2021 Payments Fraud and Control Survey Report

2021 AFP® PAYMENTS FRAUD AND CONTROL SURVEY REPORT Comprehensive Results Underwritten by: We are proud to sponsor the AFP Payments Fraud and Control Survey for the 13th consecutive year and share the 2021 report. Results from this survey reflect data for 2020, a year marked by the COVID-19 pandemic and its ensuing global disruption. Many businesses like yours had to adapt quickly and transition employees to remote environments almost overnight. There was a high degree of uncertainty over whether these changes—while necessary to limit the spread of the virus—would leave organizations more vulnerable to payments fraud. One silver lining is that AFP-reported incidents of attempted or actual payments fraud decreased overall last year. However, fraudsters are becoming savvier and more relentless with certain schemes. Business Email Compromise (BEC), for example, increased in 2020, with more than three fourths of companies saying they were targeted. We should not let up on addressing these key areas of fraud through employee education and product innovation. J.P. Morgan continues to invest heavily in fraud prevention technology, solutions and expertise to help protect our clients. We hope this report informs you of the progress organizations have made in the fight against fraud—as well as the challenges that remain. Let’s continue to face them together.

With best regards,

Sue Dean Bob St Jean Jessica Lupovici Winston Fant Hubert JP Jolly Alec Grant Managing Director Managing Director Managing Director Managing Director Managing Director Managing Director J.P. Morgan J.P. Morgan J.P. Morgan J.P. Morgan J.P. Morgan J.P. Morgan

J.P. Morgan is a marketing name for certain businesses segments of JPMorgan Chase & Co. and its subsidiaries worldwide. The material contained herein or in any related presentation or oral briefing do not constitute in any way J.P. Morgan research or a J.P. Morgan report, and should not be treated as such (and may differ from that contained in J.P. Morgan research) and are not intended as an offer or solicitation for the purchase or sale of any financial product or a commitment by J.P. Morgan as to the availability to any person of any such product at any time. All J.P. Morgan products, services, or arrangements are subject to applicable laws and regulations, its policies and procedures and its service terms, and not all such products and services are available in all geographic areas.

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 2 TABLE OF CONTENTS

INTRODUCTION...... 4

OVERVIEW OF PAYMENTS FRAUD ACTIVITY AND TRENDS...... 6 — Payments Fraud Trends — Payment Methods Impacted by Fraud — Losses from Payments Fraud Attacks — Detecting Fraud Activity — Primary Source of Attempted/Actual Payments Fraud

BUSINESS EMAIL COMPROMISE (BEC)...... 15 — BEC Trends — Targets of BEC Scams — Financial Impact of BEC — Departments Most Vulnerable to BEC

PAYMENTS FRAUD CONTROLS...... 21 — A. BEC Controls — B. Security Credential Controls — C. Check Fraud Controls — D. ACH Fraud Controls — E. Validating Fraud Controls — F. Fraud policy — G. Alerts from Payment Partners/Vendors — H. Revalidating Transactions — I. Evidencing Security Policies and Controls — J. Challenges of Implementing Fraud Controls

CONCLUSION...... 37

KEY FINDINGS...... 38

DEMOGRAPHICS...... 40

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 3 INTRODUCTION

After reaching record high levels in 2018 and 2019, payments fraud activity declined slightly in 2020. Seventy-four percent of organizations were targets of an attempted or actual payments fraud attack last year, down from 81 percent in 2019. Only time will tell whether this decline is just temporary or the beginning of a sustained decrease in the percentage of companies falling victim to such attacks. Alleviating payments fraud is top-of-mind for business leaders, and organizations are actively implementing controls and measures to restrict the occurrence of such activity. It is possible that the concerted focus by treasury and finance professionals on preventing their organizations from falling or company senior management requesting either validate payment related requests. While financial loss victim to perpetrators of the attacks is paying off. a change in bank account information or a transfer due to payments fraud may not be large, the risk of Additionally, while advances in and widespread use of of funds to a fraudulent account. With employees reputational damage could be far more significant. technology have increased payments efficiency, they working from their homes, the ability to verify an have also provided criminals with more sophisticated The Association for Financial Professionals® (AFP) has email with a colleague was more challenging. This tools to facilitate payments fraud success. conducted its Annual Payments Fraud Survey every may be one reason behind the increase in payments year since 2005. The surveys examine the nature of The global COVID-19 pandemic altered the way fraud via BEC during 2020. The shift from a paper- fraud attacks on business-to-business transactions, organizations and their staff operated for a significant based/in-person process to electronic methods for payment methods impacted and the strategies part of 2020. To stem the spread of the virus, check printing and approvals could also explain some organizations are adopting to protect themselves organizations required employees to work remotely. of the uptick observed in fraud during the last year. against fraudsters. Continuing this research, AFP Many organizations continue to have their staff work Increased fraud during the pandemic could also be conducted the 17th Annual Payments Fraud and “from home.” Pre-pandemic, working away from due to Paycheck Protection Program (PPP) loans and Control Survey in January 2021. The survey generated the office was not a normal practice for treasury other stimulus organizations received. 520 responses from corporate practitioners from departments, primarily due to security issues. For Treasury and finance professionals must be organizations of varying sizes representing a broad employees to socially distance, however, organizations equipped with the appropriate tools, information and range of industries. Results from this survey presented had no choice but to allow their staff to work remotely. resources in order to outsmart fraudsters. With email in this report reflect data for 2020. Even though there was a decline in overall payments increasingly becoming an avenue used by criminals fraud activity in 2020, practitioners do attribute some AFP thanks J.P. Morgan for its long-time and to deceive the organizations they are targeting, of the increase in fraud to the pandemic. continued underwriting support of AFP’s Payments extensive training and education need to be offered Fraud Survey series. Both questionnaire design Business email compromise (BEC) continued to be to company staff. This is not an issue solely for and the final report, along with its content and the primary source of payments fraud activity at payments departments—every employee should be conclusions, are the sole responsibilities of the AFP organizations. In these type of attacks, scam artists trained in how to identify a hoax email or request. Research Department. Information on the survey use emails to dupe accounting departments into Additionally, organizations need to have systems and methodology and respondents’ demographics can be transferring funds to illegitimate accounts. Fraudsters processes in place that will allow for little or no fraud found at the end of this report. spoof URLs and send emails pretending to be vendors activity to occur such as implementing callbacks to

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 4 1 OVERVIEW OF PAYMENTS FRAUD ACTIVITY AND TRENDS

Nearly 75 percent of Organizations Were Targets Percent of Organizations that Experienced Attempted and/or of a Payments Fraud Attack in 2020 Actual Payments Fraud, 2010-2020

There had been a gradual increase in payments fraud activity at organizations from 2013 through 2018. While the increase was incremental but steady, we observed a significant uptick of 11 percentage points between 2014 and 2015. In the previous two years, record levels of payments fraud activity were reported, with over 80 percent of organizations having been victims of payments fraud attacks in 2018 and 2019. In 2020, 74 percent of organizations were targets of payment scams. While that is a smaller share than the percentages reported in 2018 and 2019, it still signals that a significant share of companies continues to be impacted.

