If your annual revenues exceed $250,000 a month. Inquire about our custom rates!
The majority of consumers and businesses expect to use their debit cards or credit cards as payment methods. If you don’t accept these in your business, then you are missing opportunities for more revenue because these potential customers or clients will go elsewhere. By adding online credit card processing to your payment methods, you will be more likely to add business and close more leads than just accepting cash and checks. This is especially important if the majority of your transactions are online or you are a freelancer that works in a virtual environment.
Research has shown that invoices get paid up to 11 days faster when you accept credit cards. Customers and clients want to get the task of paying an invoice over with as quickly as possible because they have more important things to do. By using their credit card, they can finish in minutes rather than taking much longer to write a check, fill out an envelope, and mail it. The faster you get paid, the more cash you have available for your business needs.
Most online payment processing companies are increasing their fees while banks are charging more to process checks. You may also find that your transaction costs are higher when you have to account for paper supplies and labor that goes into traditional payment methods. Instead, by switching to a low-cost credit card processing service like Due, you will be able to minimize this expense and, as a result, increase your profitability. The addition of features like chargeback protection also helps keep costs down that are often associated with payment disputes.
Despite more people using their debit and credit cards online the concern over fraudulent or suspicious activity is a continued concern. However, Due uses algorithms and live monitoring to identity as well as encryption to prevent any fraud or data compromise.
Due removes paper, human error, and time from these non-revenue tasks and replaces them with an efficient, streamlined way to bill for your products and services and then quickly receive your payments. In automating the process, there is a significant reduction in the margin for error in what is owed and paid. This leaves you with more time to market your business and take on new projects or process more orders. This is a fiscal recipe for success.
Businesses of any size have to think about solutions. They will have to identify the various problems of the business, analyze them, design a process, research the market, then turn that solution into a product that other people can buy and benefit from. If all goes well — and the product works correctly and is marketed well — every business runs into one problem of their own: how to receive payments for their products or services.
Retail stores that sell directly to customers have it easy. They have cash desks that can receive any manner of payment. Paper and coin, checks, and credit cards, the new credit card chip readers attached to giant corporations that collect the debt and, for a fee, transfer it to the retailer’s bank accounts. But for B2B, businesses selling to other businesses, the payment process has always been much more complicated. Most businesses sell to fewer buyers than the big retail chains. In the B2B arena, the businesses may never even meet their customers, and previously many businesses didn’t have the ability to accept and bank payments in cash. These payments can be steep and neither buyer nor seller wants to pay the credit card fees, if they can avoid them. A business, especially a very small business such as a freelance business – certainly doesn’t have cash desks where their customers can line up with their purchases and their credit cards at the ready.
Instead, businesses that sell to other businesses often have to go through complicated processes of issuing invoices, collecting payments and returning receipts. The paper trail has to be clear enough to ensure that requests can always be tracked, monitored and approved, and that payments can always be reviewed and audited. Nowadays, the “paper trail” may not be actual paper, however the trail has to be a followable trail.
The request for a payment has to travel from one business to another business. From the business seller to the business buyer. The payment has to then be transferred from the business buyer’s bank account to the business seller’s bank account. Then, the product or service has to move in the right direction, and arrive on time as well.
All of the movement of billing, payments, products and services has to happen in a way that’s secure and trustworthy. Customers might stand in line at a retail store with their purses in their hand, but they don’t expect a thief to run past them snatching at their money. The stores are able to check the ID of the customer right there in the store. The store can reasonably assume that the credit card details they collect and submit every day are kept safe by the credit card companies, and the payments from the customer will be delivered to them in full, and not intercepted en route. Even the cash payments which are collected from the retail store and moved to the bank or processing center are taken in moving safes – accompanied by armed security guards.
Over the years, companies have offered businesses all sorts of solutions to the problems of safely collecting and transferring payments between other businesses. Some of the solutions have turned out to be better than others and all companies seem to have advantages and disadvantages. In this guide, we’re going to look at the payment options available to businesses at this time, who sell to other firms.
We’ll start with a brief look at the history of B2B payments, explore the issues that the different systems have to grapple with and we’ll see how these issues have been resolved. We’ll look at the recent advances in technology that have allowed notable progress for online payment solutions, and reveal what measures the systems have put in place that bring security to businesses which operate in environments as complex and as changing as the Internet.
We’ll then look more closely at the various payment methods that are currently being used by most business to business firms. We’ll discuss the main platforms available that allow companies to both invoice for goods and services, and collect payments, and we’ll mention some of the particular companies that offer these services.
In Chapter 3, we’ll talk security. Sometimes measurements of the amount of money stolen in cybercrime has been difficult; not every theft is reported. In 2013, the FBI received reports of losses totaling over $781 million. Nearly one business in five reported a theft of $50,000 or more, and 7 percent of U.S. organizations were robbed electronically of more than a million dollars. McAfee, the computer security firm, says that they believe the annual cost of cyber theft around the world could be in the neighborhood of $400 billion.
Obviously, not all of those losses are a result of B2B payments. But the large transfers that take place between businesses, as well as the considerable deposits from these businesses themselves, are huge targets for thieves, from mafia hotspots in Moscow to geek basements in Arizona. We’ll explain the methods that payment firms use to keep these transfers safe and explain what businesses do to ensure their own security. In the following chapter, we’ll reveal several warning signs that can suggest your payment processes are in danger and who is responsible for watching out for these signs.
B2B payment systems are rarely the most exciting part for a business to deal with. Either end of the process – invoicing or payments – and this includes completing this process for freelancers and entrepreneurs, has to be controlled and monitored. Most chief executives and founders would prefer to spend their hours sitting with their designers and plotting the development of their product with their coders. A business would rather be negotiating deals than figuring out how to receive the payments when those deals are closed.
