Treasury 
Risk Management 
Payments 
Connectivity 
Working Capital 
Accelerate ERP Migrations 
AI in Kyriba 
API Integration 
Cash Forecasting 
Enterprise Security 
Fraud Prevention 
FX Exposure Management 
FX Risk Management 
ISO 20022 Migration 
Liquidity Planning 
Real-time Payments 
Supplier Financing 
Office of the CFO 
Treasury 
Information Technology 
Retail 
Financial Services 
Higher Education 
Healthcare 
Manufacturing 
Mid Sized Companies 
Banks 
Public Sector 
Blog 
eBooks 
Webinars 
Videos 
News 
Fact Sheets 
Success Stories 
Events 
FAQs 
Value Engineering 
Research 
About Us 
Values & ESG 
Recognition 
Leadership 
Careers 
Contact Us 
Kyriba Academy 
KyribaLive 
Blog
Six Tips to Protect Your Organization Against Payments Fraud
As Cybersecurity Awareness Month ends, it’s a good idea for treasury and finance departments to do a quick health check on their infrastructures and ensure that their protections are up to par—particularly when it comes to payments fraud.
One message is clear—if you have strong, consistently executed processes protecting your payment from its initiation all the way to its receipt, you significantly reduce the chances of a successful payments fraud attack.
The Threat of Impersonation
Payments fraud in 2021 was as bad, if not worse, than the year before, according to the 2022 AFP Payments Fraud and Control Survey. But even though business email compromise (BEC) scams dropped substantially last year, many organizations are still falling prey to them and incurring significant losses.
At the heart of BEC scams and more recent developments like deepfake fraud is impersonation. Cybercriminals use social engineering tactics to develop profiles on company employees or routine vendors, which they then impersonate to dupe unsuspecting people into making critical mistakes.
To identify an impersonator, it’s helpful to know the telltale signs. More than likely, the payment request will be urgent and will attempt to exploit unique circumstances, such as a specific time when employees are out of the office. Additionally, if your organization is making a lot of payments to contractors for a project, fraudsters might attempt to exploit that.
For example, Philabundance, a Philadelphia food bank lost about $1 million due to a successful BEC scam. The food bank was in the process of building a $12 million community kitchen. The accounts payment (AP) team received an invoice from what they thought was a construction company supplier and made a payment.
The Government of Carrabus County, N.C., also found itself victimized by a vendor BEC scam. The county intended to send money to a contractor it had been working with for the construction of a new high school. Through a series of emails that began in late 2018, the fraudsters made requests to update bank information. The county didn’t do its due diligence and ultimately sent more than $2.5 million to the fraudulent account. While over $776,000 was ultimately recovered, about $1.7 million remains unaccounted for.
Common Fraud Myths
When it comes to payments fraud, many treasury and finance departments still get lulled into thinking they are more protected than they are. Organizations may assume that their procedures are infallible or that any lost funds will be reimbursed, but they quickly get a wake-up call when a successful attack happens. The following myths are common.
“We have an approval process in place.” Even the companies with the strictest policies in place can still have a breakdown in processes. Employee ID/password combinations can be stolen. Regional treasury/shared service centers may require fewer numbers of approvals due to limited in-country staff. And companies with multiple ERP systems might have different approval processes—a scenario that is ripe for fraud.
“My bank will cover me.” There is no obligation for a bank to cover any client for payments fraud, unless the bank itself has been breached, like in a bank employee scheme. The bank may still reimburse corporate clients on a case-by-case basis, but don’t bet on it.
“We have cyber insurance.” Many companies assume that if they purchase cyber insurance, that they are covered in the event of a loss. However, if an organization can’t prove that it took all the right steps to protect itself, it’s very likely that the insurance policy won’t cover the loss. Many plans don’t cover BEC scams, for example, because they involve an employee making an error. There have been several legal cases where insurance firms have refused payment and the courts sided with the insurers. Furthermore, even if cyber insurance does agree to pay out, you might still have to pay a high deductible. For some plans, that cost can be tens of thousands of dollars.
