A Bite-sized Analysis of the Payment Security Microcosm

The 2010s were all about disruption—the 2020s promise to zero in on payment security.

Last year, the Association for Financial Professionals published its 2019 AFP Payment Fraud and Control Survey. The comprehensive report was filled with enormous amounts of information on the variety of fraudulent activities that businesses are seeing these days. One image that stuck with me, however, was the reporting of payment fraud over time by payment type.

[Figure: payment fraud over time by type. Image from 2019 AFP “Payments Fraud and Control Survey Report”—Comprehensive Report]

As a financial technology (fintech) company, we scrutinize our most important data in terms of payment type, and this graph reinforces what we have said all along: ePayments reign supreme when it comes to security and fraud protection.

Before we break down this chart, I want to highlight Nvoicepay’s realist perspective on payment security: fraud is going to happen, no matter what payment types you use, no matter how secure your protocols are. Fraudsters are good at what they do, and their technology improves and changes constantly. But you can take measures that raise the quality of your own technology, and offer flexibility and adaptability in the wake of security threats. One of those measures is adopting payment automation.

The Rise and Fall of Check

Back to the chart: The first thing that drew my eye was the top line, which shows a decrease in fraud threats on check payments over the last decade, from a 93 percent high in 2010 to 70 percent—its lowest ever—in 2018. Does this mean that Positive Pay and Positive Payee efforts put in place by banks are working? Maybe a little. But it probably isn’t the whole story.

It’s more likely that companies are making fewer payments by check, so there’s just less in circulation worth stealing. But even though the overall percentage of check fraud has fallen, it’s still astronomically high, exceeding every other payment type available by at least 25 percent. Paired with the generally high expense of issuing checks, and the way that Positive Pay and Positive Payee solutions eat up money and AP time, check payments almost certainly have one foot out the door.

Recent Spikes in Wire Payments

When most people hear the term “electronic payment,” they think of wire payments. Unfortunately, this is also probably true for most fraudsters, because the study shows that wire fraud cases rose from a paltry three percent in 2009 to 48 percent in 2015 and 2017. In 2018, the figure dropped to 45 percent. Though we’ll probably never again see the low fraud percentages that we enjoyed at the beginning of the decade, it will be interesting to see how 2019 fares, since more companies are shoring up their security.

How could wire payments get so bad so quickly? The AFP survey highlights the parallels between the rise in wire payments and instances of Business Email Compromise (BEC), by which fraudsters hack into legitimate business emails and request that payments be routed to fraud accounts instead of authentic ones.

Even though wire payments ranked as the second-highest payment type to experience fraud from 2015 to 2018, they remain significantly lower than checks, despite the rise in their use. Sometimes wire payments are unavoidable, such as when making payments across certain international borders, or when taking advantage of payment discounts. In those cases, it’s best to tighten security protocols among your AP processes, or enlist the help of a payment automation solution to do it for you.

ACH is Best… or is It?

AFP breaks ACH into two groups: ACH credits (“push transactions,” when money is pushed to the supplier’s account) and ACH debits (“pull transactions,” when money is drawn from your account at the supplier’s request).

At first glance, either ACH option looks like the way to go, despite ACH processes requiring an ample amount of paper. Even though reported fraud cases have risen over the last decade, neither push nor pull transactions have seen a major spike, and both remain consistently low in relation to other payment types. If I were a weary business owner brainstorming how to escape the nightmares of check fraud, this chart would push me to look a little more closely at ACH.

Then why the trepidation? There’s no doubt that ACH is a good option, especially for someone who has kept electronic payments at arm’s length. And the simplicity of depositing funds straight into supplier accounts makes this method ideal for suppliers who want to reduce bank trips. But when fraud occurs, it can be a huge pain to sort out, and can sometimes result in big losses.

For example: say you just pushed money to a supplier account, only to realize that your supplier’s email request to update bank information was spoofed, and the money is heading for a fraudulent account instead. Generally, you have between three and seven days (depending on your bank) to request a reversal of funds—but the bank’s capacity to execute a full reversal depends completely on each unique circumstance. Most commonly, when the money’s gone, it’s gone, and there’s no getting it back. And you still have to pay your supplier.

The Many Faces of Card

Here’s where things become less cut-and-dried. It appears that the AFP report specifically tracked credit and debit card fraud instances. But these days, the term “card” is multifaceted. It could mean any number of things to each business, including:

  • Physical cards, which represent an established line of credit granted by a card issuer to a cardholder. These cards are generally used for card-on-file purposes in business settings.
  • Prepaid or payroll cards, which are loaded with a certain amount upfront. Companies often use these cards for payroll and other employee expenses.
  • Virtual one-time-use (or single-use) cards. Similar to prepaid cards, these virtual cards are usually front-loaded, and the data (such as the card number, CCV code, etc.) is provided to pay using “card not present” regulations on net-15 or older payments.

Even though credit cards began the decade as the second-highest payment option to experience fraud, by 2018 their fraud rate had held steady, even dipping slightly (-8%), despite the rise in credit card use. Security protocols like the Address Verification Systems (AVS) and Payment Card Industry (PCI) Security Standards played a large role in keeping card fraud in check over the years. The fact that credit and debit cards are now among the fraud-prone payment types in the AFP study says a lot about their viability as a leading payment option.

What, then, of the other card types? For now, they’ll have to settle for being grouped together. On the back end, however, payment automation solutions that offer prepaid cards or single-use card numbers have reduced card fraud even further, while adhering to the same strict card standards as the traditional plastic ones.

What to Do…

What can we learn from all this information? I think, more than just the rise of payment fraud, it gives us insight into how the payment microcosm is shifting. A higher percentage of companies reported fraud across more payment types in 2018 than in any previous year—and that number is likely not going to drop much. But there are ways to mitigate risk.

Here are a few ideas on how to do that:

  • Don’t put all your eggs in one basket—try not to pay exclusively with one payment type. Aim for paying 75-80 percent of your payments using electronic means (i.e. virtual card, ACH, and wire) with the other 20-25 percent as print check. Don’t let your preconceived notions of whether your suppliers will accept electronic payments determine how you pay your invoices. You’d be surprised how many suppliers are ready to accept electronic payments when asked.
  • Partner with an electronic payments solution that takes on the liability for payment fraud, and takes responsibility for resolving issues that do occur. Many solutions will take on the support aspect of ePayments while leaving the financial onus on their customers, so it’s important to know beforehand who assumes responsibility for which instances.
  • Support your back office and free up its time by implementing an electronic payment solution that offers single-file payment submission and reconciliation across multiple company locations. Lifting the manual workload from your AP team gives it more time to focus on other critical initiatives, especially if the solution also assumes supplier and payment support.

I’ll be very interested to see how AFP’s 2019 report captures the heightened awareness of fraud within the last 12 months. We’re in the midst of a B2B payment evolution, and each year of data continues the story of the quest for secure payments. Despite the rise in fraud, electronic payments provide more protection from fraud than was ever possible with manual checks. No matter how your company chooses to split its payment types, the question remains: how will your AP team scale with the growing fraud instances that come with manual payment processes?
