How to Prevent Payment Fraud
The number one way to prevent payment fraud is to verbally verify payment instructions using a trusted phone number. A trusted phone number is a phone number NOT included in the body of an email/text or in an invoice (whether received through regular mail or attached to an email).
For most businesses, hardly a day goes by when they don’t perform critical functions such as paying bills and employees, funding contracts, and purchasing inventory. Whether payment is made by wire, ACH, or a good old-fashioned check, if a fraudster is successful, the funds frequently can’t be recovered once they are transferred or deposited.
How Payment Fraud Happens
To commit fraud, scammers must either obtain the target’s bank or other account login information (online takeover) or, for payment fraud, reroute a payment to themselves by posing as a vendor, employee, etc. While scammers use several methods to fool customers, Business Email Compromise (BEC), or email phishing, is the most prevalent method. More than 255 million phishing attacks were reported in the first six months of 2022, a 61% increase over the prior year. That could mean as many as 1 billion phishing attacks occurred in 2022. There’s no telling how many go unreported.
For payment fraud, phishers often create emails that are made to appear as if they were sent by a legitimate source, such as a vendor or someone from within the company. In certain cases, the legitimate source’s email was compromised first to increase the validity of the communication. The fake email directs payments to be remitted to the fraudster; this is why it’s so important to verbally confirm any new or updated routing instructions to ensure you’re corresponding with your intended payee.
For online takeover, phishers create emails or texts made to appear as if they were sent by a legitimate source, such as a financial institution, a vendor, or someone from within the company. The fake message typically includes some sort of urgent request or call to action, such as an account alert, a payment verification, or an information request, along with a link. Once the recipient clicks on the link, they are sent to a fake website masquerading as a legitimate site. When the victim attempts to log on to the site, the phisher captures their credentials and then immediately uses them to gain access to the legitimate website. Where multi-factor authentication (MFA) is in place, as it is with the CBNA Online Banking portal, the victim may even receive an additional email, text, or call asking for a code. Once on the site, phishers can drain the funds or use them for purchases.
With up to a billion attacks in one year, phishers are becoming more experienced at disguising their emails, making them look genuine and hard to detect. They can even personalize them with information about the targeted recipient that they gather online. Tens of thousands of fake emails are sent each day, increasing the odds that an unsuspecting employee will bite.
Steps to Preventing Payment Fraud
When it comes to reducing the chance of a successful payment transfer fraud, businesses are their own first line of defense. Employee education is crucial to minimizing the threat: teach employees about the dangers and how to approach all payment transfer requests.
Be on the lookout for phishing expeditions: Cyber criminals have elevated their techniques for masking fake emails and even text messages to make requests for funds or information appear valid. Emails and texts must be closely scrutinized for phony email addresses and domain names, and salutations that appear personalized. If anything looks even slightly off, tag the email for further examination.
Be suspicious of links to login pages embedded in emails or texts: Only enter login credentials on a trusted site (or app) you can independently navigate to, not from a link included in an email or text.
Be wary of urgent calls to action: Any email that urges a quick response to a request should be carefully inspected.
Verbally confirm all money and information requests: The email account of a colleague or vendor may have been compromised, enabling the phisher to make an email look as if a valid source sent it. All email requests should be verified by contacting the sender using a trusted phone number from the business’s contact list.
Act immediately: If you think a phisher has targeted you, contact your financial institution directly to warn them of the attempt. You should also report it to the FBI Internet Complaint Center, the Federal Trade Commission spam unit, and the Cybersecurity and Infrastructure Security Agency.
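The checks in the steps above can also be run automatically on incoming mail before a person reviews it. The following Python sketch is an added example, not code from the original article; the trusted-domain list, the flag names, the keyword patterns, and the sample message are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains copied from the business's own vendor contact list.
TRUSTED_DOMAINS = {"acme-supply.example", "examplebank.example"}
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap)\b", re.I)
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}\b(bank|routing|account|wire|ach)\b", re.I | re.S)
LINK_HOST = re.compile(r'https?://([^/\s:>"]+)', re.I)

# Constructed sample message, not a real email.
SAMPLE = """From: Accounts <billing@acme-supp1y.example>
Reply-To: billing@mailbox.example
Subject: Updated remittance details

Please use our new bank account for invoice 1042. This is urgent.
Confirm at http://acme-supp1y.example/login
"""

def domain_of(header_value):
    # Lower-cased domain part of an address header ('' if the header is absent).
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def lookalike_of(domain):
    """Return the trusted domain this one closely imitates, or None."""
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= 0.9:
            return trusted
    return None

def triage(raw_email):
    msg = message_from_string(raw_email)
    body = msg.get_payload()  # assumes a single-part plain-text message
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    if sender not in TRUSTED_DOMAINS:
        imitated = lookalike_of(sender)
        flags.append(f"lookalike-domain:{imitated}" if imitated else "unknown-sender-domain")
    if reply_to and reply_to != sender:
        flags.append("reply-to-mismatch")
    if URGENCY.search(body):
        flags.append("urgent-call-to-action")
    if any(h.lower() not in TRUSTED_DOMAINS for h in LINK_HOST.findall(body)):
        flags.append("link-to-untrusted-host")
    if PAYMENT_CHANGE.search(body):
        flags.append("payment-change:verify-by-trusted-phone")
    return flags
```

A message sent from a genuinely compromised vendor mailbox passes every domain check, so the payment-change flag fires regardless of sender and still requires the phone callback.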
With the surge in cybercrime and attempts at payment transfer fraud, banks are working tirelessly on systems and processes for detecting and preventing them. However, the only way for businesses to prevent these attempts in the first place is to stop them at the source: incoming emails and texts. Businesses must make it a priority to educate their employees on preventing payment transfer fraud.