Cybersecurity and Fraud Protection
Fraud Prevention: 9 Best Practices for Payments Staff
A company’s payments staff is at the front line of email compromise fraud prevention. Here are best practices that can help protect your company.
More than 40,000 businesses globally lost more than $5.3 billion due to business email compromise (BEC) between October 2013 and December 2016.[1] BEC attempts, which include hacking, phishing, spoofing and domain lookalikes, drive the majority of fraud losses today.
Sophisticated fraudsters are targeting businesses with elaborate schemes, requesting seemingly legitimate payments that can cause crippling financial loss for the business. These attacks have become so commonplace that in 2017, 78 percent of finance professionals said their companies experienced attempted or actual payments fraud.[2]
Payments team employees can stand as defenders against attacks by being aware of fraud trends, using multiple tactics to strengthen validation processes, reviewing internal systems and accounting controls, and implementing new ones where needed. In most cases, the best way to validate a payment request is by making a phone call to a known contact—before ever making the payment.
Below are nine practices to help payments staff defend against fraud, broken down into three categories.
How to Develop an Awareness of Fraud Trends
Although fraudsters are constantly changing their tactics, there are certain actions you can take to be on high alert against common types of BEC.
- Watch out for email impersonators:
  - Members of your own team
  - Executives of familiar companies
  - Vendors with whom your organization has a relationship
- Check for lookalike domains
- Confirm email addresses
Impersonators assume the identity of someone with authority, such as a senior employee or executive, to direct the payments staff to act immediately and unquestioningly; or they pose as a vendor and request a low-profile administrative task, such as updating routing and account information. If the fraud succeeds, the payments will be misdirected to an illegitimate account.
No matter who is purporting to send the email, it’s important to check the message for content that raises red flags. Emails containing late or sudden changes in payment instructions, poor grammar or spelling and unusual urgency about sending the payment should prompt you to be on high alert.
BEC fraud schemes often use lookalike email addresses that closely resemble a legitimate address. For example, they may use cornpany.com as a lookalike domain for company.com. Review every email address carefully to ensure the message is actually coming from within your organization or from your known vendor.
In some cases, fraudsters can mask an email address to make it look like the message is coming from within your organization—but on hovering over it or hitting reply, the actual email address appears. You should always validate the sender’s email address by hovering or hitting reply. Then, carefully examine the characters in the email address to ensure they match the exact spelling of the company domain and the individual’s name.
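The three checks above (read the real address rather than the display name, compare the sender's domain against your own domain and known vendor domains, and notice when hitting reply would send to a different address) can be scripted as a first-pass triage for the payments inbox. The following is an added example written for this page, not code from JPMorgan Chase or the article; the domains, homoglyph table, similarity threshold and sample headers are all constructed and hypothetical.

```python
from __future__ import annotations

import difflib
from email.utils import parseaddr

# Constructed allowlist standing in for the company's own domain and its
# known vendors' domains (hypothetical names).
TRUSTED_DOMAINS = {"company.com", "trustedvendor.com"}

# Character pairs that render almost identically in many fonts; "rn" for "m"
# is the cornpany.com trick from the article. Constructed, not exhaustive.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "|": "l"}

# Similarity at or above this ratio is treated as a near-miss spelling
# (constructed threshold; tune it against your own vendor list).
SIMILARITY_THRESHOLD = 0.85


def normalize_domain(domain: str) -> str:
    """Lower-case a domain and collapse common look-alike character pairs."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def classify_domain(domain: str, trusted: set) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender domain."""
    domain = domain.lower().strip()
    if domain in trusted:
        return "trusted"
    norm = normalize_domain(domain)
    for t in trusted:
        if norm == normalize_domain(t):
            return "lookalike"  # homoglyph substitution, e.g. cornpany.com
        if difflib.SequenceMatcher(None, domain, t).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike"  # one or two characters off, e.g. compamy.com
    return "unknown"


def check_sender(from_header: str, reply_to_header, trusted: set) -> list:
    """List the red flags a reviewer should raise for a message's sender fields.

    Mirrors the manual checks in the article: use the real address, not the
    display name; compare its domain to known domains; and notice when the
    address a reply would go to differs from the address shown.
    """
    flags = []
    display_name, from_addr = parseaddr(from_header)
    from_domain = from_addr.rpartition("@")[2]

    # A display name that is itself an e-mail address is the "masked" sender
    # case: the visible name says one thing, the real address another.
    if "@" in display_name and display_name.strip().lower() != from_addr.lower():
        flags.append(f"display name {display_name!r} hides real sender {from_addr!r}")

    verdict = classify_domain(from_domain, trusted)
    if verdict == "lookalike":
        flags.append(f"sender domain {from_domain!r} is a lookalike of a trusted domain")
    elif verdict == "unknown":
        flags.append(f"sender domain {from_domain!r} is not an internal or known vendor domain")

    # Hitting reply goes to Reply-To when it is set; a different domain is a red flag.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        reply_domain = reply_addr.rpartition("@")[2]
        if reply_domain.lower() != from_domain.lower():
            flags.append(f"replies would go to {reply_domain!r}, not {from_domain!r}")
    return flags


if __name__ == "__main__":
    # Constructed sample headers: a genuine colleague, a homoglyph domain,
    # a masked display name, and a mismatched Reply-To.
    samples = [
        ("Jane Doe <jane.doe@company.com>", None),
        ("Jane Doe <jane.doe@cornpany.com>", None),
        ('"cfo@company.com" <someone@free-mail-example.net>', None),
        ("CFO <cfo@company.com>", "cfo@free-mail-example.net"),
    ]
    for from_h, reply_h in samples:
        print(from_h, "->", check_sender(from_h, reply_h, TRUSTED_DOMAINS) or ["no flags"])
```

A flag from this script is a reason to pick up the phone, not a verdict: the article's rule of calling a known contact at a number on file still applies, and an empty flag list for a trusted domain does not prove the account itself has not been compromised.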
How to Establish Internal Controls
Every company should review its internal controls as they relate to establishing or changing vendor payment information. Additionally, companies should have a known process for the approval of all payments, especially those that are urgent, out-of-pattern or not tied to a previously approved invoice.
- Control user access (dual payment authority)
- Detect out-of-pattern payments
- Perform daily reconciliation
- Escalate consistently
Setting payment limits at the account and employee levels can help mitigate the damage from fraud. Establish multiple approval levels based on thresholds such as dollar amounts or employee tenure. Another preventive step is to implement dual payment authority, ensuring that two people look at payment instructions before processing; additionally, employees who approve vendor information should be separate from those who actually pay the invoice. Restrict the use of free-form payments by saving all trusted beneficiaries as templates, and establish internal controls over changes to template information.
Identify irregularities such as first-time beneficiaries, urgent requests and cross-border payments. Route these requests to the proper approvers. Set payment limits based on a 12-month history of payment trends. Establish baseline criteria to verify payments even when there is no sign of suspicious activity. Associate all payments with invoices previously approved under internal controls.
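The controls in the two paragraphs above (dual payment authority above a threshold, saved beneficiary templates, and flagging first-time beneficiaries, urgent requests, cross-border payments, amounts outside the 12-month trend and payments with no approved invoice) can be expressed as a single review rule that runs before a payment is released. The following is an added example written for this page, not JPMorgan Chase's code or system logic; the vendor names, history, invoice numbers, thresholds and multiplier are constructed and illustrative, not recommended values.

```python
from __future__ import annotations

# Constructed 12-month payment history for two hypothetical vendors. In
# practice this comes from the payments system and the saved beneficiary
# templates the article recommends.
HISTORY = [
    {"beneficiary": "ACME-001", "amount": 4200.00, "country": "US", "account": "xxxx1234"},
    {"beneficiary": "ACME-001", "amount": 4800.00, "country": "US", "account": "xxxx1234"},
    {"beneficiary": "ACME-001", "amount": 3900.00, "country": "US", "account": "xxxx1234"},
    {"beneficiary": "GLOBEX-07", "amount": 15000.00, "country": "DE", "account": "xxxx9876"},
]

# Invoices already approved under the company's internal controls (constructed).
APPROVED_INVOICES = {"INV-2018-0112", "INV-2018-0125", "INV-2018-0130"}

# Constructed policy values; the numbers are illustrative, not recommendations.
POLICY = {
    "home_country": "US",
    "dual_authority_threshold": 10000.00,  # second approver at or above this amount
    "amount_multiplier": 1.5,              # versus the beneficiary's 12-month high
}


def review_payment(request: dict, history: list, approved_invoices: set, policy: dict) -> dict:
    """Apply the article's out-of-pattern checks to one payment request.

    Returns the irregularities found, whether dual authority applies, and the
    action the payments clerk should take before any money moves.
    """
    flags = []
    past = [p for p in history if p["beneficiary"] == request["beneficiary"]]

    if not past:
        flags.append("first-time beneficiary")
    else:
        high = max(p["amount"] for p in past)
        if request["amount"] > policy["amount_multiplier"] * high:
            flags.append(f"amount {request['amount']:.2f} exceeds "
                         f"{policy['amount_multiplier']}x the 12-month high of {high:.2f}")
        # The account on file is the saved template; any change is a control event.
        if request["account"] not in {p["account"] for p in past}:
            flags.append("beneficiary account differs from the saved template")

    if request["country"] != policy["home_country"]:
        flags.append("cross-border payment")
    if request.get("urgent"):
        flags.append("urgent request")
    if request.get("invoice") not in approved_invoices:
        flags.append("not tied to a previously approved invoice")

    dual_authority = request["amount"] >= policy["dual_authority_threshold"]
    if flags:
        action = "hold: call the beneficiary at the known number on file, then route to approver"
    elif dual_authority:
        action = "release only after a second approver signs off"
    else:
        action = "release"
    return {"flags": flags, "dual_authority": dual_authority, "action": action}


if __name__ == "__main__":
    # Constructed requests: a routine invoice, a template change marked urgent,
    # and a first-time cross-border beneficiary with no approved invoice.
    requests = [
        {"beneficiary": "ACME-001", "amount": 4500.00, "country": "US",
         "account": "xxxx1234", "invoice": "INV-2018-0112"},
        {"beneficiary": "ACME-001", "amount": 4700.00, "country": "US",
         "account": "xxxx5555", "invoice": "INV-2018-0125", "urgent": True},
        {"beneficiary": "NEWCO-99", "amount": 12000.00, "country": "GB",
         "account": "xxxx0001", "invoice": "INV-2018-0999"},
    ]
    for r in requests:
        print(r["beneficiary"], review_payment(r, HISTORY, APPROVED_INVOICES, POLICY))
```

The point of the separation in the article is preserved here by design: the function decides only whether to hold and whom to route to; it never approves a template change or releases a flagged payment on its own, so the person who approves vendor information stays separate from the person who pays the invoice.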
Reconcile all payment activity daily to enable immediate identification of suspicious items. The sooner you recognize potentially fraudulent activity, the better your chances of stopping or recovering it.
Establish a clear process to ensure that your business addresses each potential issue in a timely and effective way, and institutionalizes the knowledge to help prevent future fraud.
How to Implement Consistent Validation
Properly verifying all payment requests and changes in instructions can help you recognize and reduce issues from deceptive communications. While preemptive validation takes time, it costs much less than stopping a fraudulent pending payment or recovering one that’s been released.
- Only follow up by phone with a known contact
- Don’t give information to incoming callers
Establish a designated point of contact at the third party or vendor to whom your business makes regular payments; raise all invoice issues and concerns with this person. When you validate, always call the requesting entity at their known telephone number—this includes calling internal executives that appear to be sending payment instructions. Use your company’s files to confirm the phone number, rather than using an external source, such as an email. Never verify via a number provided in an email or pop-up message.
Never give any information on an incoming call when you don’t know the caller or when the request is inconsistent with previous payments for that business relationship. Hang up and make a follow-up call to the legitimate entity at their known phone number.
Validation may be the single most important action in fraud prevention. A validation policy should dictate that the payments department never moves money based solely on unverified email or telephone instructions, even when those appear to come from trusted vendors and associates.
[1] “E-mail Account Compromise: The $5 Billion Scam,” Federal Bureau of Investigation, May 2017.
[2] The 2018 Association for Financial Professionals Payments Fraud and Controls Survey.
Chase, J.P. Morgan, and JPMorgan Chase are marketing names for certain businesses of JPMorgan Chase & Co. and its subsidiaries worldwide (JPMC).
This document is not JPMC research and is for illustrative purposes only, does not include all issues applicable to you, and is not intended as an offer or solicitation for the purchase or sale of any JPMC product or service, which are subject to our terms. You should always consult your own advisors before changing your business practices or entering into any agreement for JPMC products or services.
JPMorgan Chase Bank, NA. Member, FDIC. © 2018 JPMorgan Chase & Co. All rights reserved.