But just as a house is not a comfortable place to live if the plumbing system is blocked and the electricity system has never been connected, so a business can’t survive if it hasn’t chosen the right payment process and kept it secure. Understanding a payment systems, and choosing the right one for your circumstance will make your life easier. You’ll be able to enjoy the benefits of a great system when those payments are made, your product or service is delivered on time, and your fees are collected.
Online companies delivering the B2B experience have not just “appeared” nor happened on their own, and would not have been possible had there not been years of groundwork laid through the financial industries. Just 37 years separate the launch of American Express as a fast mail service in Buffalo, New York in 1850, and the publication of Looking Backward, an early science-fiction novel by Edward Bellamy, a journalist in Chicopee Falls, Massachusetts. Looking Backward, was published in 1887 and is a utopian science fiction novel. It takes the reader to the year 2000 where the government owns the factories, workers retire with full benefits at age 45, and salaries are paid into a kind of debit card that people can use to make their purchases. The book is reported to have been one of the best sellers of its time, outsold only by Uncle Tom’s Cabin and Ben-Hur: A Tale Of The Christ. The New York Times has a great article entitled, “‘Looking Backward’: We have seen the future and it didn’t work.”
American Express was slow to take up the payment system that Bellamy described. In the late 1920s, oil firms and department stores moved first, using charga-plates, rectangular sheets of metal stored in leather or paper pockets and embossed with a customer’s name, city, state and account number. On some cards, the customer was required to sign the back. When a buyer made a purchase, the store would lay inked paper over the card and press or rub another paper over the plate to “print” the details. If that sounds like the way credit cards were used in the days before electronic submissions, it’s pretty close.
Other businesses soon picked up on the idea of collecting bills but wanted the banks to collect the payments on their behalf. The “Charge-It” was America’s first bank card, and was issued by the Flatbush National Bank of Brooklyn. Customers would leave their sales slips in the bank, the bank would bill the customer and the debts would be settled at the end of the month. The cards were also accepted in local stores, and by the 1940s Diners Club was issuing its own cards, initially for use in restaurants. American Express was now quick to offer its own version.
So credit cards have been around for more than half a century, allowing businesses to sell to customers without the use of cash and by using some degree of credit service. In the beginning, some businesses used their cards to make occasional, minor purchases from other businesses, and in particular to cover entertainment expenses racked up their executives, but when it came to making purchases themselves, few businesses were willing to put their own operating costs on their cards. Even by 2011 credit card payments made up just 3 percent of B2B payments. Between 2012 and 2014, use of credit cards for corporate payments ballooned to 10 percent, boosted by perks handed out by the card companies and the difficulties of obtaining business loans from banks. But the costs of using those cards revealed more clearly than ever the main reason businesses had spurned them before. According to a research firm, REL Consulting, a B2B firms spend an average of $2.2 million in credit card processing fees for every billion dollars of revenue they receive.
California was the first to establish a committee to reduce the volume of paper checks flowing through the banking system. They were looking for a way to automate payments between business accounts that produced less paperwork, would help lower fees and have faster speeds. In 1974, the National Automated Clearing House Association (NACHA) was formed to coordinate the activities of ACH associations across the country, and in 1978, all of the local ACHs were linked electronically. By the year 2000, ACHs were processing more than 4.8 billion payments a year at a value of more than $12 trillion through the Federal Reserve System. Most of those transfers are made up of credit card payments but they also include salaries, corporate bill payments, interest and dividends, as well as Social Security and other government entitlement programs. In 2014, those figures reached 22 billion in payments, an increase of 4 percent over the previous year.
A host of options that allow businesses to invoice and make payments over the Internet have multiplied. PayPal, a system that helps small sellers, particularly eBay users, to collect and make payments for online purchases has tried over the years to target business customers as well as garner payments made by retail buyers. The PayPal company has slashed withdrawal times to “next day” payments and in 2014 introduced a group invoicing, a feature that allows companies to send as many as 100 invoices at the same time.
Finance companies have developed a number of other platforms now that offer increased security while still maintaining the paper trail required by accounting departments. In 2000, a meeting in Starbucks between entrepreneurs Michael Praeger and David Miller led to the launch later that year, of a Software-as-a-Service platform that aimed to provide a simple Accounts Payable process “from invoice receipt through vendor payment.” From some of these early ideas, many companies have adopted a similar business model and can now offer this same service of online payments and transfers.
Even as companies now have a multiplicity of different ways of paying their suppliers and service providers, from corporate credit cards to automated transfers and online bank accounts, one method of making and recording payments continues to thrive: paper. In April 2015 Pyments.com reported from an online discussion that checks were usually the only method of payment most financial institutions and businesses ever saw even as late as the 1990s. The first years of the new millennium saw a slow move to ACH payments, but companies still continued to worry about the reviewing processes when they couldn’t pull out a physical copy of the check. It took years to get companies and financial institutions to feel safe without someone having a hard copy of a check on hand right there in front of them.
Even as businesses are beginning to digitize their payments, an overwhelming 50 to 60 percent of businesses continue to use paper to process their B2B payments.
From the first metal “credit cards” kept in stores and rubbed with inked paper – to updated online platforms that can be used in any office and accessed by any customer – the ability to make B2B payments has changed dramatically. There still remains complex accounting needs of businesses—the need for security to ensure that funds are safe, and for records that allow accounting staff to ensure that payments were made and declared. There will continue to be the quest for low fees so that the payment system doesn’t eat into business profits. Many businesses find it difficult to change and shift from tried and trusted methods of making B2B payments. Too many businesses have chosen to remain with what they know best, and what feels familiar – even as better options have developed. Companies are still spending too much money and too much time maintaining and organizing their payment processes.
