.

Fraud Incidents up, with Certain Companies at Higher Risk

It's surely cold comfort to know that many companies are in the same boat, but that is another key finding of our research: A significant number of organizations are under intense assault from perpetrators of fraud. Sixty-two percent of survey respondents said their company had experienced one or more payment fraud attempts over the prior 12 months, and 49 percent of those organizations experienced at least one successful fraud incident.

Perhaps even more telling, the organizations that fall victim to fraud are typically those having to fend off more and more fraud attempts every year. Nearly three-quarters of the companies that fell victim to successful fraud (72%) experienced an increase in the frequency of fraud attempts over the past year, and none experienced a decrease. Among companies that successfully fended off every fraud attack over the prior year, only 42 percent saw those attempts increasing, while 4 percent actually reported a decrease in the frequency of attempted fraud.

We also found that organizations in industry sectors known for tighter technology budgets tend to be less effective at fighting off fraud. In the nonprofit sector, 75 percent of organizations that faced a fraud attempt succumbed to that attack. Respondents in government, retail/wholesale/distribution, and real estate/construction (each 67%) had similar difficulties preventing fraud.

By contrast, among all respondents in financial services businesses, only 18 percent suffered one or more successful fraud incidents in the past year, although more than half experienced fraud attempts. And despite the fact that every insurance company participating in our research was hit with a fraud scheme, not one fell victim. Businesses in the technology/data and services/outsourcing sectors were also quite effective at blocking fraud efforts; in each industry, 67 percent of respondents that faced a fraud attempt fought it off successfully.

.

For a detailed discussion of these—and more—results from our 2024 payment fraud survey, watch the on-demand and free-of-charge Treasury & Risk webcast: View it today!

.

Another key indicator of companies' ability to minimize the impact of attacks is how much emphasis management teams place on fraud prevention. More than half (51%) of all respondents gave fraud prevention the highest possible importance rating—ranking it 5 on a scale of 1 ("not important at all") to 5 ("extremely important; a top priority at the highest levels of the company"). Among respondents whose organizations successfully fought off every payment fraud scheme over the past year, 58 percent rated fraud prevention a 5, whereas only 40 percent of those whose companies did fall victim said that fraud is a top priority.

.

What Payment Fraud Looks Like in 2024

Within companies that experienced one or more fraud attempts in 2024, checks were, by a large margin, the payment method most frequently under attack (65%). ACH debits (39%) and wire transfers (37%) came in second and third, followed by card payments (25%); ACH credits (18%); and faster-payment methods, such as Same-Day ACH, Real-Time Payments (RTP), and FedNow (12%). Only cash (6%) and cryptocurrency (4%) attacks affected fewer than 10 percent of our respondents over the past year.

Interestingly, though, the types of attack that were perpetrated most frequently were not the most likely to be successful. Survey respondents reported that more than two-thirds (69%) of companies experiencing attempted fraud on their card payments fell victim to at least one successful attack. Meanwhile, attacks on checks, ACH debits, and ACH credits were all slightly more likely to succeed than to fail. But companies whose wire transfers were targeted had a 63 percent chance of thwarting the attacks. And our research indicates that faster payments are even less likely to fall victim to fraud: Sixty-seven percent of companies using faster payments were able to block all fraud attempts. (See Figure 1.)

This year, respondents indicated that their organizations are most likely to experience business email compromise (BEC), or impostor, scams, in which the attacker tries to trick an employee into making an illegitimate payment. More than half (55%) of survey respondents who experienced a fraud attempt in the past year faced a BEC attack. But that wasn't the only threat vector our survey revealed. Nearly half (45%) were targeted by attackers who attempted to access legitimate company payments by changing supplier credentials, account, or address information. Remote users also proved to be a point of weakness this year: Although no respondents reported attacks that involved hacking into on-premises systems, 22 percent experienced an attempted account takeover through access to a remote user's login, and 2 percent faced a breach of offsite or cloud-based systems. (See Figure 2.)

Worse news for flexible workplaces: Account takeovers via hacking of remote-user connections was second only to internal fraud perpetrated by employees in its likelihood of success (64% to 67%, respectively). Attacks changing supplier information on payments were a not-distant third most likely to be effective, resulting in success for the fraudsters 57 percent of the time.

Equally alarming, for 54 percent of companies targeted in attacks that change supplier credentials, the frequency of successful attacks has risen over the past year. Likewise, the frequency of success for attacks that hack remote-user connections is increasing for 57 percent of survey respondents whose organization experienced those attacks. Success is growing a bit more modestly (43%) for perpetrators of BEC schemes, and 75 percent of organizations that had checks stolen over the past year said the success rate for those thefts is not growing.

