With BEC scams, wire payments aren't the problem
The original article is on PYMNTS.com.
While troubling times can showcase humanity’s resiliency, they can also bring out the worst in people.
Case in point: Federal watchdogs continue to sound alarms over fraudsters taking advantage of coronavirus-fueled market volatility and consumer uncertainty, with the Federal Trade Commission (FTC) going so far as to create a tongue-in-cheek “FTC Scam Bingo” card to demonstrate the breadth of scams popping up on the market today.
B2B payments fraud isn’t immune to the trend, either. While scams like Business Email Compromise (BEC) continue to climb to the top of regulators’ lists of concerns, there is a chance that the pandemic could exacerbate this threat for corporates and government entities alike — and remain long after volatility eases.
Authoriti CEO Michael Cutlip spoke with PYMNTS about the biggest points of risk exposure within accounts payable (AP) departments before, during and after a period of immense economic pressure.
Why Payments Aren’t the Problem
Certain payment methods, including paper checks and wire, are particularly prone to fraud, but in B2B payments scams like BEC, Cutlip said it’s not necessarily the act of the payment itself that is exposing an entity to this risk. Rather, the mistakes are made before a transaction is initiated.
“Whether a check is written or a wire is sent isn’t putting a company or government entity at risk any more or less,” he said. “The risk is in how the invoice is being received.”
Suppliers that send paper invoices or PDF bills via email are exposing their customers to the threat of invoice manipulation or other nefarious activities, with mail and email presenting insecure channels easily compromised by fraudsters. In the BEC scam, for instance, a bad actor can infiltrate a company email server to view invoices sent from a vendor, generate a similar email address, and trick an AP department into accepting changes to the payment directions on that invoice so that funds are sent into a bogus account.
Just as dangerous to businesses and government entities is a lackluster onboarding process when working with new vendors, a process that can be particularly compromised during market volatility fueled by the coronavirus pandemic.
For government entities and businesses in certain markets like the healthcare services sector, procurement activity is facing unprecedented pressure to obtain goods and services as quickly as possible, often from unfamiliar suppliers as the usual business partners see their supply chains disrupted or stock depleted.
“A new vendor coming in that might be onboarded quickly is where a criminal element could possibly step in and impersonate that new vendor,” said Cutlip, who acknowledged that while there is no specific data on whether this risk has manifested in heightened supplier fraud schemes, there certainly seems to be a “heightened potential” for this scam.
He noted that organizations’ work-from-home strategies could also place some firms at greater risk of B2B payments and supplier frauds like BEC, with treasurers and AP professionals no longer in the same physical area as their CEOs and chief financial officers to confirm that any payment instructions were actually initiated by the appropriate executive.
And while some organizations have seen procurement volumes plummet, Cutlip warned that it’s likely BEC and other frauds will come roaring back for these entities after coronavirus volatility calms and corporate purchasing returns to normal.
“If you get something that says, ‘We changed our beneficiary bank,’ or, ‘Wire instructions have changed because of coronavirus,’ be very [wary] because that’s a perfect example of what criminals are trying to do to use this disruption,” Cutlip said.
Spotting the Red Flags
With the pre-payment process exposing the greatest security lapses in AP departments, Cutlip is advising government entities and businesses across sectors not to shortcut vendor onboarding processes.
While a request to change payment instructions can be a red flag that something may be amiss, Cutlip also advised that organizations should proactively deploy more sophisticated security measures. Multi-factor authentication tools are key, and with innovation in this space, organizations can adopt an even less disruptive way to verify payments are going where they need to go.
For Authoriti, that means deploying one-time PINs that enable payers to verify payment instructions with their financial institutions. In the B2B payments context, a supplier can put a PIN on an invoice, enabling AP departments to quickly verify the accuracy of that PIN to initiate payment, a process that can occur on all transactions to prevent fraud before any red flags appear.
While payments innovators are exploring how rails can more adequately identify and mitigate fraud of all types, the threat will persist whether an organization is using a paper check or a real-time payment rail to move funds. Rarely can that money be recovered, if at all. As such, Cutlip said the front-end AP processes are key to mitigating risk.