Fraud prevention: 8 best practices for payments staff

In 2021, business email compromise (BEC) and email account compromise (EAC) complaints resulted in losses of over $2.4 billion, according to the FBI Internet Crime Complaint Center.¹ That’s up from $1.8 billion in 2020, and part of the $6.9 billion in fraud losses observed in 2021.

Fraudsters are targeting businesses with increasingly elaborate schemes, often requesting legitimate payment requests that can cause potentially devastating financial losses for the victimized business. These attacks have become so commonplace that in 2021, 71% of finance professionals said their companies were targets of payments fraud.²

These trends in fraud underscore the importance of robust payment controls. Using multiple tactics to strengthen callback validation processes and employee training is crucial to ensuring that billing, accounting and treasury teams can do their part in protecting your organization.

Below are eight best practices to help improve payment fraud management and ensure your payments and accounting staff is prepared.

Developing an awareness of payment fraud trends and prevention

Fraudsters are constantly changing their tactics, but there are certain actions you can take to be on high alert against common types of BEC.

1. Watch out for email impersonators who attempt to pose as:

• Members of your own team
• Leaders in your company
• Existing vendors or suppliers

Impersonators might assume the identity of someone with internal authority—such as a senior employee or executive—to make urgent payment requests that they hope will receive little pushback. Or, they may pose as a vendor and request a low-profile administrative task to update routing and account information. If the fraud attempt is successful, any future payments will be misdirected to an account controlled by the criminals.

No matter who is purporting to send the email, it’s important to check the message for content that raises red flags.

2. Check for look-alike domains

BEC fraud schemes often use look-alike email addresses that closely resemble a legitimate address. For example, they may use XYZcornpany.com as a look-alike domain for XYZcompany.com. Review every email address carefully to ensure the message is actually coming from within your organization or known vendor. Also be on the lookout for fraudsters who may try to spoof the name of suppliers and vendors.

One way to combat these phishing attacks is to have alerts in your email software that flag any email sent from outside your company. Most business email providers offer such tools that can help you tighten controls and more easily identify fraud attempts.

Establishing internal payment controls

Every company should review their internal controls to address payment fraud risks, particularly when it comes to vendor payment information. Companies should have documented and established processes for the approval of all payments, especially those that are urgent, out-of-pattern or are not tied to a previously approved invoice.

3. Control user access (dual payment authority)

Setting payment limits at the account and employee levels can help fortify payment processing fraud prevention controls. Consider implementing multiple approval levels based on thresholds such as dollar amounts or employee tenure. Another preventive step is to use dual payment authority, which requires that two people review payment instructions before processing. Additionally, employees who approve vendor information should be separate from those who actually pay the invoice. Restrict the use of free-form payments by saving all trusted beneficiaries as templates and establish internal controls that govern how changes are made to account information.

4. Detect out-of-pattern payments

Treat irregularities such as first-time beneficiaries, urgent requests and cross-border payments with extra caution. For example, you may want to set payment limits based on a 12-month history and establish baseline criteria to verify payments even when there is no sign of suspicious activity. Associate all payments with invoices previously approved under established internal payment controls.

5. Perform daily reconciliation

Reconcile all payment activity daily to enable immediate identification of suspicious items. The sooner you recognize potential fraud, the better your chances are of stopping it or recovering losses.

6. Escalate consistently

Have clear payment fraud management procedures for addressing each potential issue in a timely and effective way. Furthermore, you can use the knowledge gained from each escalation to inform and modify procedures.

Implementing consistent validation

Properly verifying all payment requests and changes in instructions can help you recognize and reduce issues related to deceptive communications. While preemptive validation takes time, it costs much less than stopping a fraudulent pending payment or recovering one that’s been released.

7. Only follow up by phone with a known contact

Establish a designated point of contact with any established third party or vendor to whom your business makes regular payments. If you receive a change in payment or banking instructions, immediately raise concerns with this person. Always call the requesting entity at a known telephone number—this includes calling internal executives that appear to be sending payment instructions. Use a company phone directory to confirm the phone number, and never use email or contact information included in an email signature. 

8. Don’t give information to incoming callers

Refrain from disclosing any information on an incoming call when you don’t know the caller or when the request is inconsistent with previous payments for that business relationship. These outreach attempts may be a smishing or vishing scheme—i.e., when a fraudster uses text (SMS), phone calls or voice mails.

Hang up and make a follow-up call to the legitimate entity at their known phone number.

Validation may be the single most important action in fraud prevention. A validation policy should dictate that the payments department never moves money based solely on unverified email or telephone instructions, even when those appear to come from trusted vendors and associates.

What JPMorgan Chase is doing to prevent fraud

The importance of callback and validations processes cannot be stressed enough. Clients have experienced millions in losses due to the lack of a proper callback; once a payment has been released, you are obligated to pay it and there are no guarantees that funds will ever be recovered.

So, if JPMorgan Chase reaches out to you about an unusual transaction—make sure to take all appropriate actions to investigate and validate the payment instructions before fraud can occur.

We’re continually investing in our capabilities to fight fraud directed against our firm and the clients we do business with. If you want to learn more about the fraud prevention solutions, tools and technology we have in place, you can:

• Access our BEC playbook
• Visit the Fraud Solutions page to access more insights and tools

Contact your banking relationship team if you have further questions.

¹ The 2021 Federal Bureau of Investigation Internet Crime Report

² The 2022 Association for Financial Professionals Payments Fraud and Controls Survey

_{© 2022 JPMorgan Chase & Co. All rights reserved. JPMorgan Chase Bank, N.A. Member FDIC. Visit jpmorgan.com/cb-disclaimer for disclosures and disclaimers related to this content.}