The Association for Financial Professionals (AFP) recently hosted a virtual roundtable to discuss how finance professionals are handling payments fraud. Moderated by AFP Director of Treasury Services Tom Hunt, CTP, participants shared what they’re seeing, how they’re handling it, and how the coronavirus pandemic changed things.
One of the most prevalent scams organizations are seeing is business email compromise (BEC), also known as email account compromise (EAC). In these types of scams, the criminal sends out an email that appears to be from a known source, such as a colleague or vendor, and the request appears legitimate. Examples given by the FBI include:
- A vendor your company regularly deals with sends an invoice with an updated mailing address.
- A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
- A homebuyer receives a message from his title company with instructions on how to wire his down payment.
Participants in the community discussion confirmed these scenarios with their own stories. Matt, treasurer at a large specialty retailer, provided two examples of BEC emails he’d received. In the first, the scammer used formal first names for both himself and the sender, which was not the norm, so he knew it was a scam. In the second, the scammer had hacked into or spoofed a supplier's email address, but had changed an R and an N to an M.
“On first glance and without careful study, it's easy to get fooled by that stuff,” said Matt. “One of the things that we have done — and it causes some consternation — is that if we ever get a request for a change of payment, the confirmation has to be done by phone to a different known contact at the company by a different department. It's cumbersome to be sure, but it seems to have really helped us.”
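The R-N-for-M substitution Matt describes is a lookalike-domain trick that is hard to catch by eye but easy to catch mechanically. The following Python is an added example (not code from AFP or any roundtable participant) that normalises confusable character sequences in a sender's domain before comparing it with the domains already on file for a vendor, and then applies the roundtable's rule that every payment-detail change is confirmed by phone with a previously known contact. The vendor domain list, the confusable pairs and the sample addresses are constructed for the illustration; it also goes slightly beyond the page's rn/m case by collapsing a few other common confusables and by catching one-character typosquats.

```python
"""Flag lookalike sender domains on payment-change requests.

Added example, not AFP's or any participant's code. The vendor list and
the sample e-mail addresses below are constructed for the illustration.
"""

# Constructed vendor master: domains AP already holds on file for each vendor.
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northwind-traders.com"}

# Character sequences that read alike in many fonts. Each pair is collapsed
# to one form so "acrne" and "acme" compare equal after normalisation.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("i", "l")]


def skeleton(domain: str) -> str:
    """Lower-case the domain and collapse confusable sequences."""
    d = domain.strip().lower()
    for lookalike, canonical in CONFUSABLE_PAIRS:
        d = d.replace(lookalike, canonical)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_domain(domain: str, known=KNOWN_VENDOR_DOMAINS):
    """Return ('known', match), ('lookalike', match) or ('unknown', None)."""
    d = domain.strip().lower()
    if d in known:
        return "known", d
    sk = skeleton(d)
    for k in known:
        if skeleton(k) == sk:          # e.g. acrne-supply.com vs acme-supply.com
            return "lookalike", k
    for k in known:
        if edit_distance(d, k) <= 1:   # one dropped or swapped character
            return "lookalike", k
    return "unknown", None


def triage_payment_change(from_address: str) -> dict:
    """Apply the roundtable's rule: every payment-detail change is confirmed
    by phone with a previously known contact, never with the requester.
    A lookalike domain additionally marks the request as suspected BEC."""
    domain = sender_domain(from_address)
    kind, match = classify_domain(domain)
    return {
        "sender_domain": domain,
        "classification": kind,
        "matched_vendor_domain": match,
        "callback_required": True,
        "suspected_bec": kind == "lookalike",
    }


if __name__ == "__main__":
    # Constructed sample requests, one genuine and three that should be flagged or queried.
    for addr in ["ap@acme-supply.com", "ap@acrne-supply.com",
                 "billing@northwind-trader.com", "x@unrelated.org"]:
        print(addr, triage_payment_change(addr))
```

Note that `callback_required` is always true: the check on the domain only decides how urgently the request is escalated, and a clean domain never substitutes for the out-of-band call to a known contact, since a genuinely compromised vendor mailbox would pass the domain test.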
In another scenario, shared by Connie, assistant treasurer at a large media corporation, the payer was fooled when the supposed requester offered to be called on a mobile number for confirmation. “In the email chain, the interloper actually said, ‘Yeah, you know what? Since we're working from home, just call me on my mobile.’ So they thought they were talking to their original source from the company and they said, ‘Oh, if he's saying just to call him on his mobile …’ So they did, and that created a fraudulent payment,” she said.
At least Connie’s story has a happy ending. “They were the most honest fraudsters in the world,” said Connie. “The money was going to the Martin Luther King Foundation, and they said that that's really a source close to their heart, so we could have the money back, which is like the strangest thing I think I've ever heard of.”
Confirmation — of any request — with your known source at a given location is one of the biggest preventative measures everyone agreed on. Not the person who requested the change, but your original source. “You have to go back to your known source, not the first person, in order to do the confirmation,” said Matt. “Again, it makes it a little bit more cumbersome, but it helps.”
Vigilance and diligence are key to prevention. “If we receive something a little different, we’ll make an individual phone call out to the entity,” said Dean, director of treasury at an online media company. “I tell everybody on our team: it's not a matter of if, it's a matter of when.”
David, assistant treasurer at an energy corporation, said software validation saved his company $100,000 in a scam perpetrated on them several years ago. “I'm a strong believer in that service because it saved us about a hundred thousand dollars three years ago when our system unfortunately generated an invoice at this SVP's request and tried to send it. The bank said that the payee name didn't match the owner of the bank account, so they declined to process the transaction.”
The discussion then came around to the infamous Colonial Pipeline hack, and Hunt asked participants if anyone had, as a result, run simulated ransomware attacks or set up a bitcoin account. The former did not appear on anyone’s list, but bitcoin accounts were something that had been researched.
Lisa, who works in treasury in the financial services industry, said they looked into setting up a bitcoin account, but that it was not legally possible. “We would have had to lie on our KYC form in order to open up the bitcoin account, because in effect, we were admitting to your point: opening up the Bitcoin to facilitate a future crime if it happened,” said Lisa.
“You're almost stuck in limbo,” said Matt. “Your hope is that you have someone you can deal with who has access to bitcoin and can send it on your behalf in case you need it, but when we've looked at buying it upfront, it really is problematic. We had discussions with some banks and realized that it was a dead end from a law enforcement perspective, and so it was dropped.”
Lisa said they also tried going through the [bitcoin/cryptocurrency] exchange, but it was riddled with red flags. First, you have to call a 1-800 number, and it’s hard to get a live person on the line. Plus, it’s not face-to-face, which for Lisa was another strike. “You have an 800 number. It's to a call center. Does that mean everybody on the call has access to that information?” she said.
“With our bigger banks, obviously we don't necessarily have to provide social security numbers and residential addresses. And only in certain instances or for certain key officers, but for the exchange, they wanted the social security number of the person who would be monitoring the bank statement. From a personal confidential data standpoint, that was another huge red flag for us,” said Lisa.
Matt brought up the issue of paycheck fraud. While less of an issue in an age where the majority of workers and employers prefer direct deposit, he said that California is one state in which his company does business where it is illegal to force employees to accept electronic payment. As a result, some still insist on being paid with a paper check.
The type of fraud experienced by his company happens most often when someone is fired. “The thing that we were seeing more of was employees who were becoming ex-employees depositing their final paycheck via mobile deposit and then walking into a check-cashing location and depositing the physical check,” said Matt.
“The banks realized that Check 21 is a complete open door to this sort of fraud, and it's their policies, their rules and their procedures,” said Matt. “So, in effect we've said to them, it's your problem. We do use Positive Pay, so we are taking all the precautions that we know to take.”
The pandemic had one positive effect on AP: a lot more vendors requested to be paid via ACH. “Vendors were calling us and wanting to switch to ACH because they didn't want to send anyone into the office to pick up the checks,” said Lisa.
Another safety policy practiced by some is requiring dual signatures for payments over a certain amount. “Dual signatures are required to make sure that any payment requests we receive (especially over a hundred thousand) are signed off on by two people. We don't do it based on an email, they have to complete a form, and again, the signatures are verified before any payment is processed,” said Penelope, treasury operations manager for higher education. With the pandemic, these requests became electronic. “We get PDFs sent into the office, and then they are routed electronically to whoever needs to sign, and then returned before it's entered into the system and sent via wire or other payment method.”
Wrapping up the discussion was how lockboxes had been affected by the pandemic. Cindy, who works in treasury management in the financial services industry, said their system was affected by the pandemic. “There was mail that was delayed through the postal service because of staffing challenges that they had,” she said. “That created a lag for the banks receiving those items to process.” But they’ve seen a big improvement since, she said.
Added Hunt, “You don't necessarily want to penalize your customer for late payments when it's beyond their control, but it also could be a good reason to move them to electronic payments. They might like the mail float, but in a low interest rate environment, there's really not a lot of advantage to it.”
For more information, download the 2021 AFP Payments Fraud and Control Survey.