How to prevent payment fraud?

Payment Process Controls explained

Payment security should never be overlooked. Secure corporate payments are crucial to protect financial assets, maintain trust with stakeholders, and ensure compliance with regulatory standards. Put more succinctly, safe and secure payments are the backbone of business resilience and continuity.

As technology has advanced, payment fraud and payment fraud tactics have grown increasingly more sophisticated and prevalent. AI, machine deception, real-time payment systems, and even collaborative fraud networks are making methods like phishing, social engineering, and even synthetic identities more common. The defenders of payment security have their hands full. The fraudsters launch new attack vectors, forcing defenders to scramble— tweaking rules, updating models, and adding more layers of authentication just to keep up. 

Failing to do so can have dire consequences, not just reputation damage or operational disruptions, but fines and legal consequences – not to mention substantial financial losses due to fraudulent transactions. These financial losses can significantly impact the bottom line of your organization and potentially lead to reduced profits and shareholder dissatisfaction.

I had the opportunity to touch base with Jukka Estola, one of Nomentia’s Senior Product Managers, to discuss the evolving landscape of payment fraud detection and prevention and how Nomentia’s Payment Process Controls work to secure corporate payments from payment fraud.

Meet the expert

Jukka Estola, one of Nomentia’s seasoned experts with nearly 20 years of experience in developing software solutions designed to secure corporate payment processes, is the person you want to hear from.

As a Senior Product Manager, he has been instrumental in creating advanced tools to prevent payment fraud, enhance compliance, and optimize financial workflows for global organizations. His extensive experience and deep understanding of the payment technology landscape make him a trusted source of information in the field.

Payment fraud: The current landscape

Payment fraud is a deceptive and increasingly publicized act that targets a company's financial transactions. While it is often suggested that much of the payment fraud that occurs goes unnoticed or at least unpublicized, there is no shortage of headlines toting its near-epidemic prevalence. Examples, like Toyota Boshoku Corporation being defrauded $37 million through fake invoicing or Nikon losing approximately $29 million due to a Business Email Compromise (BEC) scam, underscore payment fraud's increasing prevalence and sophistication.

Using advanced, even AI- or machine learning-driven techniques to create deceptively convincing fake invoices or emails, fraudsters are making it difficult to distinguish them from legitimate ones. Scammers employing social engineering tactics or convincingly impersonating trusted contacts or high-ranking executives can manipulate employees into bypassing standard verification processes by creating a sense of urgency or authority.

Nomentia Payment Process Controls 

During our chat, Jukka explained how Nomentia’s Payment Process Controls are all about strengthening security and maintaining the integrity of outgoing payments. Drawing from his nearly two decades of experience building software solutions to secure corporate payment processes, he emphasized the comprehensive approach Nomentia takes to prevent payment fraud.

“At its core, our solution adds a critical layer of protection against payment fraud by constantly monitoring and detecting unauthorized transactions. This not only reduces the risk of financial loss but also helps companies stay compliant with internal policies and external regulations,” he explained. The system uses a blend of predefined rules, customizable settings, automated alerts, and anomaly detection to flag suspicious transactions, which he says, “significantly improves the overall efficiency of payment processes.”

Critical components of payment fraud prevention with Nomentia's Payment Process Controls

The role of blocklists in payment fraud prevention

“Blocklists are an essential tool in our payment fraud prevention arsenal,” Estola noted. “Utilizing blocklists helps to streamline payment processing by identifying proper and appropriate payees — like regular suppliers or partners- and what kind of payments can be made to what accounts. This minimizes the risk of mistakenly flagging routine payments as suspicious, which helps reduce operational friction.”

Blocklists serve as a safeguard against unauthorized or suspicious entities, which can sometimes include also internal actors. “Blocklists should be thought of as a way to catch any attempts by employees or insiders to divert funds to their own accounts,” he explained. Organizations can include specific bank accounts—such as those of employees—or even payment types in their blocklists. This allows them to flag unusual transactions, like attempts to modify accounts payable data to route funds to unauthorized accounts. “It’s an effective way to prevent internal fraud without interfering with normal salary payments.”

Payment fraud prevention through conditional payment rules

Estola explained that conditional rules are another critical component of Nomentia’s Payment Process Controls. “Conditional rules allow companies to set specific criteria that a payment must meet to proceed,” he says. For example, organizations can establish rules based on payment amounts, frequencies, or even destinations. “If a payment doesn't align with these predefined conditions, it’s flagged for further review.” This proactive measure helps to identify potentially fraudulent activities, like unusually large transactions or payments to unknown recipients.