Overall, nearly half (48%) of all respondents who experienced a successful attack within the past year are seeing their organization fall victim with an increasing frequency. The same proportion said the rate of successful attacks is staying about the same, but only 4 percent of respondents said their organization was able over the prior 12 months to reduce how frequently it is victimized.

.

Consequences of Payment Fraud

The results of these attacks can be quite painful. The vast majority of all companies represented in our survey—80 percent—lost less than $100,000 per fraud incident. But 14 percent of organizations that experienced BEC scams lost more than $1 million in each attack (7% lost more than $5 million). Half of these companies also experienced issues with suppliers, and 29 percent saw damage to their reputation with customers.

Worse, among all respondents that fell victim to a successful fraud scheme, 32 percent recovered none of the lost funds. That said, the same proportion (32%) recovered 100 percent of their lost funds. And a significant group achieved a more nuanced result: Eighteen percent recovered more than half, but less than all, of the funds they lost, while 19 percent recovered some funds but less than half of their losses.

.

How Companies Are Fighting Back

Echoing the results of our 2023 fraud survey, this year's research found that the companies which put treasury and finance in charge of fraud prevention are most likely to thwart attacks. Fifty-two percent of businesses that gave treasury a critical role in fraud prevention defeated every payment fraud attack that came their way. And that proportion rose to 58 percent for organizations in which finance plays a key role.

Even more impressive, two-thirds of companies in which internal audit or legal is key to fraud prevention were able to stop all attacks over the prior year, and 100 percent of those with compliance in charge. By contrast, 69 percent of companies with procurement in charge, and 64 percent of those in which the risk management team plays a critical role, experienced at least one successful attack over the past year.

Having treasury or finance at the helm also reduces the chances that a company's fraud losses will continue growing. Only 20 percent of businesses with finance in charge of fraud prevention, and 43 percent of those with treasury in charge, are seeing the frequency of successful fraud against their organization increase. Meanwhile, nearly two-thirds (64%) of companies in which procurement is leading fraud prevention efforts are experiencing rising rates of successful fraud.

Our research also indicates that moving as many payments as possible from checks to wire transfers is a smart fraud prevention method. While 72 percent of victims of successful payment fraud experienced check fraud, only 28 percent experienced attacks on their wires. And nearly half of companies that were able to fend off every attack experienced at least one attempt against their wire transfers.

Faster payments, too, seem good for security. Although some contributors to Treasury & Risk have expressed concern that fraud in FedNow and similar payment systems may be impossible to stop once it starts, we found that only 8 percent of companies which fell victim to successful attacks were targeted through a faster-payment method, while 15 percent of companies that blocked every fraud attempt faced faster-payment attacks.

Most companies in our survey are taking action to minimize their risk. Within the past year, 46 percent have added a manual review for every requested change to payment instructions, and 34 percent have reduced their usage of paper checks. Twenty-nine percent changed internal payment initiation and/or approval processes, and 27 percent eliminated any payments that bypass the standard process, such as urgent payments or one-off payments requested by senior executives.

Most of these efforts have paid off. Among companies that reduced their usage of paper checks, 78 percent were able to thwart all fraud attempts, as were three-quarters (75%) of those that began requiring multifactor authentication (MFA) to log into payment systems. Further, only 38 percent of companies that eliminated all payments which bypass the standard process suffered a successful fraud incident, as did 41 percent of organizations that changed internal payment initiation and approval processes and 46 percent of those that changed the authentication process for supplier profile updates—all lower than the 49 percent of all companies that experienced successful fraud.

It has been clear since the early days of the Internet that there is no easy means of completely eliminating payment fraud. Companies may be highly motivated to minimize their risk, but fraudsters can be equally motivated by the thought of an easy payday. Payment fraud is a vexing challenge for everyone tasked with running a company or overseeing its financials.

Nevertheless, there are ways to reduce the likelihood that a fraud attempt will be successful. None is 100 percent effective, but each can help protect corporate finances, supplier relationships, and the organization's reputation. To get started, companies need to put finance and treasury in charge of fraud prevention and provide the resources necessary to unlock potential solutions to this messy problem.

.

See also:

• The Rising Tide of B2B Payments Fraud: Techniques, Trends, & Prevention Strategies
• Businesses Need Multi-Dimensional Approach to Fraud Detection and Prevention
• Exclusive T&R Research: How Treasury Teams Are Fighting Payment Fraud

.