If your business uses Electronic Funds Transfers (EFT) to pay suppliers, you may feel safe in the knowledge that the payment has arrived safely. You have avoided the “cheque is lost in the post” scenario and the ensuing calls from irate suppliers seeking clarity on the status of their payments. You also avoid many cheque fraud schemes, like forgery. Unfortunately, however, EFT payment fraud is also prevalent, with very few companies taking steps to counteract it.
There is a widespread misconception that EFT payment fraud is committed at the retail bank level, with few safety controls in place to prevent the fraud by corrupt employees and syndicates. Management needs to realise that banking payment systems simply capture data that has been loaded into them by staff entrusted to pay suppliers, and that payments that appear legitimate may not be. In many countries, the beneficiary name is not critical for completing a transaction through the banking system, with reliance solely on account numbers to remit funds. For large corporates which make regular payments to suppliers, millions can be lost due to misappropriation when, for example, devious staff members transfer funds to themselves under the guise of paying legitimate suppliers. In 2014, the Central Bank of Ireland, tasked with safeguarding the Irish banking system, was itself the victim of an elaborate money transfer scam. Believing the payment to be a standard invoice payable to Danske Bank, the bank unwittingly transferred €1.4m to a bogus online account based in Galway.
What appears to be a legitimate transaction on a bank’s security system can often be the work of cyber-criminals who have taken remote control of a victim’s computer system. There are, however, some basic steps any business can take in order to mitigate the risk of EFT payment fraud:
1. Do not share passwords for online payment systems
Within an organisation, only a small number of finance staff are generally authorised to set up and execute EFT payments to vendors. Sometimes this function is split, with only senior staff authorised to make the final payment. When passwords are shared between staff, the anti-fraud control and segregation of duties become void and the process is left open to fraudulent practice. Once a determined fraudster knows the log-on passwords of their colleague, supplier bank details can be easily amended to channel funds to a bogus account. Staff should always be educated about password abuse and associated risks, and passwords should have regular, system-generated changes.
2. Beware of supplier change of account details
Ensure your staff are aware of the threat posed by email phishing scams. These scams, which impersonate legitimate suppliers, are becoming increasingly common. Many fraudsters pose as legitimate suppliers to inform the unsuspecting buyer of a change of bank details. Funds transferred to this ‘new’ account are usually collected before the scam has been noticed or before legitimate suppliers call to enquire about the status of their payment. Equally, businesses need to monitor any change of account details carried out by staff members.
3. Maintain a strict policy on EFT payments
Maintaining up-to-date records of staff authorised to initiate Electronic Funds Transfers is critically important, as is making sure that the payment system in place validates the authorised users. Payment systems should also specify the transfer amount/limit staff members are authorised to complete. For example, an accounts assistant may have the authorisation to transfer €2,000 while the Finance Director may issue payment in excess of €200,000. Never allow a sole employee to have full authority over Electronic Funds Transfers and limit the number of computers that provide access to company funds.
4. Prevent duplicate payments
Controls built into the accounting system to block duplicate payments of identical amounts should be considered to prevent EFT payment fraud. Duplicate payments may not always be fraud-related, but they continue to be a headache for Accounts Payable and are both preventable and recoverable. Consult your software service provider or payments provider about a solution if an automated system for duplicate payment prevention is not in place.
5. Upgrade computer security
As the threat of cyber-crime continues to increase globally, organisations need to update anti-virus software and make sure adequate company firewalls are in place. This will defend against malware attacks and deter intruders from accessing your computers. At a time when computers are easily hacked and remotely controlled by criminals, effective anti-virus software will detect and quarantine dangerous files and programs.
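The checks in steps 2 to 4 can be run automatically over a payment batch before it is released to the bank. The sketch below is an added example, not part of the original article or of any vendor's product; the vendor master, user limits, 14-day hold period and hold-reason names are all constructed assumptions.

```python
from collections import namedtuple
from datetime import date, timedelta

# Constructed sample data: approved supplier bank details and per-user limits (EUR).
VENDOR_MASTER = {
    "ACME": {"account": "IE-TEST-0001", "changed_on": date(2023, 1, 10)},
    "BOLT": {"account": "IE-TEST-0002", "changed_on": date(2024, 5, 28)},
}
LIMITS = {"assistant": 2_000, "director": 250_000}
COOLING_OFF = timedelta(days=14)  # assumed hold after a bank-detail change

Payment = namedtuple(
    "Payment", "ref vendor account amount invoice initiator approver pay_date")

def review_batch(batch, already_paid=()):
    """Return {payment ref: [reasons to hold]} for payments that fail a control."""
    seen = set(already_paid)  # (vendor, invoice, amount) keys of earlier payments
    holds = {}
    for p in batch:
        reasons = []
        master = VENDOR_MASTER.get(p.vendor)
        # Banks may route on account number alone, so compare it to the master record.
        if master is None or master["account"] != p.account:
            reasons.append("ACCOUNT_NOT_IN_VENDOR_MASTER")
        elif p.pay_date - master["changed_on"] < COOLING_OFF:
            reasons.append("BANK_DETAILS_RECENTLY_CHANGED")
        if p.amount > LIMITS.get(p.initiator, 0):  # unknown users get a zero limit
            reasons.append("OVER_INITIATOR_LIMIT")
        if p.approver == p.initiator:  # no sole authority over a transfer
            reasons.append("NO_SECOND_APPROVER")
        key = (p.vendor, p.invoice, p.amount)
        if key in seen:
            reasons.append("DUPLICATE_PAYMENT")
        seen.add(key)
        if reasons:
            holds[p.ref] = reasons
    return holds

# Constructed batch: P1 is clean, P2 to P4 each trip at least one control.
D = date(2024, 6, 3)
BATCH = [
    Payment("P1", "ACME", "IE-TEST-0001", 1_500, "INV-10", "assistant", "director", D),
    Payment("P2", "ACME", "IE-TEST-9999", 1_500, "INV-11", "assistant", "director", D),
    Payment("P3", "BOLT", "IE-TEST-0002", 5_000, "INV-20", "assistant", "assistant", D),
    Payment("P4", "ACME", "IE-TEST-0001", 1_500, "INV-10", "director", "assistant", D),
]
```

Calling review_batch(BATCH) returns the payments to hold for manual review, each with its reasons; anything held for a bank-detail reason should be confirmed with the supplier through a contact already on file rather than one taken from the change request.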
Fraud prevention capabilities
Businesses large and small need to be extra vigilant about EFT payment fraud, whether internal or external. The migration of financial transactions to the online space has brought with it a whole new set of liabilities. As Electronic Funds Transfers can involve very large transactions, the consequences of fraudulent activity can be devastating to the fiscal health of any organisation. All business managers need to ensure that established fraud prevention procedures are adhered to and controls are in place to protect the organisation from exposure. Many businesses are also enlisting the help of payment solutions companies to assist with their payments function. As a result, they benefit from the compliance procedures in place and online payment platforms with in-built fraud prevention capabilities.
Fexco uses major partner banks to distribute international payments safely and securely. Our online solution uses secure encryption and system users have authorisation restrictions that keep their information and funds protected. For a more secure & efficient payments experience for your business, call us today (Ireland: 1800 246 800 UK: 0800 840 2887) or register online without an obligation to trade.