Fraudsters are smarter and more devious than ever before. With that evolution comes an increase in successful fraud attempts, seen especially by companies that do not practice modern payment safety protocols. The number of incidents is higher than it should be: according to the 2019 AFP Payments Fraud & Control Survey, a record 82 percent of organizations surveyed reported fraud incidents in 2018.
Business Email Compromise (BEC) also set a record, with a whopping eighty percent of companies reporting an incident. Now we're starting to see reports of fraud schemes involving "deepfakes," which are artificial intelligence (AI) technologies designed to imitate real images and sound. For example, late last year, Nikkei, a Japanese media company, reportedly sent $29 million via wire transfer in response to a phone call purportedly from a company executive—but in reality, a robocall using an AI-generated imitation of the executive's voice.
What's a company to do? Even for companies already investing in fraud prevention, it's hard to keep up. The payments landscape keeps getting more complicated. Just a little over a decade ago, most businesses paid exclusively by check, and only had to worry about check fraud. Now, in the digital age, they are also paying by ACH, card, and, as more businesses go global, by wire. That means the battle against fraud is on multiple fronts, leaving AP to juggle all these different payment workflows.
Positive Pay and Positive Payee, available for a fee through most banks, can help catch fraudulent check and ACH payments. Accounts payable receives a list of checks or ACHs presented for payment from their bank every day, which they cross-check against those that they issued. If anything is amiss, they can catch it before the bank pays the funds, which saves the trouble of trying to retrieve their money after it leaves their account. However, this process is very manual and, as experienced AP managers will tell you, time-consuming. Add more payment workflows on top and they've got a mess of processes to sift through each week.
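The daily cross-check described above can be automated. The following is an added example, not code from the original article or from any bank's Positive Pay product: it reconciles a constructed list of presented checks against a constructed issued-check register, and all field names and sample values are assumptions.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data: the issued-check register kept by AP.
ISSUED = {
    "10451": {"payee": "Acme Supply Co", "amount": Decimal("1250.00"), "status": "open"},
    "10452": {"payee": "Northwind Freight", "amount": Decimal("860.40"), "status": "open"},
    "10453": {"payee": "Birch Office Ltd", "amount": Decimal("99.95"), "status": "void"},
}

# Constructed sample data: items the bank reports as presented today.
PRESENTED = [
    {"check_no": "10451", "payee": "ACME SUPPLY CO.", "amount": Decimal("1250.00")},
    {"check_no": "10452", "payee": "Northwind Freight", "amount": Decimal("8600.40")},
    {"check_no": "10453", "payee": "Birch Office Ltd", "amount": Decimal("99.95")},
    {"check_no": "10999", "payee": "J. Doe", "amount": Decimal("4000.00")},
    {"check_no": "10451", "payee": "Acme Supply Co", "amount": Decimal("1250.00")},
]

def norm_payee(name):
    """Compare payee names case-insensitively, ignoring punctuation and spacing."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def reconcile(issued, presented):
    """Return (pay, exceptions): items safe to pay and items to hold, with a reason."""
    pay, exceptions = [], []
    seen = Counter()
    for item in presented:
        no = item["check_no"]
        seen[no] += 1
        rec = issued.get(no)
        if rec is None:
            reason = "not issued"             # check number AP never wrote
        elif rec["status"] != "open":
            reason = "status " + rec["status"]  # voided or already paid
        elif seen[no] > 1:
            reason = "duplicate presentment"  # same check presented twice today
        elif item["amount"] != rec["amount"]:
            reason = "amount mismatch"        # classic altered-amount case
        elif norm_payee(item["payee"]) != norm_payee(rec["payee"]):
            reason = "payee mismatch"         # the Positive Payee comparison
        else:
            pay.append(no)
            continue
        exceptions.append((no, reason))
    return pay, exceptions
```

Only the exceptions list needs a human decision before the bank pays; a production register would also mark paid items so that a check presented again on a later day is caught.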
Companies need to combine advanced technologies with human effort to mount a comprehensive effort across all payment types. For example, virtual cards can reduce card fraud. Sometimes referred to as Single-Use Ghost Accounts (SUGAs), these are "card" numbers that can be used only once, by the specified payee and in the specified amount. That's a significant improvement from the days of giving out card numbers over the phone or keeping a card on file.
More companies are consolidating their payment processes into a single payment workflow through electronic solutions. This simultaneously minimizes AP teams' workloads, enabling them to focus on more complex initiatives, and shores up security by limiting the entry points available to bad actors.
Despite the many security protocols in place, fraudsters are not easily deterred. If they can't insert themselves into the flow of funds, they attempt to subvert the payment process, which is why there's a rise in schemes like BEC and deepfakes. These kinds of attacks, sometimes called "social engineering," are designed to take advantage of human weaknesses: the fraudster poses as an executive or a supplier and tricks someone into sending money to the fraudster's own bank account.
Fending off these kinds of attacks requires training personnel on a strict process for validating suppliers' banking data during supplier onboarding, especially when receiving any data change requests.
You have to have the technology to be able to support this at scale. According to a recent survey by consulting firm Strategic Treasurer, 45 percent of corporations are handling over 10,000 payments globally each month. Once you get past about five thousand payments annually, your accounts payable team isn't going to be able to keep up with validating every request manually.
Suppliers change banks all the time for legitimate reasons—about every four years, according to our internal data. Maybe they've merged, been acquired, or they had to move their services to a new bank as a condition of securing a line of credit. There are many reasons, and authenticating requests and verifying information is a significant workload.
The first safeguard against fraud is software that analyzes a variety of data sources to make sure that companies and people are who they say they are. At Nvoicepay, we use our own data from our supplier network to verify bank data change requests. If one of our customers tells us to send a supplier's payment to a new bank account, then all of our customers who pay that supplier should be making the same request. If they aren't, that's a problem.
In a way, we use technology as the green light to proceed with account changes. Employees handle the exceptions by reaching out to the appropriate parties and verifying requests before making any changes. Once the information is confirmed, one employee updates the account, and a second employee validates it.
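The green-light rule and the two-employee update described above can be sketched as follows. This is an added example, not Nvoicepay's code: the class and function names, the payer map and the account placeholders are all assumptions, and the rule is a literal reading of "all of our customers who pay that supplier should be making the same request."

```python
from dataclasses import dataclass

@dataclass
class ChangeRequest:
    customer: str      # customer who submitted the request
    supplier: str
    new_account: str   # constructed placeholder, not a real account number

# Constructed sample: which customers pay which supplier.
PAYERS = {"sup-1": {"cust-a", "cust-b", "cust-c"}, "sup-2": {"cust-a", "cust-d"}}

def triage(supplier, requests, payers=PAYERS):
    """Green-light a change only when every payer asked for the same new account."""
    relevant = [r for r in requests if r.supplier == supplier]
    if not relevant:
        return ("no_request", None)
    accounts = {r.new_account for r in relevant}
    missing = payers.get(supplier, set()) - {r.customer for r in relevant}
    if len(accounts) > 1:
        return ("exception", "conflicting accounts requested")
    if missing:
        return ("exception", "no matching request from: " + ", ".join(sorted(missing)))
    return ("proceed", accounts.pop())

@dataclass
class AccountChange:
    supplier: str
    new_account: str
    updated_by: str = None
    validated_by: str = None

    def update(self, employee):
        self.updated_by = employee

    def validate(self, employee):
        # Dual control: the validator must be a different person than the updater.
        if self.updated_by is None:
            raise ValueError("nothing to validate yet")
        if employee == self.updated_by:
            raise PermissionError("validator must differ from updater")
        self.validated_by = employee

    @property
    def active(self):
        # The new bank details take effect only after both steps are done.
        return self.updated_by is not None and self.validated_by is not None
```

An "exception" result is the case the article hands to employees, who contact the appropriate parties before any `AccountChange` is created.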
It's easy to say, "well, why didn't the employee at Nikkei just pick up the phone and confirm the request?" but it's really not that simple. First of all, there's the difficulty of challenging a company executive without any data to back you up. Then there's the constant stress in AP to get payments processed on time, which leaves little time for all the extra legwork of data validation. It's not something they're focused on, or well-positioned to do.
There is some good news. With new regulations coming into play, and with heightened fraud awareness, data security is getting more attention within organizations. As companies push toward digital payments, CFOs and treasurers are thinking about risk and looking for ways to make payments more secure. There are providers, such as Nvoicepay, that use technology and a human touch to manage supplier data and indemnify all payments.
The battle for payment security is no longer a battle AP has to fight alone. As companies recognize the inevitable fraud risk, they are looking at their vulnerabilities and realizing that it takes an army of humans and vendors equipped with an arsenal of technology to fight back.