The Anatomy of B2B Electronic Payments Fraud

by Ashley Poynter

Content Manager

The Anatomy of B2B Electronic Payments Fraud

No one in AP enjoys paying a vendor via check. The inefficiencies and costs are legendary. For modern finance teams, electronic payments have become the backbone of business operations. However, there is a downside. Unfortunately, the move away from the 17th-century payment rail of checks to a 21st-century digital-first transformation has also attracted the attention of sophisticated fraudsters who continuously come up with new ways to exploit vulnerabilities.

In this article, we’ll kick off with a refresher on B2B electronic payments fraud, exploring the most prevalent schemes that keep vendor analysts and AP professionals up at night. We’ll delve into the evolution of fraud tactics, from old-school phishing expeditions to modern deepfake trickery. As we navigate these murky waters, we’ll uncover how automation has emerged as a powerful ally in the fight against fraud.

Finally, we’ll explore how automation in vendor onboarding can ignite a culture change (improvement!) that can block B2B electronic payments fraud, showcasing the features and methods that make these systems indispensable for businesses today. We’ll guide you through the critical steps to safeguard your financial operations and outsmart even the craftiest of fraudsters. Buckle up and get ready to fortify your defenses in the ever-evolving landscape of B2B electronic payments.

Why B2B Electronic Payments Fraud is a Growing Problem

Refresher on B2B Electronic Payments Fraud

Real-Life (Scary!) Stories of Fraud

– Vendor email compromise with social engineering of an employee

– Domain spoofing

How Automation Blocks B2B Electronic Payments Fraud

Get Ready for Vendor Management Appreciation Day 2024

Want Help Aligning Teams to Prevent B2B Electronic Payments Fraud?

Interested in Regular Tips to Prevent B2B Electronic Payments Fraud?

Want Personalized Guidance to Prevent B2B Electronic Payments Fraud?

Why B2B Electronic Payments Fraud is a Growing Problem

We’ll cut to the chase: The 2024 AFP® Payments Fraud and Control Survey Report noted that 80% of organizations were victims of payments fraud attacks or attempts in 2023 – a 15% jump over 2022.

It gets better (or rather, worse): checks are astoundingly vulnerable to fraud. Yes, we know this is a piece about B2B electronic payments fraud, but this is important. In fact, well over half (65%) of respondents to the AFP report said their organizations experienced fraud attacks involving checks. Some of that is likely tied to the uptick in fraud due to interference with the United States Postal Service (USPS), which was up 10% over 2022.

Please stop sending checks in the mail! Don’t want to take my word for it? Then listen to the wise words of Marc Evans, Financial Crimes Detective in Las Vegas and CFEA Certified Fraud Examiner, as he talks about the dangers of mailing checks:

But wait, there’s more. For the first time ever in the history of AFP’s survey, ACH credits surpassed wires as the most vulnerable payment type for business email compromise (BEC) fraud. BEC happens when a fraudster gains access to someone’s email account and sends emails as that person. It’s one of the many methods fraudsters use to pull off B2B payments fraud. Yes, all types of payment methods can fall prey to BEC fraud. However, ACH credits take the cake at 47%, followed by wire transfers (39%), and ACH debits (20%).

Most heartbreaking? Nearly one-third (30%) of those that fell victim to payments fraud in 2023 were not able to recover lost funds.

The bottom line? The problem’s not getting any better; it’s getting worse. Fraudsters are frauding better, and tricksters are trickier than ever. Let’s talk about some of the ways that fraud has evolved – and what you can do to stop it.

Refresher on B2B Electronic Payments Fraud

Ah, the good old days of charming swindlers and the occasional padded invoice. Those quaint scams are history. Welcome to present day, where vendor fraud has become a formidable adversary. Without the right defenses, your business is an easy target. Let’s explore how vendor fraud has evolved and what you need to watch out for today.

Phishing: the modern menace

Phishing scams have undergone a dramatic transformation. Today’s scammers craft entire websites that look just like those of legitimate vendors, complete with chatbots to answer your questions. It’s like fishing with dynamite in a pond teeming with fish. . If you visit that website and dial the phone number found in the footer to confirm the banking change, millions of dollars can disappear.The art of vendor impersonation

Vendor impersonation is an old trick with a new twist. Fraudsters now hijack legitimate vendor email accounts to send you requests for bank account updates or create detailed replicas that fool even the most diligent employees. Your vendor desk, overwhelmed with paperwork, often can’t distinguish the real from the fake.

The art of vendor impersonation

Vendor impersonation is an old trick with a new twist. Fraudsters now hijack legitimate vendor email accounts to request bank account updates or create detailed replicas that fool even the most diligent employees. Your vendor desk, overwhelmed with paperwork, often can’t distinguish the real from the fake.

Deepfakes are a scary new reality

Deepfakes have entered the vendor fraud scene with a bang. Imagine an employee convinced they just had a Zoom call with the CFO, only to realize too late it was a deepfake, and $25 million is gone. The US is particularly vulnerable to this sophisticated fraud. If you thought spotting email scams was hard, try dealing with hyper-realistic deepfakes.

In essence, while the names of vendor fraud might remain the same, the methods are ever-evolving. Hear Marc Evans talk about how these social engineering scams are on the rise:

Your vendor onboarding and management processes need to be rock-solid. Is your organization equipped to handle these threats?

