The rate of payments fraud slightly declined in 2020 but still impacted many organizations, according to the 2021 Association for Financial Professionals Payments Fraud and Control Survey report.
Nearly three-quarters of organizations were still targets of an actual or attempted fraud attack in 2020, down from 81 percent in 2019, the report states. Banks with at least $1 billion in annual revenue were more likely to have experienced attempted and/or actual fraud in 2020 than smaller organizations (78 percent to 67 percent, respectively). However, actual financial losses from such attacks continued not to be damaging in most instances: Fifty-three percent of respondents whose organizations had fallen victim to fraud faced either no loss or a loss of less than $50,000.
The surveys, conducted since 2005, are intended to examine the nature of fraud attacks on business-to-business transactions, the payment methods impacted, and the strategies organizations adopt to protect themselves against such criminals. AFP surveyed more than 9,000 of its corporate practitioner members and contacts. The largest share of the organizations surveyed (33 percent) had annual revenue ranging from $1 billion to $4.9 billion. The next-highest revenue ranges included those with $500 million to $999.9 million (16 percent), $250 million to $499.9 million (12 percent), and $5 billion to $9.9 billion (10 percent).
Business email compromise — a scam in which criminals use emails to trick accounting departments into transferring funds to illegitimate accounts — continued to be the primary source of payment fraud activity, a situation worsened during the pandemic as employees working from home were unable to verify such emails with colleagues. Examples of possibly fraudulent emails cited in the report include someone posing as a regular company vendor sending a message with updated payment instructions to use for future invoice payments; a scammer claiming to be a company CEO asking an assistant to purchase dozens of gift cards; and a fraudster purporting to be a company executive sending an email requesting urgent payment and saying they could not speak on the phone.
To prevent such fraud, AFP advises banks to train all employees to identify hoax emails or requests, to have validating systems in place and to implement callbacks. In the report, bank leaders said they had prevented fraud by implementing company policies to appropriately verify any changes to existing invoices, bank deposit information and contact information. They also confirmed fund transfer requests by calling back an authorized contact at the payee organization using a phone number from a system of record; instituted internal controls prohibiting payments initiation based on emails or other less secure messaging systems; required authorized signoff from senior management for transactions over a certain threshold; and adopted, at minimum, two-factor authentication or added other layers of security for access to the company network and payments initiation.
Paper checks and wire transfers continued to be the payment methods most impacted by fraud, according to the report (66 percent and 39 percent, respectively). Corporate/commercial credit and debit cards also continued to be prone to payments fraud attacks but were less impacted by such crime than in prior years due to a widespread shift from magnetic stripe cards to smart-chip cards, according to the report, while the use of algorithms and machine learning is helping to catch and contain fraud faster.