B2B payment fraud is a growing concern for companies: in fact, 56% of US companies have been targeted by at least one fraud attempt in 2022. 12% have been targeted by more than 10. These record-breaking numbers prove it: payment fraud should be taken seriously and addressed with relevant tools and security measures.
That’s what stands out in the latest fraud study by Trustpair, GIACT, and Treasury & Risk. This study delves into exclusive insights about fraud and divulges record-breaking numbers and trends.
Our experts, Baptiste Collot from Trustpair and Ramesh Menon from GIACT, go into detail to explain the facts and figures of the study. Download our whole report for more trends and insights about B2B payment fraud in the US.
- We can see in the survey that paper check fraud is the highest type of fraud. With that being so common, do you think that will speed up the transition to digital payments?
Baptiste: That’s an interesting one. Obviously, companies have been paying by check for decades now. Even though it seems to be quite an “old” means of payment, it’s still quite massive in the US, used by 40% of companies. By moving to wire transfer, you’re moving to a more secure and easy way to pay your bills. It’s no wonder check fraud is the most common type of payment: it’s very hard to fight! With a digital alternative, it will be more secure and easier to detect fraud. It’s definitely an opportunity for companies to do this move. Digital payments should be the present: and the move to wire transfer or ACH is completely logical, for security and productivity reasons.
Ramesh: The use of paper checks has been declining for a long time, but unfortunately organized criminals have recently been targeting paper checks more and more. In fact, this type of fraud nearly doubled last year: it’s still very substantial. Some keys to fighting this fraud include verifying supplier or company identity before actually sending and accepting payments from paper checks.
Ultimately, of course, the answer is reducing the use of checks and going more digital. There is already a trend that has been accelerated by the pandemic: people are getting more and more used to digital interactions. We think it’s going to continue but it’s definitely our job as an industry to raise awareness and help companies move to digital payments.
- Do you think the reason checks are so common is because of a misperception about them: that they’re safer than online transactions?
Ramesh: I think it’s just inertia actually. The procurement and P2P processes have always been paper-based. Large companies with large sets of vendors and suppliers tend to have platforms but the bulk of the smaller businesses still write checks.
Baptiste: I think there are many reasons: companies made investments around checks, and they probably have existing providers and processes. They have their habits, they’re used to doing it this way and it’s not always easy to do the switch. But keep in mind that checks have many disadvantages, on top of security. When you send a wire transfer, you put a date on it. You know when the money will be leaving your bank account. When you send a check, maybe the person will take one week, two weeks, or a month to get the money. In the meantime, the money is still in your account. And checks mean so many time-consuming processes: re-editing the check if it’s been lost… All of this is very costly in the end.
- We also saw that changes to supplier credentials were a huge source of fraud. What are some examples of how organizations can better verify changes to supplier credentials?
Baptiste: In the study we have this really impressive figure: 70% of companies are still using phone calls in case of supplier credentials changes. It’s manual calls: very risky, very time-consuming… The cost of this type of process is really high. You basically pay someone to be on the phone. And it’s not even secure: you don’t know that the person you’re talking to on the phone is actually your supplier or the person you want to talk to.
And that’s why there are so many frauds. You spend time and money on a process that’s inefficient, to end up being defrauded: the cost is double! Doing the call and losing the money with the fraud.
Digital is the answer. Maybe not the only answer, but definitely a big part of it. You have to completely transform the way you check credentials.
Two other interesting figures on this: 74% of companies check these credentials when onboarding a new customer. But only 20% of companies actually check these credentials before paying their suppliers. It’s crazy when you see that 55% of frauds are associated with changes in supplier credentials.
To sum up: Only 20% of companies check data before payments while 55% of frauds are associated with the data used for these payments! Companies have to completely change the way they secure their P2P process. They need to cover all the P2P processes: and this concerns all teams, from procurement to AP teams or even the Treasurer.
Ramesh: I agree with Baptiste. Human callback is inherently risky. Fraudsters use very sophisticated and ever-changing techniques. Expecting your frontline employees who actually do the callback to always act consistently and at a high standard, is impractical and almost impossible.
On top of that, the human callback system is inefficient: you need a lot of people to do it and need training, etc. By nature it’s costly and unscalable. If you want to handle more calls, you need to hire people and train them. And that takes time and money.
The real answer is automation. If automation is done well, it will be as good as your best employee and standardize processes. It equips the organization to deal with fraud more rapidly: it’s about having a system, not about training many employees and hoping they get everything perfectly.
Automation involves robust verifications: not only at the onboarding stage but also during the whole lifecycle. You need to have the same level of diligence as when you onboard someone in case of changes in credentials. This means account verification, identity verification: all the techniques to check that this isn’t an account takeover. Insights and analytics are also very important: if you’re able to see how many times an account has been verified in the last 24 hours and the account has 10,000 verifications, it means the account is being used for fraud.
- And so, in the scenario where a supplier sends an email to change his bank account number, what would a good control look like?