Real-Life (Scary!) Stories of Fraud

While the fraud types above may just seem like words on a page, they can have very real consequences for organizations that aren’t prepared. Here are some reasons this fraud plays out:

Weak vendor onboarding process: if you don’t have a documented process that dots the i’s and crosses the t’s, you’re a prime target for fraud
Manual processes: manual processes are rife with opportunities for fraud. All it takes is one misread email or a verification email sent to the wrong address for money to evaporate into thin air. Listen to Hannah Kanouff, Vendor Management Coordinator for the Office of Central Procurement at Penn State University, speak to just how hard it is to do it right when you try to manually verify every vendor banking change:

Culture: maybe you have a really thoughtful, completely documented process. The problem is, if nobody follows it – or if higher-ups are constantly asking for exceptions to it – you don’t really have a process. You have a target on your back.

To illustrate what can go wrong, we’ve pulled together a few examples so you can see the anatomy of fraud in concrete terms.

Customer: A major research hospital

Fraud Type: Vendor Email Compromise with Social Engineering of an employee

How PaymentWorks Caught It: The entity Tax ID did not match the Tax ID on the bank account

Amount Saved: approximately $455K

The Story

An employee at the hospital received an email she believed was her vendor asking to change bank account information for an upcoming payment. The employee contacted AP and asked them to change the bank account.

She was instructed to send an invitation from the hospital’s automated vendor onboarding system (that would be us! PaymentWorks) to facilitate the change. While she did this, the ‘vendor’ (fraudster!) began to pressure the employee about timing, threatening that ‘work would be delayed if the payment isn’t received in this new account.’ The employee tried to circumvent the established process by opening a support ticket and asking them to change the bank account (support held firm to the established process!).

When the fraudster attempted to update the banking by responding to the PaymentWorks invitation, the first red flag emerged when the real vendor’s tax ID did not match the tax ID on the bank account. This flag initiated a series of automated checks on the other submitted data, and a review by a fraud analyst, who subsequently uncovered that the real vendor’s email had been hacked. employee at the hospital had no way of knowing she was dealing with a fraudster.

Multi-campus college vs. domain spoofing

Customer: A midwestern college with multiple campuses

Fraud Type: Domain Spoofing

How PaymentWorks Caught It: The email address did not match the company domain.

Amount Saved: $935K payment

The Story

During a major construction project, the main contact at the college received an email from what appeared to be their construction vendor requesting to update their ACH information on file. The vendor had been working with the college for years and had always had the same bank account on file.

The employee who received the email followed their internal process and responded to the email that they would need to register with PaymentWorks in order to make any changes to their bank information. The initiator then sent an invitation to the email address from this most recent exchange.

The fraudster then registered with PaymentWorks.

During the regular review, our process caught that there was an extra letter in the email domain that did not match the company website domain. After further review of the registration our analyst uncovered that the domain with the extra letter had been registered just days before, created for the intent of defrauding customers of this construction company.

How Automation Blocks B2B Electronic Payments Fraud

In sum, fraudsters are more cunning and creative than ever before. Thankfully, automation has stepped in as a superhero, offering robust solutions to fend off these sly criminals. Let’s dive into how automation keeps B2B electronic payments safe from fraud.

Mandatory process compliance

Most automated platforms require all changes to be submitted through their secure system before entering the ERP. This ensures that no changes can slip through the cracks or be made outside the proper channels.

Automated verification checks

Automated platforms automatically verify critical details like tax IDs and bank account information using third-party services. This automated vetting process ensures that the details match and are legitimate, preventing fraudulent information from being entered.

Analyst reviews with extra muscle

By utilizing additional third-party data and internal network information, automated systems empower your vendor analysts to detect and confirm fraud attempts more accurately. This extra layer of scrutiny helps catch fraudsters who might otherwise slip through.

Prevention of unauthorized changes

Automated systems reject any submissions that attempt to bypass the standard process. This prevents unauthorized personnel from inputting fraudulent information into the ERP, ensuring only legitimate changes are made.

Proactive vendor communication

Upon detecting suspicious activity, automated systems promptly communicate with the real vendors to alert them about potential fraud. This proactive approach helps vendors recover their accounts quickly and prevents further fraudulent activities.

Domain and email mismatch detection

Some automated platforms (like PaymentWorks!) have proprietary processes that flag any mismatches between company domains and email addresses. This early detection mechanism helps identify potential phishing attempts and stops them in their tracks.

Focus on core responsibilities

With automation handling the heavy lifting of fraud detection, your staff can focus on their actual jobs instead of playing detective. This not only improves efficiency but also ensures that your team is not overwhelmed by the constant threat of fraud.

Stopping fraud in its tracks

When fraud is detected, automated systems act quickly to reject the submission, preventing any fraudulent payments from being processed. This immediate response is crucial in minimizing the impact of attempted fraud.

Integrating automation into your B2B electronic payments process can significantly reduce the risk of fraud and ensure a secure, efficient operation. Automation doesn’t just block fraud; it transforms how your organization handles security, making it an indispensable tool in the fight against digital deception.

Get Ready For Vendor Management Appreciation 2024

Will you be partying with us for Vendor Management Appreciation Day (VMAD) 2024? We highly encourage you to join us!

Why? Because there’s no expiration date on honoring one of the most important, under-recognized roles across industries: vendor management.

Join us in observing Vendor Management Appreciation Day (VMAD)! We’re gearing up for the 2024 celebration, and we want you to be a part of it!

VMAD is a new holiday geared toward unifying vendor management professionals and celebrating innovation in the field.

Moreover, we’ve released gifts each month to help you supercharge your vendor management efforts. Additionally, we’re planning some awesome events so everyone can connect and celebrate the important, strategic role of vendor management.

In the meantime, learn more here, and grab some free vendor management goodies.