In the next chapter, we’re going to look at the current most popular methods of making B2B payments, and we’ll assess their strengths and weaknesses.
The launch of Apple’s contactless payment system in 2014 marked the first significant change in the way people made purchases in stores. It’s still early but increasing numbers of vendors now accept Apple Pay, and in early 2016, one in five iPhone 6 users said that they had used the system at least once.
The most popular method of making retail payments still remains debit and credit cards. Around two-thirds of in-person sales are placed on a card. According to one study, by 2017, cash will be used in less than a quarter of point-of-sale purchases while checks are used to settle just 7 percent of all retail purchases, a figure that continues to decline.
B2B sellers can only dream of such clarity for their own payment options. There are basically five main ways in which businesses invoice and receive payments from other businesses, and each has its own advantages and disadvantages.
Other than cash, checks may be the oldest form of payment still in use. They’ve been used in the United States since the late seventeenth century and they’ve been printed since the mid-eighteenth century. For businesses, they’re a simple and apparently cheap way to authorize the movement of funds from a buyer’s account to a vendor’s account. There are no set up costs or complex systems to operate, and they also provide a relatively long float, the period of time between the payment being acknowledged as accepted and the money being deducted from the buyer. Those funds can continue to earn interest for the buyer even after the seller has accepted payment.
The simplicity, low price and even the value of the float may be deceptive. The NACHA estimates that the actual cost of processing a paper check is about $8, a figure that does not include the price of the check books themselves. The high fees incurred when a check has to be stopped, and the time spent by account staff who have to enter payment details manually into records, file the paperwork, fill the envelopes and mail the checks is daunting. Float time, too, has been reduced over the years. Now that checks are digitally scanned instead of physically mailed, the float has been virtually eliminated. Checks can also be lost or stolen in transit.
But the biggest disadvantage that checks present is the paperwork with limited visibility in approvals. Checks don’t have a reliable reporting capability for analytics, and the waste of time to find supporting documentation for the paper trail also demonstrates checks can be laborious. However, checks are simple to write and easy to create, which is why they’ve survived for so long. But they’re also more expensive than they look and demand a great deal of work from accounting staff.
Automated Clearing House now supports the largest percentage of electronic payments in the U.S. This network claims to be the largest, safest and most reliable payment system in the world. Payments are fast, taking no more than a day or two, so there’s no float; like a wire transfer, the full amount must be available in the account when the payment is made otherwise the buyer will face heavy overdraft charges.
Set-up is complex, and is usually performed through a company that processes ACH payments. Each client that receives or pays money through ACH must complete a form. For merchants, that usually happens online during enrollment. The complexity of the sign-up process usually means that ACH payments are only used by businesses for regular payments, such as payroll and regular supplies. The time required makes ACH unsuitable for paying one-off bills.
The transactions are encrypted; unlike a check the payment details, as well as account number and signature, aren’t available for anyone to see. The payments will also pass through fewer hands than a check, and federal regulations and banking rules supply some protection for electronic payments. However, buyers will need the supplier’s bank account information, which they may not wish to provide. The payments can also be reversed by the seller in the event of a dispute, increasing the risk of losing the funds. If the complexity of sign-up isn’t enough to make a seller think twice about using ACH for a single sale, the risk that the buyer can simply take their money back if they’re not happy with the merchandise is a good second reason.
And the paperwork isn’t great either. The remittance details are not usually detailed enough for automatic processing, shifting more work and costs to accounting staff. ACH can be a good solution for a business that makes regular purchases with other businesses that they know and trust. But it’s a problematic solution for companies with a variable client base or which makes purchases from a changing list of suppliers.
The use of credit cards in B2B payments doubled between 2012 and 2014, boosted in part by the promise of perks for frequent usage but mostly by the attraction of a 30-day float at a time when banks were unwilling to provide credit. The ability to close a payment on one day but only have to transfer the funds a month later has been a big pull for businesses with weak cash flow. For a business that needs a loan quickly and for a very short duration, a credit card can provide easy access to a source of credit.
Credit cards are also convenient, especially for small, one-off purchases. The card is fairly secure and disputes are handled through the credit card company. Buyers can ask for a charge-back but they can’t retrieve their funds in the same way as the ACH transfer user can.
But credit cards are expensive, especially for large purchases. Fees tend to range between 3 and 4 percent of the value of the invoice. Large business transactions can become very expensive indeed.
Wire transfers can seem good a good alternative in certain situations. The transfers can happen immediately so there’s no float, and depending on the amount and the set-up at the bank, they may be simple to execute. Online banking platforms may even demand no more information than the recipient’s email address. For large B2B payments the bank will require details including account number and SWIFT code. The transfer may have to be transacted through a phone call to the bank and they don’t generate the kind of remittance information that allows for easy reconciliation. Nor can any charges be reversed or stopped in the event of a dispute; once the bank has transferred the funds, the wire transfer’s role in the process is finished.
The biggest disadvantage of wire transfers is that they’re expensive. Typically costing between $20 and $35 for each transaction, they’re only worthwhile for very large payments. For small payments a check or credit card may still be the best option.
The move away from checks has largely been driven by the demand for the convenience, speed and efficiency of digital payments. Businesses would like to be able to authorize payments from their offices and receive the kind of remittance information that makes it easy for them to maintain their records.
