Put up $2, and you can score $100 million. Incoming payments are the new attack vector.
And as nsKnox Chief Operating Officer Nithai Barzam and Ansys Corporate Controller Bob Bonacci told PYMNTS’ Karen Webster, accounts receivable departments are especially vulnerable to financial fraud.
First things first. Payments fraud, of course, runs both ways: every scheme that tricks a company into sending an outgoing payment to an impostor is, from the intended payee's side, an incoming payments fraud problem.
Most employees know by now not to click on the email supposedly from the CEO that looks just a bit off and demands that a payment go out the door immediately. But as Barzam said, fraudsters go online and buy the most basic details on the dark web (names, addresses, email addresses and passwords, often for just a few dollars), and with them they are finding new ways to infiltrate unsuspecting and unprepared enterprises.
As Barzam said, all it takes is a fraudster (a rogue employee or an outsider) to get hold of an employee's email account. From that address they can write to the company's customers, the parties that owe it money, informing them that banking details have changed, and the money disappears, never to be seen again.
“They don’t even need to use ChatGPT capabilities to start writing emails like you,” Barzam told Webster of the fraudsters’ ploys. “They’ll be familiar with the invoices you’ve received and processed or sent out with a lot of details.” Even an enterprise's cautious customers, who reply asking for verification or additional details, can be duped, since that reply lands in the same compromised mailbox.
It is a devastatingly simple but effective ploy, especially when the same notice goes out to hundreds or even thousands of counterparties.
And, noted Barzam and Bonacci, there is a nebulous gray area about who is to blame when incoming payments fraud occurs: the company whose email system was breached, or the customer who might get some finger-pointing for not checking properly? There are no regulations (yet) governing liability, and the mistrust that is sown out there in the field might be enough to hamper firms' ability, or willingness, to expand as globally as they had envisioned.
Asked by Webster just how big the problem is, both panelists summed up incoming payments fraud simply: It’s a huge problem.
And it’s a silent one.
FBI statistics show that losses tied to business email compromise (BEC) scams run into the tens of billions of dollars.
And the true scope of incoming payments fraud might be unknowable. The millions of dollars lost can permanently alter a company’s fortunes and operations.
“It’s much less visible than other fraud cases,” Barzam remarked. “The fraudsters will want to keep this as quiet as possible, so that they have as much time as possible to steal as much money as possible.” There are cases of incoming payments fraud that have lasted for years, he said.
In a bit of good news, there’s evidence that chief financial officers and fraud teams are rising to the challenge. PYMNTS data show that 85% of CFOs are shoring up their digital and tech defenses tied to incoming payments and accounts receivable processes.
Bonacci offered a deep dive into how his multinational firm, with more than $2 billion in global sales, has been tackling the issue.
“We’re continuously investing in different platforms in the cybersecurity and fraud space,” said Bonacci, “so that we can always improve the offensive and defensive tools in our toolbox. Incoming payments are certainly on our radar.” And, as he added, “our customers’ outgoing threat is our incoming threat.” In detailing some of his firm’s anti-fraud efforts, he said that Ansys no longer includes banking details on the invoices it sends to customers.
Instead, the company instructs its customers to validate banking information through one of nsKnox’s tools and through banking certificates.
“We’ve spent a lot of time with our vendors,” he said of the collaborative efforts, “trying to get them to work with us on procedures — and to help improve control environments.”
There is also a need for internal training and education so that employees know what to look for, Bonacci said, and for vetting and onboarding new vendors through several levels of verbal and platform-based digital verification.
“We make sure that we are contacting them from independent data that we already have in our files, and we’re not just responding to an email, and we authenticate them by identifying at least two personal pieces of information,” said Bonacci. He added that in the back office there is also a “strict segregation of duties,” so that entering data in the enterprise resource planning (ERP) system is independent of the payables and receivables functions.
Barzam told Webster that the level of attention Ansys pays to incoming payments risk is not as widespread as it should be among other enterprises, especially those that want to expand geographically across the globe. In addition to providers such as nsKnox, Barzam said that banks could play a role in helping client firms validate accounts and make sure that, for example, an account in China or Germany really is the counterparty's account. The panelists told Webster that advanced tools could alert enterprises whenever customer or bank account data is changed.
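The controls Bonacci and Barzam describe (call back on a number already on file rather than one supplied in the request, have someone other than the person who keyed the change verify it, confirm at least two independent facts, release nothing to a new account until that verification is recorded, and watch every bank-detail change) can be expressed as an audit check over ERP change records. The block below is an added example written for this page, not code from nsKnox, Ansys or PYMNTS; the record layouts, user names, phone numbers, account numbers and dates are constructed sample data, and the two-fact threshold and the "payment before verification" rule are the assumptions being tested.

```python
"""Audit bank-detail changes on counterparty master records against callback controls.

Added example, not code from nsKnox, Ansys or PYMNTS. All records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MasterRecord:
    party_id: str
    phone_on_file: str      # captured at onboarding from our own records, never from a request
    account: str


@dataclass(frozen=True)
class BankChange:
    change_id: str
    party_id: str
    new_account: str
    entered_by: str         # ERP user who keyed the change
    entered_at: datetime
    contact_in_request: Optional[str]   # phone number the requester offered, if any


@dataclass(frozen=True)
class Callback:
    change_id: str
    verified_by: str
    verified_at: datetime
    number_dialled: str
    facts_confirmed: int    # independent details confirmed with the counterparty on the call


@dataclass(frozen=True)
class Payment:
    payment_id: str
    party_id: str
    account: str
    released_at: datetime


def review_change(change: BankChange, master: Dict[str, MasterRecord],
                  callbacks: List[Callback], payments: List[Payment]) -> List[str]:
    """Return the control failures for one change; an empty list means it passed."""
    record = master.get(change.party_id)
    if record is None:
        return ["no master record on file for this party"]
    findings: List[str] = []
    valid: List[Callback] = []
    for cb in (c for c in callbacks if c.change_id == change.change_id):
        ok = True
        if cb.number_dialled != record.phone_on_file:
            # The classic failure: "verifying" by calling the number the attacker supplied.
            src = " (the one supplied in the request)" if cb.number_dialled == change.contact_in_request else ""
            findings.append(f"callback by {cb.verified_by} dialled a number not on file{src}")
            ok = False
        if cb.verified_by == change.entered_by:
            findings.append("segregation of duties: verifier also entered the change")
            ok = False
        if cb.facts_confirmed < 2:
            findings.append("callback confirmed fewer than two independent facts")
            ok = False
        if ok:
            valid.append(cb)
    if not valid:
        findings.append("no valid callback verification recorded")
    verified_at = min((c.verified_at for c in valid), default=None)
    # Money already sent to the new account before a valid verification is a loss event.
    for p in payments:
        if p.party_id == change.party_id and p.account == change.new_account:
            if verified_at is None or p.released_at < verified_at:
                findings.append(f"payment {p.payment_id} released to new account before verification")
    return findings


def run_sample() -> Dict[str, List[str]]:
    """Constructed data: one clean change, one that fails every control, one never verified."""
    master = {
        "V-1001": MasterRecord("V-1001", "+44 20 7946 0000", "GB29NWBK60161331926819"),
        "V-1002": MasterRecord("V-1002", "+49 30 1234567", "DE89370400440532013000"),
        "V-1003": MasterRecord("V-1003", "+1 202 555 0100", "ACCT-000111"),
    }
    changes = [
        BankChange("C-1", "V-1001", "GB82WEST12345698765432", "ap_clerk", datetime(2024, 3, 4, 9, 0), "+44 7700 900123"),
        BankChange("C-2", "V-1002", "DE75512108001245126199", "ap_clerk", datetime(2024, 3, 4, 9, 30), "+49 151 0000000"),
        BankChange("C-3", "V-1003", "ACCT-999888", "ap_clerk", datetime(2024, 3, 5, 14, 0), None),
    ]
    callbacks = [
        # Good: a supervisor calls the on-file number and confirms two facts.
        Callback("C-1", "ap_supervisor", datetime(2024, 3, 4, 11, 0), "+44 20 7946 0000", 2),
        # Bad: the clerk who keyed the change calls the number from the email and confirms one fact.
        Callback("C-2", "ap_clerk", datetime(2024, 3, 4, 10, 0), "+49 151 0000000", 1),
    ]
    payments = [
        Payment("P-1", "V-1001", "GB82WEST12345698765432", datetime(2024, 3, 6, 8, 0)),
        Payment("P-2", "V-1002", "DE75512108001245126199", datetime(2024, 3, 4, 9, 45)),
    ]
    return {c.change_id: review_change(c, master, callbacks, payments) for c in changes}


if __name__ == "__main__":
    for change_id, findings in run_sample().items():
        print(change_id, "OK" if not findings else "; ".join(findings))
```

In practice the master record, change log and payment run would be pulled from the ERP's audit tables and the callback log from whatever the treasury team uses to record verifications; the point of the check is that a change with no on-file callback, or a payment that left before one, surfaces immediately rather than years later, which is the silence Barzam warns about.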
The battle to safeguard AR, they noted, will be an eternal one, involving everyone from the back office all the way up to the CEO, and it will foster closer collaboration between enterprises and their counterparties.
“It’s a people issue, a process issue and a systems issue,” said Barzam.
And as Bonacci said: The first step in battling incoming payments fraud “is to realize that it’s not just some abstract threat. It can happen to any company.”