Last year was a year like no other. The COVID-19 pandemic spread across the globe requiring severe social distancing measures to be implemented. Many companies mandated that their employees work remotely. Tasks which were Percent of Organizations that Experienced Attempted and/or normally carried out only in offices in a secure setting with stringent processes Actual Payments Fraud in 2020 were now being performed in employees’ home offices. We can argue that this “working from home” environment should have resulted in even higher instances of payments fraud activity than in in the previous two years. But companies— realizing they were more vulnerable—likely heightened security controls and encouraged their staff to be even more vigilant about payment processes to 74% 67% 78% avoid fraud occurrences. Additionally, in their attempts to bolster their liquidity resources and preserve their cash, organizations cut back on spending and reduced their workforce and/or furloughed staff. These actions more than likely translated into a reduction in payment transactions, fewer business-to-business All Annual Revenue Annual Revenue Less Than $1 Billion At Least $1 Billion (B2B) payments and fewer checks being written. A greater share of survey respondents from larger organizations and those with fewer payment accounts—i.e., those with annual revenue of at least $1 billion and with less than 26 payment accounts—report they experienced payments fraud in 2020 compared with the share of respondents from other organizations. Eighty 80% 77% percent of these organizations were victims of payments fraud. Fewer smaller organizations—those with annual revenue less than $1 billion—were targets of payments fraud in 2020 than were larger organizations (with revenue of at least Annual Revenue At Least Annual Revenue At Least $1 billion): 67 percent compared to 78 percent. Fraudsters were more inclined to $1 Billion and Fewer Than $1 Billion and More Than target larger organizations, exposing deficiencies around process controls using 26 Payment Accounts 100 Payment Accounts social engineering.

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 6

Increase in Instances of Fraud COVID-19 Pandemic to Blame for Some of this Increase at 30 Percent of Companies Sixty-five percent of respondents believe some of the increase in fraud at their companies was due to Sixty percent of financial professionals report the pandemic, 27 percent are unsure of the pandemic’s role on fraud activity and eight percent do not no change in the incidence of payments fraud in believe the pandemic is to blame for an increase in payments fraud at their organizations. Twenty-eight 2020 compared to 2019, while 30 percent indicate percent of financial professionals report that one to 25 percent of the increase in fraud activity was there had been an increase and 10 percent report likely due to the pandemic while 30 percent attribute 26 to 75 percent of the increased fraud instances a decline. It is encouraging to see a decrease in the to the pandemic; seven percent indicate that over 75 percent of fraud activity observed in the past year share of financial professionals reporting an increase was due to the pandemic. in payments fraud activity—from 34 percent in With social distancing measures put in place because of COVID-19, companies repositioned staff to work 2019 to 30 percent in 2020. A larger percentage remotely, requiring business leaders to dust off their Business Continuity Plans (BCPs). BCPs became of respondents from organizations with annual a primary focus during the pandemic as they assisted in strengthening controls since face-to-face revenue of at least $1 billion and more than 100 communication and signoff approvals were no longer the norm. Fraudsters attempted to expose the payment accounts report increase in payments cracks in these well laid-out BCPs, exploiting deficiencies in communication to extract financial gains via fraud occurrences at their companies since last year BEC and attempt fraudulent bank account changes for vendors. Consequently, BCP plans were shored up, compared to those organizations with annual revenue policies tightened further and processes reestablished to prudently manage fraud related to the pandemic. of at least $1 billion but fewer payment accounts.

Share of Increased Fraud due to Pandemic Change in Incidence of Payments Fraud in 2020 (Percentage Distribution of Organizations) (Percentage Distribution of Organizations) 8% 10% No increase Less 30% 27% More Unsure 28% 1%-25% increase 7% More than 75% increase 60% About 14% 16% the same 51%-75% increase 26%-50% increase

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 7

Checks and Wires Continue to be Most Susceptible to Payments Fraud

In 2020, checks and wire transfers continued to be the payment methods most impacted by fraud activity (66 percent and 39 percent, respectively). The percentage of financial professionals reporting fraud activity via these two payment methods, however, has decreased in the past year, from 74 percent and 40 percent, respectively, in 2019. The 8-percentage-point decrease in check fraud activity is fairly substantial and its incidence is the lowest since 2008 when it was 94 percent. Contributing to the decline in check fraud is the fact that organizations are using fewer checks in their B2B transactions as well as increasing the use of electronic payments as a consequence of staff working remotely. According to the 2019 AFP® Electronic Payments Report, 42 percent of organizations reported using checks for B2B payments in 2019, while in 2004 over 80 percent of companies were using checks for similar transactions. The share of organizations that were victims of fraud attacks via wire transfers has also decreased—from 48 percent in 2017 and 45 percent in 2018 to 40 percent in 2019 and 39 percent in 2020. Companies are more efficient at detecting potential fraud and mitigating it appropriately. Even though results suggest a clear downward trend, wire fraud activity continues to be high, especially considering the share of organizations experiencing such fraud was only in the single digits until 2012.

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 8

ACH Fraud Continues to be Payment Methods Subject to Attempted/Actual Payments Fraud (Percent of Organizations) on the Uptick 39% This year’s survey results reveal a slight increase Wire transfers in payments fraud activity via ACH debits— 66% from 33 percent in 2019 to 34 percent in 2020. Checks Fraud activity via ACH credits decreased three percentage points, from 22 percent in 2019 to 19 percent last year. This shift in payments fraud activity from checks and wires to ACH transactions signals that fraud perpetrators are targeting ACH payment methods 6% more frequently than check and wire transfers. As Extortion due ACH transactions are typically considered safer to ransomware and more difficult to compromise, the increased focus on ACH transactions suggests that fraudsters are acquiring more sophisticated techniques when targeting organizations. The share of organizations experiencing corporate/commercial credit card fraud shrank 10 percentage points, from 34 percent in 2019 to 24 percent in 2020. As organizations reduced workforce, furloughed employees and trimmed discretionary spending by restricting travel, the 19% use of corporate/commercial credit cards also ACH credits 34% 24% decreased, resulting in fewer card transactions ACH debits Corporate/commercial and, therefore, less fraud via that payment credit cards method. Only six percent of respondents report that their companies were victims of extortion due Others to ransomware; of those, slightly over half were Virtual Cards 3% aware of the risks of potential sanctions associated 3rd Party Payouts (Venmo, PayPal, et.) with extortion payments. 2% Faster payments 1% Mobile Wallets 1% Cryptocurrency (Bitcoin, Ethereum, etc.) 1%

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 9

Corporate/Commercial Credit/ Percent of Organizations that Experienced Payments Fraud through Corporate/Commercial Credit/ Debit Cards Continue to be Prone to Debit Cards, 2010-2020 Payments Fraud Attacks Although Less Frequently

Twenty-four percent of financial professionals report that their organizations were subject to corporate/ commercial credit/debit card fraud in 2020. Such fraud has declined steadily since 2015 but increased to 34 percent in 2019 before decreasing again to 24 percent in 2020. Several years ago, several high-profile retailers were exposed to significant card fraud activity. That experience encouraged them to move from paper- based payment methods to electronic payments. The use of corporate/commercial cards declined as a result and has not rebounded. The decreased use of cards is one possible reason card fraud has declined. Another development that likely has contributed to this trend is the transition from magnetic stripe cards to smart-chip cards which are much more difficult to counterfeit. Finally, banks’ use of algorithm and “machine learning for spend patterns” technology has also contributed to card fraud being detected at an early stage and so easier to contain. The corporate/commercial cards most prone to fraud in 2020 were Travel & Entertainment Cards (T&E Cards)—cited by 79 percent of respondents—followed by purchasing cards (61 percent). Major concerns surrounding card fraud is that it often occurs when the physical card is not present such as in an online transaction (cited by 71 percent of respondents).

None of the practitioners whose organizations experienced card fraud activity report their companies suffered a financial loss as a result of such fraud.