A number of services have arisen over the last decade or so offering those services. Paypal is the platform most commonly used by small businesses in Europe and the United States (Alipay provides a similar service in Asia.) Other platforms include Due, Traxpay, Basware Pay and Apruve. Add in Pencepay, Bluesnap and Tipalti to name just a few, and it quickly becomes clear that online payment platforms targeting B2B transactions has become a thriving industry.
Each platform will have its own criteria, different charges and facilities, and supply remittance information in its own format.
In a post on Paymentsviews.com, Erin McCune, a payments consultant at Glenbrook, a consultancy specializing in B2B payments, predicted three developments in payment systems. “Business payments,” she said, “will be dominated by an ecosystem of interoperable solutions that allow data to flow freely between suppliers and buyers. The process will be transparent so that suppliers always know exactly when they will be paid.” McCune continues with the idea that pricing will change so that fees are based not on the method of transfer but on the many other changing variables.
Those may well be the directions for B2B payments, but until then companies will have to review their transactions and decide which of the options available best suits the way they do business.
When an order looks too good to be true, it often is. In December 2015, XPS Global, a B2B payments service provider, received a desperate call from a long-term client. The company had received an order for $12,000 worth of merchandise. Excited at the large purchase from a new customer, the merchant quickly sent off the goods. But the payment had been made on a credit card and shortly after the goods were dispatched, the merchant received notification from the credit card company of a chargeback. The money was gone.
The credit card number had been stolen, the cardholder had noticed the large charge on their bill and had informed the credit company. The debt was removed from the cardholder… but the poor seller, who had nothing wrong but respond to a good order, was left $12,000 out of pocket and with nowhere to turn for help. The victim of the crime might have been the owner of the credit card, and the credit card company would have been held responsible for their losses. But it was the merchant responding to what looked like a legitimate B2B payment who was left feeling the pain.
Payment security has always been an important issue. It was important when customers needed to carry around large amounts of cash, and it remained an issue as credit cards have replaced notes and coins. Now that anyone can place an order using nothing more than a string of numbers read over the phone or entered on a website form, security for all payments is weaker and more susceptible to abuse than ever before.
Security might once have meant employing men with guns to protect your bags of money. Today’s security environment has become a cat-and-mouse game between opposing teams of computer whizzes. The money game is also a game with a large numbers of players. According to a 2015 study by J.P. Morgan, 62 percent of businesses were targets of payments fraud the previous year, with targeting varying little between large and small firms. Around 56 percent of companies with revenues of less than $1 billion were subjected to attempted and/or actual payments fraud in 2014, compared with 65 percent of firms with revenues over $1 billion. The amounts lost overall are often relatively small but some businesses have been victims of heists as large as bank robberies. Thirty-nine percent of organizations lost less than $25,000 to payments fraud in 2014. But nearly one business in three lost between $25,000 and $249,999, and almost one business in five surveyed by the Association for Financial Professionals in 2015 was defrauded of at least a quarter of a million dollars. Those tended to be larger organizations with more than 100 payment accounts but payments fraud covers every form of payment. Each payment system has its own weakness, and each is susceptible to different fraudulent practice.
It not surprising that not only are checks the most common form of B2B payment, they’re also the form most susceptible to fraud. They’re the easiest payment method to fake, and the frauds perpetrated by checks tend to have the highest value. According to a 2013 Federal Reserve Payments Study, the average value of an unauthorized check transaction for both business and consumer payments was $1,221. A fraud perpetrated with a credit or debit card was usually worth $138 and $105 respectively.
The act of check fraud can take a number of different forms. The simplest occurs when a check is stolen, endorsed then presented for payment at a retail location or a bank using fake personal ID. For businesses, a bigger threat is an employee writing checks without authorization. Ambitious fraudsters may forge their own checks or physically change the payee’s name or the amount payable. More sophisticated criminals deliberately write checks on closed accounts, a process known as “paperhanging” but the most technical act of check fraud though is “check kiting.” Criminals open accounts at two or more banks and use the float time to create fake balances.
In 2010, Jeff Woodard of Harlingen, Texas, used whats known as check kiting to defraud three banks of more than a million dollars. Woodard owned three automotive businesses. He would write a check from one business to another and cover that check by writing another check from his third company. As long as he kept writing checks, the previous check would clear. All the checks were written in whole dollar amounts, were usually sequential, and were deposited each day to create the impression of having money in the account. Woodard would have been able to withdraw that money before the bank realized that the check had bounced.
Most of Woodard’s checks amounted to no more than hundreds of dollars each. He was able to maintain the fraud for so long because check kiting is very difficult to detect. Fraud investigators must examine all of the deposits over a three-month period to identify payments from another account under the account-holder’s control. They then have to be able to prove that the fraud was intentional, usually by showing a pattern of payments that had no purpose other than to inflate bank balances. Finally, prosecutors would have to show that the fraud created a benefit, that the inflated amounts in the account allowed a dying business to continue or the business owner to make additional expenses.
Check kiting is a fraud conducted through B2B payments whose victim is the bank but any business that accepts or makes payments using checks is leaving themselves open to fraud. Together with the difficulty of maintaining the paperwork and the slow speed of the process, it’s another reason that businesses are slowly abandoning this traditional payment method in favor of digital transfers.
Credit card fraud is second only to check fraud. According to a September 2015 report in The Wall Street Journal, 13 cents of every $100 spent in the US is made as a fraudulent credit card purchase. Merchants may lose as much as $190 billion each year through credit card fraud, with much of the fraudulent activity taking place online. Banks lose about $11 billion and customers are believed to lose almost $5 billion. As is so often the case, it’s small businesses that are hit hardest.
While it’s simple enough for a criminal to steal a credit card and attempt to run up debts before the card is frozen, other forms of fraud include counterfeiting and the use of stolen credit card numbers. In 2014 around 31.8 million US consumers reported that their credit cards had been breached, more than three times the number the previous year. Most retail businesses selling online will have experienced receiving a chargeback on a purchase made with a credit card.
