Surrey Business News
Is Your Organization Fraud-proof?
Staying ahead of payments fraud and other schemes
It’s Friday morning and a controller at a Surrey-based company gets an email from the owner with wire instructions for a payment she authorized. The owner says she will drop by the controller’s office with a copy of the original invoice later in the day, but to go ahead and send the payment immediately. After the payment is sent and the controller follows up for the invoice, he discovers that the owner’s email was compromised and the message was not from her. Now the money is gone.
This hypothetical situation is an example of payment fraud. As more payments become electronic, fraudsters are becoming more sophisticated in the techniques they use to target businesses.
According to the Association of Financial Professionals in its 2018 Payments Fraud and Control Survey, 78 percent of the organizations surveyed were targets of payments fraud in 2017. In addition, 74 percent of organizations experienced some form of cheque fraud.
While these are scary statistics, increased awareness and education are key to curbing this trend, according to Surrey-based Bill Cunningham, District Vice President – TD Commercial Banking.
“It’s critical to review your organization’s procedures around payments to address vulnerabilities and assess your employees’ knowledge gaps,” says Cunningham. “Every organization should have policies and controls in place to monitor, detect and prevent payment fraud.”
No payment method, be it cheques or electronic payments, is immune to fraud, and fraud is difficult to eliminate. That’s why it’s important to evolve your company’s response and layer fraud-prevention tactics so that fraud is made as difficult as possible for criminals.
“Cheque fraud is quite common so care and control is key with this payment method,” says Cunningham.
“Think through your cheque issuing process and determine where your cheques are kept and who has access. Removing the opportunity for fraud will go a long way in preventing it in the first place.”
Another form of fraud is electronic payments fraud, also known as cybercrime. While electronic forms of payment such as credit cards, wires and electronic funds transfers offer opportunities for better control and monitoring of payments, they also open the door to cyber criminals. Fraudsters who engage in cybercrime are tech-savvy and creative, and will often use email to target employees and trick them into giving up sensitive information.
Tammy Rea, a Business Banking Manager at TD, works with her clients to help them identify and better protect themselves against electronic payments fraud.
Rea suggests educating all employees who have access to online banking, including temporary ones, regularly testing their knowledge, reviewing potential fraud scenarios, performing daily account reconciliations and reminding employees that your bank will never send an email asking for account login or token credentials.
“Remember, if in doubt, call your vendor or financial institution to verify the legitimacy of an email and never, under any circumstances, provide any login or token credentials, either by phone or email,” says Rea.
She says TD recently introduced a policy of dual authentication that requires two people to authorize applicable electronic funds transfer payments and wire payments. Dual authentication adds a layer of security to help protect against fraud.
In educating employees about fraud, it’s important to let them know about the different payment fraud schemes – and variations – out there, including:
• Phishing/smishing/vishing – An authentic-looking email, text message or phone call that appears legitimate and asks the recipient to validate their account, confirm suspicious activity or prevent their account from being suspended. Typically, a link or document is included in the email or text that directs recipients to a fake website where they are asked to provide login credentials or confidential information. Don’t open attachments or click on links in emails from unknown senders.
• Spoofing/Business Email Compromise – Fraudsters target a business and research who the officers are. They then send a fraudulent email, impersonating the officer or a vendor, and try to trick their victim into initiating one or more wire transfers to pay an invoice. They “spoof” or fake a legitimate email address, altering one or more characters from the actual email address.
• Ransomware – A type of malware that infects computers, locks down data and then encrypts it until the victim hands over a payment to restore access to the information. Ransoms may be demanded in bitcoin, a digital payment system that is less traceable than other payment types.
• Malware – Software used to gather sensitive information or access computer systems. It is possible to download malware without knowing it – perhaps in a phishing email, or by clicking an Internet link. If your computer presents pop-ups or unfamiliar screens, disconnect and contact your IT professional.
You can minimize your risk by reviewing and implementing the security features available for your bank’s products, including those that enable separation of duties, dual authentication and enhanced administration and control. Always enter the address of any banking website yourself instead of clicking on links embedded in emails, pop-up windows or search engines. Set individual user limits for your payments that are appropriate for each user.
Your financial institution is a good source for information, support and products to help you protect your company against fraud.
This sponsored article is for informational purposes only and is subject to change.