Payments executives may abhor fraudsters, but they have to admit the scamsters and hackers are a determined lot. The percentage of organizations sustaining actual or attempted payments fraud increased in 2017 for the fourth straight year, reaching a record high 78%, according to the latest “Payments Fraud And Control Survey” from the Association for Financial Professionals Inc.
This 14th annual survey, which the AFP fielded in January and which drew responses from 682 financial executives at companies of various sizes, pulls no punches in laying out the challenge for the payments industry. “Payments fraud activity continues to increase, and there are no signs of it abating any time soon,” warns the report’s opening paragraph.
Last year’s big increase over 2016, when the survey found 74% of respondents had experienced actual or attempted fraud, comes as companies struggle with an epidemic of so-called business email fraud while also contending with ongoing challenges in checks and cards. “It is concerning that [fraud] is climbing like this. You would hope to see fraud go down, but it goes up,” Magnus Carlsson, manager for treasury and payments at the Bethesda, Md.-based AFP, tells Digital Transactions News. “Fraudsters are one step ahead.”
With business email fraud, criminals dress up email messages to make them look like genuine communications from a responsible finance or treasury official. They send these messages to executives who have authority to release funds, instructing them to wire money to a particular account.
The tactic has helped turn wire fraud into a raging problem after years as an afterthought. Some 48% of respondents that had experienced fraud last year said they had sustained actual or attempted wire fraud, up from just 3% in 2009.
The problem, says Carlsson, is the plethora of information about themselves people expose on the Web, including social-media sites. With this data, “you can really build a profile on your target,” he says. Samples of genuine emails help, too. “How do they typically look? [Fraudsters] will pick up on that to make their attacks look authentic,” he adds.
Wires aren’t the only channel used by these criminals. According to the report, 34% of organizations reported checks had been used in business email compromises, while 15% cited cards. Overall, 77% of respondents experiencing attempted or actual fraud were victims of business email compromise last year, up from 74% in 2016 and 64% in 2015, according to the survey.
There is no easy solution. “You can’t really control what people do on social media,” laments Carlsson. The only option, he says, is to tighten controls on who can disburse funds, when, and how. But more stringent controls may be having an effect, says the survey report, as reflected in the fact that the incidence rate slowed down in 2017.
An emerging area of concern, according to the survey results, is same-day automated clearing house activity. ACH credits cleared and settled the same day, rather than the next business day, were introduced in September 2016, followed by same-day debits a year later. But faster processing requires faster fraud detection, something the AFP study indicates is slow in coming.
“A majority of organizations (54 percent) are not actively taking steps to prepare and mitigate additional risks that might arise,” the study notes. “In addition, 29 percent of respondents report their organizations have no plans to make any revisions to prevent additional risks, and another one-fourth indicates they have not received any advice from their banks.”
One type of fraud on the decline is actual and attempted compromise of commercial cards. This was reported by 30% of responding organizations that had sustained an actual or attempted fraud attack, the lowest level since 2012 (29%) and down from 39% in 2015 and 32% in 2016.
At the same time, actual financial loss from any type of fraud has been muted. According to the survey results, 54% of responding organizations that experienced an attack last year sustained no loss at all. Still, this result comes with a warning from the report: “While financial loss due to payments fraud may not be large, the risk of reputational damage could be far more significant.”
Or, as Carlsson warns, “You can’t be complacent about payments fraud.”