According to the Association for Financial Professionals, however, the second most frequently targeted payment method for criminals attempting to commit payments fraud is corporate or commercial credit cards. For 32 percent of organizations that experienced card fraud in 2014, that fraud was associated with their own commercial cards. Those cards are primarily intended for purchasing goods but also for travel and entertainment.
Usually when fraud committed through a commercial card strikes, the criminal is someone outside the organization and unknown to the business, and the cards or numbers are used to make retail purchases. In 16 percent of companies, the fraudster is a vendor or a professional services provider, but in a quarter of payments fraud committed with a commercial card, the crook was an employee stealing funds from his or her place of work.
Despite the apparent ease of some of the methods of performing credit card fraud, the practice is declining. The replacement of cards with magnetic strips, with chips, and pin technology has made it harder for small-time thieves to repeatedly use stolen cards; each transaction uses a unique code, unlike the static data contained on the magnetic strip. Credit card companies are now making retailers who continue to accept older cards responsible for any losses caused by fraud. For businesses that accept or make B2B payments by commercial cards however, the risk of fraud by outsiders or crooked employees will remain.
In November 2009, the FBI issued a press release warning of a rise in ACH fraud. The release, issued by the Internet Crime Complaint Center estimated that the cost of a recent surge in fraudulent ACH activity was now more than $100 million. Most of the victims’ accounts were held at local community banks and credit unions, some of which used third-party services to process ACH transactions. “The bank account holders are often small- to medium-sized businesses across the United States, in addition to court systems, school districts, and other public institutions,” the FBI warned.
That surge might just have been the beginning of a new kind of payments fraud. J.P. Morgan now reports that more than 20 percent of deceitful transactions involve ACH payments. According to the Association of Financial Professionals, the typical value of a loss caused by ACH fraud in 2012 was $20,300.
The process by which the fraud takes place usually begins with the theft of a customer’s data. That can happen simply; a check will contain a customer’s signature, account number and branch routing or sort-code. Alternatively, criminals have also been known to use hi-tech malware. An ACH customer might receive an email claiming to be from the Inland Revenue Service, and suggesting a problem with unreported income. As soon as the recipient clicks to open the email, software starts to track keystrokes or persuades the recipient to enter their bank’s login details. In some instances, criminals have simply used an insider to obtain the information they need. Having used that data to access the victim’s bank account, they usually begin by changing the account holder’s email address, phone number and password.
With the account under their control and the account holder locked out, the criminals can begin sending ACH payments to their own accounts. While the banks use fraud detection systems that can identify unusual payments, smart criminals can match the fake payments to the victim’s previous transactions. And if the bank calls the account owner or asks for an email verification, because the criminal has changed the account holder’s details, those requests will be sent to them rather than to the account holder.
From here, things can start to get a little more complex. Stolen funds need to be moved from destination accounts quickly so that the bank can’t claw the money back. One act of ACH fraud reported by American Banker in 2009 showed just how sophisticated that operation can be.
The victim was a non-profit with an account at a community bank. The fraudsters are believed to have used key logging malware to obtain the login details of someone working at the non-profit; they were able to enter the username and password, answer the security question, and enter a unique PIN. On the first day, they looked at account balances, transaction history and changed a pending ACH transaction.
On the next day, they got to work.
The criminals executed an ACH batch file, sending $142,000 in sixteen separate debit transfers. Because each transfer was less than $9,000, the amounts remained undetected. The transfers went to accounts at eight major banks across the U.S. But the owners of those accounts weren’t the criminals. They had been hired over the Internet to perform what they thought were real jobs. One believed he was working for an insurance company in Switzerland. Another thought that she was about to receive a relocation allowance. The “mules” were told that they should use Western Union to send the money they were about to receive to accounts in Texas and Florida. They could keep 5 percent as a deposit.
The criminals had gone so far as to send their mules, who they called “regional clerks” a fake employee manual. The clerks were told that they were under evaluation for two months and their job was to reimburse policy holders through wire transfers.
The community bank managed to identify the fraud and implement an ACH reversal. It was able to block twelve of the sixteen transfers, limiting the loss to $35,000, a sizable sum for a non-profit.
American Banker recommended a couple of security measures that might have prevented the fraud. After noting that three levels of security provided by the login and password, security question and PIN were insufficient, the magazine also said that the geolocation trigger wasn’t affected by domestic access, and that device ID cookies were subverted. Had the account been monitored for suspicious behavior, however, the fraud could have been stopped on the first day.
And new retail accounts created online that suddenly start moving large sums should be flagged up. They’re a fairly reliable sign of illegitimate activity.
In practice, banks now implement a mixture of all those measures, while trying to balance the need for security with customers’ expectation of instantaneous transfers and ease-of-use. In addition to the triple-layer security used by the defrauded community bank, institutions now may also use a token that generates random numbers, a USB device containing login credentials or even capture some unique information about the account owner’s computer. They may also restrict the size and number of payments, check with the account holder if contact details are changed and, of course, monitor behavior for unusual patterns.
Courts have incentivized banks to take greater care. When criminals stole the login, password and security answers used by an employee at Patco Construction Company to access the company’s account at People’s United Banks, they were able to send $588,851 through six ACH transfers. The bank was only able to recover $243,406. The construction company sued, and after years of litigation, the bank agreed to pay Patco for its losses. In another case, Village View Escrow sued Professional Business bank after the company had lost $393,000 through 26 fraudulent transfers. The criminals had used stolen passwords and disabled email notifications. The bank agreed to reimburse the company and pay its legal fees.