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 10

Financial Losses from Payments Fraud Activity are not Extreme

In the past, actual financial losses from payments fraud attacks have not been damaging, and that continued to be the case in 2020. Fifty-three percent of respondents faced potential financial losses totaling less than $50,000 (or no loss) as a result of fraud activity in 2020. In 2019, 54 percent of respondents reported the same. Twenty-three percent of financial professionals report there were no potential losses at their companies, while nine percent indicate that over $2 million may have been lost. While loss of confidential and personnel information do not directly impact an organization’s bottom-line, extensive effort and resources are required to resolve these situations. Sixty-four percent of financial professionals report that their organizations did not incur a direct financial loss because of payments fraud activity, while 18 percent report a financial loss of less than $25,000. This result is little changed from the 63 percent of practitioners that reported the same in 2019. Costs to manage, defend and/or clean up from payments fraud attacks were relatively low for most organizations that experienced such attacks. Forty-seven percent of companies did not incur any expenses due to a fraud attempt and 33 percent spent less than $25,000 to defend against or clean up the fraud.

POTENTIAL FINANCIAL LOSS from Attempted and/ ACTUAL DIRECT FINANCIAL LOSS from Attempted COSTS TO MANAGE/DEFEND/CLEAN UP from or Actual Payments Fraud in 2020 and/or Actual Payments Fraud in 2020 Attempted and/or Actual Payments Fraud in 2020 (Percentage Distribution of Organizations that (Percentage Distribution of Organizations that (Percentage Distribution of Organizations that Experienced Attempted and/or Actual Payments Fraud) Experienced Payments Actual Payments Fraud) Experienced Attempted and/or Actual Payments Fraud)

TOTAL DOLLAR AMOUNT TOTAL DOLLAR AMOUNT TOTAL DOLLAR AMOUNT

Zero 23% Zero 64% Zero 47% Up to $24,999 22% Up to $24,999 18% Up to $24,999 33% $25,000-49,999 8% $25,000-49,999 6% $25,000-49,999 7% $50,000-99,999 7% $50,000-99,999 4% $50,000-99,999 5% $100,000-249,999 13% $100,000-249,999 4% $100,000-249,999 4% $250,000-499,999 8% $250,000-499,999 2% $250,000-499,999 3% $500,000-999,999 6% $500,000-999,999 1% $500,000-999,999 1% $1,000,000-1,999,999 3% $1,000,000-1,999,999 – $1,000,000-1,999,999 – $2,000,000 or more 9% $2,000,000 or more – $2,000,000 or more 1%

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 11 !

Two-Thirds of Organizations Quick to Detect Fraud Activity

Of those organizations that were victims of fraud attacks in 2020, 35 percent took less than one week to uncover the fraud and 31 percent detected the fraudulent activity within one to two weeks. Thirteen percent took an additional two weeks to realize they had been targets of an attack and 21 percent uncovered the fraud within one to 12 months. Organizations need to be able to stop the fraud in its tracks to minimize losses and any other damage, e.g., loss of confidential information, etc. Treasury and finance practitioners need to ensure their systems can detect fraud occurrences within a few days rather than let the discovery take weeks or months. Detecting fraud quickly and reporting it instantly to authorities is imperative to increase the chances of a recovery.

Time Taken to Discover Fraud (Percentage Distribution of Organizations) 1%

7% Less than one week 13% 1-2 weeks 35% 3-4 weeks 13% Between 1-2 months 2-5 months 6-12 months 31%

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 12

Business Email Compromise (BEC) Sources of Attempted and/or Actual Payments Fraud in 2020 (Percent of Organizations that Experienced Attempted and/or Actual Payments Fraud) Continues to be the Primary Reason for Attempted/Actual Payments 2020 2019 Fraud Attempts 62% In 2019, BEC emerged as the key source of fraud Business Email Compromise attempts at organizations; 61 percent of companies that (BEC Fraud) experienced attempted or actual payments fraud in 2019 61% did so as a result of BEC. In 2020 as well, BEC continued to be a primary reason for fraud, as 62 percent of practitioners indicate BEC as the primary source of 52% fraud attacks at their organizations. While treasury and Outside individual finance leaders are very aware of how widespread this (e.g., check forged, stolen card) type of fraud has become, they are not able to obstruct 58% it sufficiently. Fraudsters are successfully infiltrating payment activity at organizations by using email to do so. Their success in deceiving organizations encourages 19% them to continue to use BEC. Third-party or outsourcer (e.g., vendor, professional services The second most-often mentioned source of payments provider, business trading partner) 26% fraud in 2020 was an external source or individual (e.g., forged check, stolen card); 52 percent of financial professionals report that payments fraud at their companies was the result of actions by an individual Account takeover 12% outside the organization. This result is six percentage (e.g., hacked system, malicious points lower that the figure reported in 2019. code – spyware or malware from social network) 17% Other sources of payments fraud include third parties or outsourcers such as vendors (experienced by 19 percent of organizations—a seven-percentage-point decrease from 2019). Account takeovers (e.g., hacked system, phishing, spyware or malware) are reported by 12 percent of respondents from companies that experienced attempted/actual payments fraud. Organizations’ payment systems continue to be challenged by perpetrators of these attacks and BEC and external individuals are the most successful sources.

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 13 2 BUSINESS EMAIL COMPROMISE Business Email Compromise

Business Email Compromise (BEC)1—also known as email account compromise (EAC)—is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional. In a BEC scam, criminals send an email message that appears to come from a known source, thus making it appear to be a legitimate request. Some examples include: — A vendor your company regularly deals with sends an email with updated payment instructions to use for future invoice payments. — A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them right away. — A company executive sends an email requesting an urgent payment and explaining they cannot speak on the phone about it.

How Criminals Carry Out BEC Scams1 A scammer might: — Spoof an email account or website. With slight variations on legitimate addresses or using a similar-looking domain, fraudsters register email domains that look deceptively like the entity they are impersonating. They might use [email protected] (an extra “o” in company) instead of [email protected] to trick victims into thinking their email is legitimate. — Send spear phishing emails. These messages look like they are from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes. According to data sources (KnowBe4),2 91 percent of all data breaches start with a spear phishing attack. — Use a compromised email account. Criminals will sometimes use compromised email accounts to send fraudulent change of payment instructions to potential victims. — Use malware. Malicious software can infiltrate company networks and allow for access to legitimate email threads about billing and invoices. That information is used to time requests or send messages, so accountants or financial officers do not question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.

