Alert Banner Text Goes Here Alert Banner Text Goes Here Alert Banner Text Goes Here Alert Banner Text Goes Here
What We Do
Since 1989, Bottomline has been modernizing global business payments with connected solutions for more than 800,000 financial institutions and businesses in 92 countries.
AP Automation AP Automation For Real Estate Payments Hub
Payouts Automation Payments Processing Receivables Automation Payments Hub
Paymode Pay Vendors Receive Payments Partner With Us
Connectivity Services Message Transformation & Enrichment Message Vault Risk Solutions
Connectivity Services Message Transformation & Enrichment Message Vault Payments Verification Payments Verification for Businesses
Global Cash Management Hub Digital Banking
Global Cash Management Hub
Who We Serve
Our Company
By Richard Ransom, Head of Corporate Solutions, Bottomline
Payment fraud attacks range from exceptionally sophisticated to ridiculously simplistic. They are also ubiquitous: the Association for Financial Professionals (AFP) reports that 80% of organizations were victims of payment fraud attacks and attempts in 2023.1 For accounts payable (AP) departments, such a statistic (which is only one of many such sobering stats) underscores the critical need to adopt comprehensive fraud prevention measures to protect their businesses’ financial integrity. AP leaders must address these three crucial areas: payee verification, exception management, and vendor master file integrity.
A finance employee at a European manufacturing firm noticed that a certain vendor had not worked with the firm in months. He swapped his own bank account and sort code for that of the vendor, then created an invoice. He carefully kept the invoice total under the value requiring exception processing. That invoice was paid without question… as were the 58 invoices that followed it. It wasn’t until three years later that an auditor realized approximately £6,000,000 had been siphoned from the company into the employee’s pocket.
This real-world example shows how simple fraud can be. It also demonstrates how simple it can be to stop. Millions of pounds would have been saved if the manufacturing firm had a process in place to ensure that payments made only ever go to legitimate entities. A single phone call to the vendor to confirm banking details would have revealed the deception.
That said, a combination of controls is the wisest course of action since there are many ways to solve fraud. For instance:
Employ Multi-Factor Authentication (MFA): One primary way to enhance security in payee verification is to adopt MFA for any changes in vendor banking details. This extra layer of security can significantly reduce the risk of unauthorized access and fraudulent activities.
Use the Confirmation of Payee Service: This service verifies that the name on a bank account matches the name provided. It is increasingly popular in the UK and is gaining traction globally. By confirming the payee’s details before completing a transaction, businesses can prevent funds from being transferred to fraudulent accounts.
Implement Automated Verification Tools: Leveraging automated verification tools can streamline the process and reduce human error. These tools cross-check vendor information against known databases and flag discrepancies for further review.
AP leaders should note that manual—and partially automated— processes will always represent a risk because even the best process is only as good as the people implementing it. If a company has a thorough manual process for vetting payees but one of the people responsible for that vetting skips a step, fraudsters have an open door. For that reason, incorporating a technological solution into your payee verification process is an important safety measure.
Fraudsters regularly use our behavioural tendencies against us. For instance, they pressure AP personnel to process exceptions by taking advantage of authority bias. That is when they send an email ostensibly from someone in the C-suite requesting that a payment be made outside normal process controls. This scam frequently gets coupled with a sense of urgency, where the demand does not allow enough time to follow standard procedures. The request might arrive during a period of stress, such as at the end of the month or during a busy financial activity. The net effect is to push AP personnel to skip vital controls and miss clues that the request is fraudulent.
To counter natural human tendencies:
Automate Exception Handling: AP automation tools can effectively manage exceptions by flagging anomalies for review. Automated systems reduce the risk of human error and ensure that suspicious transactions get scrutinized promptly.
Conduct Ongoing Training: It is crucial to ensure that your team is well-trained in managing exceptions and identifying fraud. Emphasize that exceptions, escalations, and urgent requests will require prioritization and speed, but that does not mean controls and procedures are nullified.
Schedule Regular Audits: Periodic audits of AP processes can help identify vulnerabilities and areas for improvement, ensuring that your fraud prevention measures remain effective and up to date.
Let AP teams know that, as a general rule of thumb, the more urgent and unusual a payment request is, the greater the care and scrutiny that should be applied to it – not the other way around.
A robust vendor master file is your primary safeguard that only legitimate and verified vendors are involved in transactions. To that end, enforce a least privilege access policy within your accounting system or ERP. That means granting employees only the access necessary to perform their specific roles. Limiting access reduces the risk of internal fraud and accidental data breaches since only authorized personnel can change critical vendor information.
Within the least privilege access environment, consider these critical steps to ensure the integrity of your vendor master file:
Implement Strict Onboarding Procedures: Establish rigorous procedures for onboarding new vendors, with thorough verification of vendor information.
Use Secure Vendor Portals: Utilize secure portals for vendors to submit and update their information. These portals provide a controlled environment for managing vendor data, significantly reducing opportunities for unauthorized changes.
Validate Vendor Data: If possible, revalidate vendors monthly. Ensure their information is current, including tax IDs, addresses, and banking details. (Such validation also helps ensure compliance with sanctions lists and other regulatory requirements.) Additionally, vendors with no activity over a specified period, such as 15-24 months, should be deactivated.
The truth bears repeating: regular maintenance and validation are crucial in safeguarding your company's financial integrity and compliance. An ounce of prevention is now, as always, worth a pound of cure.
With payment fraud both rampant and evolving, AP departments must stay proactive in their approach to fraud prevention. Strengthening payee verification, enhancing exception management, and ensuring vendor master file integrity are vital strategies that, when implemented effectively, can shield your organization from significant financial losses. By combining technological solutions with rigorous manual processes and regular audits, businesses can create a robust defence against fraudsters. Prioritizing these areas fortifies your organization's reputation and operational efficiency, boosting your business’s financial health.