Accounts Payable (AP) departments everywhere, and at every size organization, are under attack. The increased risk of payment fraud is the biggest challenge that AP leaders say they face as their teams work remotely. More than half of AP leaders believe their department’s risk of payment fraud has grown since 2020. Fully one quarter of AP leaders admit that their department’s risk of payment fraud is “significantly” higher compared to two years ago. Almost half of AP departments have experienced “multiple” fraud attacks within the past year.
The business disruption caused by both the prolonged shift to remote working and the growth in the adoption of Automated Clearing House (ACH) payments to suppliers has given rise to increasingly sophisticated cyberattacks that target larger sums of money and can be harder to defend against.
ACH fraud is increasing as fraudsters target accounts payable teams by impersonating suppliers via telephone and email, and tricking AP staff into diverting funds into banking accounts they control.
The shift to remote workforces has resulted in the dramatic growth of electronic payments to suppliers. It’s hard to chase down check approvals and print and mail checks to suppliers when payables staff are working at home. Hybrid environments with a combination of remote and in-office only add to the complication.
Fraudsters will use the insights that they gather to pose as suppliers, trusted coworkers or senior executives. A thief will send a spoofed email message to a buyer’s AP department requesting a change in the bank account details that the buyer has on file for the supplier. It’s not uncommon for these spoofed emails to include a long email thread that includes names, details, and even documentation that the bad actor uncovered during their social engineering.
In some cases, a bad actor takes control of the email account of payables or finance professionals to launch the attack. Otherwise, the fraudulent agent will spoof the email from another mail server. By the time an organization realizes that an ACH payment is fraudulent, the thieves have already moved the money to offshore accounts, leaving little chance that the funds will be recovered.
We are seeing a move from ACH to virtual credit cards, also known at vCards. vCards are single use, secure, one-time credit card numbers that are generated by your bank. These vCard account numbers are for a specific vendor, in the amount of the invoice or invoices. Gone is the risk of having a corporate (or worse yet, personal) credit card number floating around. Vendors receive the money faster than ACH.
To learn more about how about how you can mitigate your risk. Schedule a call with us today.