Authored by Fiona Brown,
Customer Success Director at AccessPay
Fraud and error are twin threats – dramatically different but with the same impact on you: financial loss. Fraud is criminal, an intentional act with the purpose to deceive you and take your money, and usually takes the form of a transaction that you didn’t know about or authorise. Error, on the other hand, is a mistake, but that doesn’t necessarily mean that it’s blameless.
As a Customer Success Director, I hear from customers all the time about the prevalent threat of fraud and the drastic consequences it can have for businesses. Often, it’s actually just a result of poor process. In fact, both fraud and error are almost 100% preventable. I’ve decided to write this article to address these threats head on. Why is fraud dangerous for businesses? What type of fraud do you need to look out for? And how can you combat it with the right technology?
I’ve spent 30 years working in traditional banking at some of the UK’s top banks, looking after corporate and global customers. I’ve seen many real-life fraud incidents, and even been targeted myself. It’s more common than you think.
If you aren’t taking action to prevent it, you should.
Just how dangerous is fraud to me?
The financial impact of fraud per annum, across the globe, is £130bn. The majority of that is targeted at businesses, and almost half (and rising) is internal fraud. As a business owner or financial decision maker, that’s a particularly scary statistic, because internal fraud is much more difficult to detect and carries a much higher risk profile: an internal fraudster already knows your processes.
Of course, there are many different types and they present themselves in a range of ways. So, let’s explore them.
I’ve seen lots of invoice fraud – which usually takes the form of your customer or supplier being impersonated via a copied invoice with a new account number or sort code. When the invoice is convincing enough, many businesses won’t ask further questions and end up approving the transaction.
The first you’ll know about it is normally when you receive a real invoice from your customer or supplier, and wonder why you’re being asked to pay twice. By then, it’s too late.
You don’t have to look far in the news to find some examples of this in real, recent life. Amazon lost £19m to invoice fraud in 2020, and another well-known business lost £600k when a fraudster copied a customer’s email address with just one almost imperceptible change.
So how do you prevent invoice fraud?
The solution is not technical, although there are plenty of technological defences that make you much safer. The solution is diligence: check any changes that are requested to payment details, and use common sense and familiarity to examine whether the amounts you’re being asked to pay are suspiciously out of character, or whether the payment frequency has changed for no apparent reason. Layered sign-off and approval processes, with minimal manual intervention, will raise your security against invoice fraud significantly.
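The checks described above (changed payment details, out-of-character amounts, a sender address with one near-invisible change) can be sketched in Python. This is an added example, not code from the article or from AccessPay's product; the vendor record, field names, the 0.9 similarity threshold, the 3x-median rule and the sample invoices are all constructed assumptions.

```python
from difflib import SequenceMatcher
from statistics import median

# Constructed vendor master record and invoices (sample data, not from the article).
VENDORS = {"ACME-001": {"contact": "accounts@acme-supplies.example",
                        "sort_code": "12-34-56", "account": "12345678",
                        "history": [1200.0, 1150.0, 1300.0, 1250.0]}}
GENUINE = {"vendor_id": "ACME-001", "sender": "accounts@acme-supplies.example",
           "sort_code": "12-34-56", "account": "12345678", "amount": 1275.0}
SPOOFED = {"vendor_id": "ACME-001", "sender": "acc.ounts@acme-supplies.example",
           "sort_code": "65-43-21", "account": "87654321", "amount": 9800.0}


def lookalike(sender, known, threshold=0.9):
    """True when sender differs from the known address but is nearly identical."""
    s, k = sender.strip().lower(), known.strip().lower()
    return s != k and SequenceMatcher(None, s, k).ratio() >= threshold


def screen_invoice(inv, vendors=VENDORS, factor=3.0):
    """Return the reasons an invoice must go to a second approver (empty = none)."""
    vendor = vendors.get(inv["vendor_id"])
    if vendor is None:
        return ["unknown vendor"]
    flags = []
    # 1. Payment details changed relative to the record held on file.
    if (inv["sort_code"], inv["account"]) != (vendor["sort_code"], vendor["account"]):
        flags.append("bank details differ from vendor master")
    # 2. Sender is one small edit away from the known contact (e.g. an added full stop).
    sender = inv["sender"].strip().lower()
    if lookalike(sender, vendor["contact"]):
        flags.append("sender is a near-match of the known contact")
    elif sender != vendor["contact"].lower():
        flags.append("sender address not on file")
    # 3. Amount is far above what this vendor normally bills (assumed 3x median rule).
    if vendor["history"] and inv["amount"] > factor * median(vendor["history"]):
        flags.append("amount out of character for this vendor")
    return flags


if __name__ == "__main__":
    for name, inv in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, screen_invoice(inv) or "no flags")
```

Any non-empty result is a reason to confirm the details with the supplier through a contact already on file before the payment is released.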
Impersonator and Authorised Push Payment (APP) fraud
Impersonator fraud is similar to invoice fraud, but a little more sophisticated and often a lot more difficult to spot. Whilst it usually also involves invoice fraud, there is another element – somebody playing an active role and pretending to be somebody else. If they play their role well, you are even less likely to notice the telltale signs of a fraudulent invoice.
In a previous role of mine, I worked at a leading UK Bank. I was personally targeted by impersonator fraud. Why? As somebody authorised to sign off payments up to tens of millions of pounds, I was an attractive target.
I received an email from an internal email address, which looked fine and genuine. I was only suspicious because of the wording on the email, which was quite formal and polite, and the person sending the email didn’t usually use that tone. I checked further and the internal email address had one slight difference (an added full stop). Thankfully, I caught the fraud before any payments were made. The scary thing was that the impersonator knew the internal process of our bank (who to impersonate, who to seek authority from, and what to say in the email).
BBC Radio 4 reported recently on how a business had £1.6m stolen, because the financial controller had unwittingly given access to the company bank account. The controller thought he was dealing with his own bank, telling him his funds were under threat, and they withdrew £1.6m in around 20 mins, which is now gone forever.
So how do you prevent impersonator and APP fraud?
Your best defence against this type of fraud is a robust identity verification system (asking the customer/supplier to confirm details not readily available or unique to your relationship) and a dual control system for payments, where two people must approve payments or changes to payment information.
Internal fraud is when an existing employee uses their position and their knowledge of your financial processes to commit fraud inside your company. This may have been how I was targeted, because they knew the processes, but it could also have been an outside impersonator with inside knowledge.
Internal fraud is growing year on year, and, out of the three main types of fraud, can be the most damaging. With internal fraud, you face the same risk of financial loss – but it also involves staff costs, disciplinaries, recruitment, absences, reputational risk, and loss of staff morale.
This type of fraud looks very different for different companies, depending on what you do. It can be simple and straightforward, or extremely complex.
A good example of this is the high-profile case at Apple, where a former employee orchestrated a staggering $17 million fraud scheme over several years. Working within the operations of Apple’s global service supply chain, the employee colluded with external vendors to manipulate invoices, inflate costs, and divert parts, leading to significant losses for the tech giant. This was complex and hard to detect given the sheer size of Apple’s operations. For smaller companies, cases like this may be hard to recover from.
So how do you prevent internal fraud?
Consistency and attention to detail are your best defence against internal fraud, because all the checks in the world won’t help if the internal fraudster is a decision maker. Behaviour is usually the flag for internal fraud, so monitoring the patterns and payments of your finance team to spot any irregularities or changes in process is often what leads to suspicion. Dual approvals are also an excellent defence – think about those films where missile launches require the keys from two generals. One can’t do it without the other.
Invoice, Impersonator, or Internal – no fraud is ever victimless
Whichever the type of fraud, there is human, reputational, business, and financial impact.
And whilst invoice, impersonator, and internal fraud all have their own unique markers to look out for, if you put these three defences in place you will be much safer and far less attractive to fraudsters. You’ll also be far less likely to suffer at the hands of error.
- Anti-Money Laundering (AML): Know your customer, screen your customer, screen your supplier. By checking sanctions lists, you can also identify any parties with shady histories.
- Transaction monitoring and Payment Screening: Does the payment, amount, or behaviour look suspicious? Is anything out of the ordinary? Does this need another pair of eyes?
- Confirmation of Payee: Double and triple check, via traditional or technological methods. Am I sending the funds to who I think I’m sending them to? Have we confirmed these are the correct details?
All of these defences, and more, are tools available in AccessPay’s Fraud & Error Prevention Suite.