Cyber holiday fraud: Make your process list and check your payments twice


Cyber criminals love this season because the holidays and year-end processes create perfect opportunities for fraud to thrive. This holiday season, make sure the payments coming in and out of your business get to the right place, and avoid a growing and potentially devastating method of payment fraud.

Common ACH and wire fraud schemes

Automated Clearing House (ACH) payments and wire transfers are common ways for businesses to send and receive payments from customers and vendors. They have traditionally been considered a safer form of payment, but fraudsters are increasingly intercepting and altering ACH and wire payment instructions for a quick payday. In the 2023 AFP Payments Fraud and Control Survey, underwritten by J.P. Morgan, 65% of respondents reported being the target of actual or attempted payment fraud in 2022. Of those who lost money, nearly half (44%) were unable to recoup any of the stolen funds. Importantly, 71% of the organizations hit by payment fraud in 2022 were targeted through business email compromise (BEC), a scheme in which a bad actor impersonates or “spoofs” a co-worker, customer or vendor in order to modify or intercept payment information so that money is transferred to the fraudster rather than the intended recipient. According to the FBI’s most recent Internet Crime Report, BEC and related phishing schemes resulted in more than $2 billion in losses in 2022.

One common fraud is a bad actor impersonating your accounting department and sending an email to a vendor with “new” ACH or wire instructions that redirect the vendor’s payment to an account the fraudster controls. Another growing practice is bad actors compromising a company’s email accounts and quietly reading mail, waiting for correspondence about large transfers of money for deals closing at or near year-end. Then, on the eve of the closing, the bad actor impersonates one of the deal parties, often replying within the genuine email thread, and sends a fraudulent email containing updated ACH information that causes the funds to be sent to the wrong bank.

Whether stealing a lump sum or recurring payments, ACH and wire fraud can cause a loss of hundreds of thousands of dollars. Furthermore, this loss is often without a clear recourse if the fraud is not caught before the criminal empties the account where money is routed. This is because both companies affected – whether the payor or payee – are victims of fraud, making liability for the misdirected funds difficult to determine.

So, stay cyber-jolly this holiday season and mitigate the risk of payment fraud by using some practical safeguards:

  • Develop or update your payment and fraud-response policy. Be sure your organization has a current, written policy and process. Designate one person to whom suspected payment fraud is reported, and have that person become familiar with the fraud-reporting procedures of your key banks and partners before an incident happens. Speed matters: a wire recall or stop payment only has a chance of succeeding if the bank is notified before the criminal empties the receiving account, so the policy should require reporting the same day a misdirected payment is suspected. With a policy in place, your business will be better equipped to stop payment with your bank or alert third parties to stop misdirected payments, mitigating the risk of a total loss from fraud.
  • Restrict access to ACH and payment-related information and forms. Do not place ACH or wire payment forms, whether for sign-up or for updating account information, on any public-facing website; a fraudster who knows exactly what your change-of-account form looks like can produce a convincing fake. Share banking information only through secure channels, such as encrypted email or a file-sharing system that requires a password or login to access, and never accept new banking details on the strength of an emailed form alone.
  • Verify any changes in ACH or payment information with trusted sources. If you receive a call or email claiming that payment information has changed, take extra measures to verify the message, the invoice or the request, and never use contact information taken from the message itself to do so. For example, if a vendor tells you their payment information has changed, call the vendor directly at a phone number you already have on file and speak to someone you have dealt with in the past. Apply the same check to requests that appear to come from your own executives or accounting staff, since impersonating a co-worker is a standard BEC tactic.
  • Educate staff about fraud and phishing. Your first line of defense is the staff who deal directly with third parties and payments. Provide employee training on social engineering and fraud schemes, and teach staff to recognize common phishing signs: sender addresses or domains that differ from the real one by a character or two (a swapped letter, a digit in place of a letter, an extra word), purportedly urgent messages, and last-minute or unusual requests to change banking information. And be sure to use multi-factor authentication on email, payroll and payment systems, since a stolen password alone is how most mailbox takeovers begin.
  • Educate your vendors and customers about fraud and your process. If you have no immediate plans to change payment information for customers or vendors paying you, consider telling these third parties that any messages claiming to change your payment information should be suspected as fraud and verified using known contact information for your billing or accounting department.
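The “slightly misspelled sender” warning above is something a mail gateway or an accounts-payable intake script can check automatically rather than relying on a busy clerk’s eye. The following is an added example, not code from the original post or from the firm; it compares the domain of an incoming sender address against a constructed list of domains the business actually does business with, folding common look-alike substitutions (digits for letters, “rn” for “m”) and flagging near misses by edit similarity. The trusted domains and sample addresses are invented for illustration.

```python
# Added example (not from the original post): flag sender domains that are
# near-misses of the domains a business actually corresponds with.
from __future__ import annotations

import difflib
import unicodedata
from typing import Iterable, Optional, Tuple

# Constructed sample: domains of real vendors, banks and the company itself.
TRUSTED_DOMAINS = {"acmesupply.com", "northwindlogistics.com", "example-bank.com"}

# Substitutions fraudsters use so a look-alike survives a quick glance.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
              "rn": "m", "vv": "w", "cl": "d"}


def normalize_domain(domain: str) -> str:
    """Lower-case, strip accents, and fold common digit/letter look-alikes."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def sender_domain(address: str) -> str:
    """Return the domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str,
                    trusted: Iterable[str] = TRUSTED_DOMAINS,
                    cutoff: float = 0.85) -> Tuple[str, Optional[str]]:
    """Classify a sender as ("trusted", domain), ("lookalike", domain it
    imitates) or ("unknown", None).

    A domain is a look-alike if, after normalization, it equals a trusted
    domain or is at least `cutoff` similar to one by difflib ratio. The
    threshold is a heuristic chosen for this example, not a standard."""
    raw = sender_domain(address)
    if raw in trusted:
        return "trusted", raw
    norm = normalize_domain(raw)
    best_domain, best_ratio = None, 0.0
    for t in trusted:
        t_norm = normalize_domain(t)
        if norm == t_norm:
            return "lookalike", t  # differs only by look-alike characters
        ratio = difflib.SequenceMatcher(None, norm, t_norm).ratio()
        if ratio > best_ratio:
            best_domain, best_ratio = t, ratio
    if best_ratio >= cutoff:
        return "lookalike", best_domain
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders: one genuine, three look-alikes, one unrelated.
    for addr in ["ap@acmesupply.com", "ap@acrnesupply.com",
                 "billing@acmesuppIy.com", "ap@acmesupp1y.com",
                 "noreply@gmail.com"]:
        print(f"{addr:28} -> {classify_sender(addr)}")
```

A “lookalike” result should route the message to the person designated in your fraud policy for out-of-band verification, never to the clerk who would otherwise update the vendor record. The check is deliberately simple: it does not decode internationalized (punycode) domains or catch a fraudster who has taken over the vendor’s genuine mailbox, which is exactly why the callback to a number already on file remains the control that matters most.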

If you have any questions or need an assessment of your processes or training on best practices, please contact one of the Cybersecurity and Privacy Group attorneys at McAfee & Taft.