The truth is, all businesses are at risk of being scammed at some point, and just one incident can cost a company millions of Rand. Ryan Mer, CEO, eftsure Africa, a Know Your Payee™ (KYP) platform provider, says that fraudsters are constantly finding new ways to exploit vulnerabilities and attack corporate payment systems, and it’s critical that we all work together and share information to remain one step ahead of scammers.
Accounts payable fraud is one of the most damaging types of fraud and is common in companies large and small. It targets the department responsible for paying suppliers and other vendors. A report from JP Morgan found that 81% of organisations were hit with payment fraud in 2019, and only a relatively small portion of losses were recovered because the scams worked so well.
Here are some of the top scams to look out for:
- Internal fraud
More often than not, companies realise that fraud is perpetrated from within. According to the Global Economic Crime and Fraud Survey, 41% of economic crimes in South Africa are committed by employees, compared to only 36% by external fraudsters and 21% by collusion between the two.
“Employees have access to internal systems and knowledge of internal processes, and so they know where any vulnerabilities lie in your organisation’s internal controls,” explains Mer.
Some ways they can scam your organisation include:
- Changing the banking details of suppliers, rerouting funds to their own account or an accomplice’s account. This happens especially with ad hoc suppliers.
- Adding fictitious suppliers or employees onto the payroll or colluding with suppliers to issue fake invoices.
- Submitting illegitimate reimbursements for expenses.
- Issuing fake refund payments to customers.
- Social engineering
Social engineering is the attempt to convince a person to perform an action or divulge information against his or her own interests; it forms the basis of many scams. “It is a tool used to manipulate targets by relying on the human impulses of being helpful, avoiding conflict and problem-solving quickly,” says Mer. “By deceiving an employee into revealing confidential information, the way is paved for scammers to initiate fraud against your organisation.”
In an example scenario, a scammer could contact your accounts payable team and pretend to be a supplier trying to update their banking details on your system. The next time you pay the supplier, the funds are sent to a bank account controlled by the scammer.
- Business email compromise (BEC)
These scams are on the increase due to the ease of attack combined with the problem of staff being unable to tell the difference between real and fake emails. The FBI’s Internet Crime Complaint Centre says losses from BEC scams topped $12 billion globally in 2018, with 97% of losses attributed to ‘false billing’ scams. One form of BEC is supplier email compromise, which involves fraudsters first infiltrating the email systems of the target companies’ suppliers and then using that access to imitate the supplier company and send the target company fraudulent emails.
Mer says that advances in artificial intelligence are making it easier for fraudsters to use impersonation to their advantage. One of the ways they do this is by creating realistic audio and video impersonations. They feed an audio or video sample of your organisation’s CEO or CFO into a software programme and create a fake recording of that person giving payment instructions to accounts payable staff. This message is then sent to unsuspecting staff, who make the payment, unaware that the message is fake. Social media also plays a role here, particularly LinkedIn, which fraudsters use to create fake profiles and impersonate legitimate business people.
Email is the favoured medium for phishing. Usually, a message is designed to get its reader to download a file or click on a link. By clicking or downloading, the unsuspecting employee unintentionally infects the organisation’s IT systems with malicious software or gives away confidential information.
To inspire action, phishing messages warn readers of account inactivation or cancellation, threaten financial losses if the message is not acted on, or cause alarm by reporting suspicious account activity.
Payment scams are becoming increasingly sophisticated, requiring extreme vigilance from accounts payable staff. Your organisation’s best defence is to share information on what to look out for, keep up to date on the latest scams and review your company security controls. Making a big difference in many organisations’ security systems is eftsure’s SaaS platform, which digitises and automates key checks and processes that would otherwise be vulnerable to manipulation. “Through our KYP technology, the verification of payees and eft payment data is done on a continuous basis, protecting companies from fraudulently changed or maliciously altered payee information,” says Mer.