With all our attention consumed by the shapeshifting new normal, you probably want to hear that payment fraudsters have taken a holiday. But they haven’t.
A new AFP survey on payment fraud shows 80 percent of organizations experienced attempted or actual payment fraud last year. Payment fraud remains at a high level, having jumped up 11 points in 2015 to 73 percent of organizations and rising to 81 percent in 2018.
The target areas? Checks (at 75 percent of organizations), followed by wire transfer (40 percent), commercial credit card (34 percent), ACH Debit (33 percent), and ACH Credit (22 percent). As the AFP report states, “ACH payment methods appear to be of interest to fraudsters.”
Business email compromise or “BEC” has boomed, the study says. It is the first year that BEC has taken the lead spot among the sources of payment fraud. Fraudsters are becoming more sophisticated in their BEC technique.
NACHA’s Michael Heard, SVP ACH Network Administration, points out that checks “not only have the highest level of reported fraud, but also an increasing rate of fraud during a period when check use has dropped substantially.” At the same time, he continues, “The report also shows that fraud rates remained nearly flat for ACH during a period when the use of ACH is increasing robustly.”
That’s the good news for ACH payments. The bad news is that a flat rate is not the same as a flat total number and even if it was, if you were in that number, you still got attacked and maybe stung.
Same-day ACH, together with an increase in the use of ACH for business payments over the last several years, has made ACH a more attractive target. Remember why Willie Sutton robbed banks: “That’s where the money is.”
Frank McKenna is co-founder of PointPredictive and writer of the blog FrankonFraud.com. Frank says, “Hackers and fraudsters have learned that infiltrating and taking over corporate and business accounts is extremely lucrative. Business and Corporate deposit accounts can result in million-dollar fraud schemes while personal accounts may only net the fraudsters a few thousand dollars.”
InvoiceInfo has just closed a survey of its own looking at ACH in the context of vendor information management. The survey will be published soon. But one of the early findings is that 71 percent of organizations collect vendor bank account information via email. That is not a secure way to collect sensitive financial information.
There are two problems with using email. One is that a fraudster could intercept the vendor’s email and alter the account information, leading to a misdirection of payments. The other is that a fraudster could capture the vendor’s account information, whether in transit or through a data breach of your server, then rob the vendor’s account.
These possibilities point to the critical importance of controls such as account validation processes and the use of ACH debit blocks. But they also point to the need to transmit account information more securely than through email.
So, while companies are focused on operating in the new safe ways from a health standpoint, payment fraud continues to be a threat. Companies cannot drop their guard, but must sustain the processes and procedural controls to address fraud. For more on best practices for fraud protection, see NACHA.org, and other resources available online.
For help with secure vendor account data transmission, contact us to see how VendorInfo can help.