
How to Strengthen Company Fraud Protection and Cybersecurity

10/09/2024

Implementing prevention strategies and leveraging bank partnerships can help reduce fraud and strengthen company cybersecurity.

Fraud is a rapidly evolving threat to businesses of all sizes. As companies increasingly move to digital operations and payment processes for their convenience, speed, and cost savings, cybercriminals are exploiting the same technology to evade security controls and launch sophisticated attacks that are often harder to spot and potentially more damaging in terms of financial losses, reputational damage, and compromised data.

According to FBI data, losses due to fraud and scams topped $12 billion in 2023, a 22% increase over the previous year, and are likely to rapidly grow. One reason is that new technologies, such as generative artificial intelligence (AI), have the potential to fuel a huge increase in losses.

In this complex digital environment, it can be challenging for any business to deploy all the security measures and skilled staff necessary to prevent fraud. But a combination of training—upskilling employees to adapt to changes in fraudsters’ tactics—better security controls, and bank and fintech partnerships can help mitigate the risks.

This approach can also help reduce incidents of small business fraud. Even organizations with limited budgets can reduce their risk by recognizing that people, policies, and the right partnerships make up the backbone of any defensive strategy.

How the Fraud Threat Landscape Changes

While check fraud is still very common, the explosive growth of internet-based business operations, such as cloud-based tools and data storage, has exposed businesses to the threat of hacked passwords, compromised accounts, and stolen customer and vendor information. Malicious actors that capture unsecured information about a company, its vendors, or its customers, or find a way to compromise its accounts, can stage multiple-step campaigns that can remain undetected for long periods.

The growth of remote working is another factor that elevates risk. Every day, millions of workers sign in to digital accounts remotely from home or temporary offices. Each remote connection expands a company’s vulnerability and provides bad actors with a new opportunity to commit fraud.

Compromising a single account, such as one used by an established vendor, can provide a fraudster with a means to establish or intercept communications or request changes to transaction details that reroute payments away from legitimate recipients. Information gleaned on the dark web, from compromised accounts or even on public-facing platforms, makes fraud attempts more convincing. Bad actors can use the information they collect to assume the identity of a person or organization with a legitimate connection to a business, such as a vendor or a customer.

Generative AI and machine learning are already partially delivering on their promise to speed up and improve business operations. They also have the potential to improve fraud detection (such as identifying and flagging anomalous transactions) and cybersecurity defenses.

But fraudsters are also manipulating technology for their own purposes, using apps like ChatGPT to craft convincing emails that are consistent with the style of legitimate account holders and using deepfakes to impersonate executives. Although still in their infancy, deepfakes, which are manipulated audio and video feeds that can sound or look like a real person, are already being used by fraudsters to trick employees into authorizing payments or releasing sensitive information. Companies of all sizes are taking notice: A 2024 survey of businesses found that 93% of respondents expect that they will be facing daily AI-powered attacks in the next six months.

Most fraud now involves some combination of long-established tactics and new technology. For instance, accounts payable fraud, when an AP employee authorizes a payment to a fraudster, often combines hacking login credentials and other sensitive information with social engineering tactics that exploit trust and deceive their targets.

Types of Fraud

Business email compromise (BEC) and phishing are among the major cyber threats to businesses, and they are some of the most efficient vehicles for fraud, with losses of nearly $3 billion in 2023, according to the FBI. A report by the Association for Financial Professionals said that recent BEC campaigns have targeted ACH credits, wire transfers, and ACH debits. The report also noted that less than 60% of companies surveyed had not drafted or refined policies for protection against business email compromise.

Identity theft and data breaches are tactics that can lead to account takeovers and spoofing that drive fraud related to vendor payment and account maintenance. Notable examples include requests to change account numbers or banking information, anomalous payment requests, and customer refund requests.

Frauds that exploit real-time payment rails are not yet as prevalent as those that target checks and ACH transfers. However, the volume of these transactions, estimated at $266.2 billion in 2023, is expected to rise to $575.1 billion globally by 2028, according to software firm ACI Worldwide. As customers and partner organizations have become accustomed to the speed and convenience of real-time payments, fraudsters are likely to increase their efforts to exploit them. The next big challenge for all types of businesses is to build in protection around the rapid transactions their partners and customers expect. Fortunately, banks are taking this responsibility seriously, and they’re well-positioned to share their strategies with their customers and clients.

How Organizations Can Prevent Fraud

Fraud detection and cybersecurity tools are improving rapidly. Organizations need to implement strong security controls and protocols around their payment departments and key business operations. But it’s also important to recognize that digital security tools are not foolproof. Every business needs to supplement its technology with strong policies and a cybersecurity-focused culture that involves every employee.

The key to fraud mitigation for almost any business is people, whether they are servicing accounts, shaping policies, managing risk, or simply using the digital tools and platforms that fraudsters typically try to exploit. Making sure these employees have sufficient skills and up-to-date fraud awareness is essential.

But as digital connectivity becomes more complex, the breach that results in financial fraud has the potential to begin with any employee who uses the same networks and tools as more privileged users. The more that malicious actors are able to learn about individuals and businesses, the more convincing their fraud can become. Because the initial breach can begin with any employee, fraud and cyber awareness must extend across company leadership and the entire workforce, including the firm’s cyber professionals, who need to update their expertise as cyber threats evolve.

The same principle applies to third and fourth parties that work with a business. It is critical for an organization to have visibility into partners’ security and fraud prevention controls. The company’s policies for oversight of payments, redundant approvals, and flagging anomalous payments ideally should be matched by similarly robust policies among its vendors and key partners.

However, few businesses have the means to monitor transactions and build fraud-resistant protection beyond their own networks. For that reason, bank and fintech partnerships are another essential part of defense. By law, banks, lenders, and other financial institutions must implement strong security controls around transactions they enable.

How to Partner With Your Bank to Reduce Fraud

A bank is a well-resourced partner in mitigating fraud. While services and capabilities will vary by institution, most banks have extensive fraud expertise that can help businesses implement stronger controls and processes in a digitized marketplace.

Partnering with banks for fraud protection can help businesses leverage additional technology and processes, which may include:

  • Payment authorization and account access controls. Banks offer technology solutions that can identify discrepancies between checks that have been issued and those that have been paid, which can highlight fraudulent activities. For ACH debits and credits, they may also set transaction amount thresholds and authorization services to help businesses monitor account access.

  • Account reconciliation. Banks have many services that help commercial customers gain visibility into their cash flow, consolidate their financial resources, and increase efficiency through automated systems. These same services can also help identify anomalous financial activity that may indicate unauthorized or fraudulent transactions.

  • Centralized reporting. Organizations that maintain many different accounts and disparate operations can benefit from banks and fintech firms that provide management tools that consolidate transaction information and generate reports that produce a clearer picture of current and historical activity. Pulling this information into a single desktop can help organizations identify unusual activity that may indicate fraud or unsafe practices.
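
As an added illustration (not code from this article's publisher or from any bank's actual system), the sketch below shows the logic behind the first item in the list above: matching presented checks against a company's issue file, and holding ACH debits that come from an unapproved originator or exceed a per-originator threshold. The record layout, function names, originator IDs, and sample data are assumptions constructed for this example.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    number: str
    payee: str
    amount: Decimal

def reconcile_checks(issued, presented):
    """Compare presented checks with the issue file; return (number, reason) exceptions."""
    register = {c.number: c for c in issued}
    paid, exceptions = set(), []
    for item in presented:
        match = register.get(item.number)
        if match is None:
            reason = "not in issue file"
        elif item.number in paid:
            reason = "duplicate presentment"
        elif item.amount != match.amount:
            reason = "amount mismatch"
        elif item.payee.strip().casefold() != match.payee.strip().casefold():
            reason = "payee mismatch"
        else:
            paid.add(item.number)  # clean match: pay it and remember it
            continue
        exceptions.append((item.number, reason))
    return exceptions

def filter_ach_debits(debits, limits):
    """debits: (originator_id, amount) pairs; limits: approved originator -> max amount."""
    held = []
    for originator, amount in debits:
        limit = limits.get(originator)
        if limit is None:
            held.append((originator, amount, "originator not authorized"))
        elif amount > limit:
            held.append((originator, amount, "over threshold"))
    return held

# Constructed sample data (hypothetical payees and originator IDs).
ISSUED = [Check("1001", "Acme Supply", Decimal("1250.00")),
          Check("1002", "Northside Freight", Decimal("480.50"))]
PRESENTED = [Check("1001", "acme supply", Decimal("1250.00")),        # clean match
             Check("1002", "Northside Freight", Decimal("4800.50")),  # altered amount
             Check("1001", "Acme Supply", Decimal("1250.00")),        # presented twice
             Check("1999", "J. Doe", Decimal("900.00"))]              # never issued
LIMITS = {"ORIG-UTILITY": Decimal("2000.00")}
DEBITS = [("ORIG-UTILITY", Decimal("150.00")), ("ORIG-UTILITY", Decimal("9500.00")),
          ("ORIG-UNKNOWN", Decimal("75.00"))]

if __name__ == "__main__":
    for row in reconcile_checks(ISSUED, PRESENTED) + filter_ach_debits(DEBITS, LIMITS):
        print(row)
```

Items returned by either function are exceptions for a person to review before payment, which is where the redundant-approval policies described earlier apply.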

Smart Fraud Mitigation and Cyber Awareness

Even with solid partnerships in place, every business must stay proactive in its own defense strategy. One important step is creating an up-to-date response plan that details actions to be taken by stakeholders in the event of fraud or a cyber breach, whether or not the business has experienced fraud or cyber breaches in the past.

In addition, organizations need to make regular risk assessments of the potential economic impact an outage of a few days’ duration might have. Financial institutions can work with organizations in assessing their fraud risk and building out plans for responding to a variety of fraud scenarios.

Bad actors are constantly innovating and devising new deceptive tactics and technologies that will bypass even the most alert and aware employees. The best defense remains employees who are informed about the changing nature of fraud, who never assume their accounts are 100% safe, and who are prepared to respond when evidence of fraud surfaces.

Furthermore, working with financial institutions that can help your firm understand potential threats and provide strong fraud prevention controls can further reduce the possibility of account compromise and fraudulent transactions.
