In 2023, the landscape of payment fraud has drastically shifted to the cyber realm, profoundly impacting businesses: 83% of US businesses were targeted by cyber fraud at least once in 2023. This surge in sophisticated fraud attacks fuelled by automation and AI has led to significant damages for US companies. Lee-Ann Perkins, assistant Treasurer for more than a decade and NACHA advisory board member gives us her insights and thoughts on a phenomenon that’s not about to slow down.
To get more details and numbers about 2024 fraud trends, watch our Fraud Report On-Demand Webinar!
- To start, could you present yourself and your expertise in terms of payment fraud?
Lee-Ann: My name is Lee-Anne Perkins. I am an assistant treasurer and have been in Treasury for about 19 years. I’ve had a lot of experience in different types of companies with different payment methods.
When I started in Treasury, roughly 19 years ago, there was a very different fraud landscape. We used to pay mainly by check and used very manual processes. Mostly we worried more about checks getting lost in the mail or checks being stolen and whitewashed and names changed. Positive pay review for checks was the only solution that banks offered us. That’s what we used to protect the company.
It’s interesting how quickly things have changed over 2 decades now. Check fraud is still there. In fact, it’s rather making a comeback because digital fraud is getting more difficult – fraudsters need to be really specialized now.
We have two issues in payments right now: going back to old-school ways of reviewing and ensuring checks are not breaching our systems, but we’re also having to worry about the different types of electronic fraud that are coming at us.
As a treasury professional, I am very risk-aware and I know that there are people out there who are making a lot of money by trying to hack into our systems and take control of our bank accounts or reroute our payments.
My job as a treasurer is to safeguard our company’s funds and we do that in many ways, but one of the ways is to prevent fraud from happening. That’s why I have such a keen interest in preventing fraud and keeping up with companies that offer solutions to safeguard our funds.
- So you partially answered already, but how would you describe the fraud threat, the fraud landscape today, do you think? Do you think on the whole fraud attempts are increasing? Do you think companies are more vulnerable? What are the main trends when it comes to fraud today?
Lee-Ann: Fraud is definitely increasing in many different ways.
What I’ve seen in the last few years is that fraud is now so elevated in complexity that we as companies need to elevate the solutions and controls to fight back.
We need to rely on companies such as Trustpair and other Fintech companies and our banks who are providing these very complex solutions, using AI and machine learning to help us prevent fraud.
The reason it’s increasing is because fraudsters can make money out of it. What we’re hearing from the FBI and other sources is that there is a lot of money to be made with fraud. F
raudsters are now organized – almost in companies – and can create sophisticated techniques to get into vulnerable systems. Obviously, this wouldn’t happen if there wasn’t the ability to make money off it. Fraud is increasing and it’s increasing in different ways.
I mentioned earlier that check fraud is making a comeback.
Digital fraud is on the rise, especially with all the AI and machine learning solutions that are out there. It’s making it easier for fraudsters to get into our systems and diversify their attacks.
There is also physical fraud that’s happening and is more pronounced in some specific industries. In retail for example: there are many brazen attempts of snatch and grab.
There’s also taking high-value products off the shelf while distracting the retail workers and being able to walk away with products.
From my perspective, that type of fraud is also part of what we as companies need to protect against and we need to come up with solutions and use companies that can help us protect our funds. It’s no longer an area that just needs a little bit of attention. It needs as much attention as any other area of treasury or finance.
- So getting back to the whole AI part, which is very interesting, do you believe that in the last 10 years in terms of techniques and complexity, do you think that fraud has become increasingly linked to cyber risk and is that making fraud more dangerous and fraudsters more dangerous than they used to be?
Lee-Ann: I really think it is.
All these available AI solutions like ChatGPT, we use them in our everyday lives and our working lives to make work easier, create efficiencies, and eliminate repetitive tasks and errors. Just as much as we’re using these solutions for good, fraudsters are using them for their good too: to defraud our companies and get into our systems.
And technology evolves so fast. It’s making it harder for us to protect our companies. It also asks for new skills on the Treasury & Finance side, to be able to detect and prevent these issues.
So I do think cyber advancements are making it harder for companies to mitigate fraud risks, to understand where they’re coming from, and how to prevent them.
And AI is a fantastic tool. I mean machine learning is phenomenal.
It’s been around for a long time but it’s just more recently come into everyday life. And now we need to understand how we can prepare for these threats.
It’s happening, it’s happening to every company and it’s real. We have to first accept that and then we have to look for ways to organize, control and mitigate these risks that are out there.
