Protecting Your Company From Payment Redirection Fraud

Modern fraud tactics are more sophisticated than they used to be. We’re long past the days where fraudulent messages can be identified by typos or poor grammar. Social engineering communications will generally appear to be legitimate and may include convincing details such as official company logos and signatures. Of course, these details are just a mask for a threat actor working behind the scenes, aiming to profit in some way by exploiting unsuspecting employees. 

While payment fraud can take many forms, the one that affects accounts receivable departments the most is payment redirection fraud and prevents your company from getting money due to them.

What Is Payment Redirection Fraud?

Payment redirection fraud is a scam that involves a criminal deceiving a business or individual into making a payment to a fraudulent account. Also referred to as business email compromise (BEC), these scams generally involve a fraudster impersonating a trusted vendor, supplier, or senior executive by sending an email or phone call requesting that the recipient transfer funds to a specific bank account unaffiliated with the legitimate business.

Unlike malware or other software-based attacks, payment redirection fraud is a type of phishing attack that falls under the category of social engineering—attacks that target a company’s employees rather than its infrastructure.

This type of fraud can cause significant financial losses for businesses and individuals alike, with SMBs typically being the preferred target for cyberattacks. Research suggests that employees at companies with fewer than 100 employees will experience three times as many social engineering attacks as those who work at larger companies.

With cyberthreats on the rise, companies need to get proactive about training their employees and creating an organization-wide culture of security that helps prevent fraud. As an accounts receivable professional, you are not very likely to fall victim to payment redirection fraud in your professional life, but your customers could, leaving you and them in a precarious position.

Who is Most Vulnerable to Payment Redirect Fraud?

Mainly finance teams or anyone paying invoices as part of their job because they receive so many payment requests and messages and much of the messaging becomes par for the course. 

Payment redirection fraud has become increasingly common in recent years, particularly with the proliferation of these digital transactions. In one Australian study, false billing was one of the top five fraud tactics reported by businesses in 2021, showing total losses of $221 million.

With incalculable amounts of sensitive client data and financial records at stake, those in finance will need to take strong measures to prevent fraud at every level.

The Pandemic Made Things Worse

The understatement of the century! But here, we’re referring specifically to cybercrime and the risks to businesses that came as a result of pandemic-induced digital transformation.

We all remember the scramble that companies made to go remote with their workforces and shift all in-person processes to digital alternatives. Aside from the administrative headaches that this transition brought on, it exposed businesses to a variety of new threats largely related to cybercriminals exploiting the fear and uncertainty of the pandemic era.

Reports to the FBI’s Internet Crime Complaint Center rose 69% in 2020, claiming a total $4.2 billion in losses (up from $3.5 billion in 2019). The costliest type of attack? Business email compromise, claiming 43% of total losses alone.

Clearly, businesses were unprepared to handle the security challenges of a hastily-assembled remote and hybrid workforce, and unfortunately, though many companies have largely returned to normal business operations, things haven’t improved much from a security standpoint. Business email compromise attacks increased by 81% in 2022 and 175% over the past two years, meaning we still have plenty of work to do as an industry to protect ourselves from attacks.

How Payment Redirection Fraud Is Done

Fraudsters use a variety of tactics to carry out the scam, most often including:

1. Impersonating a trusted contact: Attackers often impersonate a vendor that the victim has previously worked with or has an existing relationship with. They will often use an email address or domain that is very similar to the one the customer knows (ie. using a zero instead of an O).
2. Creating fake invoices: Fraudsters may create a fake invoice scam that appears to be from a legitimate vendor or supplier. The invoice will typically include the fraudulent bank account details that the victim is instructed to transfer the payment to.
3. Hijacking legitimate email accounts: In some cases, attackers may gain access to a legitimate email account and use it to send payment requests or fraudulent invoices to other contacts in the victim’s network.
4. Using malware to gain access: Fraudsters may use malware or phishing attacks to gain access to a victim’s email account or computer system. Once they have access, they can monitor communications and identify payment opportunities to target.

Regardless of the attack vector, the fundamental concept is the same. Payment redirection fraud, in most cases, is done by manipulating unsuspecting employees into giving up sensitive information or sending funds digitally. In other words, the weakest link in a company’s security chain isn’t infrastructure or unpatched software—it’s the people opening emails on unsecured devices, engaging in communications with unverified entities, and maintaining poor password hygiene.

