Only 38% of businesses are using document and identity authentication tools, leaving most organizations vulnerable to fraud attacks linked to incoming payments. In this month’s “B2B Payments Fraud Tracker®,” Candler Eve, director of enterprise fraud at MidFirst Bank, highlights three key ways to avoid invoice fraud.
PYMNTS interviews Candler Eve, vice president and director of enterprise fraud at MidFirst Bank, about the problem of invoice fraud and why authentication is key to its prevention.
—
In an increasingly online world, fraudsters have more opportunities to commit fraud and more tools with which to do so than ever before. Their overall strategy, however, is unchanged: Go after the vulnerabilities. A lot of businesses are not accustomed to having strong authentication and bank account validation procedures and are generally unfamiliar with the best practices for fraud prevention. Lacking effective authentication, these businesses are prime targets for invoice fraud on both the accounts receivable (AR) and the accounts payable (AP) side — and criminals are looking to capitalize quickly.
“We see invoice fraud with some frequency,” said Eve. “I can tell you that across the country, it is rising.”
Much of the invoice fraud Eve encounters falls under the umbrella of email compromises. He explained that a criminal posing as someone at a company — such as the CFO, for example — will email department employees asking for money or account information, often in the form of a fraudulent invoice. This crime is aided by the fact that many companies have a simple invoicing process, frequently requiring only a basic form. All a fraudster needs is to get ahold of one such form, which is easy enough, according to Eve. The fraudster can then doctor the document by changing the bank account number before sending it to the victim.
This can be very effective, Eve observed, because the person receiving the fake invoice is unlikely to do additional due diligence, having been deceived into thinking it is a legitimate form. Too often, no actual authentication occurs. The fraud is not detected, and financial costs and reputational harm ensue.
“A good point [to note] here is that the fraudster is going to try to use the company’s own process against them, especially if that process is lacking any sort of authentication,” he said.
Given the threat of invoice fraud, MidFirst Bank takes authentication very seriously — and other companies should too. MidFirst Bank ensures that all invoices and requests are, in fact, made by the proper person through a lengthy process of authentication and verification. To avoid helping fraudsters target MidFirst Bank, Eve declined to get into the specifics, but he did say that rather than solely relying on email, the bank will call the person on an authenticated phone number to confirm the details.
“It’s amazing the amount of fraud you can prevent with a simple phone call,” he said.
Eve said he advises companies to ensure that they are authenticating all requests and invoices, especially when they originate from third parties. Similarly, companies should always authenticate when establishing a new relationship or changing an existing one. The Companies To Watch section that follows describes some platform solutions that can assist in validating and confirming the accounts to which money is transferred.