The other morning, I received an email on my personal Gmail account from a person claiming to be the CEO, using the CEO's actual real name but a strange-looking URL email address. The sender asked me to do a "small favor" because he was busy at the office, without specifying further what this favor was about. Luckily, I have seen enough scam attempts to know that this email was probably a scam. I shared it with our IT department to double-check if I was dreaming or not. Well, I was not, and it turned out to be a scam. It was scary to think that the recipient's name on this scam email was the (correctly spelled) name of the CEO. This example shows how sophisticated scams and fraud attempts are becoming.
What is fraud in B2B payments?
In this context, we are referring to payments from the business-to-business (B2B) perspective, including salaries, payments to subsidiaries, taxes, other external companies, etc. Especially in big organizations, before the payment funds end up in the receiving party's bank account, they pass through the organization's finance department, which approves them, usually applying at least a four-eyes principle and often involving even more parties before the payments are sent to the bank.
Fraud in B2B payments occurs when payment funds end up in a third party's account owing to unintentional or malevolent activities. The fraudulent activity is normally either recurring or a one-off action.
No business, whether large or small, is immune to fraud. Therefore, it is imperative to stay vigilant and proactive to spot fraud in a timely manner.
Not all fraud comes from malevolent employees, scammers, or an overzealous hacker in a basement. Fraud may also result from erroneous setups such as duplicate payments or other human error.
What are the different types of payment fraud out there?
There are many types of payment fraud out there, and you must be aware of them in order to find ways to prevent them. Think of putting the necessary controls in place to prevent fraud as taking the annual flu shot: you may not get the flu, but it's better to try to prevent it. The same goes for fraud: you may not be a target this year, but you should do your best to prevent it.
Phishing in the workplace can take the form of emails or websites that persuade employees to give away sensitive information such as social security numbers, login details such as passwords, credit card numbers, bank account information, etc. In phishing attempts, the perpetrator may use threats or create a sense of urgency; telltale signs include suspicious attachments, an unprofessional design, and URLs or sender addresses that do not correspond to the company's real domain. Usually, phishing emails do not include the victim's name unless they are highly personalized.
Spear phishing is a sub-type of phishing attack where criminals typically target C-level individuals. CFOs are often a target of spear phishing, but it could also be someone else in the organization who has the rights to execute payments. This type of phishing attack can be so complex and well-crafted that it can be extremely difficult to spot. Unsurprisingly, finance professionals often fall victim and send payments to attackers.
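The indicators described above (a known executive's display name paired with an address outside the company domain, a Reply-To that silently redirects replies, urgency or "favor" language, and risky attachment types) can be checked mechanically on incoming mail. The following Python is an added example, not code from the original post or from Nomentia; the company domain, the executive names, the phrase lists and the two sample messages are constructed assumptions, and a real deployment would feed it from the mail gateway and tune the lists to the organization.

```python
"""Flag display-name impersonation and other phishing indicators in e-mail headers.

Added illustrative example. The domain, names, phrase lists and sample messages
below are constructed for this example and are not taken from any real incident.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"      # assumption: the organization's real mail domain
EXECUTIVES = {"Jane Doe", "John Roe"}     # assumption: names an impersonator is likely to use
URGENCY_PHRASES = ("small favor", "urgent", "asap", "right away", "wire", "gift card")
RISKY_ATTACHMENTS = (".exe", ".js", ".vbs", ".scr", ".iso", ".html")


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a message (or the whole body if not multipart)."""
    if msg.is_multipart():
        return " ".join(
            part.get_payload(decode=True).decode(errors="replace")
            for part in msg.walk()
            if part.get_content_type() == "text/plain"
        )
    return msg.get_payload()


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable indicators found in the message; an empty list means none."""
    msg = message_from_string(raw_message)
    indicators = []
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()

    # Executive's name in the display name, but the address is not on the corporate domain.
    if display_name.strip() in EXECUTIVES and domain != COMPANY_DOMAIN:
        indicators.append(f"display name '{display_name}' used with external address {address}")

    # Reply-To that differs from From: replies would go somewhere the recipient did not see.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address.lower():
        indicators.append(f"Reply-To {reply_to} differs from From {address}")

    # Urgency or "favor" language in the subject or body.
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = [phrase for phrase in URGENCY_PHRASES if phrase in text]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))

    # Attachment types that should not arrive by mail in the first place.
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_ATTACHMENTS):
            indicators.append(f"risky attachment {name}")
    return indicators


# Constructed sample messages: one modelled on the "small favor" pattern, one benign.
SAMPLE_SCAM = """\
From: Jane Doe <jane.doe.ceo@free-webmail.example>
Reply-To: ceo-office@other-mail.example
To: employee@example-corp.com
Subject: Quick small favor

Are you at your desk? I am busy at the office and need a small favor, please reply asap.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: employee@example-corp.com
Subject: Board deck review

Please have a look at the attached agenda before Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

The first indicator is the one from the anecdote at the top of this post: the display name alone is worthless as proof of identity, so the check compares it against the sending domain rather than trusting it. Such heuristics are a triage aid for the IT department, not a substitute for staff reporting suspicious mail.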
Kickback is a type of bribery whereby a third-party such as a competitor is illegally collaborating with your organization’s employee to obtain info or (worse) funds from your organization.
Identity theft in your business may take the form of a cyber lawbreaker stealing an employee's personal information and using it to penetrate your systems, gaining access to confidential documents, your accounting software, or sensitive billing info, social security numbers, addresses, etc. Hackers can break into outdated firewalls or hijack login details via public Wi-Fi, enabling them to approve questionable payments and charges or even exceed credit limits.
Fake reimbursement is a false expense claim that originates from within the organization, usually from an employee who files a fabricated expense claim to receive a reimbursement that they are not entitled to.
Malware, as the name suggests, is a form of malicious software including viruses, spyware, adware, browser hijacking software, fake security software, and other forms. Malware is often hard to detect as it may look like an everyday file or be embedded in a regular file. A sign that you are witnessing malware is when the software suddenly demands information updates or when you receive sudden intrusive alerts of your system being full of viruses, offering to scan systems.
Duplicate payments are usually overlooked as a form of fraud. They may be unintentional, but large sums in duplicate payments can cost your business thousands. Especially in large organizations, multiple undetected duplicate payments may be sent out without anyone noticing.
There are multiple ways for a fraudster to gain information online without authorization or illegally. Fraudsters can email you, call you, text you or use more sophisticated means such as rerouting traffic to malicious websites or even texting malware to smartphones. Even though you cannot be 100% fraud-proof, there are many ways you can maximize your protection against all types of fraud. Don’t forget, financial fraud is big business, and criminals can spend weeks planning and executing successful attacks as the gains can be significant.
If you are enjoying the topic so far, have a look at our recent blog post "A 750,000 euro financial scam that could happen even to you".
4 best practices to protect your business against payments fraud
With all these types of fraud in mind, what can you do? It is imperative to not only train your staff and establish anti-fraud processes but also reinforce your cyber defenses. Transparency in the processes and communication among personnel are key here.
In the fast-paced digital age, with the development of new technologies, the types of fraud rapidly grow and the spectrum of potential damage to your business as a result of fraud expands. Therefore, you need to improve your anti-fraud countermeasures regularly. Be vigilant!
Staff Training & Processes
Fraud prevention should be viewed as a company-wide effort not solely a responsibility of the IT department. Fraud prevention starts with increasing staff awareness of the types of fraud and threats that exist. The staff should be aware of the different types of fraud and learn how to spot them. They should also make sure to share the potential threats with the IT department. In this manner, the business’s IT department can gather intelligence and better safeguard the business against similar types of threats.
For example, during our company-wide monthly town hall meetings, our Head of IT always goes through the new types of cyber threats that are out there.
Staff should be obliged to change their login credentials such as their passwords at regular intervals. Staff should also make sure to update the operating systems on their mobile devices, as these updates usually contain security fixes. All software used in the company should be up to date. In addition, access control – e.g., strict rules about who are system admins and who are ordinary users – should be in place, not just to avoid fraud but also for compliance reasons.
To increase transparency and reduce the probability of fraud, it is advisable to segregate the duties between the initiators of payments and the approvers of the transactions. If the same staff member is both an initiator and an approver of payments, there is room for fraudulent payments. Luckily, as we will see below, there is software that helps you divide your staff into user groups with specific duties when it comes to approving payments.
A reliable way to establish anti-fraudulent measures is to set up a payment hub through software that also has payment process control capabilities.
In this context, Payments Process Controls are defined by setting up measures for preventing payment anomalies with smart rules in the software, enforcing processes in treasury and finance, and preserving payment data quality with validation checks and algorithms.
A payment hub with payment process controls can prevent duplicate payments by setting up rules that identify and block erroneous payments, which are then sent for review. The process of catching anomalies can be automated thanks to the smart rules in the system. Apart from spotting double payments, payment process controls require multi-factor authentication (MFA) such as a token and password, an automated text message for approving payments, a password or PIN to verify significant transactions, and a four-eyes principle for approving the payments that go to the bank.
Setting up sanctions screening such as whitelists and blacklists is another way to safeguard your organization from fraudulent payments. Blacklists are lists of contacts to whom it is forbidden to transact payments due to internal or external sanctions. Whitelists are composed of a list of trusted beneficiaries. Sanctions screening automatically prevents payments from reaching sanctioned beneficiaries such as beneficiaries located on territories that are blacklisted by the US and the European Union for example. Luckily, most modern payment hub solutions have sanctions screening capabilities in place.
On a regular basis, the treasury department should establish frequent reviews of payment limits per user and divide and restrict physical and logical access rights to approving payments. Internal audit's role is to analyze how the controls failed to spot the fraud and identify the ways for improvement. The internal audit serves to predict further errors and fraud across the organization and evaluate the trends and patterns that suggest fraud or errors. When the internal audit team is not capable of identifying the root issue, your business should recruit external parties with relevant experience. A payment hub can enable internal and external auditors to closely check past entries, archives, and error logs to identify fraudulent patterns and actions.
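The controls discussed in the preceding paragraphs (segregation of duties between initiator and approver, a four-eyes rule, per-user approval limits, duplicate-payment rules, and blacklist/whitelist sanctions screening) are all rules over the same payment record, so they can be evaluated together before a payment is released to the bank. The following Python is an added example, not Nomentia's code or a description of its product; the user limits, the placeholder country codes, the whitelisted IBANs (commonly used example IBANs), the seven-day duplicate window and the sample payments are all constructed assumptions.

```python
"""Rule-based payment process controls evaluated before a payment is released.

Added illustrative example: segregation of duties, per-user limits, duplicate
detection and sanctions screening. All limits, lists, country codes and payments
below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

APPROVAL_LIMITS = {"alice": 50_000, "bob": 250_000, "carol": 1_000_000}  # assumed per-user limits (EUR)
BLOCKED_COUNTRIES = {"XX", "YY"}                 # placeholder codes standing in for sanctioned territories
TRUSTED_BENEFICIARIES = {"DE89370400440532013000"}  # assumed whitelist of vetted beneficiary IBANs
DUPLICATE_WINDOW = timedelta(days=7)            # assumed window for the duplicate-payment rule


@dataclass(frozen=True)
class Payment:
    payment_id: str
    initiator: str
    approvers: tuple           # user ids that approved the payment
    beneficiary_iban: str
    beneficiary_country: str
    amount: int                # whole currency units, kept integral to avoid float rounding
    currency: str
    reference: str
    value_date: date


def evaluate(payment: Payment, released: list) -> tuple:
    """Return ("release" | "review" | "block", reasons). A block reason always wins over review."""
    block, review = [], []

    # Segregation of duties / four-eyes: at least one approver who is not the initiator.
    independent = [a for a in payment.approvers if a != payment.initiator]
    if not independent:
        block.append("no approver independent of the initiator")

    # Per-user limits: every independent approver must be entitled to approve this amount.
    for approver in independent:
        limit = APPROVAL_LIMITS.get(approver, 0)
        if limit < payment.amount:
            block.append(f"approver {approver} exceeds limit {limit}")

    # Sanctions screening: blacklisted territory blocks; an unknown beneficiary goes to review.
    if payment.beneficiary_country in BLOCKED_COUNTRIES:
        block.append(f"beneficiary country {payment.beneficiary_country} is blacklisted")
    elif payment.beneficiary_iban not in TRUSTED_BENEFICIARIES:
        review.append("beneficiary not on whitelist")

    # Duplicate detection: same beneficiary, amount, currency and normalized reference
    # as a payment already released within the window.
    for prior in released:
        same = (prior.beneficiary_iban == payment.beneficiary_iban
                and prior.amount == payment.amount
                and prior.currency == payment.currency
                and prior.reference.strip().lower() == payment.reference.strip().lower())
        if same and abs(prior.value_date - payment.value_date) <= DUPLICATE_WINDOW:
            review.append(f"possible duplicate of {prior.payment_id}")

    if block:
        return "block", block
    if review:
        return "review", review
    return "release", []


# Constructed history of already released payments.
RELEASED = [
    Payment("P-1001", "alice", ("bob",), "DE89370400440532013000", "DE",
            12_500, "EUR", "INV-2291", date(2023, 3, 1)),
]


def demo() -> dict:
    """Run five constructed payments through the controls and return the decisions by id."""
    candidates = (
        Payment("P-1002", "alice", ("bob",), "DE89370400440532013000", "DE",
                9_000, "EUR", "INV-2305", date(2023, 3, 3)),            # clean
        Payment("P-1003", "alice", ("bob",), "DE89370400440532013000", "DE",
                12_500, "EUR", "inv-2291 ", date(2023, 3, 4)),          # re-keyed duplicate
        Payment("P-1004", "bob", ("bob",), "FR7630006000011234567890189", "FR",
                3_000, "EUR", "INV-7", date(2023, 3, 4)),               # self-approved
        Payment("P-1005", "alice", ("carol",), "XX00PLACEHOLDER", "XX",
                1_000, "EUR", "INV-8", date(2023, 3, 4)),               # sanctioned territory
        Payment("P-1006", "bob", ("alice",), "DE89370400440532013000", "DE",
                60_000, "EUR", "INV-9", date(2023, 3, 5)),              # approver over limit
    )
    return {p.payment_id: evaluate(p, RELEASED) for p in candidates}


if __name__ == "__main__":
    for payment_id, decision in demo().items():
        print(payment_id, decision)
```

Two design choices are worth noting. The duplicate rule normalizes the reference (trimmed, case-folded), because a re-keyed invoice rarely matches byte for byte; and a duplicate or unknown beneficiary is routed to review rather than silently blocked, so a genuine second payment can still be released after a human looks at it, while sanctions and segregation-of-duties failures are hard blocks that no single user can override.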
How solutions can help you protect your business against payments fraud
With over a trillion euros worth of yearly processed payments, Nomentia is a reliable software that safeguards your business from internal and external fraudulent activities. If you wish to find out more about Nomentia Payment Process Controls, have a look here.
It is important to set proper processes in place to better manage fraud at every stage of the customer journey, from the back end to customer-facing systems. Unfortunately, there are no one-size-fits-all solutions, and businesses should utilize more than one to stay on top of fraud prevention.