By Bob Stark, Global Head of Market Strategy, Kyriba
According to the 2022 AFP Payments Fraud and Control Survey, 92% of finance leaders observed that fraud in 2021 was as bad as, if not worse than, the year before. As payment fraud continues to be a major concern for all types of organizations, state and local governments in particular are experiencing an increase in fraud attempts, with many falling victim to cybercriminals’ intricate deception tactics.
Payment Fraud Threats
Cybercriminals aim to find weak payment controls, frequently deploying effective social engineering tactics. They’ll target specific employees and attempt to manipulate them into providing confidential and personal information that can prove useful.
Once they gather enough information on the company and its staff, they may attempt to execute a business email compromise (BEC) scam. The most traditional version of this scam involves a cybercriminal impersonating a manager or executive via email and requesting a payment. They typically attempt to create a sense of urgency so that the employee processing the payment acts rashly and doesn’t follow proper protocols. Another common scheme involves impersonating a routine vendor, requesting that a payment be sent to a new bank account.
Accounts payable (AP) departments are the most susceptible to BEC scams; 58% of organizations that responded to the AFP survey reported that their AP departments were compromised through email scams in 2021.
Fraudsters’ impersonation techniques have grown increasingly sophisticated, with some more advanced criminals using deepfake technology to dupe employees into sending a fraudulent payment. These scams can be highly effective; in 2020, deepfake voice technology was used to commit a $35 million bank heist.
Fortunately, the training and controls that organizations have put in place to prevent BEC scams have had some success. AFP reported that 68% of organizations were targeted by BEC in 2021, 8 percentage points down from the previous year and the second lowest number since 2015, when AFP began tracking BEC scam proliferation.
Payment losses can be in the millions of dollars, and so public disclosure of an incident can do significant financial and reputational damage to an affected organization. When incidents are reported, the public only becomes aware of a loss months or even years after the fact.
Scenarios Ripe for Fraud
AP and treasury departments using multiple systems with different approval processes or staff members performing tasks manually are easy targets for fraudsters. Many organizations also have executives, managers and employees who can release payments with just one approval.
Additionally, storing electronic payment backup documents in multiple systems without centralized controls can add risk for an organization. Establishing standardized procedures is difficult across multiple technology platforms.
Lastly, a lack of real-time visibility into all payments-related matters is a critical issue. In most instances, once fraud is discovered, the payment has already been debited from the targeted bank account.
In recent years, the public sector has been a key target for fraudsters. Vendor impersonation schemes have been particularly successful.
In 2020, a fraudster impersonated a known contractor who regularly provides services to the government of Brunswick County, N.C. The criminal was able to spoof the contractor’s email by inserting an extra hyphen in the email domain address.
The email requested an update to the contractor’s bank account and routing information. A county employee was suspicious, and contacted the CFO of the contracting company, who confirmed that the email was fake.
But the fraudster tried again about five months later, and this time was successful. For the next couple of months, the county made routine payments to the fraudster’s bank account, believing it to be the contractor’s, with losses totaling more than $4 million. The county only found out about the scam when the real contractor reached out, requesting payment for overdue invoices.
Similarly, a Texas school district lost $2.3 million in a 2020 phishing scam. The fraudsters contacted multiple employees at the school district posing as a vendor, requesting that a bank account be updated to a fraudulent account. One employee took the bait, completing three transactions before realizing something was amiss.
Misconceptions about Cyber Insurance
Many organizations have invested in cyber insurance to protect themselves against fraud. Unfortunately, many cyber insurers have refused to cover losses for BEC scams. Most have made the argument that a money transfer voluntarily sent by an organization to a criminal—even when it is the result of the criminal breaching the company’s email system and impersonating an employee—is not covered under the policy. Court decisions in these cases can go one way or the other, and the cases typically drag on for years.
Furthermore, cyber insurance premiums are going up. The Washington Post reported that over 80% of insurers reported a rise in cyber claims in the fourth quarter of last year, which drove premiums up 34%. So, your organization could be paying more for coverage that ultimately doesn’t help you out when you need it.
Real-Time Payment Fraud Prevention
The best protection against current and future threats is to ensure that fraud doesn’t happen. But building a system of controls and real-time validation is an expensive investment for any organization, private or public sector. To take pressure off IT departments, finance teams increasingly opt for hosting payments data and bank connectors externally, where hosting providers are able to invest significantly more in cybersecurity. By working with a trusted partner that already specializes in payment fraud detection and prevention, public sector finance teams are maximizing resilience to cybercrime while efficiently managing their technology budgets.
In addition to hosting data and securing bank connections in the cloud, public sector finance leaders need to ensure that payments workflows can operate in real-time, digitizing payments policies and screening for suspicious and unauthorized payments against sophisticated checks and balances.
This includes rules-based, machine learning processes that validate compliance with the organization’s payment policy, quarantining non-compliant payments to be reviewed and cleared by designated managers. Examples include comparing payments with the organization’s payment history, reviewing against known fraud scenarios, verifying the authenticity of bank accounts and screening against government sanctions lists.
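The rules-based checks listed above (payment history, sanctions screening, quarantine for review), combined with a test for the hyphen-spoofed sender domain from the Brunswick County case, are sketched below as an added Python example; it is not from the article or from any vendor product. The vendor record, account labels, 2x amount threshold, edit-distance cutoff and sanctions entry are all constructed assumptions.

```python
# Constructed vendor master: registered e-mail domain, accounts seen in payment history.
VENDORS = {
    "V100": {"domain": "acme-paving.example",
             "accounts": {"ACCT-A-0001"}, "max_paid": 180_000.0},
}
SANCTIONS = {"blocked holdings ltd"}  # constructed stand-in for a sanctions list

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character domain spoofs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(sender, registered):
    """True for a near-miss of the registered domain (e.g. one extra hyphen)."""
    return sender != registered and edit_distance(sender, registered) <= 2

def screen_payment(p):
    """Return ('release' | 'quarantine', reasons) for one outgoing payment."""
    vendor = VENDORS.get(p["vendor_id"])
    if vendor is None:
        return "quarantine", ["unknown_vendor"]
    reasons = []
    if p["account"] not in vendor["accounts"]:
        reasons.append("account_not_in_payment_history")
    if p["amount"] > 2 * vendor["max_paid"]:  # assumed threshold
        reasons.append("amount_exceeds_history")
    if p["beneficiary"].lower() in SANCTIONS:
        reasons.append("sanctions_match")
    req = (p.get("change_request_domain") or "").lower()
    if req and req != vendor["domain"]:
        reasons.append("lookalike_sender_domain" if is_lookalike(req, vendor["domain"])
                       else "unregistered_sender_domain")
    return ("quarantine" if reasons else "release"), reasons

if __name__ == "__main__":
    paid = {"vendor_id": "V100", "beneficiary": "Acme Paving",
            "account": "ACCT-A-0001", "amount": 95_000.0}
    spoofed = dict(paid, account="ACCT-X-9999",
                   change_request_domain="acme-pav-ing.example")
    print(screen_payment(paid))
    print(screen_payment(spoofed))
```

A quarantined payment is held for a designated manager to clear, so a bank-detail change that arrived from a near-miss domain is stopped before the first payment rather than discovered when the real vendor chases overdue invoices.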
Ideally, fraud detection occurs in real-time to ensure payments to suppliers and beneficiaries are uninterrupted and finance teams can benefit from new instant payment services from their banking partners.
While public sector finance teams are proving to be more vigilant, being careful is not enough. Organizations need to have real-time screening to ensure internal policies, standardized controls and automated processes are effectively guarding all payments and financial transactions. Working with a trusted partner can offer an efficient pathway to safety. Today’s threats are constantly evolving; organizations that want to stay out of headlines need to evolve with them.