Preventing payment fraud with time-based conditions

“Time-based conditions are particularly useful in preventing fraud that takes advantage of off-hours or low-oversight periods,” Estola pointed out. Companies can define specific times when users are allowed to log in to process payments. "When users are blocked from initiating payments outside working hours," he said, "it helps to reduce the likelihood of fraudulent activity slipping through during periods with lower oversight."

Automated detection of anomalies in outgoing payments

“We’ve built automated anomaly detection into the system to identify any transactions that deviate from the norm,” Estola explained. The solution analyzes payment patterns in real-time and flags transactions that stand out — for example, if a payment amount is significantly higher than usual or the destination country is unexpected. “This real-time detection capability allows for immediate intervention, stopping a suspicious payment before it’s even processed,” he highlighted.

Manual or automated review of payments

Nomentia’s Payment Process Controls solution provides flexibility in both automated and manual review options. "Payments that are flagged as irregular can either be halted automatically or sent to the finance team for manual review," Estola said. This combination of automation and human oversight “creates a robust mechanism for catching and stopping fraud before it causes any damage.”

Notification and alert system

“Our notification system is designed to ensure that the right people are alerted immediately when a payment is flagged as an anomaly,” said Estola. “It is all about enabling a quick response. The sooner you know about a potentially fraudulent transaction, the faster you can act to stop or investigate it.”

Compliance with internal and external policies

Estola also brought up how Nomentia’s controls also make sure that every payment complies with both internal treasury and finance policies and external regulations. By enforcing consistent adherence to these rules, the solution “reduces the risk of regulatory penalties and minimizes the chance of errors or fraudulent activities slipping through,” he said.

How to prevent payment fraud with Nomentia's Payment Process Controls

While discussing payment fraud prevention with Jukka Estola, he brought up how preventing payment fraud is not just about catching suspicious transactions after they occur but about building processes that make fraud nearly impossible from the start. “For secure payment processing, it is equally important to combat both internal and external fraud.”

Preventing internal and external payment fraud

Estola pointed out how “internal fraud is a particularly challenging issue because it involves employees or insiders who already have access to company resources. Our payment process controls aim to make this much harder by allowing organizations to set up multi-level approval processes for certain payment types or amounts. This means no single individual has the authority to execute high-risk transactions on their own, reducing the opportunity for unauthorized payments.”

When it comes to external threats, Nomentia’s Payment Process Controls offer similar protection. “Whether it’s a case of a cyber attacker trying to siphon funds or a vendor submitting duplicate invoices, our system is designed to detect these anomalies and stop them in their tracks,” Estola added.

Detecting duplicate payments

“Duplicate payments are one of the most common forms of payment errors and can sometimes be exploited for fraud,” Estola explained. “Our solution automatically compares key details like creditor account numbers, payment amounts, and currencies to identify potential duplicates.” Nomentia’s controls can go even further by checking remittance information, like invoice numbers or reference numbers. “It’s about ensuring that each payment is legitimate and only processed once.”

Frequent creditor checks

To detect suspicious activity, such as an employee making repeated payments to their own account or to a fraudulent entity, Nomentia’s system includes frequent creditor checks. “Organizations can define acceptable frequencies and conditions for payments to specific creditors,” Estola said. “If a payment falls outside these parameters, it’s flagged for further review.”

Blocking high-risk payments

“To tackle the issue of high-risk payments, we’ve allowed companies to set up specific blocklists for high-risk accounts, countries, or even payment types,” Estola explained. “If a payment matches any of these blocklist criteria, the system automatically stops it from being processed.” This feature is particularly effective in preventing funds from being sent to known fraudsters or high-risk jurisdictions.

Detecting unusual currency-country combinations

“One of the more subtle signs of payment fraud is an unusual currency-country combination,” said Estola. “For instance, a payment from a U.S. company to a German supplier in Japanese Yen should immediately raise red flags.” Nomentia’s controls are designed to catch these discrepancies. “By identifying and flagging such irregularities, we can prevent fraudulent or erroneous payments from going through,” he added.

