Exclusive T&R Research: How Treasury Teams Are Fighting Payment Fraud
Here is what our readers have to say about how they’ve fought fraud over the past year, and what they are doing to lock down payment processes moving forward.
For years, malware and digital fraud have been rising across all areas of business, with corporate payments one of the prime targets of cyber criminals. Inefficient processes built around paper checks or card payments often leave these funds flows vulnerable. New digital and accelerated means of payment entail the added risk that a payment might be routed correctly by staff but subsequently intercepted along the way.
There are many avenues for perpetrating payment fraud these days. Bad actors may impersonate company executives in business email compromise (BEC) schemes, trying to convince employees that the CFO or CEO needs a one-off payment to be made immediately, no questions asked. Or they may impersonate a supplier, requesting a change in the vendor or payment information. They may hack into the corporate network, infiltrate remote users’ connections, or breach web-based systems.
Businesses are using dual authentication methods, human callbacks for changes to payment instructions, and an assortment of technology solutions to improve the chances that they will catch any attempted fraud, but staying a step ahead of attackers is a race without a finish line. As a Treasury & Risk contributor commented about the FedNow Instant Payments service, which is due to launch in July:
“In some ways, the service will include natural protections from payment fraud. Faster payments can make it harder for fraudsters to intercept payments. However, we can reasonably expect fraud to increase after the platform goes live. That is because instantaneous payments do not give financial institutions any time to identify suspicious transactions. … If bad actors are able to intercept a transaction and divert funds, by the time the parties involved notice the fraudulent activity, the company’s money might be impossible to recover.”
As the landscape of available payment types continues to evolve—and as we come off the broad increase in cyberattacks that followed companies’ widescale shift to remote work during the pandemic—Treasury & Risk conducted an editorial survey of our readers to get a better understanding of the current state of payment fraud. We also examined what treasury groups expect the future to hold. Here’s what the survey, sponsored by Trustpair and GIACT, found.
Fundamentals of Fraud
The first conclusion from the “2023 Treasury & Risk Payment Fraud Survey” is that payment fraud is widespread. More than half of the survey’s respondents said they have fallen victim to payment fraud in the past year. Among those who have experienced fraud, nearly a quarter (24%) experienced just one successful fraud attempt, but nearly as many (21%) fell victim to payment fraud in more than 10 separate incidents. (See Figure 1, below.)
Half of the successful fraud attempts perpetrated against respondents’ organizations involved payments by paper check, while 36 percent involved credit cards and 33 percent wire transfers.
In most companies that fell victim to fraud, staff were duped by social engineering. Fifty-five percent of the successful attacks revolved around changes to supplier credentials, bank account data, or address information on a legitimate payment. And one-third (33%) were BEC, or impostor, scams demanding illegitimate payment.
Hacking of systems was also a factor in our readers’ experience of fraud last year, although to a lesser degree. Breaches of a treasury or payment system accounted for just 5 percent of the successful fraud, but 21 percent of incidents involved a hacker taking over internal staff accounts. (Among these, 67 percent revolved around a breach of remote-user connections, while 33 percent entailed hacking into on-premises systems.) Another 5 percent of the fraud incidents that survey respondents experienced were perpetrated by internal employees.
Most of respondents’ fraud incidents (75%) cost the victimized company less than $100,000. But in addition to the financial costs, 39 percent of the incidents caused issues with suppliers, 24 percent damaged the company’s reputation with customers, and 17 percent resulted in regulatory consequences for the fraud victim.
Why Companies Should Put Treasury First in Fraud Prevention
Both the number of fraud incidents that our readers faced, and the cost of those attacks, held fairly steady from 2021 to 2022. Thirty percent of all respondents experienced more fraud attempts in 2022, but 27 percent experienced fewer. And although a quarter (25%) said fraud incidents cost their company less in 2022 vs. 2021, 29 percent said fraud cost more last year than in the year prior. So, fraud prevention is top-of-mind for many Treasury & Risk readers.
Forty percent of survey respondents said that fraud prevention within their organization is extremely important, a top priority at the highest levels of the company. Another 42 percent reported that fraud prevention is more important than most other organizational initiatives. Alarmingly, 3 percent of survey respondents said fraud prevention is not important at all to their senior leadership. It’s worth noting, though, that all these respondents work in companies with less than $100 million in annual revenue.
Cross-tabulation of the data shows no clear relationship between executives’ prioritization of fraud prevention and the number of fraud incidents that have impacted the organization in the recent past. However, there is a correlation between the frequency of fraud within a given company and the corporate functions that respondents deem most critical for mitigating the risk of fraud.
Companies that put treasury and accounts payable (A/P) front and center in the fight against payment fraud are substantially more successful in their fraud-prevention efforts. Among organizations that did not fall victim to fraud over the prior year, 75 percent consider treasury to be one of the most critical functions in fraud prevention, and 72 percent have that opinion of A/P. Meanwhile, among organizations that fell victim to payment fraud more than 15 times within 12 months, not one said the treasury function plays a leading role in their battle against payment fraud.