What Can You Do for Payments Fraud Protection?
Fortunately, there are many ways to protect your payments and your data. The following tips can help.
Embrace the cloud. Organizations should embrace cloud technology to secure payments and systems. IT teams know that payments data and connectivity are more secure when hosted externally. However, not all cloud solutions are alike. Solutions like Kyriba Enterprise Security ensure that treasury, payments, and risk data meet internal security policies and international security requirements while providing 24/7, global support.
Align all departments. Your internal IT department, as well as any key areas that touch payment processing areas such as treasury, accounts payable, shared services, etc. all should be aligned with your security policies. With more and more companies allowing remote work, companies must ensure that all employees are using effective protections such as strong passwords, policy controls, multifactor authentication, IP filtering, single sign-on and data encryption.
Automate payment processes and standardize controls. Automation allows organizations to standardize the payment journey from the initial request to the receipt of the payment. Risk lies in the exceptions to a standardized process, i.e., payments made outside of this typical format that provide fraudsters with opportunities. Again, these are usually one-time, urgent payment requests that can come in for things like mergers and acquisitions, legal settlements, emergency payroll, etc.
Enable real-time screening, alerts, and notifications. The rise of same-day and real-time payment systems has increased the need for real-time responses to fraud attempts. Modern fraud detection software uses artificial intelligence (AI) and machine learning to screen payments against historical payment data, pinpointing any anomalies.
Implement fraud prevention workflows. Modern payments fraud modules support fully automated, end-to-end workflows for the resolution of outstanding suspicious payments. Users can determine how each detected payment should be managed, enforcing the separation of duties between the initiator, approver, and reviewer of a detected payment.
Know your vendors. Vendors can be a major liability for your company. In some cases, vendors are granted access to their customer’s network credentials. If that vendor’s security protocols are lacking, they can become an unknowing backdoor into that customer’s systems. This is what happened in the infamous Target breach in 2013. Therefore, it is imperative to have a detailed information security questionnaire that can provide confidence in the governance and risk programs that a vendor has in place. Additionally, with vendor BEC scams proliferating, organizations need to make sure that requests for payment instruction changes are verified directly with the vendor before any transactions are completed.
Safeguarding Your Payments
To mitigate the risk and safeguard your payments, organizations must have a unified solution that connects ERPs, internal and external systems that allows for a secure, end-to-end payment journey. Furthermore, when exceptions occur, protocols can’t be abandoned no matter how urgent the request. Any departments that touch payments need to understand that one slip up can be catastrophic, not only leading to loss of funds, loss of job and reputational risk for the whole organization.
Kyriba is here to help you protect your organization against payments fraud.
Related Resources
-
Welcome to Liquidity PerformanceToday marks an exciting new chapter for Kyriba as we unveil our new brand identity. This transformation symbolizes far more than just a visual refresh – it represents our vision and approach to elevating...Read more -
Identifying the ROI in a Treasury Transformation ProjectHow do you truly identify the total value of implementing a treasury management system (TMS)? While some aspects of a treasury transformation project may seem black and white, other value components are difficult to...Read more -
10 Things You Need to Know about APIs for TreasuryAPIs continue to be one of the most talked about technologies, as finance leaders look to make their treasury and payments operations more real-time and responsive to market volatility. APIs are critical to the...Read more
Related Resources
-
Payments Fraud Detection in an Escalating Threat EnvironmentModern fraud threats are innovative and constantly evolving. To confront these threats, organizations that want to survive need to deploy the most up‑to-date detection and prevention solutions.Read the eBook -
Kyriba Payments HubInefficient payment processes inhibit supply chains, cash flow and profitability. The need to optimize cash and working capital, combined with the increasing threat of cybercrime and payments fraud, amplifies the need to centralize and standardize corporate payments.Read the fact sheet -
Proactive Threat Defense for Liquidity and PaymentsUp to 90% of CFOs and CIOs report payments and financial fraud attempts, and cyber threats are growing more complex with intelligent technology. That makes proactive fraud detection and response programs a top priority...View Recording