1 Source: https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise 2 https://www.knowbe4.com

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 15 Business Email Compromise Most Organizations Experienced Fewer than 25 Instances of BEC Fraud in 2020 (BEC) Sees a Slight Increase A large majority of organizations experiences 25 or fewer instances of BEC fraud activity occur annually. Types of BEC attacks they are falling victim to include: Seventy-six percent of organizations — Emails from third parties requesting bank changes, payments instruction, etc. were targeted by BEC in 2020, only one percentage point higher than reported in — Emails from fraudsters posing as senior executives requesting transfer of funds 2019, and in the ballpark of figures reported — Emails from fraudsters impersonating as vendors. since 2016. Even though there has been an overall decline in payments fraud activity, Few companies are reporting seeing more than 25 instances of BEC fraud annually. from 81 percent in 2019 to 74 percent in 2020, BEC continued to be on the uptick. Most Prevalent Types of Business Email Compromise (BEC) Fraud (Percent of Organizations) Percent of Organizations that Experienced Business Email Compromise (BEC), LESS THAN 25 26-100 101-200 200+ INSTANCES INSTANCES INSTANCES INSTANCES 2015-2020 ANNUALLY ANNUALLY ANNUALLY ANNUALLY

Emails from other third parties requesting changes of bank accounts, payments instructions, etc. 88% 9% 2% 1%

Emails from fraudsters pretending to be senior executives using spoofed email domains directing finance personnel 87% 9% 2% 2% to transfer funds to fraudsters’ accounts

Emails from fraudsters impersonating as vendors (using vendors’ actual but hacked emails addresses) directing 87% 11% 1% 1% transfers based on real invoices to the fraudsters accounts

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 16 Wire Transfers Continue to be Payments Methods Impacted by Business Email Compromise Prime Targets for Business Email (Percent of Organizations) Compromise Scams 2020 2019 43% Forty-three percent of financial professionals report Wire transfers that wire transfers were impacted by BEC, a slight 42% increase from 42 percent in last year’s report. The 2020 figure is still a substantial decrease from the 54 percent and 60 percent reported in 2017 34% and 2016, respectively. Although wire transfers ACH credits remained the most popular payment method for 37% BEC scams, they were followed by incidents of ACH credit fraud: 34 percent of respondents report that 16% criminals received ACH credits using email fraud ACH debits in 2020—a decrease from the 37 percent in last 21% year’s survey. The share of practitioners reporting that ACH debits were impacted by BEC decreased from 21 percent in 2019 to 16 percent in 2020. The Checks 14% percentage of financial professionals reporting 19% that BEC compromised their organizations’ check payments decreased five percentage points—from 19 percent in 2019 to 14 percent in 2020. The shift to Corporate credit cards 9% targeting ACH transactions via BEC is likely because (e.g., purchasing & fleet) ACH is an easier touchpoint for those committing 12% fraud, while checks (as noted earlier) are being used less frequently. Another reason fraudsters target 2% ACH when using BEC is because they are aware Gift cards that businesses pay their bills using ACH. Wires are 3% expensive; therefore, organizations use ACH instead and perpetrators of these attacks are using this information and targeting ACH using emails.

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 17 Percentage of Organizations Estimated Total Dollar Loss to Organizations from BEC in 2020 Impacted by Business Email (Percentage Distribution of Organizations) Compromise Decreases ANNUAL REVENUE ANNUAL REVENUE ANNUAL ANNUAL AT LEAST AT LEAST REVENUE REVENUE $1 BILLION AND $1 BILLION AND Organizations have been actively trying to mitigate LESS THAN AT LEAST FEWER THAN 26 MORE THAN 100 the impact of BEC in several ways including ALL $1 BILLION $1 BILLION PAYMENT ACCOUNTS PAYMENT ACCOUNTS employee education and training, implementing company policies on handling changes to existing No Loss 66% 69% 64% 68% 58% bank accounts, and using call-back features or some other verification method to confirm ACH and/or Up to $24,999 14% 15% 14% 10% 19% wire transfer requests. As noted above, however, occurrences of BEC fraud are still elevated, although $25,000-49,999 7% 10% 6% 7% 5% the percentage of financial professionals reporting that their companies suffered a financial loss due to $50,000-99,999 4% 4% 4% 4% 5% BEC has decreased slightly. Thirty-four percent of companies experienced a $100,000-249,999 4% – 6% 6% 6% financial loss as a result of these emails scams in 2020—a slight decrease from the 38 percent in $250,000 - $499,999 2% 1% 2% 1% 3% 2019. This result is likely due to enhanced employee training and stronger controls implemented as $500,000 - $999,999 2% 1% 3% 3% 3% well as a decline in payment transactions due to the pandemic. The current figure is the lowest in $1,000,000 - $1,999,999 – – 1% 1% – recent years: in 2018, over half of the companies (54 percent) were impacted by a financial loss as a result of BEC and 46 percent of organizations Over $2,000,000 – – 1% – 2% experienced a loss due to BEC in 2017. Thirty-one percent of smaller organizations (annual which larger organizations were also more likely to of these crimes are targeting larger organizations in revenue less than $1 billion) incurred losses from have suffered losses due to BEC. order to steal larger amounts of money. BEC—unchanged from 2019—and 36 percent of larger organizations (annual revenue at least $1 The majority of respondents that does report their There are, of course, other “losses” that can result billion) had losses because of BEC, a 5-percentage- companies incurred a loss indicate such loss was less from BEC. If a fraud attack via BEC exposes personal point decrease from the previous year. These results than $50,000. Thirteen percent of organizations with and confidential information, the nonfinancial are consistent those in the 2020 AFP® Payments annual revenue of at least $1 billion suffered a loss of damages—while difficult to quantify—can be severe. Fraud and Control Survey Report (data for 2019) in more than $100,000. This suggests that perpetrators

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 18 Organizations’ Accounts Payable Departments Most Vulnerable to Being Targeted by BEC Fraud Departments Most Vulnerable to (Percentage Distribution of Organizations) Being Targeted by BEC Fraud 3% 3% Business Email Compromise scams continue to take various Accounts Receivable forms and change as criminals get more creative. While Other these scam artists might target an entire organization, 4% they generally are more focused on the Accounts Payable Human Resources/Payroll Dept department as that is where payments originate. Sixty-one 8% percent of respondents indicate that their Accounts Payable CEO, COO, CFO or other C-Suite Executive department was the most vulnerable business unit targeted. This is very similar to the 62 percent reported in the 2020 8% AFP® Payments Fraud and Control Report. The other 61% Procurement/Sourcing department most susceptible to BEC fraud was the Treasury Accounts Payable department (13 percent). Seventeen percent of respondents from larger 13% organizations—those with annual revenue of at least $1 Treasury billion and more than 100 payment accounts—indicate that their procurement/sourcing department was most vulnerable to fraud, and only two percent report that the CEO, COO, CFO or other C-Suite executives were the most targeted group. But the results shift for smaller organizations with annual revenue of less than $1 billion: 14 percent of respondents from those companies note that their organization’s CEO, COO, CFO or other C-Suite executives were the most vulnerable, while five percent report that the department most impacted by fraud was procurement/sourcing. Other departments within organizations reported to be vulnerable include: — Operations — Customer Support — Accounting — Vendor management

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 19 3 PAYMENTS FRAUD CONTROLS A: Business Email Compromise Controls

