estate transactions.
  • Access to readily available public records.
  • Ease of impersonation via email.
  • Lack of strong authentication processes within the industry.

In addition, both the retail and financial sectors are frequent targets for scammers and other such criminals. Retail businesses can be vulnerable owing to the high number of transactions, many of them conducted via e-commerce and digital payment sites. Financial institutions attract those with malicious intent owing to their vast number of customer accounts.

Graphic: “How Scammers Can Compromise a Payment”

Tactics vary, but here is a common way for cybercriminals to target your business.

  1. They Research You. Criminals search for public information (including social media) about your business, your vendors and your employees.
  2. They Impersonate a Vendor. Criminals send an email that appears to come from an existing vendor. They may even have access to a legitimate vendor’s email.
  3. They Change Terms. Criminals email you a new bank account number for all future payments.
  4. An Invoice Arrives. You receive a legitimate invoice from your vendor who doesn’t know about the change in terms.
  5. You Pay the Invoice. You or your employees pay the invoice, but the money goes to the new bank account controlled by the scammer.

Examples of Payment Fraud

Payment fraud can take many forms. Here’s a look at some real-world examples of payment fraud.

  • Case #1: Internal, ACH and check fraud. An affordable housing developer learned that a former controller had been using company funds to pay personal bills via ACH. The client also learned that checks had been duplicated and that attempts had been made to cash them.
  • Case #2: Wire fraud. An office manager at an affordable housing developer and property management company received an email that appeared to be from the company CFO, requesting a wire transfer of funds to another institution. The office manager fulfilled the request, and the company later learned the email had been fraudulent.
  • Case #3: Business credit card fraud. When seven business credit cards were compromised within three weeks, the owner of this multifamily and affordable housing client had his personal credit card shut down because his Social Security number was connected to those business cards.

How to Prevent Payment Fraud

Taking proactive steps to prevent payment fraud is a necessary part of risk management in today’s business landscape. Two of the most effective ways to protect your business are educating yourself about common threats and training your employees on how to identify fraud attempts.

“Establishing internal controls to prevent payment fraud is no different than having a business continuity plan in case of a disaster,” says Taylor. “It’s something you need to do.”

After all, there is a lot at stake. Many businesses are unsuccessful in recouping any stolen money. And a company’s reputation can suffer as well.

Here are several steps you should take to protect your business against payment fraud:

  1. Train your staff.

    Hold regular training for staff members so they can learn how to spot the signs of payment fraud. Your employee training program should cover how to detect fraud as well as best practices to proactively prevent it, such as the “stop, call and confirm” method. When an employee receives an unusual or suspicious request, they should stop, contact the individual the request appears to be from using a known phone number or email address, and confirm the details of the request before proceeding.

  2. Be on the lookout for suspicious emails.

    Email is a common method of attack. There are two main types of fraudulent emails to keep an eye out for: BEC and phishing emails.

    • Business email compromise: With BEC scams, fraudsters often use information gleaned from public records and social media to make these emails appear legitimate. If you receive an email asking for a payment or requesting a change in vendor payment terms, call the sender at a number known to you to verify the request. If the email appears to be from an internal employee, remember to stop and verify the request with someone else at your company. Don’t respond to the email or call the number listed in the email—it may be controlled by an impersonator. Instead, use known contact information to verify the details.
    • Phishing emails: Criminals create realistic-looking emails purporting to be from a familiar business such as your bank, a package delivery company, your cell phone provider or a popular online retailer. If a recipient clicks on the link and enters any sensitive information, the criminal can steal this data and use it for malicious purposes. If you receive an email or text message that you’re unsure about, avoid clicking any links. Instead, manually enter the site’s URL into your browser, or contact their customer service team for guidance.
  3. Set up dual approval processes.

    In addition to knowing how to spot the signs of a payment scam, it’s also important to prevent fraud with internal controls. Set a dollar amount threshold and require two-employee approval for any transactions exceeding this amount. Requiring two sets of eyes on large transactions decreases the chance of a fraudulent payment going through, while also protecting your business against occupational fraud.

  4. Avoid use of paper checks.

    While the use of paper checks has gone down over time, check fraud remains high. Criminals continue to target these transactions because the time it takes for a check to process gives them leeway to get away. While technology has made it easier than ever for criminals to create realistic-looking checks using stolen account information, some fraudsters also use low-tech methods, such as altering the name or the amount on a legitimate check, a technique called “check washing.”

  5. Practice strong cybersecurity.

    Because criminals can also target more modern payment methods by exploiting network vulnerabilities, it’s also important to boost your cybersecurity efforts. In addition to best practices such as using an encrypted wireless network, be sure to establish the following safeguards:

    • Require employees to communicate via company email addresses. The use of free email accounts (yourcompany@gmail.com, for example) can make it easy for scammers to impersonate your business.
    • Set up multi-factor authentication for all company accounts and require employees to do the same.
    • Use strong passwords and avoid using the same credentials on multiple platforms.
  6. Monitor account activity.

    Often, payment fraud victims don’t realize a crime has occurred until months after the event, making it harder to figure out what happened and mitigate damages. Spot issues early by appointing someone to monitor account balances regularly and report any suspicious activities, or use a product designed to do so.

    Consider implementing ACH Alert, which automatically monitors ACH debit activity to alert you of any unauthorized or suspicious transactions or transactions above a specific amount or transaction level. Users then have the option to decline ACH debits.

Protecting Your Business

In addition to the above steps, your Regions banker is a good source of information about the latest trends in payment fraud, as well as products and services designed to help you stop fraud attempts against your business. To learn more about ACH Alert and other tools to help you protect your business against fraud, visit regions.com/stopfraud.


Three Things to Do

  1. Set up flexible security controls using Regions’ iTreasury platform.
  2. Implement Positive Pay, which lets you compare and verify the checks you issue to those presented for payment against your account.
  3. Learn more about fraud prevention and awareness.


The information presented is general in nature and should not be considered legal, accounting or tax advice. Regions reminds its customers that they should be vigilant about fraud and security and that they are responsible for taking action to protect their computer systems. Fraud prevention requires a continuous review of your policies and practices, as the threat evolves daily. There is no guarantee that all fraudulent transactions will be prevented or that related financial losses will not occur. Visit regions.com/STOPFRAUD, or speak with your Banker for further information on how you can help prevent fraud. References or links to third-party websites do not imply endorsement.
