Crooks have more tactics for committing payment fraud at their disposal than you think.
For example, these are just the different types of phishing attacks being used to exploit busy A/P staffers and steal money and sensitive data from companies:
- Email (which can include links to malware, a forged invoice that looks like it came from a real vendor or a spoof of a vendor’s website or domain name)
- Spearphishing (requests for access to data or a computer system which can involve mentions of personalized information gleaned from LinkedIn or other social media to gain the trust of team members)
- Whaling (spearphishing targeting executives, which criminals often do to impersonate a CFO or CEO)
- Vishing (phone calls impersonating trusted contacts like bank reps or suppliers)
- Smishing (malicious links in a text message)
- Clone phishing (fraudsters clone an email message with attachments and resend it, replacing the original attachments with malware), and
- Cross-site scripting (injecting malicious executable scripts into the code of a trusted application or website).
And as we reported, AI is being diabolically deployed to make payment fraud attempts even more difficult to detect.
“The cunning, the regularity has increased to such an amount that every single day … fraudulent emails, text messages, attempts to steal mail are going on. It wasn’t to that degree three years ago,” said Dan Reeve, vice president of sales for North America at P2P and order-to-cash automation software provider Esker.
Attendees of a recent IOFM webinar seemed to agree. When polled, 61% said their risk of payment fraud was slightly or significantly higher compared to three years ago, and 41% said their organizations experienced attempted or actual payment fraud four or more times in the past year.
Payment fraud by bank account change request
A lack of secure routing, and of visibility into the actions being taken on invoices and payment approvals, is part of what makes email a major contributor to payment fraud risk. Criminals love using email to impersonate suppliers and request bank account changes that allow them to intercept payments – which might go unnoticed until the real supplier calls to ask where their money is.
During the webinar, Financial Operations Networks CEO Phil Binkow anecdotally reported that at least one out of every 10 bank account change requests fielded by A/P departments is fraudulent.
Financial Operations Networks, which provides vendor self-service and vendor relationship management SaaS applications, surveyed finance pros, and a sizable majority (71%) said fraudulent bank account info was the greatest payment fraud risk in their vendor onboarding process.
To avoid becoming a victim of payment fraud, A/P teams can verify bank account changes by:
- calling suppliers or supplier internal stakeholders
- calling the vendor’s financial institution
- obtaining a bank letter or voided check
- reviewing the supplier’s previous banking information details on file, or
- a penny test transaction.
However, these best practices may no longer be adequate in 2024. For example, what if your trusted vendor contact changed jobs and you didn’t know about it?
“We’ve been talking to (companies that) have either … half (or) a FTE (full-time equivalent) … sometimes two FTEs, doing nothing but verifying bank account information. And it’s a tedious process because the vendor master file doesn’t always have the current or updated information about contacts at the vendors. Nobody wants to contact a vendor with an email because (it) may be compromised. Folks are even searching social media and doing search engine lookups to try to find contacts at vendors … who can verify that the bank account request is legitimate,” Binkow said.
Vendor portals mitigate risk
Secure online self-service vendor portals that integrate with enterprise resource planning systems are one tool companies are turning to because it’s up to the vendor to make any changes that happen to their bank account or routing numbers, name, address or preferred payment method.
A/P thought leader Mark Brousseau added that the best-in-class vendor portals:
- integrate with financial institutions
- automatically verify bank account ownership
- collect important data and documents
- verify Taxpayer Identification Numbers (TIN) with the IRS, and
- check if the entity is on the Office of Foreign Assets Control (OFAC) sanctions list.
Modern banking info verification best practices
To stay ahead of current payment fraud threats from bogus banking change requests, you’re going to need to:
- stay informed about industry threats
- pass that info along in employee training
- conduct periodic security reviews with IT
- regularly update procedures
- maintain direct communication with suppliers, so you know who the right contacts are
- verify banking changes through more than one channel
- monitor for unusual activity
- audit your invoice review and payment approval workflows, and most likely
- automate A/P.
Invoice processing best practices for fraud prevention
According to Reeve, the leading automation solutions are an effective weapon against payment fraud, and are also flexible for use in a variety of A/P process environments:
- Purchase order (PO)-to-invoice verification controls. The software enforces spend limits, verifies the vendor, and handles the matching of PO and invoice so payment processing is automatic unless an exception is found.
- Tech-enabled non-PO-to-invoice verification. No PO? No problem. Invoice data can be automatically verified against master data records and the software verifies invoice balances and checks for duplicate invoices.
- Contract-based invoice verification. “Maybe you’d like the … technology to … say, ‘Is this the right contract? Is that contract still valid?’ Or do we need to get Procurement involved to renegotiate the contract? … The quantities, the prices, the dates, are they relevant based on what these folks are invoicing us for?” Reeve said.
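The PO and non-PO controls above (vendor check against master data, spend limit, PO matching, duplicate detection) can be expressed as a single exception-routing check. The following is an added illustration, not Esker's or any vendor's code; the vendor master, purchase orders, spend limit and invoice records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample master data (assumed, not from any real system).
VENDOR_MASTER = {
    "V100": {"active": True, "iban": "DE00-CONSTRUCTED-0001"},
    "V200": {"active": False, "iban": "DE00-CONSTRUCTED-0002"},
}
PURCHASE_ORDERS = {
    "PO-1": {"vendor": "V100", "total": 10000.00, "invoiced": 7500.00},
}
SPEND_LIMIT_NON_PO = 2500.00  # assumed auto-approval ceiling for PO-less invoices


@dataclass
class Invoice:
    vendor_id: str
    number: str
    amount: float
    iban: str          # bank account the invoice asks to be paid to
    po: Optional[str] = None


def normalize_number(number: str) -> str:
    """Collapse spacing/punctuation so 'INV 123' and 'inv-123' match as duplicates."""
    return "".join(ch for ch in number if ch.isalnum()).upper()


def check_invoice(inv: Invoice, seen: set) -> list:
    """Return [] if the invoice may post automatically, else the exception reasons.

    `seen` holds (vendor_id, normalized number) pairs of invoices already accepted.
    """
    issues = []
    vendor = VENDOR_MASTER.get(inv.vendor_id)
    if vendor is None or not vendor["active"]:
        issues.append("vendor not in master / inactive")
    elif vendor["iban"] != inv.iban:
        # Pay only to the account on file; a changed account goes to a human.
        issues.append("bank account differs from vendor master")
    key = (inv.vendor_id, normalize_number(inv.number))
    if key in seen:
        issues.append("duplicate invoice number for vendor")
    seen.add(key)
    if inv.po:  # PO-to-invoice verification
        po = PURCHASE_ORDERS.get(inv.po)
        if po is None:
            issues.append("unknown PO")
        elif po["vendor"] != inv.vendor_id:
            issues.append("PO belongs to a different vendor")
        elif po["invoiced"] + inv.amount > po["total"]:
            issues.append("invoice exceeds open PO balance")
    elif inv.amount > SPEND_LIMIT_NON_PO:  # non-PO verification
        issues.append("non-PO invoice over spend limit")
    return issues
```

Any non-empty result routes the invoice to the exception queue instead of automatic payment.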
Automation platforms should also offer a standalone bank verification module or subscription service. That’s ideal for organizations working with an A/P platform that doesn’t have application programming interfaces or third-party interfaces, or a vendor portal that doesn’t do TIN matching or OFAC checks.