Baptiste: Good control isn’t about reaching back to your vendor but having a digital answer for this. A tool that can validate automatically that this bank account belongs to this supplier. Companies should really stop doing these controls manually: or keep the manual work for the extra checks, not the first check. Automation is the key here. Several tools exist: Trustpair is one of them. These tools will ensure that the data associated with a supplier is correct. Doing systematic manual checks is a failure today: the cost is high for companies.
At Trustpair, we have different levels of checks. We’ll start by checking that the company and the supplier actually exist. Then we’ll check that the bank account exists and that the number is correct. And to conclude we’ll check the correlation between the company and the bank account. And we check this correlation at different moments of the supplier relationship: not only when the supplier is created. It’s really a continuous check of the correlation: that’s what makes a very good control.
And imagine when you have thousands of suppliers around the world: it would be so time-consuming to check suppliers manually and continuously. It’s basically impossible.
Also, we often see that fraud occurs because processes aren’t respected and there’s a breach in the process. Processes existed but people don’t abide by them: the person could’ve been on holiday, or not here, or not know about the details of the process… There’s a breach in the process and this is how failure happens.
Digital is here to help people respect processes: digital gives finance teams the means to respect processes. It’s here to ensure that every check that needs to be done, is done, and nothing flies under the radar.
Ramesh: In a completely automated scenario, the supplier is challenged with some kind of response. It could be a knowledge-based authentication, or a text message being sent to phone numbers that are trusted. It could be that the identity of the person initiating that change is verified independently. With automation, all these things are done behind the scenes.
But automation is also here to support human beings. It can help call center employees kick off a lot of verifications for example and provide data & insights directly, rather than having employees need to dig them up. Automation supports decision making. It’s not necessarily a completely hands off process.
Nothing by itself says the bank account is fraudulent. It’s the association with other signals that indicates that.
- What are some examples of issues with suppliers that fraud incidents tend to cause? What happens with the relationship once fraud occurs?
Baptiste: Obviously, the first impact is late payment. Your company paid a fraudster and hasn’t paid its actual supplier. It can have a big impact if the fraud was a big amount of money.
The second impact would be a reputational risk: when you work with a company where fraud occurred, you can have doubts about their credibility and seriousness. If it happened once, it could happen again: is the company strong enough or will the fraud end up impacting us?
And the third impact would be friction with your supplier to determine the responsibility for the fraud. Unfortunately, this can lead to legal actions in some cases: that’s something we already saw among our customers. The company can consider that responsibility lies with the supplier himself and that he shouldn’t have been hacked or impersonated. Trials have occurred in situations like this. And obviously, if you’re on trial with your supplier, that’s not good!
Let’s not forget the credit risk also, the solvency of the company. You’ve paid money to the wrong company: that means you still need to pay your actual supplier. If the fraud was a big amount, it can impact your supplier awaiting the funds, and you have to pay twice. Moreover, chances are you’ll never get the money you lost back.
Ramesh: There are some immediate and some longer term effects of fraud.
The immediate effect is the financial loss from the fraud itself. It usually leads to almost immediate legal issues: I have to set up a legal team, divert some of my employees to work on it, etc. It’s a distraction and an inefficiency.
Obviously for suppliers there’s late payment: the supplier hasn’t been paid for the service he’s provided, because the money has been given to fraudsters. The supplier is at risk and therefore my business is at risk.
If these vendor frauds happen to smaller or medium-sized businesses: they are more easily at cash flow risk than large businesses.
The longer term impacts are a negative impact on customers: they might have longer wait times, lost orders and eventually higher fees, because I have to pay for these inefficiencies. Obviously there are also reputational risks in the ecosystem, whether it’s customers or suppliers.
- Do you think the reputational risk can spread to other suppliers in the same industry or does it just damage the relationship with the current supplier?
Baptiste: I guess it depends on the amount of the scam. But of course, when you read the press and you see “this company lost X million, and this company lost X million”, it’s never good for reputation. There can definitely be long-term damage.
And let’s not forget about third parties that aren’t suppliers: fraud can also impact your relationship with your banks for example. Your bank could object to giving you additional funding, or it might be harder to obtain this funding. After all, you “lost” some of your money, so how can you assure your bank that it won’t happen again with the money they lent you?
- And what about employee morale issues? For example, AP departments dealing with fraud, I guess it can be hard to retain them.
Baptiste: Of course! Fraud is associated with human actions. So in case of a successful fraud attempt, the person responsible for the control who failed to do it, or missed the fraud has high pressure on him. We see cases where the whole finance department is fired because of fraud. When companies lose millions of dollars, unfortunately, it’s a lot and someone usually loses his job. And even if you don’t lose your job, you still have all of this in your mind. The impact on individuals can be very big.
- How can organizations find a better balance between using technology to reduce fraud risk, without creating new risks as more work occurs online?
