4 ways to help defend against payment fraud
Simple measures you can adopt to help protect your accounts payable systems from compromise and avoid payment fraud.
It’s hard to think of a worse place to discover fraud than in your accounts payable function, where the consequences of vulnerability to cyberattacks are significant.
Some 80% of companies were targeted with actual or attempted payment fraud attacks in 2023, according to a survey by the Association of Financial Professionals. This was a jump of 15 percentage points from the group’s report a year earlier.
The Federal Bureau of Investigation says business email compromise (BEC) is among the costliest categories of cybercrime. Businesses reported more than 21,000 BEC incidents with $2.9 billion in losses in 2023, and the agency believes this is a conservative estimate of the scope of the problem since many fraud occurrences go unreported.
Fraudsters can exploit BEC in various ways, including by gaining access to a sender’s email or by creating a fake email similar to the sender. It's important to stay vigilant against red flags and verify updated payment instructions, since BEC attacks often appear to be sent from a vendor or a legitimate email address. In one hard-to-detect BEC scheme, a fraudster may gain access to a trusted vendor’s email, monitor an exchange, and insert fraudulent updated instructions right into the conversation. Neither the recipient nor the sender may realize what’s happening until it’s too late.
“Awareness is key to ensuring that your payments systems and processes are secure,” says Robert Sterrett, a risk manager who specializes in commercial payment fraud at Capital One Commercial Bank. “There are some straightforward measures that can help make your payments organization less vulnerable.”
As a starting point, Sterrett says, it’s important to understand potential vulnerabilities and how fraudsters take advantage.
Know your weaknesses
The most common avenue for a bad actor to compromise your systems is phishing—in all its forms. With phishing, an attacker sends a deceptive email, pretending to be a legitimate organization or someone the recipient knows. The real goal is to trick the employee into revealing sensitive information, such as passwords or account numbers, or clicking on a link or attachment that places malicious software on your system.
Phishing relies on social engineering, a tactic by which bad actors exploit human behavior traits.
New generative artificial intelligence technologies may be making this type of cybercrime easier, allowing for the creation of more convincing fakes and more polished attacks.
In the most carefully targeted phishing schemes, sometimes called spear phishing, the perpetrator may use personalized and detailed information to make the fraud harder to detect. The email may have the recipient’s name and role, make reference to colleagues or clients, or describe specific business activities or procedures.
Educating employees about the types and warning signs of cybercrimes can help prevent successful attacks. However, if an employee does fall victim to a phishing scam, have open conversations about potential vulnerabilities—and about how to identify and respond to an attack.
Gateways for fraud
Phishing can provide fraudsters with a gateway into email systems and IT networks, making it easier to perpetrate BEC fraud. But schemes involving business email compromise can come in many forms.
BEC fraudsters may imitate a high-ranking executive and provide instructions for an urgent payment or a transfer of funds. An email may also appear to come from a vendor and request payment using a fraudulent invoice. In some cases, criminals rely on a compromised or hacked account to create what looks like a standard payment request.
While phishing may open you to cyber threats from the outside, people inside your business can also create vulnerabilities. Insider cybersecurity issues may stem from someone using their access to your systems maliciously. This can cause significant harm if the person has knowledge of your payment systems or authorization to access them. Even people without malicious intent can do harm by mishandling data or passwords or failing to follow security protocols.
Now let’s look at how you can boost your defenses.
1. Don’t know, don’t click
Every payments group needs to build awareness of suspicious emails and teach people never to respond to them, open their attachments or click their links. The best advice to employees may simply be to slow down, ask questions and verify instructions.
Here are some questions team members should ask to help identify communications that might be fraudulent:
- Do you know the sender? Your first line of defense is to ask whether you know the individual or organization sending the email.
- Is the domain legitimate? Check the sender’s address carefully since fraudsters may change just one letter in the domain name to mimic a legitimate email.
- Any red flags? Errors in grammar or spelling can be signs of phishing, along with non-personalized greetings or language that tries to create a sense of urgency.
While opening an email usually won’t compromise your network, once you click on an attachment or link, you may be inviting a cybercriminal in. One trick to know: You can hover your mouse over a link in an email to see the URL without clicking. If the address looks strange or doesn’t match the domain of the sender, it could indicate a potential threat.
The payments team should be particularly alert to last-minute changes in payment instructions or account information. This could be a sign of fraud. When a client communicates in a new or unusual way, moving from a payment platform to email, for example, it should also trigger closer scrutiny.
Sometimes, it can be difficult to sort what’s legitimate from what’s dangerous. When an email seems suspicious but may require action, a payment request, for example, confirm its authenticity before acting. Contact the sender using a known phone number that’s already in your system.
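The two checks above (a sender domain that differs from a known vendor's by a single letter, and a link whose host doesn't match the sender's domain) can be automated for a payments mailbox. This is an added example, not code from the article or from Capital One; the vendor domains and the sample message are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of vendor domains the payments team already knows.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind-traders.example"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a lookalike domain is typically within 1 of the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Domain part of an address such as 'Name <ap@vendor.example>'."""
    return address.rsplit("@", 1)[-1].lower().strip(">").strip()

def check_sender(address: str) -> str:
    """Classify the sender's domain as 'known', 'lookalike' or 'unknown'."""
    domain = sender_domain(address)
    if domain in KNOWN_VENDOR_DOMAINS:
        return "known"
    for known in KNOWN_VENDOR_DOMAINS:
        if levenshtein(domain, known) <= 1:   # one letter changed, added or dropped
            return "lookalike"
    return "unknown"

def mismatched_links(sender: str, html_body: str) -> list:
    """Links whose host is not the sender's domain (what hovering would reveal)."""
    domain = sender_domain(sender)
    bad = []
    for href in re.findall(r'href="([^"]+)"', html_body):
        host = (urlparse(href).hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            bad.append(href)
    return bad

# Constructed sample: an 'l' swapped for '1' in the vendor domain, link to another host.
SAMPLE_SENDER = "ap@acme-supp1ies.example"
SAMPLE_BODY = '<p>Updated bank details: <a href="https://secure-login.example/pay">view</a></p>'

if __name__ == "__main__":
    print(check_sender(SAMPLE_SENDER), mismatched_links(SAMPLE_SENDER, SAMPLE_BODY))
```

Both functions return findings rather than verdicts; a lookalike or mismatched-link hit is the cue for the callback to a known phone number described above, not a reason to reply to the email.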
2. Never make it easy
You want to make it as hard as possible for bad actors to compromise your systems. Use strong passwords, and ensure they are stored properly and never shared. Wherever possible, enable multifactor authentication, which creates additional verification steps using a token, a code on the user’s phone, facial recognition or some other method. Don’t allow sensitive data to be stored or accessed on unsecured computers or devices. A stolen laptop or phone can sometimes be the start of a cybersecurity incident.
Some businesses will test their systems and evaluate security gaps by sending out fake phishing emails or suspicious transaction requests to their own employees. Be transparent about such efforts to improve security awareness, though. You’ll want to explain the test after it’s completed, and you may be able to use the opportunity to discuss fraud vulnerabilities and best practices.
3. Harden your payments process
Proactive steps can ensure that your payments process is as secure as possible. You should require dual approvals, for example, and keep the pool of people authorized to send money as small as possible. Implement thresholds that require a callback before acting on a payment request or transaction.
Avoid sharing confidential information until you have confirmed you are communicating with the person you think you are. Work with vendors to create processes for transmitting and verifying payment instructions that will enhance security.
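The controls in this section (dual approval, a small approver pool, callback thresholds, and verified payment instructions) can be encoded as a release check in the payments workflow. This is an added example, not code from the article or from Capital One; the threshold, approver pool and request values are constructed.

```python
from dataclasses import dataclass, field

# Constructed policy values; a real team sets its own threshold and approver pool.
CALLBACK_THRESHOLD = 10_000.00
AUTHORIZED_APPROVERS = {"ap_lead", "controller", "treasurer"}

@dataclass
class PaymentRequest:
    requester: str
    vendor: str
    amount: float
    account: str                      # destination account on the request
    account_on_file: str              # account last verified for this vendor
    approvers: list = field(default_factory=list)
    callback_verified: bool = False   # confirmed with the vendor via a known phone number

def release_decision(req: PaymentRequest) -> tuple:
    """Return (release, reasons): release is True only when every control is satisfied."""
    reasons = []
    # Only the small authorized pool counts, and nobody approves their own request.
    approvers = set(req.approvers) & AUTHORIZED_APPROVERS
    approvers.discard(req.requester)
    if len(approvers) < 2:
        reasons.append("dual approval missing")
    # A last-minute change in account details must be verified out of band.
    if req.account != req.account_on_file and not req.callback_verified:
        reasons.append("account change not verified by callback")
    # Large payments require a callback regardless of whether anything changed.
    if req.amount >= CALLBACK_THRESHOLD and not req.callback_verified:
        reasons.append("amount over callback threshold without callback")
    return (not reasons, reasons)

if __name__ == "__main__":
    req = PaymentRequest("clerk", "acme", 25000.0, "NEW-ACCT", "OLD-ACCT",
                         ["ap_lead", "controller"])
    print(release_decision(req))
```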
4. Keep your technology safe
Keeping software and systems up to date is a basic step to enhance cybersecurity. Software is often updated to fix security vulnerabilities that have been discovered. It’s also a good idea to restrict administrative rights to install software to the IT staff alone. Your organization should also have appropriate anti-virus and anti-malware software that updates automatically. Dedicate a computer for online banking transactions and restrict its use for other purposes.
Beyond these steps, you should encourage your team to safeguard their user IDs and passwords and protect any mobile authentication tokens. Online user IDs should be deleted as part of the exit interview any time an employee departs. Another good idea is to periodically evaluate employee job functions and remove unnecessary access to online services and sensitive systems.
Want to learn more? Talk to your bank about how to implement the most effective strategies for avoiding payment fraud.
For Informational Purposes Only
These materials are for informational purposes only. These materials do not represent any opinion, guidance or recommendation, whether formal or informal, of Capital One, National Association, or any of its officers, directors, employees, advisors, attorneys, consultants, affiliates or subsidiaries (collectively, “Capital One”). Without limiting the generality of the foregoing, these materials do not represent legal advice or guidance by or from Capital One. In no event may the recipient of these materials rely on these materials for any purpose whatsoever. Nothing contained in these materials shall give rise to, or be construed to give rise to, any obligations or liability whatsoever on the part of Capital One. Nothing contained in these materials shall alter or modify, or be deemed to alter or modify, applicable law (including, but not limited to, the limitations under applicable law of Capital One's obligations and/or liability in applicable matters). The recipient of these materials should consult the recipient’s own counsel to understand the recipient’s obligations and liability in applicable matters.