Payment redirection scams are on the front page of our newspapers and front of mind for thousands of Australian business leaders. It feels like they’re everywhere – and that’s because they are.
The ACCC reported an 80% increase in payment redirection scams last year, at an approximate total cost to Australian businesses and individuals of $277 million. The year before that, it was a 100% increase.
These scams (and their impact) are only growing in magnitude and complexity over time.
Like with all scams, payment redirection is easier to fight when you know how it works and which vulnerable processes it targets. We recently held a webinar to help build understanding around (and ultimately, protection from) these scams. Here, we’ll recap the discussion that explored how these scams work, businesses’ biggest risks, and some of the available (and emerging) solutions.
Payment redirection scams come in many forms (and continue to evolve)
One of the reasons payment redirection scams are so tricky, difficult to stop, and damaging to Australian businesses is that they can occur in multiple ways. External, internal, malicious or accidental – there are multiple avenues businesses need to be aware of.
Some of the most common include:
- Business email compromise
- Phishing attacks
- Redirection via internal fraud
- Conflict of interest between employees and suppliers
- Human error
It doesn’t matter where payment redirection originates or whether it was malicious or not – the impact is the same. For small businesses, particularly, the consequences can be very serious – one wrong payment can be too much to recover from.
As the scam grows, we’re seeing new trends and risks emerge. For example, recently, we’ve seen the real estate sector increasingly targeted, with scammers impersonating agents and redirecting tenant and buyer payments.
There has also been at least one story about deep fake videos being used to acquire fraudulent money transfers. While it is not common, it’s easy to imagine that, as AI technology continues to advance, these tactics will become more frequent.
The sad reality is no one is exempt from the risk of payment redirection scams.
Vendor onboarding & payment: Where your biggest risks lie
The typical process businesses go through to onboard new vendors or update existing vendor information provides multiple opportunities for fraud, scams or errors to occur.
Onboard a new vendor or supplier or update existing vendor
When you receive new or updated bank account information from a vendor or supplier there is (or should be) a verification process in place. There are three common processes:
- No verification – bank details are put straight into the payment system/ERP
- Document-based verification (e.g. bank statements, business details, ABN)
- Electronic verification (check against name, bank account and account activity)
Obviously, the lower the level of verification carried out, the higher the risk.
Enter bank account information into ERP
Sometimes, there is integration between the onboarding system and the ERP which reduces the risk of human error. However, in most businesses, this is still a manual process, which again increases risk.
Generate ABA payment file
Again, some businesses have automatic integration, but many rely on risky manual processes.
Understanding where these gaps exist and what processes you have (or don’t have) in place to mitigate risks can help businesses understand how vulnerable they might be to payment redirection. Some examples of this include:
Webinar attendees were asked about what risks they were most concerned about. No surprises, business email compromise ranked highest, followed by phishing.
Interestingly, though, most respondents named multiple scam types, showing that many businesses aren’t just concerned about the latest trend but a wide variety of scam and fraud risks.
It’s good to be aware of external risks and guard against them. But it’s also important not to forget the impact of non-malicious human errors. Just because erroneous payments are less publicised, doesn’t mean they don’t play a significant role in financial losses.
Solutions – OK2Pay
The good news is that many businesses currently have some sort of internal process for verifying vendor details. The bad news is that the sophistication of these processes ranges from very basic to very controlled.
The Australian government is putting pressure on banks to offer solutions that protect businesses and individuals, and there are also some independent providers offering outsourced verification services.
There’s one solution that combines the best of these together, and that’s OK2Pay, which provides electronic bank verification for vendors and suppliers that eliminates vulnerabilities during the onboarding, updating and payment process.
Here’s how it works.
- When onboarding a new vendor or updating the details of an existing vendor, OK2Pay facilitates electronic verification of payee details using verified data sources. OK2Pay is connected to both the Commonwealth Bank (CBA) NameCheck technology as well as the government data source of ABNs and business names.
- Approximately 90% of details can be verified electronically – which are then approved to be entered into the ERP
- Once completed, it is sent back to the OK2Pay platform, where details that can’t be electronically verified are moved to a more enhanced verification process. OK2Pay emails the vendor a link to a webform, where the vendor can input their bank details and attach supporting documentation. The form can be customised to include any additional information required. The team at OK2Pay will then review supporting documentation received from the supplier, independently source business phone numbers, and conduct outbound calls to receive verbal verification of bank details.
- When it’s time for payment, ABA files are compared against information in the vendor master file to ensure files haven’t been tampered with.
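The pre-payment comparison in the last step can be sketched as follows. This is an added example, not OK2Pay's code: it assumes the standard fixed-width ABA detail record layout, and the vendor master structure, function names and sample data are all hypothetical and constructed.

```python
from collections import namedtuple

Payment = namedtuple("Payment", "bsb account amount_cents title")

def parse_aba_details(text):
    """Return the type-1 (detail) records of an ABA file as Payment tuples."""
    payments = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.startswith("1"):
            continue  # type 0 is the file header, type 7 the trailer
        if len(line) != 120:
            raise ValueError(f"line {n}: {len(line)} chars, expected 120")
        payments.append(Payment(
            bsb=line[1:8],                  # columns 2-8, NNN-NNN
            account=line[8:17].strip(),     # columns 9-17, right-justified
            amount_cents=int(line[20:30]),  # columns 21-30, amount in cents
            title=line[30:62].strip(),      # columns 31-62, payee account title
        ))
    return payments

def check_against_master(payments, master):
    """master maps verified vendor name -> (bsb, account); return findings."""
    owner_of = {acct: name for name, acct in master.items()}
    findings = []
    for p in payments:
        owner = owner_of.get((p.bsb, p.account))
        if owner is None:
            findings.append((p.title, "account not in vendor master"))
        elif owner.upper() != p.title.upper():
            findings.append((p.title, f"account verified for {owner}"))
    return findings

def detail(bsb, account, cents, title):
    """Build one constructed 120-character detail record (sample data only)."""
    return ("1" + bsb + account.rjust(9) + " 50" + f"{cents:010d}"
            + title.ljust(32) + "INVOICE".ljust(18) + "999-000"
            + "00000001".rjust(9) + "SAMPLE PAYER".ljust(16) + "0" * 8)

# Constructed vendor master and payment file; every value here is made up.
MASTER = {"NORTHSIDE PLUMBING": ("999-001", "11112222"),
          "EXAMPLE FREIGHT CO": ("999-002", "33334444")}
SAMPLE_ABA = "\n".join([
    detail("999-001", "11112222", 150000, "NORTHSIDE PLUMBING"),
    detail("999-777", "55556666", 420000, "EXAMPLE FREIGHT CO"),  # unknown account
    detail("999-001", "11112222", 90000, "EXAMPLE FREIGHT CO"),   # wrong payee
])

if __name__ == "__main__":
    print(check_against_master(parse_aba_details(SAMPLE_ABA), MASTER))
```

Any finding should hold the payment file until the vendor's details are re-verified through the onboarding process.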
OK2Pay is the only bank account verification solution that currently has access to CBA’s NameCheck technology, which was developed in response to increasing payment scams. Other banks are looking to implement similar technology, but CBA is well ahead of the curve.
CBA processes over 40% of all domestic payments (regardless of what bank they originate from), and this data, plus 7 years of transaction history, is available through NameCheck. This is equal to approximately 8 billion transactions and 67 million bank accounts. This allows OK2Pay to access not only bank account names but also other details like account activity, age of account, and any previous suspicious activity on the account.
Keeping safe – do good by business and suppliers
Having a strong verification process has become non-negotiable in the face of payment redirection scams. Electronic verification is quickly becoming the preferred method for not only businesses but suppliers as well.
Not only does electronic verification protect against both scams and human error, but it also improves the vendor onboarding process, as vendors (usually) won’t have to jump through hoops or provide verbal verification of their details.
OK2Pay is the only solution with access to a Big4 database. Partnerships with banks outside CBA are currently being explored, and eventually, verification for international payments will also be provided.
If you are looking to improve your bank verification processes or are concerned about vulnerabilities in your vendor onboarding and payment processes, you can learn more about OK2Pay here or speak to the Satori team.