4 tips to prevent ACH credit fraud
By Jérémie Bennett.
Forced to work from home during COVID-19, accounts payable departments have accelerated their plans to move away from paper checks and make more of their supplier payments through ACH. This, in turn, has accelerated another trend: fraud. Fraudulent attacks on ACH credits carried out through social engineering are more commonly referred to as business email compromise, or BEC.
According to the AFP 2020 Payments and Anti-Fraud Investigation Report, in 2019 BEC schemes were, for the first time, the most common type of fraud attack, with 75% of organizations experiencing an attack and 54% of those reporting financial loss. ACH credits (outbound buyer-to-supplier payments) were targeted in 37% of BEC schemes.
The problem has only worsened in 2020. In the September edition of its Fraud as a result of COVID-19 benchmarking report, the ACFE reports that 90 percent of those surveyed saw an increase in the frequency of computer fraud from July to August. This included BECs.
Three-quarters of those polled said preventing and detecting fraud has become more difficult in today’s environment, and more than 90% expect attacks to increase. Organizations are under siege and nearly a third have not received any guidance from banking partners on ACH credit risk mitigation.
What can organizations do?
Defeating BECs requires a multi-pronged approach. Ongoing anti-fraud training is important because these emails get more convincing every day. Scammers have become experts in user data and A/B testing, stripping out the elements that would alert their victims to illegitimate changes to their accounts. Strong internal controls are also important, as is network security, which keeps unauthorized parties from gaining access to internal systems.
Here are four ways to reduce your risk of ACH credit fraud.
1. Handle with care
Thwarting ACH credit fraud involves securely handling vendor bank details, which accounts payable must have on hand to pass its payment records to the bank. This data is often stored in the ERP system, or sometimes in an Excel spreadsheet, where AP personnel recorded it during supplier onboarding. Sometimes it is recorded when a supplier updates their information. Fraudulent change requests are one of the most common avenues of attack.
Let’s say you have a new person in Accounts Payable who is not yet fully trained. This person receives an email that appears to come from a vendor, asking them to update the vendor's bank account information.
Your new recruit, eager to please, acts on the request, entering a new routing number and a new bank account number, unaware that a million-dollar payment to that vendor will be made the next day. No one realizes what happened until two weeks later, when the real supplier calls, asking for payment.
By then, it is too late to recover the ACH payment. You can call the FBI and the bank. They can try to help you out, but if the thieves are sophisticated enough, they’ve already transferred the money to offshore accounts, and it’s gone.
2. Secure information
You should never use unsecured email for banking information updates, although a surprising number of businesses still do. It is too easy for a hacker to intercept any of these emails and use the information they contain for their own purposes. If they get contact or bank account information, they can masquerade as legitimate vendors and bypass internal controls. Some companies even keep this information in spreadsheets or their ERPs, but systems like these are not designed to store data securely.
Some companies allow suppliers to update their own information in supplier portals. This can work, provided that the companies manage secure access to the portal and check all updates. However, if vendors can log in and update information, it is likely that hackers can access the same information with very little resistance.
The most sophisticated approach I have seen so far includes a trained procurement team, which checks and validates any changes that occur.
There are a few drawbacks to this approach. It’s a big IT investment with a lot of manpower. Even then, it is still prone to internal fraud. In the end, even the best systems will always have their risks. The goal is to minimize them.
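The scenario from tip 1, run through the kind of change validation described here, as an added example that is not from the original article: a pre-release check over a payment run that holds any payment whose vendor bank details were changed and never validated. The record layout, field names and the rule that the validator must differ from the person who entered the change are assumptions made for illustration, and all data is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class BankChange:
    vendor: str
    changed_on: date
    entered_by: str
    validated_by: Optional[str] = None  # hypothetical field: who confirmed the change

@dataclass
class Payment:
    vendor: str
    amount: float
    pay_date: date

def payments_to_hold(payments, changes):
    """Return (payment, reason) pairs that should not be released yet."""
    held = []
    for p in payments:
        prior = [c for c in changes
                 if c.vendor == p.vendor and c.changed_on <= p.pay_date]
        if not prior:
            continue  # bank details unchanged since onboarding
        current = max(prior, key=lambda c: c.changed_on)  # details in effect on pay date
        if current.validated_by is None:
            held.append((p, "bank details changed, not validated"))
        elif current.validated_by == current.entered_by:
            held.append((p, "validated by the person who entered the change"))
    return held

# Constructed sample data: the first change mirrors the new-hire scenario in tip 1.
CHANGES = [
    BankChange("Acme Supply", date(2020, 9, 14), "new_hire"),
    BankChange("Borealis Ltd", date(2020, 8, 3), "clerk_a", validated_by="procurement_b"),
    BankChange("Cedar Freight", date(2020, 9, 10), "clerk_a", validated_by="clerk_a"),
]
PAYMENTS = [
    Payment("Acme Supply", 1_000_000.00, date(2020, 9, 15)),
    Payment("Borealis Ltd", 18_250.00, date(2020, 9, 15)),
    Payment("Cedar Freight", 4_900.00, date(2020, 9, 15)),
    Payment("Delta Paper", 730.00, date(2020, 9, 15)),
]

if __name__ == "__main__":
    for p, reason in payments_to_hold(PAYMENTS, CHANGES):
        print(f"HOLD {p.vendor} {p.amount:,.2f}: {reason}")
```

The self-validated case is held as well because, as noted above, a validation step on its own is still prone to internal fraud.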
3. Look at the fees
Companies often try to transfer the risk and the time burden to others, with some success. For example, they can choose to pay their suppliers by card, which puts the risk on the credit card networks. In the case of card fraud, it is more likely that payments can be canceled or refunded.
Virtual cards offer even more security because they provide unique numbers, which can only be used by a specified supplier for a specified amount. The big downside is that not all suppliers accept cards: there are fees to consider.
One organization that I know of pays a lot of its vendors with PayPal. Their suppliers, mostly small businesses, are located around the world. AP has neither the time nor the staff to verify payment information, validate bank accounts, and handle ongoing updates. As an intermediary, PayPal handles all of this and ensures that the funds go to the right place. But, again, suppliers pay a hefty fee, on the order of three percent.
4. Shift the risk
There really isn’t a perfect system in place, which is why we are seeing ACH credit fraud increase along with the increase in ACH payments. But there’s an ideal way to shift risk to businesses designed to carry the load of verification and validation. Today’s payment automation providers manage vendor information so individual businesses no longer have to spend valuable time on it. This amounts to handing over the reins, much as you would to IT and purchasing departments, to lock down the database and set up controls. The difference is that working with a provider takes away the time investment and the liability.
Think of payment automation providers as a way to outsource risk. Their sole purpose is to ensure secure and on-time payments to your suppliers without incurring costly overheads. They’ve perfected the systems and processes of hundreds of thousands of AP departments across the United States, and in ways businesses would be hard-pressed to replicate.
Businesses used to be primarily concerned with check fraud. Although they still have to pay attention to it, check fraud has become a low-tech form of fraud that is easy to understand and plan for. As businesses turn to electronic payment methods, they increasingly face sophisticated cyber attacks, which target much larger sums and are more difficult to defend against. With the increase in these attacks, companies may find that outsourcing to professionals is the best defense.
Jeremiah Bennett is the Chief Information Security Officer for Business, a FLEETCOR company that helps businesses of all sizes simplify the way they pay their suppliers, facilitate cash payments, and reduce risk.