Payment fraud incidents in 2011 declined to the lowest level
in seven years, according to the Association for Financial Professionals' 2012
Payments Fraud and Control survey. Even so, "two-thirds of companies
experienced attempted or actual fraud during 2011," AFP noted,
underscoring the "persistently high incidence of fraud" and the need
by corporations to take steps to mitigate exposure.
Nearly three-quarters of organizational payment fraud
victims last year sustained no financial loss. Of those that did, the typical
loss was $19,200. About 20 percent of fraud victims reported losses of $100,000
or more.
The study found that "large organizations were
significantly more likely to have experienced payment fraud than smaller ones"—81
percent of 2011 fraud victims had annual revenue above $1 billion. The figure
jumped to 90 percent among those organizations with such revenue and more than
100 payment accounts. Across all respondents, 28 percent said incidents of
fraud increased in 2011 from 2010.
"The war against fraud is by no means over,"
according to Stephen Markwell, executive director of J.P. Morgan, which
underwrote the annual AFP study. "As payment options proliferate, so too
do new twists on fraudsters' schemes and techniques. Checks continue to lead as
the payment type most attacked, even as their use dramatically declines."
Eighty-five percent of the 447 corporate financial professionals
surveyed said their organizations experienced a check fraud attack in 2011.
Among all survey respondents reporting losses from fraud, six in 10 identified
checks as the method.
"Checks remain highly vulnerable to fraudulent
activity, which has spurred many companies to switch to less vulnerable
electronic payments," according to prepared remarks from AFP president and
CEO Jim Kaitz. "Now fraudsters have shifted their focus to higher-value
payoffs, including attempting to hack into corporate accounts."
Across the full survey base, 20 percent said they
experienced attempted or actual fraud on their corporate or commercial cards.
Among this subset of commercial card fraud victims, 34 percent said their
organizations suffered actual financial losses while another 34 percent said
the card issuing bank incurred losses, 22 percent cited the merchant and 6
percent cited a card processor.
"When an organization is responsible for the financial
loss associated with fraudulent use of its corporate/commercial cards, it is
usually because of employee-caused loss," according to the study. Asked to
identify the primary party responsible for the B-to-B card payment fraud, 38
percent cited employees and 16 percent said a third party such as a vendor,
professional services provider or business trading partner. The majority cited
an unknown external party.
Nearly 90 percent of respondents said their organizations
used corporate/commercial cards for business-to-business payments. Of the
respondents who cited actual or attempted fraud on such cards, nearly 75
percent specified purchasing cards, followed by T&E cards (38 percent), one
cards (26 percent), ghost or virtual cards (23 percent), fleet cards (15
percent) or UATP airline travel cards (2 percent).
In contrast to overall findings, the study indicated that "smaller
organizations were more likely than large ones to have seen fraudulent activity
on their corporate/commercial cards in 2011."
Other Methods Of Payment Fraud
Respondents also cited payment fraud via such other methods
as Automated Clearing House debits (23 percent) and credits (5 percent),
consumer or small business credit or debit cards (12 percent), wire transfers
(5 percent) and payroll and, a new category to the annual survey, other benefit
cards (5 percent).
Given that two-thirds of responding companies reported an
increase in fraud attempts last year, AFP officials urged companies to use a
variety of defense mechanisms to combat attacks.
"Looking at payments fraud in a cost/benefit context
continues to make sense," according to the study's authors. "Corporate
practitioners must balance the cost of implementing controls with the
potential—or perceived—risk of loss." That perception of risk "varies
considerably across industries, organizational size and level of globalization
in the payment mix."
Such controls as "positive pay and daily reconciliation
unquestionably prevent fraud losses," AFP wrote. "Fraud losses are so
well-managed that many more companies incurred higher expenses to defend
against and clean up fraud (59 percent) than those that experienced actual
losses (26 percent)."
Losses tended to occur when organizations "were unable
to comply with their own fraud control procedures—typically failure to perform
timely reviews, or mistakes or outright fraud from employees."
Some are required to comply with a rigorous assessment and
audit detailed by the Payment Card Industry Security Standards Council. A
typical organization subject to PCI compliance last year spent $18,400 on the
effort, according to the survey.
Meanwhile, Visa-owned payment management firm CyberSource, as
part of its 2012 Online Fraud Report, conducted a survey of 325 online merchants
in the United States and Canada. Respondents on average reported larger losses
versus the prior year due to fraud, up to 1 percent of online revenues. Based
on e-commerce revenue projections, CyberSource estimated 2011 revenue losses of
$3.4 billion, $700 million more than the figure included in its 2010 annual
report.
This report originally appeared in the May 2012 issue of Travel Procurement.