Internal Control Methods Implemented by Respondents to Prevent BEC Fraud (Percent of Organizations) Myriad of Controls Used to Curtail BEC 2020 2019 Fraudsters are increasingly using email to con organizations’ employees into believing they are legitimate vendors, staff, senior management, et Confirm requests for al., and compromising organizations’ payment systems. Employees and Implemented company transfer of funds by payments staff at these companies may believe these fake emails are policies for providing executing a call back to an legitimate and transfer funds to these criminals. Not only can some of End-user education appropriate verification authorized contact at the and training on the of any changes to payee organization using these attacks result in organizations being adversely impacted financially, BEC threat and how existing invoices, bank a phone number from but inadvertently organizations’ confidential information may also be to identify spear deposit information and a system of record (not compromised. As companies implemented Business Continuity Plans in phishing attempts contact information numbers listed in an email) response to staff working remotely, ensuring existing processes were in place to mitigate fraud was increasingly important. Seventy-seven percent of financial professionals believe that educating 77% 80% 70% 70% 67% 65% employees on the threat of BEC and training them to identify spear phishing attempts are important components in controlling BEC. This is critical if employees are working remotely and so have minimal in-person interaction. Stronger internal Adopt at least a two- Other controls being implemented to prevent and contain BEC include: controls prohibiting Require authorized factor authentication payments initiation signoff of senior or other added layers — Implementing company policies for providing appropriate based on emails or management for of security for access to other less secure transactions over a company network and verification of any changes to existing invoices, bank deposit messaging systems certain threshold* payments initiation information and contact information (cited by 70 percent of respondents) — Confirming requests for any transfer of funds by executing a call back 66% 61% 58% 57% 59% to an authorized contact at the payee organization using a phone number from a system of record (not numbers listed in an email) (67 percent) Intrusion detecting — Instituting strong internal controls that prohibit payments initiation system that flags emails based on emails or other less secure messaging systems with extensions that are Prohibit, or at least flag (66 percent) Color-coded emails similar to company email emails where the “reply” with red banners etc. (example: where “rn” email address is different — Requiring authorized signoff from senior management for indicating they could be in the place than the “from” email transactions over a certain threshold are external of an “m” etc.) address shown (58 percent) — Adopting at least a two-factor authentication or other added layers of security for access to company network and payments initiation 39% 34% 28% 27% 21% 17% (57 percent) *was not included in last year’s survey

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 21 B: Security Credential Controls

Daily Reconciliations Often Used to Safeguard Against Attacks on Security Credentials Seventy percent of organizations perform daily reconciliations to protect their security credentials against attacks. A majority of respondents reports that their organizations keep internal processes the same for all types of payments—paper-based, electronic and virtual (58 percent)—and ensure disaster recovery plans include the ability to continue with strong controls (54 percent). Note that even though a large majority (70 percent) performs daily reconciliations, 65 percent of companies detect fraud activity only after a week (see page 12)

Measures Taken by Organizations to Defend Against Attacks on Security Credentials (Percent of Organizations) 2020 2019

Perform daily reconciliations 70% 72%

Keep internal processes the same for all types of payments-paper based, electronic and virtual 58% 55%

Ensure disaster recovery plans include the ability to continue with strong controls 54% 48%

Restrict company network access for payments to only company-issued devices (laptop, tablets, phones) 41% 38%

Dedicate a PC for payment origination (with no links to e-mail/web browsing/ social networks) 7% 5%

Other 3% 4%

“Other” includes: — Implemented early warning system for account change requests — Implemented stricter controls for payment approvals and documentation of bank account changes — ACH debit blocks on all bank accounts — Tightened requirements on passwords — Used authorization procedure that involve multiple approvals — Implemented a very new detailed vendor set-up and vendor payment policy — Policy to conduct business only via secure environment (Citrix or VPN)

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 22 B: Security Credential Controls continued

Revisions Implemented/are being Implemented to Defend Against Attacks on Security Credentials (Percentage Distribution of Organizations)

Implemented In process of implementing Other revisions organizations have implemented or are considering implementing: — Training and learning for employees on internet fraud and avoiding phishing emails 14% 15% — Implementing a payment request database, stopped allowing payment requests to be emailed — Implementing a third-party account ownership authentication tool — Mandating call-back that varies from the source that 86% requested the change 85% — Working more closely with IT department, email tests sent out via IT dept. — Validating business websites/domains names used in emails Call backs to those parties applying for open credit and/or validating with internal personnel working Implement additional Add additional with those parties blocks on accounts segregation of duties — Implementing a TMS with built-in review and control over funds transfers — Looking to implement a supplier portal whereby suppliers can enter their banking details into a secured web portal. This would eliminate suppliers having to request us to 17% 22% update their banking details

83% 78%

Conduct more Enhance all available frequent reconciliations protective measures

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 23 C: Check Fraud Controls

Positive Pay Continues to be Most Popular Method to Control Check Fraud As in past years, a large majority of organizations (85 percent) uses positive pay to protect against check fraud. Other methods often used include daily reconciliation and other internal processes (cited by 62 percent of respondents), payee positive pay (59 percent) and segregation of accounts (54 percent). Because a significant number of employees were working remotely, organizations altered their check issuance process, reduced the use of checks, outsourced to an external party/bank and transitioned to more electronic payments via ACH.

Fraud Control Procedures and Services used to Protect Against Check Fraud (Percent of Organizations) VOID Feature on Checks considered Most Effective Positive pay 85% in Restricting Check Fraud The VOID feature visible on checks if the Daily reconciliation and check has been reproduced illegally is other internal processes 62% considered to be effective in mitigating check fraud according to 77 percent of respondents. Sixty-four percent of practitioners also Payee positive pay 59% believe that using security/safety paper for checks helps combat check fraud. Segregation of accounts 54% Security Features on Checks Most Effective in Preventing Check Fraud (Percent of Respondents)

“Post no checks” restriction ALL on depository accounts 41% VOID Feature 77%

Tamper resistance features Security/Safety Paper 64% on checks 41% Dual-tone True Watermark 48% Outsourced Check Printing/ Blank Check Stock 45% Processing to Third Party/ 32% Bank/Payment Vendor Micro Print 43% Heat-reactive Ink 33% Other 4%

“Other” includes: Minimize handling of check from office to postal location and reduce number of checks issued

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 24 D: ACH Fraud Controls

To control ACH fraud, a majority of organizations reconciles accounts daily to identify and return unauthorized ACH debits (60 percent) and blocks ACH debits except on a single account set up with ACH debit filter (58 percent). Approximately one-third of companies blocks ACH debits on all accounts (34 percent). As mentioned earlier in this report, 70 percent of companies conduct daily reconciliations; therefore, the 60 percent that conduct them for ACH is inconsistent across this payment type. ACH payments are often processed in batches and the underlying detail can be quite significant, so daily reconciliations are not as prevalent as one might think.

Fraud Control Procedures or Services used to Prevent ACH Debit Fraud (Percent of Organizations) 2020 2019

Reconcile accounts daily to identify and return unauthorized ACH debits 60% 77%

Block all ACH debits except on a single account set up with ACH debit filter/ ACH positive pay 58% 69%

Block ACH debits on all accounts 34% 44%

Create separate account for electronic debits initiated by the third party (e.g., taxing authority) 21% 25%

Debit block on all consumer items with debit filter on commercial ACH debits 21% 29%

Minimal use of ACH at my organization 10% –

Unsure 2% –

Other 5% –

“Other” includes: — ACH positive pay on most accounts — Use of ACH debit filters on payment accounts — ACH debits for permitted vendors and approved amounts only — Review debits against invoices/expected amount and authorized company ID list before approving

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 25 D: ACH Fraud Controls continued

As Faster Payment Options Enter the Organizations’ Preparedness to Mitigate Potential Additional Risks with Same-Day ACH Operational for Market, Some Organizations Planning Both Credit and Debit Transactions (Percentage Distribution of Organizations) to Implement Measures to Minimize Additional Risks 1% With Same-Day ACH operational for both credit Other and debit transactions, 26 percent of organizations 26% have implemented plans to mitigate potential Implemented various plans to additional risks. This figure is higher than the 20 mitigate potential percent reported in the 2020 AFP® Payments Fraud 30% additional risks and Control Survey Report. Additionally, 20 percent Unsure, bank has not extended of organizations are in the process of implementing any advice on this issue plans to safeguard against additional risks. Twenty- three percent of organizations are not taking 20% any steps to prepare for and mitigate potential Currently have not implemented additional risks that might occur, or they are unsure 23% any plans to mitigate potential because their banks have not provided any advice additional risks but are in the Not planning to on the issue (30 percent). process of doing so make any revisions Most companies’ forays into Faster Payments incorporates Same Day ACH or Real Time Payment (RTP) via The Clearinghouse to some extent. As Note: Those who selected “other” explain that their companies are not opting into faster payments. RTP applications become more desirable from a business’s perspective—as well as increasingly mainstream while at the same time outside of payroll activity for most—ACH Same Day limits are increasing. More focus on controls and policies around Same Day ACH internally will be reviewed and implemented. Only 58 percent of companies keep internal processes the same for all types of payments—paper-based, electronic and virtual— therefore, a greater focus on daily if not more recurring reconciliations will need to occur.

