When an order looks too good to be true, it often is. In December 2015, XPS Global, a B2B payments service provider, received a desperate call from a long-term client. The company had received an order for $12,000 worth of merchandise. Excited at the large purchase from a new customer, the merchant quickly sent off the goods. But the payment had been made on a credit card and shortly after the goods were dispatched, the merchant received notification from the credit card company of a chargeback. The money was gone.
The credit card number had been stolen; the cardholder had noticed the large charge on their bill and had informed the credit card company. The debt was removed from the cardholder… but the seller, who had done nothing wrong but respond to a good order, was left $12,000 out of pocket and with nowhere to turn for help. The nominal victim of the crime was the owner of the credit card, and the credit card company covered their loss. But it was the merchant responding to what looked like a legitimate B2B payment who was left feeling the pain.
Payment security has always been an important issue. It was important when customers needed to carry around large amounts of cash, and it remained an issue as credit cards have replaced notes and coins. Now that anyone can place an order using nothing more than a string of numbers read over the phone or entered on a website form, security for all payments is weaker and more susceptible to abuse than ever before.
Security might once have meant employing men with guns to protect your bags of money. Today’s security environment has become a cat-and-mouse game between opposing teams of computer whizzes. The money game is also a game with a large number of players. According to a 2015 study by J.P. Morgan, 62 percent of businesses were targets of payments fraud the previous year, with targeting varying little between large and small firms. Around 56 percent of companies with revenues of less than $1 billion were subjected to attempted and/or actual payments fraud in 2014, compared with 65 percent of firms with revenues over $1 billion. The amounts lost overall are often relatively small, but some businesses have been victims of heists as large as bank robberies. Thirty-nine percent of organizations lost less than $25,000 to payments fraud in 2014. But nearly one business in three lost between $25,000 and $249,999, and almost one business in five surveyed by the Association for Financial Professionals in 2015 was defrauded of at least a quarter of a million dollars. Those tended to be larger organizations with more than 100 payment accounts, but payments fraud covers every form of payment. Each payment system has its own weakness, and each is susceptible to a different fraudulent practice.
It is not surprising that checks are not only the most common form of B2B payment but also the form most susceptible to fraud. They’re the easiest payment method to fake, and the frauds perpetrated by check tend to have the highest value. According to the 2013 Federal Reserve Payments Study, the average value of an unauthorized check transaction across business and consumer payments was $1,221. The average fraudulent credit card transaction was worth $138, and the average fraudulent debit card transaction $105.
Check fraud can take a number of different forms. The simplest occurs when a check is stolen, endorsed, then presented for payment at a retail location or a bank using fake personal ID. For businesses, a bigger threat is an employee writing checks without authorization. Ambitious fraudsters may forge their own checks or physically alter the payee’s name or the amount payable. More sophisticated criminals deliberately write checks on closed accounts, a practice known as “paperhanging.” The most technical act of check fraud, though, is “check kiting”: criminals open accounts at two or more banks and use the float time to create fake balances.
In 2010, Jeff Woodard of Harlingen, Texas, used check kiting to defraud three banks of more than a million dollars. Woodard owned three automotive businesses. He would write a check from one business to another and cover that check by writing another check from his third company. As long as he kept writing checks, the previous check would clear. All the checks were written in whole dollar amounts, were usually sequential, and were deposited each day to create the impression of money in the account. Woodard could then withdraw that money before the bank realized that the covering check had bounced.
Most of Woodard’s checks amounted to no more than hundreds of dollars each. He was able to maintain the fraud for so long because check kiting is very difficult to detect. Fraud investigators must examine all of the deposits over a three-month period to identify payments from another account under the account holder’s control. They then have to prove that the fraud was intentional, usually by showing a pattern of payments that had no purpose other than to inflate bank balances. Finally, prosecutors have to show that the fraud created a benefit: that the inflated balances allowed a dying business to continue, or the owner to cover additional expenses.
Check kiting is a fraud conducted through B2B payments whose victim is the bank, but any business that accepts or makes payments using checks leaves itself open to fraud. Together with the burden of maintaining the paperwork and the slow speed of the process, it’s another reason that businesses are slowly abandoning this traditional payment method in favor of digital transfers.
Credit Card Fraud
Credit card fraud is second only to check fraud. According to a September 2015 report in The Wall Street Journal, 13 cents of every $100 spent in the US goes to fraudulent credit card purchases. Merchants may lose as much as $190 billion each year through credit card fraud, with much of the fraudulent activity taking place online. Banks lose about $11 billion and customers are believed to lose almost $5 billion. As is so often the case, it’s small businesses that are hit hardest.
While it’s simple enough for a criminal to steal a credit card and attempt to run up debts before the card is frozen, other forms of fraud include counterfeiting and the use of stolen credit card numbers. In 2014 around 31.8 million US consumers reported that their credit cards had been breached, more than three times the number the previous year. Most retail businesses selling online will have experienced a chargeback on a purchase made with a credit card.
According to the Association for Financial Professionals, however, the second most frequently targeted payment method for criminals attempting to commit payments fraud is corporate or commercial credit cards. For 32 percent of organizations that experienced card fraud in 2014, that fraud was associated with their own commercial cards. Those cards are primarily intended for purchasing goods but also for travel and entertainment.
Usually when fraud is committed through a commercial card, the criminal is someone outside the organization and unknown to the business, and the cards or numbers are used to make retail purchases. In 16 percent of companies, the fraudster is a vendor or a professional services provider, but in a quarter of payments fraud committed with a commercial card, the crook was an employee stealing funds from his or her place of work.
Despite the apparent ease of some of the methods of committing credit card fraud, the practice is declining. The replacement of magnetic-stripe cards with chip-and-PIN technology has made it harder for small-time thieves to repeatedly use stolen cards: each chip transaction uses a unique code, unlike the static data contained on the magnetic stripe. Credit card companies are now making retailers who continue to accept older cards responsible for any losses caused by fraud. For businesses that accept or make B2B payments by commercial card, however, the risk of fraud by outsiders or crooked employees will remain.
In November 2009, the FBI issued a press release warning of a rise in ACH fraud. The release, issued by the Internet Crime Complaint Center, estimated that the cost of a recent surge in fraudulent ACH activity was now more than $100 million. Most of the victims’ accounts were held at local community banks and credit unions, some of which used third-party services to process ACH transactions. “The bank account holders are often small- to medium-sized businesses across the United States, in addition to court systems, school districts, and other public institutions,” the FBI warned.
That surge might just have been the beginning of a new kind of payments fraud. J.P. Morgan now reports that more than 20 percent of fraudulent transactions involve ACH payments. According to the Association of Financial Professionals, the typical value of a loss caused by ACH fraud in 2012 was $20,300.
The fraud usually begins with the theft of a customer’s data. That can happen simply: a check carries a customer’s signature, account number and branch routing or sort code. Alternatively, criminals have also been known to use hi-tech malware. An ACH customer might receive an email claiming to be from the Inland Revenue Service and suggesting a problem with unreported income. As soon as the recipient clicks to open the email, software starts to track keystrokes or persuades the recipient to enter their bank’s login details. In some instances, criminals have simply used an insider to obtain the information they need. Having used that data to access the victim’s bank account, they usually begin by changing the account holder’s email address, phone number and password.
With the account under their control and the account holder locked out, the criminals can begin sending ACH payments to their own accounts. While banks use fraud detection systems that can identify unusual payments, smart criminals match the fake payments to the victim’s previous transactions. And if the bank calls the account owner or asks for an email verification, those requests go to the criminal rather than to the account holder, because the criminal has changed the account holder’s contact details.
From here, things can start to get a little more complex. Stolen funds need to be moved from destination accounts quickly so that the bank can’t claw the money back. One act of ACH fraud reported by American Banker in 2009 showed just how sophisticated that operation can be.
The victim was a non-profit with an account at a community bank. The fraudsters are believed to have used key logging malware to obtain the login details of someone working at the non-profit; they were able to enter the username and password, answer the security question, and enter a unique PIN. On the first day, they looked at account balances, transaction history and changed a pending ACH transaction.
On the next day, they got to work.
The criminals executed an ACH batch file, sending $142,000 in sixteen separate debit transfers. Because each transfer was less than $9,000, the amounts remained undetected. The transfers went to accounts at eight major banks across the U.S. But the owners of those accounts weren’t the criminals. They had been hired over the Internet to perform what they thought were real jobs. One believed he was working for an insurance company in Switzerland. Another thought that she was about to receive a relocation allowance. The “mules” were told that they should use Western Union to send the money they were about to receive to accounts in Texas and Florida. They could keep 5 percent as a deposit.
The criminals had gone so far as to send their mules, whom they called “regional clerks,” a fake employee manual. The clerks were told that they were under evaluation for two months and that their job was to reimburse policy holders through wire transfers.
The community bank managed to identify the fraud and implement an ACH reversal. It was able to block twelve of the sixteen transfers, limiting the loss to $35,000, a sizable sum for a non-profit.
American Banker recommended a couple of security measures that might have prevented the fraud. It noted that the three levels of security provided by the login and password, security question and PIN were insufficient; the geolocation trigger did not fire because the access came from within the country, and the device ID cookies were subverted. Had the account been monitored for suspicious behavior, however, the fraud could have been stopped on the first day.
New retail accounts created online that suddenly start moving large sums should also be flagged. They’re a fairly reliable sign of illegitimate activity.
In practice, banks now implement a mixture of all those measures, while trying to balance the need for security with customers’ expectation of instantaneous transfers and ease of use. In addition to the triple-layer security used by the defrauded community bank, institutions may now also use a token that generates random numbers, a USB device containing login credentials, or even capture some unique information about the account owner’s computer. They may also restrict the size and number of payments, check with the account holder if contact details are changed and, of course, monitor behavior for unusual patterns.
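The behavioral monitoring described above, applied to a batch like the non-profit’s sixteen sub-$9,000 debits, as an added example (not code from the page, American Banker, or any bank). The $10,000 review threshold, the structuring band, the contact-change window and the sample batch are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Assumed per-transfer review threshold (not taken from the page); transfers in the
# band just below it, repeated in one batch, are the classic "structuring" shape.
REVIEW_THRESHOLD = 10_000.0
STRUCTURING_BAND = 0.20            # flag amounts within 20% below the threshold
CONTACT_CHANGE_WINDOW = timedelta(days=7)
MIN_STRUCTURED_COUNT = 3

@dataclass
class Transfer:
    amount: float
    counterparty: str              # hypothetical key for the receiving routing+account

@dataclass
class AccountProfile:
    known_counterparties: Set[str]          # accounts this customer has paid before
    typical_daily_total: float              # historical average outgoing ACH per day
    last_contact_change: Optional[date]     # when email/phone/password last changed

def score_batch(batch: List[Transfer], batch_date: date,
                profile: AccountProfile) -> List[str]:
    """Return the risk flags an outgoing ACH batch raises against the account's history."""
    flags: List[str] = []
    total = sum(t.amount for t in batch)
    lower = REVIEW_THRESHOLD * (1 - STRUCTURING_BAND)
    just_under = [t for t in batch if lower <= t.amount < REVIEW_THRESHOLD]
    if len(just_under) >= MIN_STRUCTURED_COUNT and total >= REVIEW_THRESHOLD:
        flags.append(f"structuring: {len(just_under)} transfers just under "
                     f"{REVIEW_THRESHOLD:,.0f}, batch total {total:,.0f}")
    new_cp = {t.counterparty for t in batch} - profile.known_counterparties
    new_cp_total = sum(t.amount for t in batch if t.counterparty in new_cp)
    if new_cp and new_cp_total >= REVIEW_THRESHOLD:
        flags.append(f"new counterparties: {len(new_cp)} accounts never paid before")
    if total > 3 * profile.typical_daily_total:
        flags.append("volume: batch total exceeds 3x the account's typical daily outflow")
    if (profile.last_contact_change is not None
            and batch_date - profile.last_contact_change <= CONTACT_CHANGE_WINDOW):
        flags.append("contact details changed recently; confirm out-of-band, not by email")
    return flags

# Constructed scenario: contact details changed the day before, then 16 whole-dollar
# debits of $8,875 (total $142,000) to 8 receiving accounts the customer never used.
BATCH_DATE = date(2009, 6, 2)
PROFILE = AccountProfile(known_counterparties={"payroll-vendor", "landlord"},
                         typical_daily_total=6_000.0,
                         last_contact_change=date(2009, 6, 1))
SUSPICIOUS_BATCH = [Transfer(8_875.0, f"bank{i % 8}-acct") for i in range(16)]
BENIGN_BATCH = [Transfer(4_500.0, "landlord")]

if __name__ == "__main__":
    for name, batch in (("suspicious", SUSPICIOUS_BATCH), ("benign", BENIGN_BATCH)):
        print(name, score_batch(batch, BATCH_DATE, PROFILE) or ["no flags"])
```

Any single heuristic can be tuned around by a criminal who mirrors past transactions; it is the combination with the contact-change check that forces the bank back to a verified phone number rather than the attacker's.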
Courts have incentivized banks to take greater care. When criminals stole the login, password and security answers used by an employee at Patco Construction Company to access the company’s account at People’s United Bank, they were able to send $588,851 through six ACH transfers. The bank was only able to recover $243,406. The construction company sued, and after years of litigation the bank agreed to pay Patco for its losses. In another case, Village View Escrow sued Professional Business Bank after the company had lost $393,000 through 26 fraudulent transfers. The criminals had used stolen passwords and disabled email notifications. The bank agreed to reimburse the company and pay its legal fees.
As use of ACH continues to grow, it will look increasingly attractive to fraudsters. As banks find themselves liable for losses, they will invest in greater security. And criminals, in response, will become even smarter.
The expense of making business payments by wire transfer and the lack of protection in the event of fraud have made wire transfers one of the least common ways in which businesses pay each other. Nonetheless, according to J.P. Morgan’s 2015 AFP Payments Fraud and Control Survey, incidents of wire fraud almost doubled between 2013 and 2015, rising from 14 percent of payment fraud to as much as 27 percent.
As with ACH fraud, a criminal first needs to be able to access the victim’s bank account. The dark Web, a part of the Internet where illegal items are traded, offers databases of account details, but the more common ways in which criminals acquire the information they need are malware, phishing emails, and voice phishing. The fraudster might call a victim, claiming to represent the bank or credit card company, and request that the victim confirm personal information over the phone.
In recent years, the method has evolved into “SMishing.” Instead of calling the victim, the criminal sends an SMS with a link that downloads malware or a phone number to call back. Anyone who does call back is put through to an automated voice response system that asks them for financial information.
While credit card fraud is usually a crime committed by consumers against retailers, wire fraud tends to target small and medium-sized businesses, the organizations most likely to make occasional commercial payments by wire transfer. One method that has come back into fashion, and which is hitting the B2B sector particularly severely, is the invoice scam.
The criminal sends a professional-looking email to a business claiming to come from one of the firm’s suppliers. That email might include a fake invoice, or it could inform the buyer that the supplier’s banking details have changed and ask for future payments to be made to a different account. To send those emails, fraudsters have been known to hack corporate email systems so that they can edit a legitimate email.
Sending businesses fake invoices has been around for some time, but digitization has given it a boost. In January 2014, the FBI warned businesses that incidents were rising. Between October 2013 and December 2014, losses caused by invoice scams totaled $215 million. By June 2015, that number had reached $1 billion worldwide, says the FBI.
In one simple scam reported by the Bureau, the accountant of a U.S. company received an email apparently from her chief executive requesting a wire transfer to pay for a time-sensitive acquisition. The payment had to be made by the end of the day. The CEO said that a lawyer would contact the accountant with details of the payment.
The CEO was out of the country at the time, but the accountant then received an email containing a letter of authorization bearing the CEO’s signature over the company’s seal and instructions regarding the wire transfer. “It was not unusual for me to receive emails requesting a transfer of funds,” the accountant later said, and she sent $737,000 to a bank in China.
It wasn’t until the real CEO happened to call the following day, and the accountant mentioned that she had sent the funds, that the fraud was discovered.
Digital Platform Fraud
Checks, credit cards, ACH transfers and wire transfers have all existed long enough for criminals to have figured out ways to steal payments from businesses. Those methods could be as simple as stealing a checkbook or a credit card and as complex as delivering malware to an executive with access to an online account in order to read keystrokes and obtain security details. The ease with which those payments can now be made over the Internet has created new challenges for fraudsters, but it has also given them new tools with which to overcome those challenges and persuade companies and banks to misdirect payments.
The rise of digital payment platforms, though, is more recent. Like online banking, they offer easy access to funds. The security layers in the form of logins, passwords and security questions are similar. But the safeguards may not be as complete as those that have long been in place for ACH transfers and credit cards. The number of small businesses that use these platforms to take payments makes them rich pickings for criminals. Spam filters often spot emails with subject lines like “Your PayPal account is about to be suspended,” or “You have been paid too much,” or even “You have been paid.” Business owners are asked to click a link that leads to a malware-infested website, or to ship a product that hasn’t been paid for, or to refund an excessive payment that was never made.
The frauds themselves are rarely sophisticated, and most of the phishing emails are caught by spam filters, but with 179 million accounts on PayPal, the number of potential victims is large enough for criminals to make the effort.
Users of B2C payment platforms may be no more sophisticated than the hackers attempting to steal their passwords, but users of B2B payment platforms should be more wary. The criminal’s lack of sophistication doesn’t stop them from using many of the same approaches used in the past. A 2014 survey found that almost one inquiry in five received online by B2B merchants is an attempt at fraud; more than half of those are attempts at payment fraud. A purchaser might ask a series of questions about a product but later will either ask the seller to send the equipment before making the purchase, or will use check or credit card fraud to cheat the seller out of their payment.
Fraud perpetrated specifically on a digital payment platform is much rarer. The market is currently very diversified, with businesses using dozens of different platforms, making it harder for criminals to know which platforms are being used by which businesses. These digital payments have been less popular and less well known than ACH payments or commercial cards, making them a smaller target. As their popularity increases, though (29 percent of organizations said that they were planning to increase the volume of their network-enabled payments in 2016, according to one market research study), we can expect fraudsters to pay them more attention. Look out for phishing emails, and make sure that funds can be recouped in the event of a hack or a fraudulent request.