Digital Transactions Authoritative, insightful and timely information for payments professionals
Nearly three-fourths of corporate treasury and finance executives say their organizations were hit by actual or attempted payment fraud in 2016, with check, automated clearing house debit, and email fraud attempts all rising, according to the Association for Financial Professionals’ ninth annual payments fraud survey.
Some 74% of respondents said their organizations were victims of business email compromises in 2016, up 10 percentage points from 2015. In all, 74% of survey respondents said their organizations were hit by attempted or actual payments fraud, up from 73% in 2015 and 62% in 2014.
The Bethesda, Md.-based AFP obtained 547 responses from financial executives in a wide range of private-sector industries as well as banks, non-profits, and government for its latest survey. JPMorgan Chase & Co. underwrote the study.
Fifty-five percent of respondents said fraud remained about the same last year as in 2015, while 36% said it increased and 9% said it declined. Some 75% of organizations reporting that they were exposed to at least one payment-fraud attempt last year said they suffered no direct financial losses. Thirteen percent reported losses of up to $24,999, while only 1% said they sustained losses of more than $2 million.
Fraudsters still like checks, despite generally declining use of checks by consumers. Some 75% of organizations hit by payment fraud last year experienced check fraud, up from 71% in 2015, representing a reversal of the decline in check fraud that began in 2010.
The survey didn’t ask why check fraud rose, but part of the reason could be a reduction in risk vetting, according to Magnus Carlsson, the AFP’s manager for treasury and payments. Fewer companies are using positive-pay services and doing daily check reconciliations, he says. Positive pay is a credentials-matching service in which a company sends check information to its bank before the checks actually clear.
“The use of this service is going down,” says Carlsson. He believes that in the face of a long-term decline in check volumes, some companies have concluded that “we don’t need to pay for this extra service. You look at ways to cut costs.”
After exploding for four years, wire-transfer fraud slipped in 2016, with 46% of companies that experienced actual or attempted payments fraud reporting it, down from 48% in 2015. In 2011, only 5% of organizations cited wire-transfer fraud.
Thirty percent of respondents cited ACH debit fraud in 2016, up from 25% in 2015. Corporate credit card attempted or actual fraud fell from 39% to 32% in 2016, while attempted or actual fraud through ACH credit transactions held steady at 11%.
Like check fraud, ACH debit fraud may be rising because of less risk control. In 2016, 60% of organizations that experienced at least one ACH fraud attempt reported reconciling accounts daily to identify and return unauthorized ACH debits, down from 69% in 2015. While noting again that the survey didn’t go into the ‘whys’ of risk control, Carlsson says some companies may be continuing the expense-reduction measures they instituted in the recession that began nearly a decade ago.
“I guess we’re not completely out of the woods here,” he says. “Are companies still feeling the pinch? I don’t have a good answer, unfortunately.”
The AFP’s findings about higher email fraud run parallel to the increase in phishing fraud reported a month ago by The Anti-Phishing Working Group. Carlsson says fraudsters attempting to get payments credentials from companies are sending more targeted and less suspicious-looking emails to finance employees, emails that request payments to accounts they control. “The sophistication that’s used to gather this [payment] information is getting better and better,” he says.
In other findings, the AFP says 63% of payments-fraud attempts were made by people outside of the target organization. The survey also found that more than 70% of financial professionals are reluctant to adopt mobile payments at their organizations because of security concerns.
