After several years of declining attacks, companies have started to see an increase in payment fraud, with fraudsters most commonly targeting checks and ACH debits. According to the 2024 Payments Fraud and Control Survey Report by the Association of Financial Professionals (AFP), the prevalence of attempted and actual payment fraud among organizations jumped to 80% in 2023 from 65% the year before, marking the end of a steady decline from a high of 82% in 2018. Given that 51% of organizations recover less than half of their stolen funds, payment fraud remains a critical risk best addressed in a comprehensive fashion across the organization.
“If there is fraud in one payment channel, there is a good likelihood of fraud in an organization’s other channels,” said Daniel Barta, principal enterprise and financial crimes consultant at data and AI company SAS. Especially in the case of online account takeovers, he added, “now they have the keys to the kingdom.”
Companies are deploying a range of defenses, from highly sophisticated technology to basic fraud deterrence strategies like delivering hardcopy check payments to the post office to reduce instances of mail theft. Despite such measures, fraudsters have recently increased their efforts as well.
Identifying the Targets of Fraud
According to the AFP survey, 65% of companies experienced actual or attempted check fraud, compared to 63% the year before, and 33% reported ACH debit fraud, up from 30%. Fewer than 25% of respondents cited fraud involving wire transfers, corporate and commercial credit cards, ACH credits or other methods subject to fraud attempts, each falling from 2022.
Fraudsters have long targeted checks and, while companies have sought to reduce use of them, 75% of survey respondents continue to use checks, and nearly 70% do not plan to discontinue them over the next two years.
“What we are seeing across the industry over the past few years is that even though the number of checks being written and processed is dropping, the number of check fraud attempts is going up,” Barta said. He added that stolen checks (as opposed to counterfeit checks) are challenging to detect because they have been issued and bear the appropriate signatures and other information typically used for authentication.
The AFP noted that, despite the volume of checks processed by the Federal Reserve falling by 8% over the past five years, FinCEN reported that the number of Suspicious Activity Reports related to checks increased by 40% over the past three years.
Perpetrators will often alter the check’s payee information or create unauthorized ACH debits using the check’s routing numbers. This can lead to unauthorized payments or fraudulent transactions that are difficult to detect immediately, because most companies and financial institutions are currently focused on automated online fraud, said Brady Harrison, director of customer analytics solution delivery at Kount, an Equifax company.
Implementing Fraud Defenses
Since the increase in ACH fraud may be directly tied to an increase in mail theft, Thomas Hunt, director of treasury services and payments at the AFP, said the most direct defense to reduce the incidence of stolen checks is to deposit those mailings in the drop box of a major post office rather than relying on mail carriers to pick them up from a nearby blue box. Accounts payable teams that plan to continue using checks must ensure that check payments are traceable and that appropriate controls are in place.
An important tool for detecting stolen or fraudulently manipulated checks is the Positive Pay service that most banks offer to validate their clients’ checks. “It is a service that banks offer to companies, but many are not savvy enough or their systems do not generate the necessary payment files to send to their banks,” Hunt said. Other measures to reduce fraudulent ACH payments include blocking all ACH debits except on designated accounts that have an ACH debit filter, and placing a debit block on all consumer items combined with a debit filter on commercial ACH debits.
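The Positive Pay comparison described above, shown as an added example (not code from the article, the AFP or any bank): the company's issue file is matched against checks presented for payment, and any item that differs on serial number, amount or payee is held as an exception. The record fields, reason strings and sample checks are assumptions constructed for illustration, and the matching is a simplified model of what a bank performs.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    serial: str
    amount: Decimal
    payee: str
    void: bool = False  # only meaningful on issue-file rows

def norm(name):  # compare payees ignoring case, punctuation and spacing
    return " ".join("".join(c if c.isalnum() else " " for c in name.upper()).split())

def positive_pay(issue_file, presented):
    """Split presented checks into (pay, exceptions) against the issue file."""
    register = {c.serial: c for c in issue_file}
    paid, pay, exceptions = set(), [], []
    for p in presented:
        issued = register.get(p.serial)
        if issued is None:
            reason = "serial not in issue file"
        elif issued.void:
            reason = "check was voided"
        elif p.serial in paid:
            reason = "duplicate presentment"
        elif p.amount != issued.amount:
            reason = "amount mismatch"
        elif norm(p.payee) != norm(issued.payee):
            reason = "payee mismatch"
        else:
            paid.add(p.serial)
            pay.append(p)
            continue
        exceptions.append((p.serial, reason))  # held for the company's pay/return decision
    return pay, exceptions

ISSUE_FILE = [  # constructed sample data; the field layout is an assumption
    Check("10451", Decimal("1250.00"), "Acme Supply, Inc."),
    Check("10452", Decimal("980.40"), "Northwind Freight LLC"),
    Check("10453", Decimal("300.00"), "City Utilities", void=True),
]
PRESENTED = [
    Check("10451", Decimal("1250.00"), "ACME SUPPLY INC"),    # matches: pay
    Check("10452", Decimal("980.40"), "J. Doe"),              # payee altered
    Check("10451", Decimal("1250.00"), "ACME SUPPLY INC"),    # presented twice
    Check("10453", Decimal("300.00"), "City Utilities"),      # voided after issue
    Check("20999", Decimal("5000.00"), "Acme Supply, Inc."),  # never issued
]
print(positive_pay(ISSUE_FILE, PRESENTED)[1])
```

An item that matches on serial number, amount and payee is paid, so this comparison catches altered and counterfeit checks but not a stolen check presented unaltered, which is the case Barta describes as hard to detect.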
Almost two-thirds (65%) of AFP survey respondents reported that payment fraud in their companies stemmed from the actions of outside individuals, such as people forging checks or stealing corporate cards, up from 54% in 2022. However, companies appear to be making progress in controlling business email compromise (BEC) fraud—the second-highest source of actual or attempted payment fraud. In 2023, 38% of respondents experienced BEC fraud, compared to 53% the year before.
The decline in BEC-related fraud suggests that organizations are more thoroughly training employees to identify email phishing attempts and more targeted and potentially damaging BEC attacks. However, according to Harrison, Kount has seen increasingly sophisticated phishing attacks that use artificial intelligence to replicate the voice or video of a target’s family, friends or coworkers in an attempt to deceive employees into revealing sensitive information or inadvertently installing malware.
To defend against such attacks, Kount recommends strong login protocols, including two-factor authentication, encryption, and regular monitoring of account activity to detect unusual behavior, such as rapid changes to account information. In addition, finance departments can incorporate layers of approvals and other oversight mechanisms like regular audits of suppliers and their controls.
Hunt noted that a company’s accounts payable department is most vulnerable to fraud because it may be processing thousands of payments and may not recognize when a fraudster changes the bank account details on a check, ACH or other form of payment until 15 or 30 days later, when the vendor reports never receiving it.
Technology may enable fraudsters, but it also provides companies with increasingly sophisticated defenses. Barta said that companies should check on their bank’s latest fraud-prevention capabilities for monitoring client accounts for unusual activity. In addition, anti-fraud technology providers can help organizations detect unusual changes in corporate clients’ vendors and vendor payment activity. This can include changes in bank account information and other anomalies, such as when the unit price of a supply item diverges from its market price, and even whether the device used to request changes to a vendor’s account has a history of enabling fraud.
Risk managers also must ensure that their company’s insurance policies or self-insurance cover payment fraud losses, Hunt said. Additionally, employees should follow their company’s policies and procedures to guard against fraud, and the organization should regularly test and update those policies. That is particularly important as real-time payments gain traction because, unlike checks, for which banks and their clients have at least several hours to scrutinize transactions, the funds are irretrievable once payments are made via real-time payment systems or FedNow.
Those policies and procedures must extend across all payment channels, Barta said. While banks play an important role, companies can still take internal measures, including segregating duties and monitoring their suppliers and who can make bank account changes. “There are a lot of points in the process, both on the bank side and the business side, to manage risk,” he said. “Everybody needs to step up and play their role in managing payment fraud risk.”