One of the most disturbing aspects of present-day fraud is just how prevalent it has become. Around 80% of respondents to an Association of Financial Professionals survey said they were victims of payment fraud in 2023. It was a 15% increase from 2022 and the highest number since 2015.

In a recent PaymentsJournal podcast, Ryan Clayton, Director of Solution Consulting at Bottomline, and Albert Bodine, Director of Commercial and Enterprise Payments at Javelin Strategy & Research, discussed the technology and tactics criminals employ and the ways organizations can defend themselves.

The Wide-Open World

Criminals are becoming more sophisticated every day. They use technologies like ChatGPT to create more convincing phony emails and voiceover deepfakes to trick finance offices. Business email compromise is on the rise, causing losses of over $300 million per month.

“It's hard for organizations to stay above water because fraudsters are always one step ahead,” Clayton said. “It’s under any and every vertical, all industries are under attack. Public entities like higher education institutions, healthcare facilities, and government agencies are at higher risk because their data is much more readily available. But fraud is everywhere.”

Criminals especially target companies that process a high number of payments. In commercial real estate, for instance, where invoices come in and payments go out rapidly, it’s easy for something to fall between the cracks. Companies that have high turnover, or are understaffed, are more vulnerable to attacks.

The continued use of paper checks exposes companies to fraud risk as well. More than 80% of organizations still accept paper checks, and more than 90% still use checks to make payments. The Financial Crimes Enforcement Network reported in 2021 there were 350,000 cases of check fraud, and that number rose to 680,000 cases in 2023.

“It's so susceptible,” Clayton said. “Once that paper instrument leaves a company’s hands it's out in the wide-open world. It may seem like something out of the Wild West, but the United States Postal Service has had postal carriers held up at gunpoint, and what they’re really looking for are business checks. If they find one, there's no tracking it. It’s gone.”

Social Engineering

Criminals have increasingly employed tactics that exploit social engineering to manipulate employees’ actions. They study businesses to learn their behaviors. Because organizations have so much data that’s readily available online, it’s not difficult to learn how a company operates and who its partners are.

Someone posing as a vendor might call claiming their company will lose its business license if it doesn’t receive a payment today. The criminal is hoping the employee will have an emotional reaction and break protocol. Though it might seem like a spur-of-the-moment call, these criminals have likely been targeting the companies they go after for months before an attack.

Criminals have also hacked voice-over-internet-protocol (VoIP) phones. Once the phone system is breached, they can listen in on business conversations, record them, and use them against the organization.

“There have been instances of account takeover,” Clayton said. “When there are corporate phones across an organization, there have been SIM takeovers.

The podcast and accompanying cover art on this page belong to PaymentsJournal. The content of the podcast is created by PaymentsJournal and not by, or together with, Poddtoppen.