- So the treasurer role has evolved in the last decade, right? The challenges are new and so are the expected skills, aren’t they?
Lee-Ann: Yes, it’s about upskilling treasury teams and receiving specific training.
But you know, what I’ve seen in the past few years is that it’s not just the Treasury Department’s responsibility anymore. We have to train our own departments, but we have to train anyone who has any interaction with banks, vendor databases, receivables, and our IT systems.
Everyone needs to have the same information because as a team we can strengthen our companies and we can come up with solutions to help us. It’s no longer just those who have bank access who should be trained.
What I think has worked effectively is having teams trained by experts outside the company.
I always try to get the message out there to use your banks, your vendors, and your partners to help train companies because the more we know, the more we can do to help our companies. We spoke earlier about how one of the treasurer’s main goals is to safeguard the company’s funds.
And we do that in ways that are not only just going to banks and getting funding and helping us to run the company, or generate returns for our shareholders. It’s also about physically protecting the funds of the company. And the more global a company and the more complex a company, the more difficult it becomes.
You have to train your staff to think like criminals but just don’t act like them.
- And in your career as an Assistant Treasurer have you already you know encountered fraud events that have endangered the company or a team or have had big repercussions on the company?
Lee-Ann: 10 years ago, I was spending a lot of time ensuring that our checks and our physical methods of payment were safe.
We did have an incident at a company where checks were intercepted in the mail, they were washed and then those same checks were presented to criminals. They cashed the checks and they tried to clear our accounts. Fortunately, we had positive pay on the account.
So we managed to stop that, but I will say it took a lot of time, a lot of investigation. The FBI even got involved because it was a bigger case than we expected.
It was a very good way for me to learn the importance of detection, low response time, prevention, and how much energy it takes to mitigate these types of risks.
And then as I grew into my career and also as technology grew, I’ve seen many attempts. Automated fraud attempts like phishing, smishing… We’ve been flooded with these.
Once we had a successful fraud event. And it was the company’s “fault” in a way because we didn’t have the right controls in place. And I’d say it was a really sad time in the company. I realized at that moment that it was never going to stop. Fraudsters take advantage of vulnerable people, vulnerable systems… And in the end, it’s sad when it actually succeeds.
It’s really up to all of us in the company to have our guard up and to know these things are happening very quickly and that we have to have measures in place. Time is of the essence.
- And overall how would you rate companies’ level of awareness when it comes to fraud? Do you think that companies have the right level of education?
Sadly I have not seen enough companies taking this issue seriously enough.
We hear about it, we go to conferences and we know it’s happening. But I haven’t seen with my own eyes enough seriousness in companies. It’s happening and it could potentially be disastrous for companies, but not many take it seriously enough.
You can’t just buy cyber insurance and think “It’s fine, we’ll be protected if something happens.” It’s much more dangerous and deeper than that. We have to prevent these things from happening and there isn’t enough prevention. The tools exist but it’s the adoption of these tools by companies that is concerning.
We have to think one step ahead of the criminals and unfortunately, it’s not the case right now. So while companies have the basic tools they need and the basic training, I haven’t seen enough emphasis on realizing the dangers of these events.
And once it happens it’s too late. Companies risk a lot: there’s reputational risk which I think is the the hardest part for companies to control. Of course, there’s the direct financial loss, but reputation and downstream impact are the most concerning.
There are so many benefits in putting in the right solutions, having the right attitude, and framing the right perspective for fraud awareness. Companies will save money but also enhance trust around the company, for customers, investors, etc.
We all need to work towards taking fraud more seriously.
- You were talking about cyber insurance. So what about cybersecurity? Do you think that finance teams today are more cyber aware than they were five years ago or do you think it’s still mainly a concern for IT teams and that finance teams aren’t necessarily aware of the dangers of cyber fraud?
I absolutely agree. Obviously, it’s one of IT’s main tasks to protect anyone from penetrating the company’s systems. But while it’s their main responsibility, finance teams are also impacted by system infiltrations. They work with sensitive data.
We should definitely be just as aware and just as skilled in detecting or understanding the threats that come our way. Maybe we’re not involved in the coding or the actual firewalls, but we should know what’s out there. We should know what can happen.
We should know how it happens and we should know what we can do as a finance team or a treasury team specifically to prevent this from happening.