Monitoring for new creditor accounts for attempted payment fraud

“Sometimes, when a new account is added for an existing creditor, it could be a sign of attempted fraud,” Estola warned. Nomentia’s solution monitors changes to creditor accounts, keeping track of known accounts over a set period, like the last six months, for example. “A common tactic criminals use is intercepting legitimate invoices—such as by stealing company mail—and replacing the bank account details with fraudulent ones. The invoice appears legitimate, but the payments are redirected to the fraudster’s account. It can be devilishly difficult to detect if the recipient's bank account is not the same as it was before." he explained. "If we detect an unexpected change, like payments being redirected to a new account, it's flagged for review."

Abnormal payment amount detection

Estola highlighted that another effective feature is the detection of abnormal payment amounts. “We use historical data to identify transactions that deviate significantly from the norm,” he explained. For example, if a payment is three times the average of the last ten payments, it is flagged as potentially suspicious. “This helps detect unusually large or small payments that may indicate fraud or errors.” When it comes to manual payments—just imagine someone typing in an incorrect payment amount and then going through the trouble of trying to claw that money back.

Currency discrepancy detection

“Our system also checks if the payment currency matches the debtor’s bank account currency,” Estola mentioned. “Currency discrepancies can signal mistakes or even fraudulent attempts to divert payments in unusual ways.” Beyond fraud prevention, this feature helps organizations save money by ensuring payments are made from the correct currency account. “For example, making a USD payment from a EUR account incurs unnecessary conversion fees, especially if a USD account with sufficient funds is available,” he explained. By optimizing currency usage, Nomentia’s controls help reduce costs and maintain tighter control over outgoing payments.

Preventing real-world payment fraud

Payment fraud prevention examples

Battling payment fraud in the real world can come with unexpected challenges that businesses should account for. Consider, for example, the following:

1. Payment fraud scenario: Phantom vendors & shell companies

Anna works in the finance department of a mid-sized manufacturing company. She has access to the vendor management system and realizes there is limited oversight over the creation of new vendors. To exploit this weakness, Anna created a fake vendor named "North Supply Ltd." in the company's payment system, making it appear as a legitimate supplier of raw materials. She then generates several fake invoices for non-existent goods. Over the next few months, Anna processes these invoices, and payments are made to an account she controls under the name "North Supply Ltd."

How Nomentia's Payment Process Controls stop this payment fraud:

• Anomaly detection rules: Nomentia’s controls can detect unusual patterns in payment amounts, frequencies, or destination accounts. A vendor that suddenly receives multiple payments without any previous history or approval triggers an alert.
• New creditor account detection: The system checks for changes in creditor information, such as a new bank account associated with an existing vendor. Since "North Supply Ltd." is newly created, it would trigger a review.
• 4-eyes principle for vendor creation: When Anna attempts to create a new vendor, Nomentia enforces the 4-eyes principle. A senior manager receives a notification and must review and approve the new vendor request, adding a layer of approval that Anna cannot bypass.

2. Payment fraud scenario: Duplicate invoices

Henry, a supplier relationship manager, notices that his company’s accounting department is swamped with hundreds of invoices each month. He decides to exploit this by submitting the same invoice twice, several months apart, knowing that with such a high volume, the accounts payable team might overlook the duplication. The duplicate payment goes through, and James pockets the extra funds.

How Nomentia's Payment Process Controls stop this payment fraud:

• Duplicate detection rule: Nomentia’s controls are set to automatically detect any duplicate invoices by comparing key details such as the creditor account, invoice number, payment amount, and payment currency. When James submits the same invoice for the second time, the system flags it as a duplicate.
• Notification and alert system: Upon detecting a potential duplicate, Nomentia immediately sends an alert to the finance team, which can review and confirm whether the payment is legitimate or fraudulent.

3. Payment fraud scenario: Intentional overpayment

Sophia, a member of the procurement team, colludes with a vendor to overpay an invoice by €15,000. After the payment is processed, Sophia contacts the vendor to request a refund of the excess amount but provides her personal bank account details for the refund instead of the company's account details. The vendor, believing this to be a legitimate correction, refunds the overpaid amount to Sophia.

How Nomentia's Payment Process Controls stop this payment fraud:

• Abnormal payment amount detection: Nomentia’s system compares the payment amount against historical data and identifies that the €15,000 payment exceeds the average invoice value for this vendor. This anomaly triggers an alert.
• Manual review requirement: The flagged payment is held for manual review, where finance personnel must verify the details and approve or reject the payment. This process prevents the overpayment from going through unnoticed.
• 4-eyes principle for payment adjustments: When Sophia tries to adjust the payment details for a refund, the system enforces dual approval. A second person must review and approve the adjustment, preventing her from redirecting funds to her account.