As use of ACH continues to grow, it will look increasingly attractive to fraudsters. As banks find themselves liable for losses, they will invest in greater security. And criminals, in response, will become even smarter.
The expense of making business payments by wire transfer and the lack of protection in the event of fraud have made wire transfers one of the least common ways in which businesses pay each other. Nonetheless according to J.P. Morgan’s 2015 AFP Payments Fraud And Control Survey, incidents of wire fraud almost doubled between 2013 and 2015, rising from 14 percent of payment fraud to as much as 27 percent.
Similar to ACH fraud, a criminal first needs to be able to access the victim’s bank account. The dark Web, a part of the Internet where illegal items are traded, offers databases of account details but more common ways in which criminals acquire the information they need to access accounts are malware, phishing emails, and voicemail fishing. The fraudster might call a victim, claiming to represent the bank or credit card company, and request that the victim confirm personal information over the phone.
In recent years, the system has evolved into “SMishing.” Instead of calling the victim, the criminal sends an SMS with a link that downloads malware or a phone number to call back. Anyone who does call back is put through to an automated voice response system that asks them for financial information.
While credit card fraud is usually a crime committed by consumers against retailers, wire fraud tends to target small and medium-sized business, the organizations most likely to make occasional commercial payments by wire transfer. One method that has come back into fashion, and which is hitting the B2B sector particularly severely, is an invoice scam.
The criminal sends a professional-looking email to a business claiming to come from one of the firm’s suppliers. That email might include a fake invoice or it could inform the buyer that the company’s banking details have changed and ask for future payments to be made to a different account. To send those emails, fraudsters have been known to hack corporate email systems so that they can edit a legitimate email.
The method of sending businesses fake invoices has been around for some time but digitization has given it a boost. In January 2014, the FBI warned businesses that incidents were rising. Between October 2013 and December 2014, losses caused by invoice scams totaled $215 million. By June 2015, that number had reached $1 billion worldwide, says the FBI.
In one simple scam reported by the Bureau, the accountant of a U.S. company received an email apparently from her chief executive requesting a wire transfer to pay for a time-sensitive acquisition. The payment had to be made by the end of the day. The CEO said that a lawyer would contact the accountant with details of the payment.
The CEO was out of the country at the time but the accountant then received an email containing a letter of authorization bearing the CEO’s signature over the company’s seal and instructions regarding the wire transfer. “It was not unusual for me to receive emails requesting a transfer of funds,” the account later said, and she sent $737,000 to a bank in China.
It wasn’t until the real CEO happened to call the following day and the accountant mentioned that she had sent the funds, that the fraud was discovered.
Checks, credit cards, ACH transfers and wire transfers have all existed long enough for criminals to have figured out ways to steal payments from businesses. Those methods could be as simple as stealing a checkbook or a credit card and as complex as delivering malware to an executive with access to an online account in order to read keystrokes and obtain security details. The ease with which those payments can now be made over the Internet has created new challenges for fraudsters, but it has also given them new tools with which to overcome those challenges and persuade companies and banks to misdirect payments.
The rise of digital payment platforms, though, has been new. Like online banking, they offer easy access to funds. The security layers in the form of logins, passwords and questions are similar. But the safeguards may be not be as complete as those that have long been in place for ACH transfers and credit cards. The number of small businesses that use many of the platforms to take payments make them rich pickings for criminals. Spam filters often spot emails with headlines like “Your PayPal account is about to be suspended,”or, “You have been paid too much,” or even “You have been paid.” Business owners will be asked to click a link that leads to a malware-infested website, or ship a product that hasn’t been paid for, or make a refund for an excessive payment that was never made.
The frauds themselves are rarely sophisticated and most of the phishing emails are caught by spam filters but with 179 million accounts on PayPal, the number of potential victims is large enough for criminals to make the effort.
Users of B2C payment platforms may be no more sophisticated than the hackers attempting to steal their passwords but users of B2B payment platforms should be more wary. The non-sophistication of the criminal doesn’t stop the criminal from using many of the same approaches used in the past. A 2014 survey found that almost one inquiry in five received online by B2B merchants are attempts at fraud; more than half of those are attempts at payment fraud. A purchaser might ask a series of questions about a product but later will either ask the seller to send the equipment before making the purchase or they’ll use a check or credit card fraud to cheat the seller out of their payment.
Fraud perpetrated specifically on a digital payment platform is much rarer. The market is currently very diversified, with businesses using dozens of different platforms, making it harder for criminals to know which platforms are being used by which businesses. These digital payments have been less popular and well known than ACH payments or commercial cards, making them a smaller target. As their popularity increases though (29 percent organizations said that they were planning to increase their network-enabled payments in volume in 2016 according to one market research study), we can expect fraudsters to pay them more attention. Look out for phishing emails, and make sure that funds can be recouped in the event of a hack or fraudulent request.
In June 2014, America’s Federal Trade Commission charged Oni Nathifa Julien and a number of her companies with sending fraudulent invoices to small businesses. Julien and her colleagues would bill organizations $479.95 or more for a listing in the Yellow Pages business directory. The invoice even included the Yellow Pages’ walking fingers logo. If the businesses disputed the bill, Julien would play faked audio recordings to suggest that an employee had authorized the order.
Julien received a fine amounting to more than $3 million, which fine was suspended by the courts because of her inability to pay. But she wasn’t the only scammer using fake directory listings to demand fraudulent payments from businesses. The FTC sued a number of Canada-based fraudsters who had sent similar invoices. Some of them had followed up with collection warnings demanding $2,000 to businesses that had ignored them and a few had even masqueraded as debt collectors. The criminals were banned from the directory business and were fined more than $1.2 million.
