EFT Payments & Fraud Report 2020-2021

Any efforts to confront this growing threat must begin with an accurate assessment of current circumstances, as well as a commitment to enhancing threat awareness levels among the broader business community. For this reason, eftsure conducted a widespread survey in conjunction with Crime Stoppers NSW to determine what CFOs, Accounts Payable managers and others perceive about the extent of the risk.

We then examined these perceptions against the statistical evidence from our own platform to determine whether they align or diverge.

This represents a first step in initiating a conversation that aims to ensure all Australian organisations are ultimately equipped to uplift their resilience against payments fraud moving forward.

The data in this report is derived from two primary sources:

Statistics drawn directly from eftsure’s proprietary platform. Our platform is built on a database that aggregates data from over 2 million Australian organisations. Unless otherwise stated, all data is from the dates 1 July 2020 – 30 June 2021.

Responses to a survey eftsure conducted through July/August 2021 in conjunction with Crime Stoppers NSW. This survey queried CEOs, CFOs, Accounts Payable managers, Risk and Compliance managers, CISOs, Auditors and others about their perceptions and experiences of B2B payment security, specifically electronic funds transfers (EFTs).

The past year has seen unprecedented changes to the way we all live and work.

The pandemic, along with associated lockdowns, has seen working-from-home become commonplace. Consequently, the procedures and controls that organisations spent years developing have had to be rapidly adapted to accommodate the new reality.

This is having a profound impact on accounting processes, in particular the way organisations run their Accounts Payable functions.

The changes are exposing organisations to greater levels of payments fraud than ever before. Staff working-from-home are more exposed to cyber-crime through the use of residential wifi routers and personal devices. Fraudsters are deliberately targeting sectors, organisations and payment types they perceive to be particularly vulnerable in circumstances where the ability to verify transactions is constrained.

Even an organisation’s suppliers may be more exposed to cyber-crime which has ramifications throughout the entire supply chain.

For CFOs and Accounts Payable managers, maintaining internal controls around outgoing payments has never been more challenging. Accounts Payable staff need to liaise remotely with colleagues when conducting 3-way matching prior to paying invoices. Conducting call-backs is harder than ever as suppliers are also working-from-home.

All this heightens the risk Australian organisations are facing.

Despite these risks, 37.9% of respondents to our survey believe their organisation is secure from fraud and cyber-attack. 

Do you think your organisation is secure from fraud and cyber-attacks?

The reality is that no organisation is ever truly secure from these threats. Cyber-criminals and fraudsters are continuously adapting their tactics to take advantage of any new perceived weakness.

Preventing payments fraud is an ongoing challenge that demands ongoing vigilance.

The challenge for CFOs is complex. Whilst they may be responsible for establishing Accounts Payable controls and often have oversight of their organisation’s fraud prevention strategy (38.4%), they are typically not the individuals that actually process payments.

Who is chiefly responsible for digital fraud prevention in your organisation?

Within the context of the traditional office environment, it was possible to maintain robust payments controls. But, in a world where most Accounts Payable staff are working-from-home, it becomes much harder.

In 62.1% of organisations, it’s the Accounts Payable team that is responsible for processing invoices.

Who has primary responsibility for processing invoices in your organisation?

In this new world of working-from-home, CFOs need to find ways to ensure continued adherence to payment controls, so their organisation is not exposed to a heightened risk of fraud.

48.3% Of survey respondents acknowledge that their Accounts Payable teams need some degree of additional training, tools or technologies to aid them in the fight against payments fraud.

AP teams are on the front line fighting payments fraud. Currently, our AP team:

What structural flaw in online banking is the leading cause of payments fraud?

Do you believe your bank is investing in solutions to strengthen payments security?

However, 56% of survey respondents also believe that the banks are investing in solutions to strengthen payments security.

In reality, the banks are limited in their ability to remediate this verification gap.

This is just one example of where perceptions about payments risks diverge from the reality. Below we explore some of the other kay findings and how they align or diverge with the statistical evidence from the Eftsure platform.

1) So you think you have strong fraud controls?

If there’s one outstanding takeaway from the latest Annual Cyber Threat Report by the Australian Cyber Security Centre (ACSC) it’s this: Business Email Compromise (BEC) attacks are rising exponentially.