4. Payment fraud scenario: Reactivating dormant vendors

Michel, who works in accounts payable, discovers that several vendor accounts in the system have been dormant for years. He decides to reactivate one of these vendors, "Greenfield Solutions," and updates the payment details to an account he controls. Michel then processes several payments to the reactivated vendor under the guise of settling old debts.

How Nomentia's Payment Process Controls stop this payment fraud:

• New creditor account detection: Even if the dormant vendor is reactivated, the system checks for changes in bank account details. Since Michel has updated the payment information to a new account, this change is flagged for investigation.
• Conditional rules for reactivations: In Nomentia, reactivating a previously deactivated vendor requires dual approval under the 4-eyes principle. Any changes to the creditor must be reviewed and approved by a second person to ensure oversight. If done in the ERP system, the new creditor rule will still detect and flag this case.

5. Payment fraud scenario: Payment to the wrong account

Laura, a junior accountant, receives an email from what appears to be a trusted vendor requesting payment to a new bank account. Unaware that the email is from a fraudster, Laura updates the payment details in the system and processes the payment. The funds are diverted to the fraudster's account instead of the legitimate vendor's account.

How Nomentia's Payment Process Controls stop this payment fraud:

• Creditor account change detection: Nomentia’s controls flag the change in the vendor’s bank account details. Any update to creditor information triggers a mandatory review process.
• Anomaly detection rules: The system identifies that the new bank account does not match the usual country or currency combination for that vendor, triggering an alert for further review.

6. Payment fraud scenario: Fake change of bank details

A fraudster impersonates a senior executive of a regular supplier and sends a fake email to the company’s accounts payable team, requesting an update to their bank account details. The accounts payable clerk, believing the request to be legitimate, updates the bank details in the system and schedules the next payment. The funds are sent to the fraudster's account.

How Nomentia's Payment Process Controls stop this payment fraud:

• Verification of creditor registry changes: Nomentia’s controls require verification for any changes to supplier bank details. Changes in the creditor registry require special rights and are subject to the 4-eyes principle, ensuring that modifications are reviewed and approved by two authorized individuals before they are finalized. The system automatically flags these changes for review.
• Notification alerts: When the change is made, Nomentia’s alert system notifies the finance team of a high-risk change, prompting a manual review.
• 4-eyes principle requirement: Before the change is finalized, Nomentia requires the accounts payable clerk to initiate the change, which must then be reviewed and approved by a senior manager under the 4-eyes principle. This ensures multiple checks are in place to verify the request's legitimacy.

7.    Payment fraud scenario: Accelerating Payments

Tom, an internal employee, realizes his fraudulent payment scheme is on the verge of being discovered. To quickly move the funds before the fraud is detected, he attempts to push through several urgent payment requests outside office hours, claiming they are critical to business operations. He attempts to bypass routine approval procedures to expedite the payment processing.

How Nomentia's Payment Process Controls stop this payment fraud:

• Time-based conditions: Nomentia’s controls enforce working hours restrictions, preventing Tom from accessing the system outside office hours. Tom’s not able to sign in to the system to complete his fraud attempt when fewer people are watching.
• Anomaly detection for payment speed: The system monitors the frequency and urgency of payments. If a sudden increase in high-priority payments is detected, it triggers an alert for a review by a senior manager.
• Anomaly detection for multiple payments to the same creditor: The system flags a sudden increase in payment frequency and triggers an alert for a review by another employee or manager, preventing the fraud from succeeding.

Combating payment fraud with Nomentia

By deploying Nomentia’s Payment Process Controls in combination with MFA in approval, which prevents fraudsters from abusing user credentials, organizations can prevent a wide range of payment fraud schemes. The solution integrates automated anomaly detection, conditional rules, alerts, and MFA to ensure all payments are rigorously monitored and reviewed. This multi-layered defense strategy provides robust protection against both internal and external fraud attempts, safeguarding the organization's financial assets and reputation.

Best practices for payment fraud prevention

As organizations grapple with the growing sophistication of payment fraud schemes, preventing fraud has become a critical priority for finance teams worldwide. In addition to highlighting tactics to prevent payment fraud, my talk with Jukka Estola offered expert insights into the best practices for securing payments and highlighted how Nomentia's Payment Process Controls can support these efforts. 