A scam based on a false invoice should be relatively easy to spot. The accounting department should be able to track orders and purchases to make sure that they match the bills coming in. However, not all attempts at fraud are that simple to identify but most will set off red lights that should make a business wary. Below are some of the warning signs that tell you that your business has been targeted by a criminal.
Business owners might dream of big purchasers suddenly turning up on their doorstep with a big bag of money and an order list as long as their arm – but in practice, purchases rarely happen that way. Sales staff usually have to track down buyers, make their pitches, build a relationship and negotiate the sale. B2B purchases are typically expected and predictable so when a big order comes out of nowhere from a customer with no purchase history, the red light should go on.
That doesn’t mean the order is necessarily fraudulent. It just means the seller should be wary. Escrow accounts can make sure that funds really are transferred before the goods leave the warehouse, and contacting the buying firm directly to make sure that someone isn’t using their identity can help to allay any fears.
Buyers of big purchases won’t just be known to the seller, they also come with plenty of questions… and they often want to negotiate. They might expect a discount for bulk, a particular payment plan or some of the optional extras included at a lower rate. Business sales are much more flexible and varied than retail sales, and both sides usually expect some degree of negotiations.
When buyers just take whatever’s on offer, it’s usually because they never had any intention of paying. Ask questions to find out how much they really know about what they’re buying.
Landing the attention of a new customer on the other side of the world can be a thrill. The business isn’t just doing well in its own market, it’s also competing internationally. But legitimate foreign buyers will usually look for local suppliers before being prepared to pay for the extra cost of shipping and the difficulty of long distance servicing.
There are only two reasons a foreign buyer will look overseas for a supplier: the seller is offering a product or a quality that can’t be bought locally; or because it’s much harder for a defrauded company to chase a criminal in a country far away that has weak courts. If you land a large order from China, from Russia, from some countries in Africa or from any country with a record of phishing scams and cybercrime, act with caution, and do your research.
Businesses will often encounter buyers who suddenly discover an urgent need for their product. Those buyers will choose something off the shelf, provide minimal guidance and skip the negotiations. They know what they want and they want it right now. In fact, as far as the buyer is concerned, the speed of the delivery is more important than any other factor in the purchase.
The fact that orders like these are so rare is a strong indicator that they could be trouble. Criminals want their purchases fast for the same reason that burglars like to get in and out of a home or shop quickly: they want to grab the goods and be gone before the victim knows they’ve been robbed.
Like most red lights, though, an urgent order can be legitimate. Companies can discover that they have a shortage. They too might have received an urgent order and need to grab some raw materials quickly in order to please their own customer. Hold up the order while you conduct your checks, and you could lose it.
The best solution is to prepare everything while running security checks but don’t arrange the delivery until you know you’re satisfied.
Reliable buyers usually know how they want to pay and they’re familiar with the various B2B payment methods available. They won’t blanch when you suggest sending the payment through an ACH transfer, they may be savvy with digital payments, but if they’d prefer to use the company’s commercial card, they’re ready with their card details too.
Fraudulent buyers are more likely to prefer to settle up by credit card or check so that they can use the float time to make their getaway. And that credit card doesn’t always work. If the buyer is using stolen numbers, the card might have been blocked before they were able to make their purchase, and they’d need to scramble around for another one.
When a first payment attempt doesn’t work, pay attention to the red light. Check the identity of the credit card owner and call the credit company to verify ownership.
B2B payment fraud can vary considerably in the methods used, and that fraud doesn’t have to take place only in the order process. Invoice fraud is also common and thefts an take place within companies by employees or people they know. Nor do red lights always indicate that a business has to shut down an order immediately. The challenge is to use those warning signs as a reason to operate with caution and check for possible fraud without putting off legitimate purchases. False positives cost businesses money too. Businesses vulnerable to B2B payment fraud have to be able to safeguard their security while still being able to take orders from new customers and operate their payment systems.
In its fourth quarter report for 2015, Ubiquiti Networks, a technology company serving enterprises and service providers, included one standout line. Beneath the usual profit and loss results, and announcement of new products, the company said:
As disclosed in the Form 8-K filed on August 6, 2015, we lost $39.1 million in connection with a business e-mail compromise (“BEC”) fraud involving employee impersonation.
A report on Pymnts.com, based on the firm’s SEC filing, explained that a member of their own staff in a Hong Kong subsidiary had received an official-looking email that appeared to come from someone in the company’s finance department. As a result of that request, Ubiquiti sent a total of $46.7 million to another company in Hong Kong and to a number of other accounts held overseas. Ubiquiti quickly managed to recover $8.1 million and expected to recoup an additional $6.8 million but the hunt was still on for the remaining $39.1 million.
The company conducted a review of its operations, and found no evidence that its systems or company data had been compromised. However, “the Company, its Audit Committee and advisors have concluded that the Company’s internal control over financial reporting is ineffective due to one or more material weaknesses. The Company has implemented enhanced internal controls over financial reporting since June 5, 2015 and is in the process of implementing additional procedures and controls pursuant to recommendations from the investigation.”
Ubiquiti didn’t explain in its SEC report what steps, if any, the employee had taken to confirm the identity of the fraudsters. It didn’t describe the weaknesses in its internal controls nor the procedures that its investigation had uncovered. Understandably, it also didn’t detail the “additional procedures and controls” it was then implementing.
Few businesses suffer B2B payment frauds on the scale of the theft that hit Ubiquiti. The kind of business email (BEC) scam to which Ubiquiti fell victim takes on average about $6,000. But every company is vulnerable to that fraud—and every company can and must take steps that reduce the chances that they and their clients will become victims.