Specific Actions Organizations Are Taking
In an effort to minimize fraud, 53 percent of all companies in our survey changed their internal payment initiation and/or approval processes over the past year. More than a third added manual review for every requested change to supplier payment instructions (37%), began requiring multifactor authentication to log into all payment systems (36%), and/or changed the authentication process for supplier profile updates (33%).
For most respondents, implementing new technology solutions has also been key to battling payment fraud. The most effective technologies for fraud prevention may be the controls built into companies’ enterprise resource planning (ERP) and/or treasury management systems, as these controls are the most popular technology among survey respondents who experienced no fraud in 2022 (cited by 56 percent of them). However, many of these organizations are also using payee positive pay (50%), ACH filters (44%), and user-authentication and cybersecurity tools (38%). (See Figure 2, below.)
Of course, a full slate of technologies is not guaranteed to prevent all payment fraud. The largest companies in the survey (annual revenues above $10 billion) are also the most likely to use each type of technology. Two-thirds utilize both the controls built into their ERP or treasury platform (or both) and user-authentication and cybersecurity tools. More than half (56%) use ACH filters and check blocks. Seventy-eight percent use payee positive pay. And a third use an automated supplier account validation system.
Nevertheless, the largest companies were also the most likely to experience payment fraud in 2022. Sixty-seven percent of companies with revenues over $1 billion succumbed to at least one fraud incident last year, vs. only 52 percent of companies with revenues under $100 million. That is likely because big companies tend to have more diverse operations and a broader geographic reach than do their smaller counterparts. Plus, major multinationals are often more appealing targets for cyber criminals than are organizations that spend less time in the public eye.
Some Vulnerabilities Remain
Considering their recent past, it’s unsurprising that companies are concerned about fraud risks going forward. More than half of respondents (56%) expect payment fraud attempts to increase over the next 12 months. Twenty percent think fraud attempts will increase substantially, while only 11 percent expect their organization to face fewer threats of payment fraud over the year ahead.
Overall, respondents’ biggest concern is the continuously increasing sophistication of BEC and social engineering attacks. In fact, this stood out as even more of a concern for companies that did not experience payment fraud in 2022 (44%) than for businesses that did experience a fraud incident last year (40%). (See Figure 2, above.) The inability to wean suppliers off of more vulnerable payment types is another common concern, cited by 37 percent of all respondents and 38 percent of those from small companies.
Meanwhile, organizations that did fall victim to payment fraud last year are considerably more likely than those that didn’t to worry about vulnerabilities created by internal staff violating corporate policy, particularly in the initiation of payments. However, failure to follow company policy in either payment initiation or approval is not a concern for the largest companies represented in the survey. Instead, a majority of these organizations (56%) see the frequency of urgent one-off payment requests as their key stumbling block to eliminating the risk of payment fraud.
What, then, are Treasury & Risk readers going to do about the risks they face in 2023 and beyond?
Survey respondents who expect fraud to increase are primarily focused on providing more training for their procurement, A/P, finance, and other teams involved in initiating and approving payments. This makes sense, as the same respondents see the sophistication of BEC/social engineering attacks as the biggest stumbling block to their organizations’ fraud prevention efforts.
Among respondents who foresee a substantial increase in payment fraud, however, the focus is on education not of A/P and finance staff, but of those requesting payments. Among these respondents, the frequency of urgent one-off payment requests is the biggest stumbling block to reducing fraud risk (cited by 64 percent). Fittingly, they also believe that the most effective approach their organization can use to minimize fraud risk is better education among managers and staff who currently request workarounds that bypass payment policies. Forty-three percent of those who anticipate a substantial increase in fraud attempts selected this option, vs. only 24 percent of all respondents. (See Figure 3.)
Moving Forward on a Path Toward Fraud Prevention
Regardless of what the year ahead holds, payment fraud will undoubtedly remain on the radar of every corporate treasury and finance professional. Bad actors have corporate payments in their sights, and they will continue to grow more sophisticated in their approaches to fraud. A combination of process and technology will put organizations in the best position to defend themselves against these threats.
Treasury teams that take the lead on fraud prevention can help their companies prepare for battle against fraudsters, even as the payment landscape continues to evolve. They can ensure their organization is leveraging the controls built into their core accounting, payment, and treasury systems. They can push for user-authentication and automated supplier account validation tools. They can improve internal education for the people requesting, initiating, and approving all types of payments. And they can evaluate the benefits for their organization of payee positive pay, ACH filters, and check blocks.
The correct approach to minimize fraud will vary from company to company. What should be universal is an understanding of the risk that payment fraud presents, and the prioritization of prevention measures to avoid the financial, reputational, and other costs that a major fraud incident would entail.