Unfortunately, there’s a tendency to get sloppy in companies because we’re often under-resourced in terms of manpower and funding. And so we just think, “Well, if I send an unsecured e-mail, I’m sure we’ll be fine. No one’s looking for that information and we’re a small company. It’s not going to happen to us.”
So whilst the IT department has probably more skills in that area and more span of control, we should be just as involved and also come to IT with solutions and information.
So in our study, we see that there are still some companies that mainly use manual processes to fight fraud. What would you say to these companies and what would be your advice to companies that still believe that manual processes can still fight fraud?
It’s a rampant problem because as I mentioned earlier, treasury departments are usually under-resourced and are just trying to get the work done, get the books closed, get the funding, get the cash management done. We don’t necessarily have the skill set or the resources available to help set up these automated processes, but I don’t think that manual processes are going to cut it anymore. It’s like going to a gunfight with a knife.
You just have to use technology that’s out there to help you. These tools and fraud prevention software are what is going to help you fight this war against fraud. They’re the way to detect anomalies, intrusions, and so on. You can’t fight the war with manual processes. And yes, it takes resources, money, and time. But you’ve got to put these solutions in now to be ready for the future.
Our adoption of technology is too slow.
What I’ve seen in the past is that tools get put into companies once fraud has happened while in fact, we should be proactive. That’s what Treasury should be about being proactive and helping the company prevent these things from happening.
It’s also about building trust with customers, banks, vendors, investors… Avoiding fraud and setting the right defenses in place.
- Do you think that budget today is the main restraint when it comes to implementing solutions to fight fraud?
I think so.
Budget is always something that’s a problem to get resources for in a department as small as the Treasury. And there is still a misconception about what the Treasury does and how beneficial and impactful we can be to a company. So it’s hard for us to get resources, it’s hard to fight for them.
Where I’ve been successful in the past is partnering with the IT and the legal departments to get the resources because it isn’t just a treasury issue. It’s not just a bank account that gets defrauded and we lose some money. It can be as broad as payroll being impacted.
I had this happen at a company where one of our C Suites’s pay was rerouted to a fraudster because he fell for an e-mail scam. It impacts more than just our bank accounts, it impacts our employees, our vendors, our supply chain, our customers, and our resources shouldn’t just be seen as “Treasury wants more money”, it should be clear that the company needs to be protected.
Fighting fraud should be a company-wide strategy
- Could you give us an overview of fraud prevention tools that you have worked with or that you know about on the market today?
We still have to use positive pay for checks. You have to use ACH filters for electronic payments. And then there are other manual solutions like callbacks: calling for information, calling for a change of information. That’s a way to keep communication with vendors open.
Then there are also incredible Fintech companies out there, creating solutions that are AI-backed and help detect anomalies, changes in the information, and changes in patterns.
Those solutions are beneficial for companies. Some banks also offer solutions and services, sometimes by partnering with these fintech companies. It’s all about creating a circle of trust.
And then there are definitely a number of companies that have solutions integrated into your ERP or TMS. There are many solutions out there.
There’s no excuse for companies not to be equipped. And I think that’s the main takeaway: we have technology out there. We have all these fantastic companies that provide solutions.
As companies, we just have to fight for the resources and we have to adopt them because if we don’t we’re going to be on the other side of fraud.
- Do you think that fraud events will increase in the 12 coming months and future years, do you think it’s a slippery slope going on?
I think it will increase because we’re not paying enough attention to it. And until we take it seriously, implement systems, and do everything we can to prevent fraud, I think it will increase.
To be in a world with less fraud, it’s going to take concerted efforts from all companies, from all payment providers, and from anyone who’s dealing with any sensible or personally identifiable information. It’s going to take a concerted effort from us. It’s going to take regulations from countries to make these things stick.
So while I do see it increasing, I also think that if we put these plans in place, we’ll perhaps see a reduction of this type of of fraud in our lives.
- Is there anything that you’d like to add about this topic?
I think it’s all about trusting your staff and trusting your company but verifying everything.
Although it takes time, the most important thing to do when you have responsibility for sending out payments or making any changes in the system is to pause and remember that time is of the essence.
When fraud happens, you have to resolve it immediately to prevent as much of the damage as you can.
So train your staff and train your companies to spend time on any change or anything that seems to be not right or not part of the process. Just take a pause. Spend a little bit extra time on it, think about it, ask for somebody else’s opinion, and never do anything alone.
Always have four eyes at least on any type of change or payment process and that’ll help you to at least prevent something that could be worse.
If you want to wipe out payment fraud in your business, request a demo!