The nature of the defense structures a business should use will depend on the nature of the attack to which it’s most vulnerable. Against BEC scams, the FBI makes a number of security recommendations:
Many of those recommendations could be summed up as “be cautious and use common sense.” When something feels suspicious—when one of those red lights starts flashing—slow down and make sure that all of those doubts are dealt with before a payment is made or a product is delivered.
But BEC fraud should be relatively easy to spot and with the right amount of caution, easy to stop too. Other kinds of fraud are more complex and more demanding. Attempted frauds that focus on B2B account payable payments, especially those that are perpetrated not by email but through payment platforms, require tougher safeguards. Matthew Dragiff, Vice President of Product Management for AvantGard Payment Services, recommends using a single, centralized, accounts payable system for all outgoings. When all payments, whether they’re made by check, ACH, wire, card, or digital are paid through the same platform, the company has more transparency, a common workflow, simplified auditing and compliance, and a reduction in bank connectivity requirements. The system should integrate multiple levels of approval and segregation of duties, allow for stock inventory management and provide payment analysis.
That single system should also incorporate an approval workflow for every payment. One member of staff could be allowed to submit a payment request but the payment cannot be made until another member of staff has reviewed and approved the request. Dragiff notes that some companies already use their bank’s Web portal for multi-level approval but argues that the process is difficult when the company has more than one banking relationship.
A centralized system would also continue the switch away from check payments, reducing the opportunities for employees to steal or alter outgoing checks, take blank company checks or misuse obsolete check stock.
And one payment system would also create accessible and complete payment data. The firm’s accounts staff would be able to see not just past payments and match them to orders, but also look for patterns, such as rounded amounts, payments to apparent shell companies or repeated payments below the approval threshold.
It has also been recommended that a single payment platform be used for all of a company’s accounts payable. This type system will make scams and fraudulent efforts easier to spot.
Citibank offers a different solution. In a paper called “Stop, Thief! Best Practices In Fighting Payment Fraud,” Cheryl Gurtz, Citi’s North American Payments Market Manager, Global Transaction Services, describes briefly the different kinds of check and electronics fraud that can hit corporate payments then lays out a solution.
“Beyond familiarizing yourself with your legal responsibilities and potential liabilities, one of the most powerful and proven effective ways to combat payment fraud is by partnering with a financial institution with the expertise, controls and auditing tools to combat it with you.”
The bank, she says, automatically tests for fraudulent checks, reconciles accounts, secures check stocks and offers check issuance data structuring such as using a secure name font on checks. A Universal Identification Code prevents the divulging of confidential banking information during electronic transfers. ACH Positive Pay flags up ACH transfers that fail to meet selected criteria.
Many systems can and due offer some degree of protection against B2B payment fraud but all methods require the right degree of caution, and no system is perfect. The more complex a payment process system, the more vulnerable it may be to fraud, and ultimately, payment systems are operated by people… and people make mistakes. Consider finding a simple system for your business invoicing and payments.
For entrepreneurs, their companies’ B2B payment systems are likely to the least interesting aspect of their business. They’re the plumbing in the building, the arteries under the skin. Without them the business can’t operate but no one starts a business because they want to operate a B2B payment system… unless they’re creating a company that makes B2B payment platforms.
Increasing numbers of companies though, are now doing just that. The market is filled with businesses offering companies different ways to receive orders, send invoices, and make payments. All of those platforms promise security, a clear approval process and the ability to keep records that are easy to review and simple to reconcile.
The services have arisen because all other forms of making and receiving B2B payments have come up short. Paper checks, still the most popular way in which businesses settle their bills between themselves, are easy and convenient but also slow and more expensive than they look. They also leave a paper trail that has to be ordered and organized, and they can easily be stolen and altered. What they gain in simplicity, they lose in a number of other ways.
ACH transfers are cheap and fast but they’re fiddly for businesses to set up and inappropriate for the one-off purchases that often make up a business’s order book. While any firm will look to build a base of regular buyers, companies will also want to keep new customers coming in and make sales to businesses with single needs. They’re not a complete solution and fraud prevention is only as strong as the account security access.
Wire transfers might be easier to set up and perform but at more than $30 each, they’re also expensive and only cost-effective for single, large orders. Those are also the kinds of orders that are most likely to raise warning signs. Like ACH transfers Wire transfers can be defrauded by illegitimate account access and they’re also a common demand of invoice fraudsters. While ACH transfers can be reversed and checks can be blocked, once a wire transfer has been made it can be very difficult to recover the money.
So the growth of payment platforms has taken place to try to plug any security weaknesses while providing ease-of-use, creating payment records that are accessible, and adding an approval process that possess reliable checks and balances into the steps between the invoice and the payment.
Companies then have some difficult choices to make. They have to balance ease against security, up-front costs against administration expenses, speed of payments against approval systems, and the ability to take one-off (one-time) orders against an organized system for regular customers. While the best approach might be to use different systems for different kinds of clients, the accountants in an accounting department would blanch at the disorganization requiring different B2B payments systems in one firm.
The only solution for a business is first to review the different payment systems. As checks are fading away, they should look at the options available from the payment platforms, comparing features, costs, complexity, security and volume. Whatever decision any business makes, they must train staff to be wary of suspicious-looking orders and payment requests.
Payment systems might not be the most exciting part of any business, but receiving a new order from a new customer is always a thrill. Providing a product or service that is loved by your customers is a thrill. Businesses need to be certain that the thrill to their customers and clients, and those B2B’s they do business with can be enjoyed without turning into an expensive disappointment. This enjoyment is best found in the security of a company’s invoicing and payment system.