Baptiste: I think people and technology are complementary. Technology should be used to enhance human actions and not replace them. People get better at their jobs thanks to technology. In the case of Trustpair for example, we allow our users to have more time for high-value tasks. How? By automating bank account validation, providing real-time dashboards and alerts, etc. This is important because if you just do manual controls, you’ll be doing tasks and tasks and tasks, without really gaining any value from it.
Technology will help you focus on where your risk really is. This is where your intelligence and brain will matter.
But let’s keep in mind that today, it’s just impossible to handle fraud without technology. Just because frauds are more and more sophisticated. Identifying and detecting fraud with only manual means when fraud itself has become increasingly cyber and online.
In some cases, you’ll receive an email that actually comes from your supplier, asking to change his credentials. It’s the right email address and everything. How can you manually detect that it’s not actually your supplier and that it’s a phishing attempt? Manually it’s impossible! Only technology will spot that the new credentials aren’t associated with your supplier’s company.
Trustpair ensures that processes are respected and controls are made automatically throughout the whole payment chain.
Ramesh: Today, people committing fraud are using very sophisticated automated tools that can get the maximum yield. And obviously, when companies go online with software, it makes it “easier” for fraudsters: your target potential dramatically increases.
That’s why fraud prevention is going to be a journey that everybody’s on. There’s no destination or defined conclusion. It’s going to keep happening.
Organizations need to approach this holistically. The answer isn’t “let’s not go digital”: we talked about it earlier with check fraud, it’s going to happen no matter what.
Going online means more efficiency & security,
It’s also really important to make sure there’s diligence across all the supplier lifecycle: a lot of attention is paid before letting someone in through the door but not enough throughout the rest of the relationship. The best practice we’re seeing is verifying at every interaction, when somebody is coming in for anything at all: whether it’s changing credentials, adding a new bank account, a change in the contact person.
- And are there any new controls that you should be doing? If you’re switching to online banking versus paper checks?
Baptiste: Of course, the operational risk evolves when you switch to digital payments. I’m not sure it’s heavier though, just different. And of course, when you switch to automated tools to do controls and prevent fraud, you need the people to know how to use that tool, you need to train them and everything. It’s not just about having a tool.
There are many different options for security: there’s multiple identification or secret keys for example. On the whole, using technology will make everything more secure.
- The survey suggests training and education are the favorite options for treasury teams looking to reduce fraud. Does this seem right, considering the data? Or does it mean companies are still clinging to old-school methods?
Baptiste: Training is not optional: companies will always need training. But training isn’t self-sufficient. Training your employees about fraud whilst still using manual detection methods isn’t enough. It needs to be associated with the right tools and technology.
People always need to learn, so training is fully complementary to digital. Having software is great but you obviously need to train your employees so they can use the tool to its full potential.
When it comes to fraud, training needs to focus on two things. First, what is the risk itself? How is risk evolving? What kind of fraud is happening right now? What are fraudsters doing?
Secondly: how will we secure our company against these frauds? What processes will we set up and how will we fight? You need to make sure employees understand the process and know how to use the tool. If you just focus on one part of the process, it won’t work: everyone will think the next person did the control or has to do the control, and so on.
Having a global vision of the risk itself and the processes in place to prevent this risk is key. Training and tools are complementary: they’re both lines of defense against fraud, stronger together than alone.
But adding more training to training, without the right technology just won’t cut it anymore. It’s heavy, costly, and still not efficient.
It’s paradoxical to see that companies are aware that fraud is getting more and more sophisticated and see this complexity as a major blocker in their fight against fraud but still think they’ll be able to stop fraud with training only. You can’t fight cyber-attacks with humans only.
And also, on another note, hiring finance professionals is getting harder and harder for companies still relying on manual tasks. You’re basically hiring them to do low-value and manual tasks. Having the right tools will allow people in your organization to work correctly and serenely and it makes you more attractive as a company.
Digitalization is a good way to attract talent: you allow them to spend time on what matters, not on time-consuming and inefficient processes.
Ramesh: Like Baptiste, I don’t want to say that training isn’t needed. Training is very important. But the challenge is still that training as the favoured way to fight fraud implies that the favoured way of preventing fraud is through frontline employees. It implies that everybody will be excellent and work at the same level. We know that that’s not the case and it’s normal: some people will be better, more experienced.
In the long run, training will end up being much more expensive than a fight against fraud that’s system-based and relies on automation. Expecting all employees to become fraud detection experts is impractical. And systems empower humans and help them make better decisions.
- To conclude, what are your main impressions? What stands out in the survey? What can you foresee for the coming years?
Baptiste: We can definitely say that the pace of payment fraud isn’t slowing down, quite the opposite. A decade ago it was about very manual fraud: now it’s sophisticated and complex fraud. We clearly see in the study that it’s a big concern for any company. And the change to digital payment means is also going fast: in fact, when it comes to international payments you have no choice at all. So as a finance team, you need to think about what’s next. How will you prevent fraud effectively? You need to take the lead on your own risk and ensure you have the right answer. There’s space for fraud prevention: and the answer needs to be both human and digital.