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 26 E: Validating Fraud Controls

Validating fraud controls include the following: Validating Fraud Controls to Mitigate BEC Fraud — Annual review, and management approval, of organization’s fraud policy A majority of organizations (60 percent) validates fraud controls to mitigate BEC fraud. This is more prevalent in those organizations with annual revenue — Verification of processes and/or procedures in an organization’s fraud policy of at least $1 billion than in smaller organizations with annual revenue less — Testing, to the extent appropriate, the fraud policy procedures through a than $1 billion. practical exercise Those who do validate fraud controls use the following methods: If organizations made it a regular practice to validate their fraud controls, they — Phishing tests/awareness training would be able to identify any faults in the process and rectify them sooner. Additionally, by validating fraud controls, they are committing to controlling fraud. — Internal audit team tests Validating fraud controls also reinforces with vendors and employees that the — IT department manages testing company is serious about minimizing fraud. Costs and resources involved in validating fraud controls often prevent Percentage of Organizations that Validate Fraud Controls Implemented organizations from undertaking the practice. Senior management at some to Mitigate BEC Fraud organizations do not believe the process of validating fraud controls is necessary (Percentage Distribution of Organizations) and so do not make such validation a high priority. A majority of organizations currently validates their fraud controls. Larger organizations with annual revenue of at least $1 billion are more likely to validate fraud controls than are their smaller counterparts. 40% 60% No Yes

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 27 E: Validating Fraud Controls continued

Validate Fraud Controls Implemented to Mitigate Check Fraud Validate Fraud Controls Implemented to Mitigate ACH Fraud A majority of respondents (61 percent) confirms their organizations validate Two-thirds of organizations validate fraud controls to mitigate ACH fraud. The fraud controls to mitigate check fraud. Methods used to validate check fraud methods used to validate fraud control include: controls include: — Positive pay and ACH filters — Positive pay reviewed frequently — Verifying bank accounts and confirming bank changes with vendor — Daily reconciliations — Review attempted debits daily — Dual authorization required for Positive Pay exceptions — All changes in bank information are validated separately — Internal audit review, annual review of fraud controls, quarterly internal — Positive pay alerts controls testing — Audits are performed periodically — Dedicated person that validates possible fraud transactions — Review attempted fraud and confirm validation Percentage of Organizations that Validate Fraud Controls Implemented — Partner with one vendor for checks and restrict check issuing to treasury. to Mitigate ACH Fraud — Daily account reconciliation (Percentage Distribution of Organizations) — Fraud controls on accounts — Accounting initiates but Treasury processes all payments — Checks over a certain amount are reviewed by Treasury before releasing 34% 66% — Ensure the checks that clear are issued by organization No Yes

Percentage of Organizations that Validate Fraud Controls Implemented to Mitigate Check Fraud (Percentage Distribution of Organizations)

26% Unsure 61% Yes

13% No

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 28 F: Fraud Policy

A formal fraud policy statement3 indicates that the fight against fraud is endorsed and supported at the most senior level within a company. Organizations may wish to ensure all employees are aware of a zero-tolerance attitude toward criminal breaches of business practices which may be reported to the police. The fraud policy statement should be communicated to all employees, contractors and suppliers. A fraud policy statement should be simple, focused and easily understood. The content may vary from business to business, but companies should consider including the business’s determination to: — Take appropriate measures to deter fraud — Introduce/maintain necessary procedures to detect fraud — Investigate all instances of suspected fraud — Report all suspected fraud to the appropriate authorities — Assist the police in the investigation and prosecution of suspected fraudsters — Recover wrongfully obtained assets from fraudsters — Encourage employees to report any suspicion of fraud. — The allocation of responsibilities for the overall management of fraud — Procedures to be followed if a fraud is suspected

A fraud policy statement should make clear that all employees have a responsibility for fraud prevention and detection. It is important the statement be actively and regularly promoted throughout the organization to all employees, irrespective of grade, position or length of service.3 The Association for Financial Professionals has a number of resources to help organizations and their treasury and finance professionals develop and implement fraud mitigation policies. They include:

Sample template (PDF format) for a written fraud policy

Payments Fraud Training (for AFP Members-only)

3Source: The Fraud Advisory Panel: https://www.fraudadvisorypanel.org/ Sample Fraud Policy Statements

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 29 F: Fraud Policy continued

Majority of Organizations Has a Fraud Policy Sixty percent of organizations have a fraud policy, similar to the 59 percent that reported the same last year. A greater percentage of large organizations with annual revenue greater than $1 billion are more likely to have a fraud policy in place than are smaller organizations.

Percentage of Organizations That Have a Fraud Policy (Percentage Distribution of Organizations)

40% 43% 38% 40% 36% No 60% No 57% No 62% No 60% No 64% Yes Yes Yes Yes Yes

All Annual Revenue Annual Revenue Annual Revenue At Least Annual Revenue At Least Less Than $1 Billion At Least $1 Billion $1 Billion and Fewer Than 26 $1 Billion and More Than 100 Payment Accounts Payment Accounts

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 30 F: Fraud Policy continued

Treasury Primarily Has Ownership of Departments that Own The Fraud Policy Within the Organization Fraud Policy (Percentage Distribution of Organizations) Nearly half (48 percent) of the survey respondents 2020 2019 reports that the treasury function at their organizations owns the fraud policy. This was more 48% likely to be the case in organizations with annual 47% revenue greater than $1 billion and more than 100 payment accounts. Other departments that own the fraud policy are Risk (cited by 39 percent of 39% respondents) and Accounts Payable and Accounts Receivable (20 percent). Fraud policies are not just 36% for the largest companies—the difference between small and large companies is not substantial and proves that fighting fraud must transcend across departments to actively mitigate the risk. 26% Departments other than those mentioned above that have ownership of the organization’s fraud policy are: 20% 21% 21% — Audit — IT/Information Security — Legal 10% — Multiple departments have different fraud controls 8% 8% 7% — Compliance

Treasury Risk Accounts Procurement HR Other Payable/ Accounts Receivable

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 31 F: Fraud Policy continued

Majority of Companies Testing Fraud Policy Annually Over 50 percent of companies test their fraud policy at least once a year. Smaller organizations with annual revenue less than $1 billion (64 percent) are more likely to test their fraud policy annually than are larger organizations with annual revenue of at least $1 billion (48 percent). Twenty-three percent test their policy quarterly, with a greater share of larger organizations testing their fraud policy quarterly compared to smaller organizations (24 percent compared to 19 percent).

Frequency of Fraud Policy Being Tested (Percentage Distribution of Organizations)

Annually 53% 64% 49% 49% 48%

Bi-annually 11% 8% 13% 15% 10%

Quarterly 23% 19% 24% 25% 24%

Other 13% 9% 14% 11% 17%

Almost all those included in “other” category indicated they were unsure as to how frequently their policies were being tested.

