A 2021 report by the Association of Financial Professionals (AFP)1 found that nearly 75% of organizations were targets of payment fraud in 2020. On average, businesses will lose 5% of their gross revenue to fraud2. And while incidents of fraud seem inevitable, the monetary loss doesn’t have to be. Gauge your risk and learn how to protect your business from fraud loss as you step into three common fraud scenarios.
Loss: $500,000
Business Email Compromise (BEC) was the largest, single source of payment fraud attacks in 2020 – up from 2019, when BEC first topped the list. Whether we see it continue to rise in the coming years or not, it’s easy to imagine how this type of attack could happen in your organization. A simple lack of awareness and operational control often allows companies to become victims of significant revenue loss in a matter of minutes, as was the case for the company in this first scenario.
The scheme: A finance executive at a wireless technology company received an email impersonating the company’s chief executive officer in both tone and email address. The content of the email was a request for a new vendor payment. Eager to please the CEO, the executive took the next step. She followed protocol, which required the approval of two high-ranking managers. The finance executive in question qualified as one and the requesting CEO qualified as the second.
The aftermath: This was a sophisticated phishing email directed to a top executive who would be able to move large sums of cash. Since it seemed apparent the email was coming directly from the CEO (the address had one variation that would have been almost undetectable to anyone not specifically looking for it), the finance executive wired nearly $500K to the fraudsters. It was not until hours later when the finance executive mentioned the wire directly to the CEO that the company realized it had been involved in a wire fraud scheme. The bank was immediately notified, but in the case of a wire transfer, there’s no guarantee of funds being returned even if they are found still in the recipient’s account. More often than not, as it was in this scenario, the money is moved quickly and accounts closed.
The way forward: The fraudsters had conducted thorough research on this company and their staff members to determine the most effective targets and best timing. Realizing this, the technology company took equally critical measures to ensure that its employees stay educated on warning signs to look for and what to do if they received any suspicious emails. Structural measures were taken to see that all wire transfers receive systematic approvals and a wire transfer email notification system was implemented, providing designated parties a greater level of detail about pending outgoing wires, including information about the receiving party.
Ask yourself: What would happen to my company today if fraudsters attempted to perpetrate this same scenario? What tools or protocols are in place to mitigate risks? If you don’t know, you might want to speak to one of our experts.
Loss: $35,000
Of all the payment methods that were targets of fraud in 2020, checks topped the list. There are many different types of check fraud, including forged endorsements and altered amounts, but counterfeit check scams are a growing concern. According to the Federal Trade Commission, complaints of fake check scams jumped 65% from 2015 to 2019. As check fraud increases, so do the skills of fraudsters, whose forgeries and cons were already difficult to spot, as illustrated by this next scenario.
The scheme: A fraudster used replication software to create counterfeit checks from a successful property management business with an annual check volume of 1,700. He then arranged to purchase goods and services through an online seller. The fraudster sent the seller a counterfeit check for an amount over the negotiated price. He explained that the check was incorrectly allocated, but asked the seller to deposit it anyway and simply pay back the difference once the check clears, telling the seller to keep the extra $100.
The aftermath: The property management company was unaware of the fraudulent activity until one of the sellers asked about the legitimacy of a check. The company immediately contacted its bank to place a stop payment on the check. However, they were not aware of how many counterfeit checks the fraudster had issued, and they had no way to stop fraudulent payments from continuing. Until a more permanent solution could be implemented, a fraud hold was placed on the account, which froze the company’s financial assets for a period of time in the hopes of preventing future losses. In the end, the property management company lost approximately $35,000. Equally damaging were the man-hours lost as their Accounts Services team had to confirm every payment issued against the account during the fraud hold and audit all payments made from the account over the past six months (or more).
The way forward: With firsthand experience on why it’s so important to protect every account against every type of payment fraud, the company implemented Check Positive Pay and Positive Pay Payee Verification. The company’s Account Services team now submits a check issue file to the bank daily. The bank matches in-clearing checks with the file and provides exceptions through an online banking system, which enables the property management company to review before deciding to pay or return. By setting up Check Debit Blocks on accounts from which they do not issue check payments, all checks posted are automatically returned without team members taking any action.
Ask yourself: How might a fraudster get ahold of one of my company’s checks? Do we have check fraud protections in place? How much money could we lose?
Loss: $150,000
Automated Clearing House (ACH) debits and credits fraud accounted for 34% and 19% of payment fraud in 2020, respectively. As these transactions are typically considered more difficult to compromise, the increase in ACH fraud (debits were up 1% from 2019) suggests a more sophisticated approach. Fraudsters may compromise the processes leading up to payment initiation or recruit assistance from inside targeted businesses. A combination of these two approaches was used to originate fraud in the next scenario.
The scheme: An employee of a tile retailer with access to ACH transactions received an email from a fraudster impersonating a contract partner. The email urged the employee to update the company’s business contracts by downloading an attachment. The employee clicked on the attachment, but was directed to an infected site, which installed a keylogger that enabled the fraudster to gain access to authentication information. Armed with the company’s checking account number and a bank routing number, the fraudster was able to impersonate the company’s authorized representative and withdraw funds.
The aftermath: Because businesses get as a little as one day to report fraud to their bank, detection is critical in ACH fraud. While it only took the fraudster 30 minutes to withdraw funds, the employee didn’t realize the loss or connect the dots to a fraudulent event for several days. With the tile company liable for costs, the business suffered a severe blow to its revenue, losing nearly $150,000.
The way forward: Troubled by the lack of red flags being raised during the fraud event, the tile company investigated various solutions designed to protect it from future losses, including ACH Blocks and Filters. This service systematically blocks all incoming ACH transactions or automatically returns any transactions that are not from pre-authorized companies. In addition, the company implemented ACH Positive Pay, enabling the payables team to review all daily exceptions to their pre-authorized ACH debits and credits rules and to make a pay or return decision on them.
With $40 billion in assets, Texas Capital Bank is a trusted financial institution focused on serving businesses and entrepreneurs. In addition to offering guidance from experienced fraud personnel, Texas Capital Bank offers a wide variety of treasury solutions designed to minimize the risks of fraud and protect clients’ accounts in the case of a fraud event, including ACH positive pay, check positive pay, wire transfer email notifications and more. Member FDIC.
Contact Texas Capital Bank to learn more about payment fraud and the solutions that can protect your business.