If you have read our latest article on how artificial intelligence (AI) and machine learning (ML) can help to tackle fraud, I hope you got excited about the future and how fraud prevention could be revolutionized. You may already be considering building a new business case to implement a solution.
Maybe you don’t need to go that far ahead just yet. While AI and ML are promising, trending technologies and we expect them to develop rapidly over the coming years, maybe it’s time to get back to the basics of tackling payment fraud. Some companies may already be so far ahead that they have the power and resources to experiment with AI and ML, but the rest of us still need to wait to see what the future brings and how these technologies will disrupt finance and treasury.
Fraudsters specifically target the finance department
Your company's cash is at constant risk! It's on the news weekly, if not daily: fraudsters are increasingly targeting the finance department and team members with rights and access to the company's funds. Beyond the CFO, most finance team members can be considered to have financial authority. Therefore, they should get training on emerging social engineering tactics. Security awareness teams train us constantly to eliminate the risk, but besides training your workforce, you must also find tools that mitigate the risk of errors and incidents to keep your cash safe.
Four attack vectors that are commonly used to target finance teams
While security training is essential to build the so-called “human firewall” against attackers, people can unintentionally make mistakes. In The 2023 AFP® Payments Fraud and Control Survey, conducted by The Association for Financial Professionals and J.P. Morgan, 65% of the participants reported that their organization had been attacked.
We have identified four main attack vectors that are used against your payment department: business email compromise (BEC), account takeover fraud, fake reimbursement, and wire transfer scam. Let’s take a look at what you should watch out for:
Business Email Compromise
Business email compromise (BEC) is one of the top attack vectors used against financial professionals. According to the National Cyber Security Center, BEC can be defined as follows:
“Business email compromise (or BEC) is a form of phishing attack where a criminal attempts to trick a senior executive (or budget holder) into transferring funds, or revealing sensitive information.”
Account Takeover Fraud
Account takeover fraud occurs when fraudsters gain access to a person’s account and are able to make fraudulent transfers and payments. There are various ways fraudsters can get hold of somebody’s account, but a common one is using social engineering techniques.
Fake reimbursement
Fake reimbursement requests usually come from within the organization when someone files an expense claim they’re not eligible for.
Wire Transfer Scam
Another way finance departments can be hit is the wire transfer scam. The fraudsters pose as a trustworthy company or individual and request payment for goods or services that do not exist.
Remember to practice your work carefully
As fraudsters can get creative, it’s best to watch out for all the possible ways that could put your cash in danger!
Why do you need a payment hub to tackle fraud better?
As financial crime is increasing, it is no wonder that CIOs have been advising the implementation of a payment hub, and treasury and finance teams have been taking the advice seriously.
Nomentia HQ is located in Helsinki, Finland – where it’s been the norm to use a payment hub regardless of the size of the company. Now, we see that this trend is picking up in other regions as well. As Lauri Bergström from Nomentia said:
“During the past couple of years, the interest in payment hubs has been rapidly increasing and it’s not just for the sake of automating payments. The standardization of processes, compliance reasons, and capabilities for additional securities are equally important for our buyers.”
From a fraud prevention perspective, we have found that the standardization of the payment process, pre-defined rules to catch anomalies and errors in all outgoing payments, and screening against sanction lists make the payment hub a desirable tool for digitalizing payment operations in a secure way. Now we will go deeper into how these functionalities and add-ons of a payment hub can help you to tackle payment fraud better.
Standardization to eliminate unauthorized payments
With global operations, it’s quite normal for the payment process to vary within the organization by country or business unit. It’s also not unheard of for an organization to use multiple ERP systems, which makes the payment process even more complicated. This inconsistency leaves room for error, and fraudsters can use it to their benefit to find their way to your organization’s cash.
The first step to enhanced safety against payment fraud is to create a consistent process – and that’s possible with a payment hub. This is also an opportunity to review your payment policies that aim at enforcing controls over all outgoing payments throughout the entire organization. Creating a standardized process leaves less room for errors and it’s easier to catch something suspicious when there’s clarity on how the process works in practice across the organization.
When payments are managed via a payment hub, you can implement different approval scenarios, such as requiring multiple people to accept a payment before it can go to the bank (the so-called six-eyes principle). In addition, most payment hubs provide a full audit trail that not only helps with compliance but also means that, if an incident happens, you have the full history of your payments available for forensics. Typically, payment hubs are also hosted in the cloud, which brings additional security elements such as MFA for login or centralized user management to control who has what rights.
Anomaly detection to prevent payment fraud
There’s a myriad of data and stories on the internet about payment fraud and how badly it can affect businesses. So, while using a payment hub already improves the security of your payment processes, that still may not be enough. Depending on your organization, you may have hundreds or even thousands of outgoing payments monthly, and while certain functionalities and processes of the payment hub help, it’s difficult to catch errors or fraud attempts manually.
Looking for additional security is a new normal in payment operations – most payment hub vendors have some sort of automated anomaly detection to control the payment processes even more. Often, it’s a set of pre-defined rules to help automatically detect errors, anomalies, or even to catch accidental double payments.
Vendors can normally provide advice on which rules you should set up. However, you can also define your own criteria based on the trends you have identified. It’s good to remember to create rules for both internal and external fraud prevention.
With rules in place, the system can check all outgoing payments and notify you if there’s anything that requires your attention. At that point, you can make a decision: you can either stop the payment from going to the bank or you can approve it.
Sanction screening may be a good add-on too
Besides payment fraud and erroneous payments, your team should be careful with sanction list violations as well. A sanction list is a compilation of individuals, companies, or countries that have been restricted or penalized by governments or international bodies, for example through financial restrictions, trade embargoes, or travel bans. In our case, individuals or companies that are included on a sanction list should not receive payments from your company. Catching outgoing payments to sanctioned individuals or companies is important, as corporates can be fined for violating sanction lists. With sanction screening tools, it’s possible to check all outgoing payments against lists provided by third-party service providers, public sanction lists (e.g., from OFAC, EU, UN, etc.), or your own private black lists.
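The pre-defined rules and the sanction screening described above, as an added Python example that is not code from this article or from any payment hub product: it checks a constructed batch of outgoing payments for double payments, bank details that differ from vendor master data, too few distinct approvers, and sanction-list name hits. The rule names, the `Payment` fields, the three-approver reading of six-eyes and the exact-match name screening are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Hypothetical payment record; field names are assumptions, not a hub's schema.
Payment = namedtuple("Payment", "pid beneficiary iban amount_cents currency invoice approvers")

def _norm(name):
    # Case- and punctuation-insensitive name key; real screening tools match more loosely.
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()

def screen_batch(payments, vendor_ibans, sanction_names, required_approvers=3):
    """Return {payment id: [rule names]} for payments to hold before bank release.

    vendor_ibans maps a normalized beneficiary name to its known account strings.
    """
    listed = {_norm(n) for n in sanction_names}
    seen, holds = set(), {}
    for p in payments:
        reasons = []
        key = (p.iban, p.amount_cents, p.currency, p.invoice)
        if key in seen:                       # accidental double payment
            reasons.append("duplicate")
        seen.add(key)
        expected = vendor_ibans.get(_norm(p.beneficiary))
        if expected is None:                  # payee missing from vendor master data
            reasons.append("unknown_beneficiary")
        elif p.iban not in expected:          # bank details differ from master data
            reasons.append("iban_mismatch")
        if len(set(p.approvers)) < required_approvers:  # count distinct people only
            reasons.append("too_few_approvers")
        if _norm(p.beneficiary) in listed:
            reasons.append("sanction_hit")
        if reasons:
            holds[p.pid] = reasons
    return holds

# Constructed sample data: names, account strings and invoice numbers are made up.
OK3 = ("anna", "ben", "carl")
BATCH = [
    Payment("P1", "Acme Oy", "FI00-SAMPLE-0001", 120000, "EUR", "INV-100", OK3),
    Payment("P2", "Acme Oy", "FI00-SAMPLE-0001", 120000, "EUR", "INV-100", OK3),
    Payment("P3", "Nordic Parts AB", "SE00-SAMPLE-9999", 56000, "EUR", "INV-7", OK3),
    Payment("P4", "Blocked Trading Ltd.", "GB00-SAMPLE-0004", 9000, "EUR", "INV-9",
            ("anna", "anna", "ben")),
]
VENDORS = {"acme oy": {"FI00-SAMPLE-0001"}, "nordic parts ab": {"SE00-SAMPLE-0002"}}
SANCTIONS = ["BLOCKED TRADING LTD"]

if __name__ == "__main__":
    for pid, why in screen_batch(BATCH, VENDORS, SANCTIONS).items():
        print(pid, "HOLD:", ", ".join(why))
```

Every held payment still needs the human decision described above: stop it, or approve it for release to the bank.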
A central system gives you more control
Having a payment hub in place will give you more control over all outgoing payments. If you aim to use a payment hub to minimize the risk of financial losses, here are a couple of things you want to remember:
- A payment hub will help you to comply with your payment policies. At the same time, you will be able to standardize the payment process.
- Look for a solution that satisfies the requirements of your IT/security team.
- Focus on the implementation of the payment hub before you focus on the security add-ons.
- Plan from the beginning how you will add more payment process controls and sanction screening to avoid payment fraud.
It’s still important to remember that having security awareness training and practicing carefulness is a must for your finance team to ensure safe payment processing.