We no longer support this browser. Using a supported browser will provide a better experience.

Please update your browser.

Close browser message

Treasury and Payments

Improve your working capital, reduce fraud and minimize the impact of unexpected disruptions with our treasury solutions—from digital portals to integrated payables and receivables—all designed to make your operations smoother and more efficient.

Learn more about our treasury solutions:

Credit and Financing

Prepare for future growth with customized loan services, succession planning and capital for business equipment or technology.

Learn more about our credit and financing solutions:

Commercial Real Estate

Get the strategic support to be successful throughout market and real estate cycles with insights, hands-on service, comprehensive financial solutions and unrivaled certainty of execution.

Learn more about our commercial real estate solutions:

International Banking

Global opportunities mean global challenges. But real success means understanding the local markets you serve—which is why we bring the business solutions, insights and market perspective you need. 

Learn more about our international banking solutions:

Cybersecurity and Fraud Protection

Fraud prevention: 8 best practices for payments staff

Preventing business email compromise requires a comprehensive and organization-wide commitment to strong payment controls.


Preventing business email compromise requires a comprehensive and organization-wide commitment to strong payment controls.

In 2021, business email compromise (BEC) and email account compromise (EAC) complaints resulted in losses of over $2.4 billion, according to the FBI Internet Crime Complaint Center.1 That’s up from $1.8 billion in 2020, and part of the $6.9 billion in fraud losses observed in 2021.

Fraudsters are targeting businesses with increasingly elaborate schemes, often requesting legitimate payment requests that can cause potentially devastating financial losses for the victimized business. These attacks have become so commonplace that in 2021, 71% of finance professionals said their companies were targets of payments fraud.2

These trends in fraud underscore the importance of robust payment controls. Using multiple tactics to strengthen callback validation processes and employee training is crucial to ensuring that billing, accounting and treasury teams can do their part in protecting your organization.

Below are eight best practices to help improve payment fraud management and ensure your payments and accounting staff is prepared.

 

Developing an awareness of payment fraud trends and prevention

Fraudsters are constantly changing their tactics, but there are certain actions you can take to be on high alert against common types of BEC.

1. Watch out for email impersonators who attempt to pose as:

  • Members of your own team
  • Leaders in your company
  • Existing vendors or suppliers

Impersonators might assume the identity of someone with internal authority—such as a senior employee or executive—to make urgent payment requests that they hope will receive little pushback. Or, they may pose as a vendor and request a low-profile administrative task to update routing and account information. If the fraud attempt is successful, any future payments will be misdirected to an account controlled by the criminals.

No matter who is purporting to send the email, it’s important to check the message for content that raises red flags.

Emails containing late or sudden changes in payment instructions, poor grammar or spelling and unusual urgency about sending the payment should immediately raise your suspicions.

2. Check for look-alike domains

BEC fraud schemes often use look-alike email addresses that closely resemble a legitimate address. For example, they may use XYZcornpany.com as a look-alike domain for XYZcompany.com. Review every email address carefully to ensure the message is actually coming from within your organization or known vendor. Also be on the lookout for fraudsters who may try to spoof the name of suppliers and vendors.

One way to combat these phishing attacks is to have alerts in your email software that flag any email sent from outside your company. Most business email providers offer such tools that can help you tighten controls and more easily identify fraud attempts.

 

Establishing internal payment controls

Every company should review their internal controls to address payment fraud risks, particularly when it comes to vendor payment information. Companies should have documented and established processes for the approval of all payments, especially those that are urgent, out-of-pattern or are not tied to a previously approved invoice.

3. Control user access (dual payment authority)

Setting payment limits at the account and employee levels can help fortify payment processing fraud prevention controls. Consider implementing multiple approval levels based on thresholds such as dollar amounts or employee tenure. Another preventive step is to use dual payment authority, which requires that two people review payment instructions before processing. Additionally, employees who approve vendor information should be separate from those who actually pay the invoice. Restrict the use of free-form payments by saving all trusted beneficiaries as templates and establish internal controls that govern how changes are made to account information.

4. Detect out-of-pattern payments

Treat irregularities such as first-time beneficiaries, urgent requests and cross-border payments with extra caution. For example, you may want to set payment limits based on a 12-month history and establish baseline criteria to verify payments even when there is no sign of suspicious activity. Associate all payments with invoices previously approved under established internal payment controls.

5. Perform daily reconciliation

Reconcile all payment activity daily to enable immediate identification of suspicious items. The sooner you recognize potential fraud, the better your chances are of stopping it or recovering losses.

6. Escalate consistently

Have clear payment fraud management procedures for addressing each potential issue in a timely and effective way. Furthermore, you can use the knowledge gained from each escalation to inform and modify procedures.

 

Implementing consistent validation

Properly verifying all payment requests and changes in instructions can help you recognize and reduce issues related to deceptive communications. While preemptive validation takes time, it costs much less than stopping a fraudulent pending payment or recovering one that’s been released.

7. Only follow up by phone with a known contact

Establish a designated point of contact with any established third party or vendor to whom your business makes regular payments. If you receive a change in payment or banking instructions, immediately raise concerns with this person. Always call the requesting entity at a known telephone number—this includes calling internal executives that appear to be sending payment instructions. Use a company phone directory to confirm the phone number, and never use email or contact information included in an email signature. 

Never verify via a number provided in an email or pop-up message.

8. Don’t give information to incoming callers

Refrain from disclosing any information on an incoming call when you don’t know the caller or when the request is inconsistent with previous payments for that business relationship. These outreach attempts may be a smishing or vishing scheme—i.e., when a fraudster uses text (SMS), phone calls or voice mails.

Hang up and make a follow-up call to the legitimate entity at their known phone number.

Validation may be the single most important action in fraud prevention. A validation policy should dictate that the payments department never moves money based solely on unverified email or telephone instructions, even when those appear to come from trusted vendors and associates.

 

What JPMorgan Chase is doing to prevent fraud

The importance of callback and validations processes cannot be stressed enough. Clients have experienced millions in losses due to the lack of a proper callback; once a payment has been released, you are obligated to pay it and there are no guarantees that funds will ever be recovered.

So, if JPMorgan Chase reaches out to you about an unusual transaction—make sure to take all appropriate actions to investigate and validate the payment instructions before fraud can occur.

We’re continually investing in our capabilities to fight fraud directed against our firm and the clients we do business with. If you want to learn more about the fraud prevention solutions, tools and technology we have in place, you can:

 

Contact your banking relationship team if you have further questions.

1 The 2021 Federal Bureau of Investigation Internet Crime Report

2 The 2022 Association for Financial Professionals Payments Fraud and Controls Survey

© 2022 JPMorgan Chase & Co. All rights reserved. JPMorgan Chase Bank, N.A. Member FDIC. Visit jpmorgan.com/cb-disclaimer for disclosures and disclaimers related to this content.

Higher Education Multinational Corporations Government Cybersecurity and Fraud Protection Phishing

Get in Touch

Prefer to talk directly to one of our experts?