PYMNTS-MonitorEdge-May-2024

As Application Fraudsters Set Sights on B2Bs, A Growing Threat Looms

The Paycheck Protection Program (PPP) loans are gone. The various tranches of government aid have been exhausted, and trillions of dollars in economic aid are in the rear-view mirror.

Brandon Spear, CEO of TreviPay, told Karen Webster that fraudsters, looking for new avenues of attack, are targeting B2B channels to ply their schemes, to steal money and data. They can do so by leveraging the weaknesses inherent in buyer/supplier interactions that are anything but efficient — and give bad actors plenty of opportunities to cover their tracks.

The risks accrue as B2B businesses have to grapple with their desire to expand in the face of security challenges. By and large, the fraudsters — if they’re not stealing money outright — are looking to exploit B2B interactions to get goods in hand that are easy to resell, such as electronics or other consumer goods.

Spear said that industrial products are generally less attractive — but all verticals need to be educated about the looming threats and the need for robust ID verification protocols. It’s a widespread problem, as research shows that 98% of businesses experienced financial losses as a result of successful fraud attacks, as measured through the past year.

See also: 19% of Merchants Rely on Multiple Verification Methods to Vet New Business Partners 

Fraud Prevention Efforts

Seventy-one percent of organizations plan to implement new digital solutions to prevent fraud, and 49% say finding a better digital solution for fraud prevention is their primary fraud prevention plan. Thus, fraud and business identity theft challenges are top of mind for the executives that were queried by PYMNTS and TreviPay — yet 68% of the businesses surveyed said that they’re not very happy with the solutions they have in place today.

“Unless you are in it and kind of living it every day, you might not necessarily know about these challenges,” he said, as these firms are boosting card acceptance and making the leap even further into eCommerce.

Spear added that when thinking about fraud, it should be considered within two contexts. Most people are familiar with transactional fraud, but there is also application fraud, which is when someone tries to impersonate a business during the initial onboarding activities.

“Application fraud is more like identity theft,” he continued. As B2B businesses try to identify and authenticate business customers and partners, as part of the onboarding process, time is of the essence.

And the applications themselves — well, they take time, and they are rife with friction. Along the way, as Spear said, the firms girding against fraud are not necessarily relying on real-time data to help them form an opinion about whether the applicant is a valid business or not.

Read more: Payment Card Verification Remains Leader Among Anti-Fraud Measures

Often, the triggers that something is not exactly on the up and up come only after fraud has been committed, when, 30 days or 90 days after funds have been sent to an unwitting victim, payments are “reversed” or payments have been sent to an account that looks legit but disappears.

In other words, the money is gone — and there’s no guarantee anything will be recovered. As such, the best way to catch underhanded schemes is to do so at the beginning, upon that first interaction online. To get an accurate read on someone’s veracity (whether a consumer or a business) as they apply for a new line of credit — or for services or as they order a product — it’s imperative to have it all done online.

“If you do it through a paper-based process, or through offline channels, the less data there is that you can gather,” he said. Spear added that “tells” and “cues” can be gathered online that can raise red flags, such as an entity that says it is domiciled in the U.S. but has an IP address in a different country.

The Google Data Points 

Along the way, it’s important to note that the good guys (the firms doing the onboarding) and the bad guys (the ones trying to trick those companies) have access to the same data points.

After all, Google offers a wealth of information, and the more sophisticated fraudsters will not try to concoct a completely “new” and fake business. They will instead leverage the existing information about real companies that can be gleaned from search engines, registrations and other documents — which are, of course, available online.

Thus, 90% of the data submitted by the fraudsters looks real, he said. For example, an email address, may have an extra letter in it, barely noticeable on a quick read during the application process.

All of that data is reusable. When the bad actors find that a ruse works, as they impersonate legitimate companies, they’ll do so over and over again. Theoretically, at least, it’s not impossible to defraud hundreds of companies through the use of a single, fraudulent persona.

In that case, he said, “If you are relying solely on transaction monitoring, you’ve missed important steps.”

To help enhance the fraud-fighting toolkit, so to speak, Spear noted that roughly 20% of firms are using at least some form of identity verification as part of a multifactor strategy. However, he cautioned that it’s imperative for firms to choose the right partners (TreviPay among them) to deploy the right tools, lest they fall victim to offering up friction-filled, clunky consumer experiences.

The need to deploy advanced technologies in the bid to smooth and secure the B2B onboarding relationship has become more urgent in the age of the pandemic, Spear said. Parsing IP addresses against the geolocation of the person applying for credit can help — and so can building at least some lines of defense in-house, with help from those outside providers.

More firms than ever are selling across the globe, up and down supply chains that may no longer include direct relationships where suppliers and vendors have intimate knowledge of one another.

“If you’re changing your market model, and shifting to digital channels, it’s dangerous if you don’t have ID verification as part of your strategy,” he told Webster.

PYMNTS-MonitorEdge-May-2024