Expert perspective on payment fraud prevention rules

1. Duplicate payment check: "Duplicate payments are more common than people think, and they can result from either error or deliberate fraud.” Nomentia’s Payment Process Controls address this issue by comparing transaction details such as creditor accounts, amounts, and currencies to automatically identify and prevent duplicate payments. This reduces both financial loss and operational inefficiencies, ensuring every transaction is unique and verified.
2. Fake invoicing detection: Identifying fake invoices can be a daunting challenge, especially when fraudsters employ increasingly sophisticated techniques. “The key is to look for patterns that seem out of place,” Estola advised. Nomentia’s payment controls scrutinize remittance information, invoice details, and transaction history to detect anomalies, allowing only legitimate invoices to be approved. This reduces the risk of fraudulent invoices going undetected and helps maintain a healthy payment ecosystem.
3. Multi-factor authentication (MFA): “MFA is one of the simplest yet most effective security measures.” While not a direct payment control, MFA serves as a robust barrier against unauthorized access to payment systems. By requiring multiple forms of verification before approving transactions, it prevents fraudsters from easily breaching systems and adds an extra layer of security to the payment process.

Best practices for implementing payment process controls

To effectively prevent payment fraud, organizations must look beyond individual rules and adopt a comprehensive approach to payment security. This starts with a thorough review of the organization’s entire payment operations, from start to finish.

1. Start with a holistic review of payment operations: Before implementing any controls, organizations should map out their entire payment process to identify potential vulnerabilities. “Understanding the flow of payments within your organization is critical,” said Estola. This includes identifying all stakeholders, payment types, and points where fraud could occur. Conducting a detailed review helps in developing tailored controls that address specific risks within the organization.
2. Balance global payment centralization with local independence: “A centralized payment system enhances security but must be balanced with the need for local independence to comply with regional regulations." Nomentia's solution allows organizations to centralize their payment controls while supporting local entities in adhering to global and local regulations. For example, companies can implement a unified policy framework across all locations while still allowing flexibility to address local nuances and regulatory requirements.
3. Regularly update your blocklists: One of the most effective ways to prevent fraud is by maintaining up-to-date blocklists of risky or unauthorized entities. “Regular updates to these lists are essential," Estola said. Nomentia’s solution simplifies this process by allowing organizations to automate updates based on recent transactions and trends. This proactive approach minimizes the risk of sending payments to where they’re not supposed to go.
4. Frequent policy reviews and audits: “Policies must evolve with the threat landscape,” emphasized Estola. Regular policy reviews and audits help ensure that payment controls remain effective. Nomentia’s Payment Process Controls support this by offering detailed reporting through the Standard Validation & Process Controls Report. This journal collects data that organizations should monitor closely. It can reveal issues that may require manual adjustments or highlight problems in source systems that need fixing to avoid recurring issues in Nomentia.
5. Employee training and awareness: "Technology alone is not enough; employee awareness is critical," Estola added. Regular training sessions can help employees recognize potential fraud attempts.

Actionable steps to strengthen payment security

For companies looking to bolster their payment security, a multi-pronged approach is recommended:

• Conduct comprehensive risk assessments: Regularly assess the organization's payment process to identify new vulnerabilities and ensure all existing controls are working as intended.
• Update whitelists and blocklists regularly: Keep trusted and blocked entities up to date to reflect the current business environment and emerging threats.
• Implement multi-factor authentication (MFA): Utilize MFA wherever possible to add an extra layer of protection against unauthorized access.
• Schedule routine policy reviews: Establish a regular schedule for reviewing and updating payment policies, ensuring they align with both internal goals and external regulations.
• Ongoing employee training: Develop ongoing training programs to ensure that all employees understand the importance of payment security and are familiar with the latest threats and prevention techniques.

How Nomentia supports best practices for payment fraud prevention

Nomentia’s Payment Process Controls are designed to seamlessly integrate these best practices into an organization’s payment operations. “Our solution is built to be flexible, adaptive, and aligned with your specific needs,” said Estola. By combining automated checks with customizable rules, real-time alerts, and comprehensive reporting, Nomentia enables businesses to stay ahead of potential fraud risks.

As Estola put it: “We provide the tools, but it’s up to organizations to use them wisely.” With a sturdy foundation of best practices and the right technology in place, businesses can build a secure, efficient, and fraud-resistant payment process.

Learn more about payment fraud detection and prevention:

• Can a payment hub help you tackle fraud?
• Webinar: Controlling Your Payment Processes
• Ebook: Are your cashflows safe from fraud?
• Three main pillars to consider to tackle payment fraud