When it comes to payments fraud, every organization—regardless of size, geography, industry, or sophistication—is a target, and none are naturally immune to its potential effects.  Payment fraud is a type of financial fraud that involves using stolen or false payment information to obtain money or goods. Healthcare organizations are common targets due to the highly sensitive nature of the personal data they collect, making the industry particularly vulnerable.  The question isn’t whether your organization will face these threats. Instead, it’s when and to what effect with respect to potential or actual financial harm.  

According to a 2024 survey conducted by the Association for Financial Professionals, 80% of organizations surveyed reported they were targets of either an actual or attempted payments fraud attack in 2023.  In the same survey, 63% of organizations reported exposure to email compromise scams, in which a fraudster uses a spoofed or hacked email account to trick their target into divulging sensitive information or making a fraudulent payment. [1]

Underpinning these findings are quantitative metrics pertaining to actual losses due to payments fraud.  In 2023, the FBI Internet Crime Complaint Center received 21,489 email compromise complaints, amounting to adjusted losses of over $2.9 billion.  These numbers only account for events and losses reported to the FBI.  The actual numbers stand to be substantially higher. 

With the frequency and severity of payments fraud threats trending upward, protecting your organization is more important than ever. Financial losses attributed to these types of attacks continue to soar. Moreover, it’s not uncommon for the costs of recovering from a fraud event to exceed the amount of the loss itself. Those costs also include non-financial impacts like reputational risk associated with high-profile fraud events, such as those affecting the targeted organization’s customers.

To that end, here are some ideas to help your organization protect itself from these costly dangers of payments fraud. We call them the “Five E’s”: 

1. ESTABLISH policies and procedures for payment and vendor management.

Do not use email to verify payment instruction change requests.  Also, do not use the telephone number provided in a payment or instruction change request email to verify the request.  Verification should be done in person, or via direct contact with a known individual at a known telephone number or by video call.  Require independent verification with the requestor and secondary approval for payment requests and instruction changes.

2. ENFORCE the standards that you’ve established.   

Establish effective controls to make sure the policies and procedures are followed. Make sure that your organization’s executives support these standards, agree to follow them, and help champion them across all levels of the organization.  Periodically review and test activities to ensure that your organization’s supporting processes and controls are operating as expected, and work to quickly remediate control gaps.

3. EDUCATE your employees to recognize the warning signs.   

While details surrounding a fraud event may vary, many of the blueprints are tried and true.  Make sure that employees understand and follow fraud and cyber best practices, and that they practice smart social media habits. Also, employees should be aware of current fraud trends and how to identify them.  In a controlled training capacity, test their ability to recognize payments fraud-related activities, such as phishing, smishing and vishing.

4. EMPOWER your employees to raise red flags.   

In this context, the adage “see something, say something” is critical to fostering an environment where employees are incentivized to proactively look for and report what they perceive to be red flags and anomalies relative to established protocols and norms. Allow employees to question emails or payment requests, even—and, perhaps, especially—if they appear to come from company executives, without fear of professional or personal repercussion.  

5. EVOLVE and ENHANCE your risk controls to meet ever-changing threats.   

The threat landscape is ever-evolving and fraudsters are constantly looking for ways to circumvent controls established and enforced to help prevent fraudulent payments. Simply put, the measures you take today may not scale to cover you in the future due to the unfortunate fact that fraudsters tend to maintain a lead against their targets. Stay informed as to emerging threats and trends.

These five steps provide a valuable roadmap to minimize risks of payment fraud.  As a PNC corporate client, you enjoy convenient access to a variety of effective and reliable fraud prevention solutions and tools that can help organizations protect themselves from the harmful effects of payments fraud.

Our product and solution professionals can work with you to understand your organization’s needs and recommend specific services and optional service features to help your organization enhance its fraud prevention posture.  For more information, reach out to your PNC Relationship Manager, or contact us.

Sources

  1. 2024 AFP® Payments Fraud and Control Survey Report
  2. 2023 Internet Crime Reports (FBI Internet Crime Complaint Center)