The Most Common Payments Fraud Threats
Payments fraud has always been prevalent, but fraudsters tend to increase their activity in times of uncertainty and change—and not-for-profit organizations are not immune. According to the Association for Financial Professionals, 74% of financial professionals reported their organizations were targets of payments fraud in 2020.
While organizations are aware of increasing threats, the tactics fraudsters use continually evolve and are more sophisticated than ever. The pace at which we all operate and the continued demand on payment staffs leave many organizations exposed, especially in the context of the COVID-19 pandemic. As a result, fraudsters are more successful each year.
The following outlines some of the most common types of fraud.
Check fraud. Despite a steady decline in the use of checks, they remain the most popular payment method for transactions between businesses in the U.S. That’s why check fraud, while on the decline, remains the most prevalent type of payment fraud. Checks are more vulnerable to fraud as they contain critical information (account number, routing number, signature, address). Check fraud can include the following:
- Check theft. This includes two types. 1) Stolen canceled checks—when banking information from stolen canceled checks is used to order checks from a mail-order check printer; checks can then be written on the new stock. 2) Stolen check stock—when blank check stock already encoded with customer account information is stolen.
- Check alteration. An unauthorized change made to one or more of the completed details of an originally authorized item (date, payee, amount, MICR line); check washing is a method used to alter checks.
- Counterfeit checks. Checks produced without authorization from the account owner that may or may not resemble the valid check.
ACH fraud. As organizations shift from checks to electronic payment methods, ACH fraud has been on the rise. ACH payment fraud can be executed in one of two ways:
- ACH debit fraud. The most common type of ACH fraud in which a fraudster initiates an ACH debit against your organization’s account. The fraudster only needs two pieces of information: your bank routing number and bank account number.
- ACH credit fraud. A fraudster gets your organization to initiate an ACH payment to their account. Often, a fraudster imitates an existing vendor and advises you of a change in their banking information (typically via email, fax or phone). In other cases, a fraudster hacks an employee human resources profile and updates the direct deposit bank account information to redirect funds.
Wire fraud. According to the 2021 AFP survey, wire fraud remains the second most common payment method targeted for fraud. Fraudsters that compromise an organization’s email may use the information they find, such as banking credentials, to access its banking systems.
Corporate credit cards. This is commonly perpetrated via phishing and business email compromise schemes. It often occurs through bigger data breaches when card data is made available to unauthorized users. Fraudsters will often use this data to create counterfeit cards for use in card-not-present transactions (such as online or phone orders). The AFP survey cites a few other examples of credit card fraud, such as employee abuse, cash advances on purchasing cards and cards used for personal purchases.
Business Email Compromise, or BEC. While the source of the fraud may vary by payment type, BEC represents the largest source of attacks. In 2020, 62% of organizations reported exposure to BEC attacks. While BEC fraudsters continue to improve their schemes to request seemingly legitimate payments at the financial and reputational expense of their victims, they usually involve common elements.
- Email impersonators. Fraudsters attempt to mimic members of your team or vendors you have a relationship with. Impersonators often assume the identity of someone with authority, such as the CFO or executive director, to direct staff to act urgently and without question. They can also pose as a vendor and request a low-profile administrative task to update routing and account information.
- Lookalike email addresses. BEC fraud attempts often use email addresses that closely resemble a legitimate address. For example, they may use “cornpany.com” as a lookalike domain for “company.com.” Review every email address carefully to ensure the message is actually coming from within your organization or a known vendor. In some cases, fraudsters can mask an email address to make it appear like the message is coming from within your organization. However, by hovering over the email address or hitting reply, the actual email address appears. When replying to emails, it’s a best practice to delete the information in the “To” field and manually enter the contact information you have on record.
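The lookalike-domain and masked-sender checks described above can be run automatically as a first-pass filter on inbound mail. This is an added example, not part of the original article; the trusted-domain list, the table of confusable characters and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: domains you have on record (your own plus known vendors).
TRUSTED = {"company.com", "vendor-example.com"}
# Small constructed set of sequences that read alike at a glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def skeleton(domain):
    """Collapse confusable sequences so 'cornpany' and 'company' compare equal."""
    for seq, repl in CONFUSABLES:
        domain = domain.replace(seq, repl)
    return domain

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Classify a From: header as trusted, masked, lookalike or unknown."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED:
        return ("trusted", domain)
    # Display name shows a trusted address while the real address is elsewhere.
    for t in TRUSTED:
        if "@" + t in display.lower():
            return ("masked", t)
    # Real domain is not on record but reads like one that is.
    for t in TRUSTED:
        if skeleton(domain) == skeleton(t) or edit_distance(domain, t) <= 1:
            return ("lookalike", t)
    return ("unknown", domain)

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    'Pat Lee <pat.lee@company.com>',
    'Pat Lee <pat.lee@cornpany.com>',
    '"pat.lee@company.com" <pat.lee@mail-example.net>',
    'Accounts <ar@vendor-exanple.com>',
]
if __name__ == "__main__":
    for header in SAMPLES:
        print(check_sender(header), header)
```

A "trusted" verdict only means the domain string matches the list; it does not show that the message was authenticated. A one-character edit-distance threshold can flag unrelated short domains, so review hits rather than blocking on them.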
There is no single action an organization can take to prevent fraud. Given the financial and reputational damage at stake, it’s imperative to establish a comprehensive fraud-mitigation strategy, if your organization hasn’t already. Doing so will help reduce the likelihood of an event, as well as minimize the damage should one occur.
Mark Bockelmann, BMO Commercial Bank TPS Treasury Consultant, contributed to this article.
Oscar Johnson
U.S. Head of Commercial Sales for Treasury and Payment Solutions
312-461-8361
Oscar is the U.S. Head of Commercial Sales for Treasury and Payment Solutions for BMO Commercial Bank. His group is responsible for providing cash management, …(..)