When someone steals money from a business in a movie, it’s George Clooney and a team of con men. When it happens to your business in real life, however, it’s probably more like George from accounting.
Whether it’s perpetrated internally by an employee or externally by a hacker, payment fraud is a major issue for businesses of all sizes. The good news is, it’s also largely preventable.
“For most fraud threats, it’s all about your internal controls being built right,” says Matthew Harper, head of client security management and group vice president at SunTrust. “That’s where a lot of companies fall flat.”
According to Harper, these controls can help reduce the likelihood of fraud:
- Reconcile your accounts quickly and often
- Use Positive Pay, which ensures that posted checks match your records
- Frequently monitor internal and external payments
- Ensure that only certain people have payment access
“It’s not exciting, it’s not some whiz-bang tool—it’s old-fashioned, internal controls,” Harper says. “It’s not fun, but it works.”
Here are three payment fraud schemes that Harper says mid-sized businesses should be especially aware of, along with tips for preventing them.
One of the primary risks to mid-sized businesses is employee misuse of payment tools, Harper says. That largely means corporate credit cards.
To combat this, many purchasing platforms offer the ability to set limits and merchant categories. For example, if you owned a trucking company, you could limit purchases to gas stations and a few other related areas.
Harper suggests limiting who receives the card. “Ensure you’re giving the cards out on a business-need basis,” he says. “Not everyone needs a corporate card.”
Lastly, businesses should review whether the amount being spent is appropriate. If one driver stays within the limit and spends money only on gas, but spends significantly more than other drivers, that might signal an employee who has used the company card to fill up personal cars.
“A commercial card is a line of credit,” Harper says. “You’re extending a level of trust to the employee. You need to trust, but you also need to verify.”
A second risk is the misuse of internal payment processes, such as basic accounts payable functions.
To deter this, many companies rely on Positive Pay verification. Positive Pay requires a bank to compare each check that's presented to be cashed against the checks the company has issued. The system will flag the check if the serial number or dollar amount doesn't match. This helps ensure that only authorized checks get cashed.
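The matching step described above, as an added example (not code from the article, SunTrust, or any bank's system). The issue file, presented checks, and function names are constructed for illustration, and the duplicate-presentment check goes one step beyond the serial and amount comparison the text describes.

```python
from decimal import Decimal

# Constructed issue file: serial number -> amount the company actually wrote.
ISSUED = {
    "10451": Decimal("1250.00"),
    "10452": Decimal("89.99"),
    "10453": Decimal("4300.00"),
}

# Constructed presentments as (serial, amount) pairs read from the checks.
PRESENTED = [
    ("10451", "1250.00"),    # matches the issue file
    ("10452", "889.99"),     # amount altered after issue
    ("20999", "500.00"),     # serial the company never issued
    ("010451", "1250.00"),   # check 10451 presented a second time
]


def normalize_serial(serial):
    """Strip whitespace and leading zeros so '010451' and '10451' compare equal."""
    return serial.strip().lstrip("0")


def positive_pay(issued, presented):
    """Return (paid, exceptions); a check pays only on an exact serial and amount match."""
    outstanding = dict(issued)          # issued checks not yet paid
    paid, exceptions = [], []
    for raw_serial, raw_amount in presented:
        serial = normalize_serial(raw_serial)
        amount = Decimal(raw_amount)    # Decimal avoids float rounding on money
        if serial not in issued:
            exceptions.append((serial, amount, "serial not in issue file"))
        elif serial not in outstanding:
            exceptions.append((serial, amount, "already paid"))
        elif outstanding[serial] != amount:
            # Leave the item outstanding: the genuine check may still arrive.
            exceptions.append((serial, amount, "amount mismatch"))
        else:
            paid.append((serial, amount))
            del outstanding[serial]
    return paid, exceptions


if __name__ == "__main__":
    paid, exceptions = positive_pay(ISSUED, PRESENTED)
    print("paid:", paid)
    for item in exceptions:
        print("flag for review:", item)
```

Flagged items are held for the company to review and approve or return, rather than being paid automatically.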
Harper says other internal controls may include: rotating job duties, keeping payables up to date, ensuring ex-employees can’t access financial tools and resources, and having a person handle payroll rather than a machine.
Manipulating payment processes
One common type of online external fraud takes advantage of internal controls. This fraud often unfolds with a third party pretending to be a member of senior management. Posing as an executive, a hacker will send an email from a plausible-sounding address requesting an immediate payment.
Harper says it's important to establish payment procedures and follow them even in an escalated or urgent situation. Even if the person is the CEO, there should be a risk-compliance step where an accountant has to complete paperwork before the money is sent. With this type of fraud, it's generally a matter of watching out for a sense of urgency when there usually isn't one.
By setting up good internal controls and then monitoring the consistent execution of those controls, mid-sized companies can lower the odds of payment fraud and help keep their company finances secure.