Not too long ago, one of my clients was the victim of payment fraud. They had recently hosted their annual event, and a vendor’s invoice was received with new bank account details.

Their finance person immediately recognised the vendor and was expecting an invoice from them. So, updating the bank account details and making a large five-figure payment was no big deal.

It was only later that they realised their huge mistake when the real invoice arrived with the previous bank account details.

This may seem like a unique incident, but according to the Australian Signals Directorate Cyber Threat Report 2022-2023, payment fraud was one of the Top 3 cybercrimes, closely linked with the other two – email compromise and business email compromise fraud.

While this report was more focused on businesses, in my experience Not for Profits are just as frequently targeted by this form of cybercrime.


What is payment fraud?

Payment fraud is when someone illegally obtains funds through digital payment systems, often by pretending to be someone else.

This includes credit card fraud, invoice fraud, and phishing attacks targeting payment processes.

In this case, my client was the victim of invoice fraud. The vendor’s systems were compromised, and the criminal was able to send an email and invoice that appeared to come from them.


How to avoid payment fraud

So, how do you avoid becoming the victim of payment fraud when it’s becoming harder and harder to recognise, especially with advances and efficiencies created through AI?

There are actually some low-cost prevention measures you can implement:

  1. Train your staff and board members:

Most research shows that 70%+ of all cybersecurity incidents are caused by staff negligence and mistakes. In the case of payment fraud, I believe this number is closer to 90%+.

Yet too many organisations undervalue what’s considered the number one prevention measure for all cybercrimes – training.

Executives and board members are particularly high-value targets because of their authority and access to accounts and information. So, don’t exempt your leaders from training when they are the ones at high risk.


  2. Implement Multi-factor Authentication on all accounts:

Organisations should adopt multi-factor authentication (MFA) to secure access to all systems, particularly email and financial systems. MFA requires users to provide two or more verification factors, making it significantly harder for attackers to gain unauthorised access.

I’m sure this recommendation sounds like a broken record, but I still regularly see accounts without MFA turned on.


  3. Adopt Anti-Fraud Technologies:

Today, various systems and even functions within systems can help detect potential fraud. One popular functionality is the ability to confirm bank account details automatically.

Check whether you can enable this within your current finance system or as a third-party add-on.


  4. Establish Clear Policies and Procedures:

Develop and enforce clear policies regarding payment processes and cybersecurity.

For example, a simple process to prevent payment fraud is to require two staff members to change payment details in the finance system. Furthermore, the vendor should be called on a known, previously used phone number to verify whenever a new bank account is established or a bank account changes.


Final thoughts

My client’s unfortunate experience serves as a stark reminder that payment fraud poses a substantial threat to Not for Profits.

However, by implementing these low-cost prevention measures, especially training, organisations can significantly reduce their risk.

I regularly help Not for Profits with cybersecurity risks. Let me know if you need some help.


Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.