Protect Your Company From Fraud: Strategies

Financial institutions and their clients can take several steps to reduce the risk of payment redirection fraud. Like most strategies to reduce social engineering, employee education is at the forefront, but companies can deploy some technical improvements as well to harden their security profile.

Focus on Employee Education

At its core, social engineering is about people. Companies need to support their employees with dedicated training and policies that inform them of potential threats. As an accounts receivable professional, you can suggest these things to your customers to make sure that they don’t fall victim to payment redirection fraud. There are three primary steps to this:

1. Raise Awareness: Begin by educating your employees, with an emphasis on accounts payment employees about the risks and consequences of social engineering attacks. Explain how attackers use social engineering to gain unauthorized access to systems, steal sensitive information, and commit fraud. Make sure your employees understand that social engineering is a serious threat that affects the entire organization, and provide dedicated training on specific attack vectors, such as how to spot payment fraud before it occurs.
2. Provide Training: Conduct regular training sessions to help employees recognize social engineering tactics. This training should cover topics such as phishing emails, pretexting, baiting, and tailgating. Provide real-world examples of social engineering attacks and train employees on best practices surrounding remote work, bring-your-own-device (BYOD) security, and other systems as necessary.
3. Create Security Policies: Develop clear security policies that outline best practices for protecting sensitive data and systems. These policies should cover password management, data encryption, software updates, and other security measures that employees should follow.

Your goal here isn’t to just train your team on security best practices but to work on creating a culture of security awareness across your organization. By some estimates, only 27% of companies provide this type of training, so companies can make a big impact on their risk profile by making education a priority.

Implement Strict Payment Approval Procedures

Another way to prevent falsified payments is to implement more rigorous standards around how payments are transmitted. This typically involves creating a multi-step approval process that requires verification of payment requests before any funds are transferred. The specific procedures may vary depending on the size and structure of the organization, but some common elements might include:

• Requiring multiple levels of approval for large or unusual payments
• Verifying payment details with vendors or contacts through a separate communication channel, such as a phone call or in-person meeting
• Checking for inconsistencies or irregularities in payment requests, such as unexpected changes in account numbers or payment amounts
• Keeping detailed records of all payment approvals and transactions for future reference and auditing purposes
• Regularly reviewing and updating payment approval procedures to ensure they are up-to-date and effective
• Insisting that you pay vendors via a secure payment portal

You can implement some and not all of these strategies. These strategies are necessary complements to employee education that strengthen a company’s fraud prevention strategy at the policy level. Codify these measures in the company strategy and make them second-nature for all employees handling transactions.

Review Technical Configurations and Systems

While social engineering is more often done through human exploitation, vulnerabilities in company systems can “leave the key in the lock” for threat actors. As such, it’s a best practice to review all technical configurations to ensure complete protection:

• Secure payment systems: Businesses should use secure payment and financial management systems that employ encryption and multi-factor authentication to protect against unauthorized access and reduce the risk of fraud.
• Firewalls and antivirus software: Installing and regularly updating firewall and antivirus software can help prevent malware attacks and protect against phishing emails.
• Email filters: Finance companies can use email filters to detect and block suspicious emails, particularly those with known fraudulent patterns.
• Data encryption: Data encryption can protect against unauthorized access to sensitive information by encrypting all data in transit and at rest.
• Regular system updates: Regularly updating operating systems and software can help to ensure that security patches and fixes are up-to-date and that any vulnerabilities are patched.

Stop Fraud in Its Tracks With Training, Education, and Security

Fraud can occur from a variety of sources, and no company is immune. Smaller businesses may lack the appropriate cybersecurity and controls to prevent fraud, while larger ones may house larger data stores that make them desirable targets. Worse yet, it’s estimated that 60% of all fraud losses to small businesses are never recovered—underscoring just how important it is that businesses of all kinds know how to cut fraud down at its source.

By implementing these strategies and being vigilant against payment redirection fraud, businesses can protect themselves from potentially significant financial losses.

Contact our team at Gaviti to learn how our secure A/R automation systems can improve your company’s risk profile.

See what our clients say about us: