In the digital age, a cyberattack is like a natural disaster – a persistent and unpredictable threat. Nearly 8 in 10 U.S. organizations were targets of payments fraud in 2017, the Association for Financial Professionals (AFP) reports in its annual study of payments fraud risks and realities.
What’s the best way to prevent getting hit by a payments fraud scam?
“Know your organization’s vulnerabilities and prepare for attacks,” says Dan Kautz, a vice president with Global Treasury Management at U.S. Bank. “It’s not necessarily the amount of money sitting in a company’s account that makes them a target; it’s their weaknesses,” Kautz says.
Those weaknesses include a lack of IT infrastructure, smaller staffs and fewer controls – all of which attract cybercriminals. Although criminals’ tactics constantly evolve, business email compromise (BEC) is a growing threat, with 77 percent of organizations having experienced it in 2017.
Although it fell after the Great Recession, payments fraud is once again on the rise. The number of organizations that say they’ve experienced attempted or actual payments fraud reached a record high of 78 percent in 2017, marking the fourth consecutive year of increase.
Percent of organizations that experienced attempted and/or actual payments fraud, by year: 2007, 71 percent; 2008, 71 percent; 2009, 73 percent; 2010, 71 percent; 2011, 68 percent; 2012, 61 percent; 2013, 60 percent; 2014, 62 percent; 2015, 73 percent; 2016, 74 percent; 2017, 78 percent.
“These are legitimate payments, and that makes them very difficult to detect,” Kautz says of BEC attacks, wherein criminals persuade employees to initiate wire, check or credit card payments by sending fraudulent emails. The emails appear to be from genuine customers, vendors or executives. These sophisticated scams also include requests for personally identifiable information (PII) or Wage and Tax Statement (W-2) forms for employees.
Between October 2013 and December 2016 there were 40,203 domestic and international BEC incidents that caused $5.3 billion in losses, the FBI reports.
However, while this overall loss was large, individual organization losses were less significant. In 2017, fewer than half of organizations say they suffered a financial loss because of BEC.
The greater threat to those organizations comes from the theft of personal and confidential information. Damages from these thefts can be difficult to measure, ranging from financial penalties to legal and regulatory actions.
Despite 77 percent of organizations saying they’ve implemented new internal controls to prevent BEC attacks in 2017, BEC is up 3 percentage points from 2016 and 13 percentage points from 2015. BEC and other types of fraud may be difficult to detect and prevent, but their impacts can be mitigated.
Increasingly, criminals harvest personally identifiable information through the web and social media and use it to execute sophisticated BEC scams. They pose as trusted executives or vendors to either initiate unauthorized payments or change payment information to intercept disbursements.
The percent of organizations that experienced attempted and/or actual payments fraud in 2017 with checks was 74 percent, with wire transfers was 48 percent, with corporate or commercial credit cards was 30 percent, with ACH debits was 28 percent, and with ACH credits was 13 percent.
Although businesses operate in a digital world, checks remain the primary target. This is due to their prevalence and to technological advancements that have made it easier to create more convincing forgeries.
The percent of organizations that experienced business email compromise in 2015 was 64 percent, in 2016 was 74 percent and in 2017 was 77 percent.
Kautz recommends that your organization take the following steps to help protect itself:
“Companies read about fraud in the newspaper, but they think it won’t happen to them,” Kautz says. “That couldn’t be further from the truth. All it takes is one bad email or one wrong click.”
Don’t wait until your organization experiences a fraud attempt. Take time now to search for gaps in your fraud prevention program. Our payments fraud prevention best practices and fraud prevention checklist can help:
U.S. Bank is committed to helping you meet your treasury management needs, including fraud prevention. To learn more, contact a U.S. Bank relationship manager or treasury management consultant.