Payments fraud is as old as the first payment. From stagecoach robberies in the 1800s to the near doubling of reports in check fraud over the last year, thieves will always creatively test the integrity of payment systems.
The advent of digital disbursements and real-time funding has only upped the stakes in the fight against fraudsters because funds cannot easily be clawed back, shifting more of the liability to the senders of funds rather than recipients. And the growth in embedded instant payments is bringing a new breed of company with limited payments experience into the payments fold, an unfamiliarity that can unwittingly expose internal vulnerabilities that increase fraud risk.
Since the world is fast moving towards an instant payments future, and there is no slowing the deployment of embedded instant services across countries and industries, here are three of the most common types of internal vulnerabilities. By addressing them, companies can shore up their internal defenses and be better prepared to maximize the benefits of instant payments.
Eliminate Universal Oversight and Access
To the uninitiated, “Span of Control” and “Role-Based Access Control (RBAC)” might sound like terminology from a spy movie. But these are common strategies for avoiding giving someone unilateral control over a payment. If someone has the power to both initiate a payment and manipulate recipient data, then it’s easy to begin paying money to themselves by adopting the name or details of legitimate customers.
These controls are commonplace because this type of fraud is common. When a company falls victim to this type of fraud, it is often evident after the fact that it had lax controls around unilateral access, controls that may have seemed unnecessary before it began offering digital disbursements. It doesn’t take long for an employee or contractor to identify this weakness and begin exploiting it.
Companies considering digital disbursements should first conduct an internal audit to ensure that there are distinct employees with ownership of these two functions, with layers of oversight above them. Any change affecting a payment should be visible to others and require approval for the payment to proceed. These basic protections are often enough to eliminate the potential for this type of fraud.
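The separation described above can be checked and enforced in code. The following is an added example, not Ingo's implementation; the role names, permission strings, users and account values are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical role model: no single role can both edit recipients and pay them.
ROLES = {"recipient_admin": {"edit_recipient"}, "approver": {"approve_change"},
         "payment_initiator": {"initiate_payment"}}
# Constructed sample assignments; "dana" holds both sensitive functions.
SAMPLE = {"alice": {"recipient_admin"}, "bob": {"payment_initiator"},
          "carol": {"approver"}, "dana": {"recipient_admin", "payment_initiator"}}

def perms(roles):
    return set().union(*(ROLES[r] for r in roles))

def unilateral_users(assignments):
    """Audit step: users whose roles combine recipient edits with payment initiation."""
    toxic = {"edit_recipient", "initiate_payment"}
    return sorted(u for u, roles in assignments.items() if toxic <= perms(roles))

@dataclass
class Recipient:
    account: str
    pending: tuple = None      # (requested_by, new_account) awaiting approval
    last_editor: str = None    # who requested the most recent approved change
    audit: list = field(default_factory=list)  # change log visible to reviewers

def require(user, assignments, perm):
    if perm not in perms(assignments.get(user, ())):
        raise PermissionError(f"{user} lacks {perm}")

def request_change(user, assignments, rcpt, new_account):
    require(user, assignments, "edit_recipient")
    rcpt.pending = (user, new_account)
    rcpt.audit.append(("requested", user, new_account))

def approve_change(user, assignments, rcpt):
    require(user, assignments, "approve_change")
    if rcpt.pending is None:
        raise ValueError("no pending change to approve")
    requester, new_account = rcpt.pending
    if user == requester:
        raise PermissionError("requester cannot approve their own change")
    rcpt.account, rcpt.last_editor, rcpt.pending = new_account, requester, None
    rcpt.audit.append(("approved", user, new_account))

def initiate_payment(user, assignments, rcpt, amount):
    require(user, assignments, "initiate_payment")
    if rcpt.pending is not None:
        raise PermissionError("recipient has an unapproved change")
    if user == rcpt.last_editor:
        raise PermissionError("last editor of this recipient cannot pay it")
    return {"to": rcpt.account, "amount": amount, "by": user}
```

`unilateral_users` is the audit query; the payment-time checks still block a user like "dana" from paying a recipient she edited, even before her role assignment is cleaned up.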
Enact Rigorous Know Your Business (KYB) Standards
For many technology companies, acquiring as many new customers as possible is a recipe for success. Business benefits aside, this strategy has limited risk for the actual bank account of most companies because invalid customer accounts have little downside for day-to-day operations. But once that same company begins issuing payments to its customers, lax customer onboarding becomes a much bigger problem.
This scenario is a common concern for a B2B business that adds payouts to a core business service offering. A customer signup process that allows anyone to create an account without confirming details like a proper Tax ID or even business address can become an opening for fraudsters. It presents an opportunity for bad actors to insert legitimate bank account and routing data they pull off their paycheck into the system and begin paying themselves extra money funded from the company bank account.
Any provider handling or issuing payments on behalf of another business must ensure it has rigorous Know Your Business (KYB) controls in place. These can be as simple as authenticating against basic information like company address, registration documentation or identities of directors and owners. There are also third-party services that can help with KYB and customer onboarding. Regardless of method, verifying critical details of a business can help prevent payments fraud.
Close System Vulnerabilities to Hackers
External hackers are a reality that every business must confront. But some have special relevance for payment functions.
A company recently found that a vulnerability in its password reset functionality was allowing hackers to reset customer credentials and take receipt of funds. As businesses begin to issue payments, they must re-evaluate their prioritization of system vulnerabilities.
Peace of Mind in Payments
Embedded instant payments help businesses improve operations, differentiate themselves and earn loyal customers, but an important first step is to review and tune up internal fraud controls.
All three of these vulnerabilities might normally be insignificant. But the introduction of digital payments can create new risks that have the potential to give bad actors access to company funds. By exerting better control over internal processes, you can avoid these risks.
For Ingo clients, just ask! We’ll help you identify vulnerabilities unique to your industry and company.