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 32 G: Alerts from Payment Partners/Vendors Regarding Potential Fraud

Over 40 percent of organizations have received a call from their payment partners/vendors alerting them to a potential fraud occurrence. This share increases to 50 percent for organizations with annual revenue of at least $1 billion and more than 100 payment accounts. Of those organizations that have received a call alerting them to a potential fraud occurrence, a vast majority (94 percent) acted on the advice provided by their payment partners/vendors which prevented the fraud from occurring. The remaining companies did not act when alerted about potential fraud regarding specific payments but fortunately did not experience any fraud related to the transaction. Organizations very much appreciate a “heads-up” phone call alerting them about potential fraud. It is interesting that only 42 percent of organizations report receiving these calls. More often than not, bank scorecards capture the insight that the provider shares and this, in turn leads to a longer, more trusted relationship.

Percentage of Organizations That Have Received a Call from a Payment Partner/Vendor Alerting to Potential Fraud in Past 12 Months Actions Taken Once Receiving a Call Alerting (Percentage Distribution of Organizations) the Organization to Potential Fraud Occurrence (Percentage Distribution of Organizations) Yes, received a call from our payment partner/vendor alerting us to a potential fraud occurrence No, have not received such a call 94% acted on the advice provided by payment partner/vendor and prevented the fraud

6% did not act on the advice and the 38% payment did not result in fraud 58% 42% Yes 53% No 62% 47% Yes No Yes No

All Annual Revenue Annual Revenue Less Than $1 Billion At Least $1 Billion

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 33 H: Revalidating Transactions Banks Identify as Irregular/Suspicious

Over 80 percent of organizations have established Presence of Established Protocols to Re-validate Transactions Your Bank Identifies as Irregular/Suspicious protocols to revalidate transactions that they identify as (Percentage Distribution of Organizations) irregular/suspicious. Implementing this process will assist in preventing instances of fraud. Even though in some ANNUAL REVENUE ANNUAL REVENUE ANNUAL ANNUAL AT LEAST AT LEAST cases the transaction may prove to be legitimate, the REVENUE REVENUE $1 BILLION AND $1 BILLION AND process can still be worthwhile if any fraud is stopped LESS THAN AT LEAST FEWER THAN 26 MORE THAN 100 before causing any damage. Larger organizations with ALL $1 BILLION $1 BILLION PAYMENT ACCOUNTS PAYMENT ACCOUNTS annual revenue of at least $1 billion are more likely to Yes 81% 77% 83% 86% 81% revalidate transactions than are smaller companies with annual revenue less than $1 billion. No 19% 23% 17% 14% 19%

I: Evidencing Security Policies and Controls

Less than Half of Payment Partners/ Require Payment Partners/Vendors to Evidence Security Policies and Controls as part of Regular Due Diligence Vendors Evidence Security Policies and (Percentage Distribution of Organizations) Controls as Part of Regular Diligence Evidencing security policies includes providing a compliance certificate or some other written 40% evidence. It is a good practice as it confirms 54% 46% Yes 48% employees, vendors and suppliers are aware No 60% 52% Yes No Yes of a company’s fraud policy. Additionally, it No acknowledges the policy is undergoing some type of regular validation and highlights a company’s low tolerance for fraud. Financial professionals are extremely aware of the All Annual Revenue Annual Revenue Less Than $1 Billion At Least $1 Billion frequency of instances of payments fraud and are proactively implementing policies and controls to minimize the instances of fraud attacks in order to be considered proprietary or intellectual property, or organizations with annual revenue of at least $1 billion able to detect early warning signs. Still, less than half perhaps the provider does not want to share that and those with more than 100 payment accounts of them report that their payment partners/vendors information. Larger companies have better success are more actively evidencing security policies and are evidencing security policies and controls as part at achieving evidence of their payment partners controls than are those of smaller organizations with of due diligence. Much of this information could be security policies. Payment partners/vendors of larger annual revenue less than $1 billion.

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 34 J: Fraud Controls and Challenges to Implement

It is imperative that organizations have controls in place adequate to safeguard various payment methods from fraud attacks. Implementing fraud controls requires substantial investment in financial resources as well as people resources. Controls need to be able to efficiently prevent occurrences of fraud. Fifty-five percent of respondents believe that the implementation of fraud controls to contain BEC is challenging, with 14 percent indicating it is very challenging to implement. Nearly one-fourth of respondents (24 percent) reports that implementing controls to prevent card fraud is challenging. Less challenging to implement are ACH fraud controls and check fraud controls.

Level of Challenge to Implement Fraud Controls (Percentage Distribution of Organizations)

Business email compromise 14% 31% 29% 17% 9%

Card fraud controls 6% 18% 36% 21% 18%

Wire fraud controls 3% 12% 28% 28% 30%

Check fraud controls 2% 10% 26% 15% 46%

ACH fraud controls 2% 10% 25% 23% 40%

Very challenging to Implement (5) (4) Less Challenging to Implement (3) (2) Not at all Challenging to Implement (1)

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 35 K: Over 70 percent of Organizations Have Contingency Plans if IT Systems are Down

Payment systems are closely linked to technology Presence of Contingency Plans to Issue Critical Payments Manually if IT Systems are Down and extremely dependent on IT systems. If (Percentage Distribution of Organizations) organizations’ IT systems are inoperative, their payments process will be interrupted unless the 10% payments department has a back-up plan that will Unsure allow it to function even when IT systems are down. Over 70 percent of organizations are able to issue critical payments manually even if their IT systems 18% are not working. Over half of survey respondents Do not have the ability to issue 52% indicate that their organizations can issue critical payments manually Can do it manually through a payments manually through a separate network/ separate network/system system and another 20 percent of organizations have the capability to issue critical payments via an alternative financial institution. Having these 20% systems in place will allow for organizations to Can do it manually from an operate seamlessly even in an environment in which alternate financial institution technology plays such a vital role.

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 36 CONCLUSION

The incidence of payments fraud declined slightly in 2020. There had been a gradual increase in payments-fraud activity at organizations from 2013 to 2018, and in 2018 and 2019 record levels of payments fraud activity were reported, with over 80 percent of organizations having fallen victim to payments fraud attacks. In 2020, 74 percent of organizations were targets of payment scams. While that is smaller than the shares reported in 2018 and 2019, it is evident that a significant percentage of companies continue to be impacted. The entire world began to grapple with the COVID-19 pandemic in 2020. The potential for increased occurrences of payments fraud were certainly on the radar for treasury and finance professionals as they organized how their staff could continue to function as seamlessly as possible as they worked “from home” without adversely impacting the organization’s operations. Despite the increased cognizance, 65 percent of respondents believe some share of the increase in fraud at their companies was due to the pandemic. ACH transactions signals that these perpetrators are scam artists might target the entire organization, Checks and wire transfers continued to be the targeting ACH payment methods more frequently they are more focused on the Accounts Payable payment methods most impacted by fraud activity than check and wire transfers. The share of department as that is where payments originate. in 2020. The percentage of financial professionals organizations experiencing corporate/commercial As business leaders focus on safeguarding against reporting fraud activity via these two payment credit card fraud also decreased substantially in 2020. fraud, they understand those planning these methods, however, has decreased in the past year. As was the case in 2019, business email attacks are devising new methods to deceive their The incidence of check fraud was at its lowest level compromise—or BEC—was the primary source of unsuspecting victims. It is vital that treasury and since 2008. Contributing to the decline in check payments fraud attacks at organizations in 2020. finance professionals continue to be vigilant and fraud is the fact that organizations are using fewer While treasury and finance leaders are keenly aware protect their organizations against future attacks to checks in their business-to-business transactions. of how widespread this type of fraud has become, the best of their abilities. It might involve validating The share of organizations that were victims of fraud they are not able to alleviate instances of this fraud controls regularly to ensure they are doing attacks via wire transfers has also been decreasing BEC. Fraudsters use email to successfully infiltrate what they are supposed to do—that is, preventing gradually. But this year’s survey results also reveal payment activity at organizations. BEC scams fraud as well as strategizing and implementing new a slight increase in fraud activity via ACH debits. continue to take various forms and change as these controls that might be more effective in preventing This shift in fraud activity from checks and wires to criminals become more creative. Even though these criminals from being successful in their endeavors.

