2013 AFP Payments Fraud and Control Survey

The 2013 AFP Payments Fraud and Control Survey has been published, and this year’s results indicate an overall decrease in the incidence of fraud attempts. This downward trend is due in part to the increasing shift from paper to electronic payments. With fewer checks in the system, less check fraud occurs, although checks remain the most popular vehicle for criminals committing payments fraud.

87% of survey respondents reported that checks were targeted, compared with 29% for corporate/commercial purchasing cards, 27% for ACH debits, 11% for wire transfers and 8% for ACH credits. Nearly three-quarters of organizations that were subject to at least one payments fraud attempt in 2012 did not suffer actual losses from the attempt. This is largely due to effective fraud detection and controls.

External vs. Internal Threats

Most payments fraud originates outside the victimized organization. Eighty percent of the organizations surveyed experienced attempted or actual payments fraud as a result of actions taken by an outside individual. For eighteen percent, the fraud was the result of organized crime, while ten percent were subject to fraud from an internal party. Generally, less than 1% was attributed to a lost or stolen laptop or a compromised mobile device.

Controls

Positive pay, ACH filters and daily reconciliations are among the methods used to identify exception items that may include fraudulent transactions. For most of the respondents, the number of exceptions is relatively small and items can be easily identified. One best practice that organizations can follow is to segregate accounts by payment type (wire, ACH, check, card) and by purpose (taxes, payroll, AP), because separating accounts allows for more timely and focused review of payment activity.

Social Engineering

Corporate Account Takeover (CAT) typically involves gaining access to a company’s online banking site in order to create fraudulent transactions. Attacks are often introduced through “social engineering”, which relies on human interaction and on tricking people into performing actions that can compromise security. A good example is an innocent-looking email containing links that, when clicked, install malware or keystroke loggers to capture access credentials. The good news is that the incidence of this is still very low: only 2% of respondents reported being attacked and actually having had credentials compromised or an unauthorized transaction initiated. One effective way to mitigate CAT is to conduct daily reconciliations of transaction activity and to follow up on a timely basis when questionable activity is detected. Other effective techniques include separation of duties and dual controls for payment release.

How does this report align with your experience?

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.