Fewer companies were the targets of payment fraud in 2012: in fact, the lowest number since 2004. But one kind of fraud is proving resistant to eradication and others are growing, despite the efforts of finance departments, banks, and service providers to stop them.
According to the Association for Financial Professionals' Payments Fraud and Control Survey, released last week, 61% of organizations experienced attempted or actual payments fraud in 2012, down from 66% in 2011. The AFP survey was sent to 5,700 corporate treasury practitioners and yielded 625 responses.
One of the oldest forms of payment fraud is still the most prevalent: check fraud. It continued to be the dominant form of payments trickery, with 87% of the cash managers, analysts, and directors saying their companies were targeted in this area in 2012. Fifty percent of organizations reported between 1 and 5 instances, 15% reported between 6 and 10 events, and 22% had at least 20 check-fraud cases.
A majority of the instances — 63% — involved counterfeit checks, in which a scammer got hold of a check from a corporate bank account and created a fake check using the account and routing numbers. In many instances, the fraudster then bought goods online from merchants that offer electronic debit or e-check payment options. But perpetrators also have simpler tactics, such as altering the payee name (49%) or dollar amount (28%) of the check.
The one bright spot: few of the companies (16%) targeted by check fraud actually suffered financial losses. An important reason for that is the fraud detection and control procedures surrounding checks. Many fraud attempts are made, but fewer of them may succeed. A common prevention tool, for example, is “positive pay,” in which the company’s bank pays only the checks the company’s finance department preauthorizes.
When AFP survey respondents did incur losses from check fraud, a good number said it was because they did not use some form of positive pay, or because account reconciliation or positive pay reviews were not timely.
One way companies can end paper-check fraud, of course, is by moving to electronic or card payments. Fully 84% of the treasury staffers surveyed by the AFP said they decreased paper payments and increased electronic payments last year. So it’s possible that the migration is just “shifting the focus of criminals to cards and other products.”
Indeed, in the case of corporate cards and Automated Clearing House debits, fraud actually rose last year. Fraud involving corporate and commercial purchasing cards was the second-most-cited kind of payments trickery companies experienced in 2012. Twenty-nine percent of the treasury department respondents to the AFP survey said their firm had been targeted in this area, up from 20% in 2011.
That’s a disconcerting trend, because companies that are victims of corporate card fraud more often have some financial loss: 26% of them in 2012, compared with the aforementioned 16% for check fraud. In addition, almost half the respondents said the card-issuing bank lost money, and 23% said the merchant had a loss.
Fraud attempts most often happened with the target company’s corporate card, the survey found. At 74% of organizations, the fraud was perpetrated by unknown external parties. But in 26% of cases, the fraud involved an employee.
How do employees commit card scams? In one example provided by fraud and forensics consultancy StoneBridge Business Partners, an employee does a “double dip”: uses the organization’s credit card to make a purchase and then submits the documentation for the expenditure for reimbursement.
The major card networks are working on a solution to at least some kinds of payment-card fraud. For example, in the United States card acquirers (banks that handle credit and debit payments) and processors are being mandated to follow the EMV (Europay, MasterCard, and Visa) global standard. EMV cards use algorithms from an embedded chip for additional authentication.
Near Field Communications devices may also cut down on card-payment fraud. These devices — smartphones and tablets, for example — will have radio frequency identification capability installed in a SIM card and will allow for more secure, contactless transactions.
Card groups are pushing EMV by mandating a shift in the liability for card fraud. With EMV, for example, the party (card issuer or merchant) that has invested in EMV deployment is protected from financial liability for card-present counterfeit fraud losses. That part of the standard takes effect in October 2015.