Figure 1: Change in incidence of payments fraud in 2021 compared with 2020


8% less


29% more


10% less


30% more


thereafter are directed to the fraudster – until flagged by the bank, payer or payee. Many of these techniques are underpinned


2021 2020


by so-called “social engineering”, where a fraudster uses social media channels to gather information on a company and its employees. For instance, a fraudster may learn that someone has taken a new role on a team and chose to capitalise on the vulnerability this creates by contacting them and pretending to be their colleague to build trust. After that trust has been established, the fraudster can ask for payment details to be changed without arousing suspicion.


63%


about the same


60%


about the same


Source: 2022 AFP® Payments Fraud and Control Report


as process failures and human error,” comments Andreas Hauser, Head of Fraud Prevention Management at Deutsche Bank. This has led to techniques such as fake


invoices, where a fraudster will glean as much information as possible on the relationship between a company and a supplier – including the content, the timings and the format of their legitimate invoices – and use this to create a fraudulent invoice. The only noticeable difference between a well-executed fake invoice and a real one will be the payee details, which ensure the money goes to the fraudster instead of to the supplier. As a result of this painstaking


reproduction, fake invoices can be very convincing and difficult to spot – particularly when you consider the number of payments that companies need to process. With many corporates operating large payment factories that pay thousands of invoices


a day, their teams typically don’t have the time and resources to check each payment. Instead, additional checks are put in place for large payments, with the bank authenticating the beneficiary account details. Fraudsters are aware of this and so they send multiple fake invoices of smaller amounts in a bid to slip through undetected. Another popular form of payment fraud is the man-in-the-middle method (see Figure 2), where the fraudster manipulates communication channels. For instance, a fraudster could gain access to a supplier’s genuine email account and use it to contact someone within their target company’s treasury team, asking to update their bank account details. The treasury operative, believing they are speaking to their usual contact, then updates the bank details in their internal ERP system and payments


Figure 2: Man-in-the-middle attack – invoice redirect fraud


Supplier relation


A company regularly engages services of its supplier


Manipulation request


Email received advising


change of bank account details for its supplier


Human mistake


Company updates records with the new account details


Fraudulent payment


Upon next supplier payment


request, large payment is instructed to the new account


Payment processing


Financial institutions as a last resort may detect


fraudulent payments in real time


Source: Deutsche Bank


Preventing payment fraud With fraud ever-present, how can corporates manage the risks? According to Thomas Stosberg, Director of Cash Management Sales Structuring at Deutsche Bank, it’s important for corporates to focus on four key pillars. “We recommend that companies promote awareness of the common risks among their staff, audit their processes to ensure consistency and security, conduct an organisational risk assessment which outlines a clear segregation of duties across branches, and implement innovative technology solutions to help catch any attempts as early as possible.”


Foster awareness Human error is one of the most common entry points for fraudsters. To counteract this, a critical first step is to ensure all employees are up to date with the most popular fraud techniques and well versed in their company’s security protocols. There are several ways to do this, including providing training to all staff as standard, followed by regular refresher sessions on prevailing fraud techniques. These sessions can also look to teach staff


how to check for red flags, such as late changes to payment instructions, spoof email addresses and subtly wrong domain names, and provide scenario planning sessions to coach team members on how to react when a suspicious transaction is flagged.


Audit processes While it may seem like a logical step, auditing a company’s practices with regard to payment processing and fraud prevention can often be overlooked due to the complex and time-consuming nature of this exercise. According to Hauser, “Corporates need to look across their entire operation, which may include different departments, subsidiaries and markets. The first step is to carry out a full audit of each process and protocol which finally triggers a payment


26


Photography: Getty


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56  |  Page 57  |  Page 58  |  Page 59  |  Page 60  |  Page 61  |  Page 62  |  Page 63  |  Page 64  |  Page 65  |  Page 66  |  Page 67  |  Page 68  |  Page 69  |  Page 70  |  Page 71  |  Page 72  |  Page 73  |  Page 74  |  Page 75  |  Page 76  |  Page 77  |  Page 78  |  Page 79  |  Page 80  |  Page 81  |  Page 82  |  Page 83  |  Page 84  |  Page 85  |  Page 86  |  Page 87  |  Page 88  |  Page 89  |  Page 90  |  Page 91  |  Page 92