Controllers Council recently held an expert practices presentation entitled, Phony Bank Account Change Requests: How Controllers Can Stay One Step Ahead, presented by VendorInfo.

Panelists included Phil Binkow, CEO at VendorInfo, and Mark Brousseau, President at Brousseau & Associates.

Following are key takeaways from this discussion. If you are interested in learning more, view the full presentation archive video here.

Why the Risk of Fraud is Higher These Days

The FBI’s Internet Crime Complaint Center reports that business email compromise (BEC) now has losses exceeding $3 billion a year, roughly a 20% increase year over year. These are staggering numbers. In fact, in the United States, we lose more money each year to business email compromise schemes than to bank robberies. So why is it that we’re experiencing more fraud these days?

First and foremost among the reasons is corporate America’s dependence on email. Nearly 90% of invoice and payment communications still flow through unsecured email channels. That may seem convenient, but it makes spoofing and interception easier than ever. Combine that with sophisticated cybercriminal tactics (AI text generation, deepfakes, faked logos), and fraudulent messages now appear more convincing than ever. With billions of personal and corporate records exposed each year, it’s no wonder fraudsters can infiltrate even the most hardened systems.

We also have weak security measures. When you think about what resides inside those firewalls, it’s really outdated: antiquated manual and semi-automated systems in AP, AR and elsewhere. The fact is, that makes it too easy for unauthorized users to access our sensitive supplier and customer data. Once they get in, and you don’t know how they’ll get in, they have free rein.

We also have insufficient staff training. Frankly, in AP, what most of us do is what I call a set-it-and-forget-it approach to training staff. We sit down a new employee, tell them some do’s and don’ts, pat them on the back, and send them on their way. The problem is that fraud schemes are constantly evolving, and we need to make sure our teams know what to look for.

The Biggest Fraud Threats in Finance Today

Across industries, we’re seeing five core fraud schemes dominate the controller threat landscape. The first, of course, is phishing via business email compromise, or BEC. Attackers impersonate executives, suppliers, maybe even a customer in some cases. They use lookalike domains or hijacked inboxes, and the goal is to trick your staff into approving fake payment requests or bank change requests. The FBI reports that more than $14 billion has been lost to BEC scams over the past five years, and unfortunately AP is the top target. But it’s not just phishing we’re seeing. We also see more duplicate and altered invoices, where fraudsters resubmit legitimate invoices with slight modifications: a new invoice number, a changed date, or even a different bank account. They’re counting on AP teams being so overloaded that they won’t notice the subtle changes. If you don’t have duplicate detection, there’s a good chance you’ll end up paying the same obligation twice, the second time to a fraudster.
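The duplicate-detection control mentioned above, as an added example that is not part of the webcast or any VendorInfo product. The invoice fields, the normalization rules and the sample history are constructed for illustration: an altered resubmission typically keeps the vendor and amount but tweaks the invoice number (punctuation, leading zeros, a trailing suffix), the date, or the bank account, so matching on the exact invoice number alone misses it.

```python
"""Detect duplicate and altered invoices in an AP intake queue (added example; constructed data)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    invoice_no: str
    invoice_date: date
    amount_cents: int
    bank_account: str  # account the remittance would be sent to


def normalize_invoice_no(invoice_no: str) -> str:
    """Collapse cosmetic variations a fraudster uses to slip past exact-match checks:
    case, punctuation, leading zeros in the numeric part, and a single trailing suffix letter."""
    s = re.sub(r"[^A-Za-z0-9]", "", invoice_no).upper()
    s = re.sub(r"(?<=\d)[A-Z]$", "", s)          # 'INV1042A' -> 'INV1042'
    m = re.match(r"^([A-Z]*)0*(\d+)$", s)        # 'INV001042' -> 'INV1042'
    return f"{m.group(1)}{m.group(2)}" if m else s


def find_duplicates(history: list[Invoice], incoming: Invoice,
                    window_days: int = 90) -> list[tuple[str, Invoice]]:
    """Return (reason, prior_invoice) pairs that make `incoming` look like a resubmission."""
    hits: list[tuple[str, Invoice]] = []
    key = normalize_invoice_no(incoming.invoice_no)
    for prior in history:
        if prior.vendor_id != incoming.vendor_id:
            continue
        same_no = normalize_invoice_no(prior.invoice_no) == key
        same_amt = prior.amount_cents == incoming.amount_cents
        days_apart = abs((incoming.invoice_date - prior.invoice_date).days)
        if same_no and prior.bank_account != incoming.bank_account:
            # The classic altered invoice: same obligation, remittance redirected.
            hits.append(("same invoice number, different bank account", prior))
        elif same_no:
            hits.append(("same invoice number resubmitted", prior))
        elif same_amt and days_apart <= window_days:
            # New number, same vendor and amount inside the window: needs a human look.
            hits.append(("same vendor and amount within window, new invoice number", prior))
    return hits


# Constructed history of invoices already paid to one supplier.
HISTORY = [
    Invoice("V-0017", "INV-1042", date(2024, 3, 1), 48_750_00, "US-021000021-556677"),
    Invoice("V-0017", "INV-1043", date(2024, 3, 15), 12_000_00, "US-021000021-556677"),
]

# Constructed resubmission: same amount, tweaked number, new date, new bank account.
ALTERED = Invoice("V-0017", "inv1042A", date(2024, 4, 2), 48_750_00, "US-021000021-998811")

if __name__ == "__main__":
    for reason, prior in find_duplicates(HISTORY, ALTERED):
        print(f"HOLD {ALTERED.invoice_no}: {reason} (matches {prior.invoice_no} dated {prior.invoice_date})")
```

Run it before an invoice is released to payment, not after; a hit on the first rule should hold the payment and trigger the same out-of-band verification used for bank-change requests, since the supplier of record may never have sent the altered copy.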

We also see cases of insider fraud, most of which exploit our manual processes. And of course we’re seeing more AI-generated fraud techniques: deepfake voices on phone calls that are “confirming” urgent changes or approvals, and in some cases synthetic invoices created with generative AI that perfectly mimic the templates used by actual suppliers. What AI really exploits is our reliance on trust and our familiarity with day-to-day operations.

But the fraud scheme we really want to focus on today is phony bank account change requests. This is where fraudsters pose as legitimate suppliers, often using compromised email accounts, and ask AP to update their banking details. If you’re like most companies and you don’t use independent verification, payments are likely to be rerouted straight into a criminal’s account. Almost as soon as the money hits that account, it’s swept off into faraway accounts, often in Eastern European or Asian countries, where it’s hard to recover. AFP estimates that this type of scam has increased 43% over the last two years alone, and average losses now total six to seven figures. Each of these schemes is insidious, but together they create an environment where our risks have never been higher.

Phony Bank Account Changes = Real Fraud Losses

What we’re seeing is that these scams translate into big fraud losses. This is where the risk becomes painfully real for controllers. Accounts Payable, after all, is the number one target for payment fraud. Fraudsters know that AP sits on very sensitive data and controls the payment flow. It only takes one unverified change to redirect an entire supplier’s payment stream. We’ve seen cases where companies lose six- and seven-figure sums from just one fraudulent update. The problem is compounded when you do business globally. Many of you work with international suppliers across multiple banking systems, each with different formats and different regulations, and not all of them provide real-time verification options. What that means is that AP teams often rely on email confirmations and manual callbacks that can be easily spoofed or intercepted. The fact is that traditional ways of verifying bank account change requests simply aren’t fast enough or accurate enough for the schemes we’re encountering today.

Let’s look at how these schemes work step by step. First, a fraudster spoofs or hijacks a supplier’s email. This is especially common in long-term supplier relationships, where you’ve done business with somebody for years and have an established level of trust. These are the relationships fraudsters target. They compromise the supplier’s email, then monitor legitimate email threads and try to jump in at just the right time, often just before a payment is scheduled. How do they know when? Because they’re reading the email string: they see the invoice dates and they see when you received remittance details via email.

Then they submit a fake bank account change request. It might come through an email that looks exactly like it’s from your supplier contact, typically with the correct signature and invoice references. Remember, they have access to the email, and maybe even to the systems your contact at the supplier uses. They may even send it from the compromised supplier inbox, the actual inbox your contact uses, so everything appears legitimate. Once that happens, the fake account details are routed through AP’s normal workflow, and if they’re not caught, payments go to the wrong account because the fraud looks like a standard update. In many cases it isn’t caught until days or weeks later, when the legitimate supplier calls up asking where their payment is. The FBI estimates that the average loss per incident from a phony bank account change request exceeds $125,000, and recovery rates remain below 20%. So a lot of money is being lost to this one scheme alone.

One of the biggest misperceptions about phony bank account change requests, and payment fraud in general, is that it’s an IT issue. It’s not; it’s an AP problem too. Most of these schemes don’t start with malware or malicious code embedded in an email. They start with social engineering. Fraudsters are using psychology, not technology, to pull one over on us. They exploit trust, authority and urgency, posing as suppliers under deadline pressure or even as your CFO rushing to approve a time-sensitive payment that, if it isn’t made, will bring the supply chain to its knees.

Best Practices

Beyond dollars and cents, there is operational disruption, and it weighs on the shoulders of our AP and finance teams. There is a morale cost: employees feel responsible. That’s why we have to find ways to be proactive in preventing fraud, and there are four best practices I want you to be mindful of:

  1. Standardize Your Bank Change Process: Require specific documentation from suppliers and use a formal submissions process
  2. Verify Bank Account Ownership Independently: Never rely solely on supplier-provided info and use third-party sources or automated tools
  3. Flag High-Risk Changes: Changes involving international banks, high dollar/high frequency suppliers, or submitted outside standard protocol
  4. Automate the verification process
    1. Benefits: real-time, accurate verification of bank account details, consistency with less chance of error, and integration to ensure that every payment is verified automatically
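The triage step that practices 1 through 4 describe, and the attack chain in the section above, as an added example that is not part of the webcast or of VendorInfo’s product. The vendor master, the spend threshold, the request fields and the sample request are constructed for illustration. The points it encodes are the ones the talk makes: a request outside the standard channel is flagged; verification uses the phone number of record from vendor onboarding, never a number supplied in the request, because a compromised inbox can supply any number; international banks, high-dollar suppliers and changed bank countries are flagged; and the change stays on hold until the callback is confirmed. The lookalike-domain check goes one step beyond the text by scoring the sender domain against the domain of record.

```python
"""Triage a supplier bank-change request before it reaches the vendor master (added example; constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field

HIGH_SPEND_THRESHOLD_CENTS = 500_000_00  # constructed: annual spend above this is 'high dollar'
HOME_COUNTRY = "US"                      # constructed: bank country that counts as domestic


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    email_domain: str      # domain of record, captured at onboarding
    callback_phone: str    # phone of record, captured at onboarding
    bank_country: str
    annual_spend_cents: int


@dataclass(frozen=True)
class BankChangeRequest:
    vendor_id: str
    sender_email: str
    channel: str           # 'portal' (standard process) or 'email'
    new_bank_country: str
    new_account: str
    phone_in_request: str | None = None   # a 'call me here to confirm' number in the request


@dataclass
class Triage:
    flags: list[str] = field(default_factory=list)
    verify_via: str = ""   # the number AP must actually call
    hold: bool = True      # a change is never applied automatically


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as acme-suppiy.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(req: BankChangeRequest, master: dict[str, VendorRecord]) -> Triage:
    t = Triage()
    rec = master.get(req.vendor_id)
    if rec is None:
        t.flags.append("unknown vendor id")
        return t
    # Practice 1: anything outside the standardized submission channel is flagged.
    if req.channel != "portal":
        t.flags.append(f"submitted outside standard protocol ({req.channel})")
    # Sender domain against the domain of record; a near miss is a lookalike, not a typo.
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != rec.email_domain:
        if edit_distance(sender_domain, rec.email_domain) <= 2:
            t.flags.append(f"lookalike sender domain {sender_domain}")
        else:
            t.flags.append(f"sender domain {sender_domain} not on record")
    # Practice 3: high-risk change rules.
    if req.new_bank_country != HOME_COUNTRY:
        t.flags.append("international bank")
    if rec.annual_spend_cents >= HIGH_SPEND_THRESHOLD_CENTS:
        t.flags.append("high-dollar supplier")
    if req.new_bank_country != rec.bank_country:
        t.flags.append(f"bank country changed {rec.bank_country} -> {req.new_bank_country}")
    # Practice 2: independent verification uses the number of record, never the request's.
    t.verify_via = rec.callback_phone
    if req.phone_in_request and req.phone_in_request != rec.callback_phone:
        t.flags.append("request supplies a callback number that differs from the number of record; ignored")
    return t


def apply_change(t: Triage, callback_confirmed: bool) -> bool:
    """Only a confirmed callback to the number of record releases the hold."""
    if not callback_confirmed or "unknown vendor id" in t.flags:
        return False
    t.hold = False
    return True


VENDOR_MASTER = {  # constructed vendor master
    "V-0017": VendorRecord("V-0017", "acme-supply.com", "+1-555-0100", "US", 1_200_000_00),
}

# Constructed BEC-style request: lookalike domain, sent by plain email, international
# account, and its own 'confirmation' number that AP must not call.
SUSPECT = BankChangeRequest("V-0017", "ar@acme-suppIy.com", "email", "LT",
                            "LT601010012345678901", phone_in_request="+1-555-0199")

if __name__ == "__main__":
    result = triage(SUSPECT, VENDOR_MASTER)
    print("flags:", *result.flags, sep="\n  ")
    print("call the number of record:", result.verify_via)
```

Note that the clean path still ends in a hold: a request that arrives through the portal from the right domain for a domestic account is flagged only for supplier size, and the account is not updated until someone calls the onboarding phone number. The talk’s fourth practice is to have the platform run this check and the callback on every change rather than leaving it to memory.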

To learn more about secure verification, view the complete webcast here.

ABOUT OUR SPONSOR:

VendorInfo, part of Financial Operations Networks (FON), provides specialized self-service vendor portals that bring focused, comprehensive and timely tools and support for collecting, verifying and managing vendor information. VendorInfo meets the changing internal and external requirements for security, controls, compliance, efficiency and scalability. FON was founded by the leadership team behind PayTECH and The Accounts Payable Network and has been instrumental in helping thousands of senior financial professionals keep their operations ahead of the risk, efficiency and cost-avoidance curves since 2001. Learn more at www.vendorinfo.com