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 37 KEY FINDINGS

Nearly two-thirds (65 percent) of respondents believe that the increase in payments fraud at their companies was due to the COVID-19 pandemic. Twenty-eight percent of financial professionals report that 1% to 25% of the increase in fraud activity was likely due to the pandemic while 30 percent attribute 26% to 75% of the increased fraud instances to the pandemic; 7 percent indicate that over 75% percent of fraud activity observed in the past year was due to the pandemic.

Sixty-two percent of companies that experienced attempted or actual payments fraud in 2020 did so as a result of BEC, although there was less of a financial impact from BEC than in previous years.

In 2020, 74 percent of organizations were targets of payment scams. While that is smaller than the shares reported in 2018 and 2019, it still indicates that a large percentage of companies continue to be impacted by payments fraud.

Over three-fourths (76 percent) of respondents report that their organizations had been targeted by business email compromise (BEC) attempts in 2020.

Educating employees on the threat of BEC and training them to identify spear phishing attempts is an important component in controlling BEC, according to 77 percent of treasury and finance practitioners.

Accounts Payable departments are the most susceptible to BEC fraud. Sixty-one percent of respondents report that their Accounts Payable department was the most vulnerable business unit targeted. The department targeted second most- often by BEC fraud was Treasury, cited by 13 percent of practitioners.

In 2020, checks and wire transfers continued to be the payment methods most impacted by fraud activity (66 percent and 39 percent, respectively). However, the incidence of check fraud activity is on a decline and the check fraud activity observed in 2020 is an 8-percentage-point decrease from last year.

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 38 4 DEMOGRAPHICS ABOUT RESPONDENTS

In January 2021, the Research Department of the Type of Organization’s Payment Transactions Association for Financial Professionals® (AFP) (Percentage Distribution of Organizations) surveyed over 9,000 of its corporate practitioner members and prospects. The survey was sent to 3% corporate practitioners with the following job titles: Treasurer, Assistant Treasurer, Director of Treasury, Treasury Manager, Director of Treasury and Finance, 19% Senior Treasury Analyst, Cash Manager and Vice 24% President of Treasury. A total of 534 responses were received and after removing duplicates, etc., we When When eventually had 520 responses from practitioners, and making receiving 53% these form the basis of the report. payments payments AFP thanks J.P. Morgan for underwriting the 2021 AFP® 73% 28% Payments Fraud and Control Survey. Both questionnaire design and the final report, along with its content and conclusions, are the sole responsibilities of the AFP Research Department. The following tables provide a profile of the survey respondents, including payment Primarily businesses Split between consumers and businesses Primarily consumers types used and accepted.

Methods to Maintain Payments Accounts (Percentage Distribution of Organizations)

Decentralized 16% 12% 18% 8% 28%

Other 5% 2% 7% 2% 13%

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 40 Accounts to which Controls are Applied (Percentage Distribution of Organizations)

ANNUAL REVENUE ANNUAL REVENUE ANNUAL ANNUAL AT LEAST AT LEAST REVENUE REVENUE $1 BILLION AND $1 BILLION AND LESS THAN AT LEAST FEWER THAN 26 MORE THAN 100 ALL $1 BILLION $1 BILLION PAYMENT ACCOUNTS PAYMENT ACCOUNTS Applied to all accounts in all areas 87% 85% 87% 86% 87% Applied to all accounts but in select areas 10% 12% 10% 12% 7% Not applied to all accounts 3% 1% 4% 2% 5%

Other 1% 1% – – –

Number of Payment Accounts Maintained (Percentage Distribution of Organizations)

5-9 17% 19% 16% 33% –

10-25 19% 20% 19% 39% –

26-50 12% 7% 15% – 30%

51-100 11% 8% 13% – 25%

More than 100 18% 11% 22% – 45%

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 41 Annual Revenue (USD) Industry Classification (Percentage Distribution of Organizations) (Percentage Distribution of Organizations)

Under $50 million 5% ALL Agricultural, Forestry, Fishing & Hunting 1% $50-99.9 million 4% Administrative Support/Business services/ Consulting 3% $100-249.9 million 6% Banking/Financial services 5% $250-499.9 million 12% Construction 2%

$500-999.9 million 16% Energy 4%

Government 7% $1-4.9 billion 33% Health Care and Social Assistance 7% $5-9.9 billion 10% Hospitality/Travel/Food Services 2% $10-20 billion 8% Insurance 8%

Over $20 billion 6% Manufacturing 20%

Non-profit 8%

Petroleum 2%

Organization’s Ownership Type Professional/Scientific/Technical Services 1% (Percentage Distribution of Organizations) Real estate/Rental/Leasing 5% ANNUAL REVENUE ANNUAL REVENUE ANNUAL ANNUAL AT LEAST AT LEAST REVENUE REVENUE $1 BILLION AND $1 BILLION AND Retail Trade 7% LESS THAN AT LEAST FEWER THAN 26 MORE THAN 100 ALL $1 BILLION $1 BILLION PAYMENT ACCOUNTS PAYMENT ACCOUNTS Wholesale Distribution 5%

Publicly owned 38% 21% 52% 46% 57% Software/Technology 3% Privately held 38% 49% 29% 28% 31% Telecommunications/Media 3% Nonprofit (not-for-profit) 14% 21% 11% 14% 7% Transportation and Warehousing 4% Government (or government-owned entity) 9% 10% 8% 12% 5% Utilities 4%

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 42 AFP Research AFP Research provides financial professionals with proprietary and timely research that drives business performance. AFP Research draws on the knowledge of the Association’s members and its subject matter experts in areas that include bank relationship management, risk management, payments, FP&A and financial accounting and reporting. Studies report on a variety of topics, including AFP’s annual compensation survey, are available online at www.AFPonline.org/research.

About AFP® Headquartered outside of Washington, D.C. and located regionally in Singapore, the Association for Financial Professionals (AFP) is the professional society committed to advancing the success of treasury and finance members and their organizations. AFP established and administers the Certified Treasury Professional® and Certified Corporate FP&A Professional® credentials, which set standards of excellence in treasury and finance. Each year, AFP hosts the largest networking conference worldwide for more than 7,000 corporate financial professionals.

4520 East-West Highway, Suite 800 Bethesda, MD 20814 T: +1 301.907.2862 | F: +1 301.907.2864

www.AFPonline.org

2021 AFP® Payments Fraud and Control Report | www.AFPonline.org 43 Be Informed and Stay Ahead of Fraud

Unprecedented disruption calls for established expertise.

Combine insights from AFP’s survey with J.P. Morgan’s advanced fraud prevention tools and applied best practices to protect your organization against future challenges.

Learn more by visiting jpmorgan.com/fraudprotection