Whereas other categories of cyber-attacks saw a year-on-year decline, BEC losses rose by a staggering 15%, now costing Australian organisations over $81.5million. Even more disturbing was the fact that losses from the average successful BEC attack jumped 54% to $50,600.

So, it makes sense that approximately half of our survey respondents reported significantly higher (16.5%) or higher (34.1%) concerns around payments security compared with the previous year. Surprisingly, just under half of respondents reported that their levels of concern were unchanged (47.3%), lower (1.1%) or significantly lower (1.1%) compared to the previous year.

It seems that for some organisations, risk perceptions diverge significantly from the objective reality.

Our current payment security concerns, compared to the previous year, are:

When asked to describe their organisation’s posture against fraud or cyber-crime, a clear majority of over 57% believe they have very strong (7.3%) or strong (50%) controls in place to mitigate the risk of payments fraud.

What best describes your organisation’s posture to fraud and cyber-crime prevention?

At Eftsure, our experience strongly correlates with the statistics published by the ACSC. Through FY 2020-2021, we saw 17% of all verified payments result in a RED thumb, compared with just 10% in FY 2019-2020.

Year-on-year percentage change in safe, risky or unverified payments

For any organisation that has eftsure integrated into its accounting processes, a RED thumb is an important indicator that an EFT payment should be halted pending further investigation. A RED thumb notification is significant, as it flags an anomaly in the payment details.

There could be a variety of reasons for RED thumb signals:

• The supplier’s banking details may have been maliciously altered
• The supplier’s banking details may have been incorrectly entered
• The supplier may have updated their banking details without notifying you
• The destination bank may have updated their banking details

Pausing payments that are flagged with a RED thumb gives your Accounts Payable team the opportunity to investigate the transaction more closely to ensure the information is corrected before proceeding with the transaction.

The year-on-year rise in RED thumbs from 10% to 17% is an indicator that attempts to defraud Australian organisations are increasing significantly.

At the same time as the number of RED thumbs increased, instances of ORANGE thumbs declined. ORANGE thumbs indicate as-yet unverified payment details. With the expansion of eftsure’s database, now covering over 2 million Australian organisations, fewer supplier banking details remain unverified, resulting in less instances of ORANGE thumbs.

2) Payment Fraud: The Other Pandemic

In an attempt to contain the spread of COVID-19, millions of Australians transitioned to working-fromhome in FY 2020-2021. However, not all Australians were equally impacted. Victorian residents spent significantly longer in lockdown than any other Australians.

So, how did working-from-home impact payment security?

In short, there seems to be a clear correlation between working-from-home and an increased risk of payment fraud.

According to the latest Targeting Scams Report from the Australian Competition and Consumer Commission (ACCC), Victorians recorded $49 million in losses to scams, the highest of any state or territory and more than double the previous year’s figure.

The undeclared pandemic: Victoria sees 12% rise in high-risk payments as staff work-from-home.

At eftsure, the impact of extended lockdowns and working-from-home on payments security was clearly reflected in the volume of RED thumbs experienced by each Australian state and territory.

When comparing RED thumb notifications in FY 2020-2021 with the previous year, every state and territory saw a rise. However, the rise in Victoria, with its extended lockdown, was substantially higher than other large states, such as NSW or Queensland, where staff were not required to work-from-home for such extended periods. Victoria experienced a dramatic 12% year-on-year increase in RED thumbs notifications.

It seems clear that fraudsters are targeting states in lockdown in the knowledge that controls around payments are harder to maintain when staff are working-from-home.

When working-from-home, many Accounts Payable staff may find it increasingly challenging to verify the legitimacy of payments without the ability to easily confer with colleagues or superiors. This undermines payment controls and makes it easier for fraudsters to engage in Business Email Compromise attacks.

3) Simple Human Error: It Could Be Your Greatest Risk

In your opinion, what threat poses the most risk to outgoing payments?

Invoice redirection scams, hackers and Business Email Compromise attacks all regularly make the headlines.

Despite this, 26.4% of respondents identified human error as posing the greatest risk to their outgoing payments. We know that human error is a major contributing factor to data breaches. So, it makes sense that organisations should also be concerned about human error resulting in incorrect payments.

26% of organisations view human error as posing the greatest risk to their outgoing payments. 

Many organisations are still overly reliant on manual processes to input supplier data into ERP systems, undertake manual bank account verifications, and maintain manual payment control procedures. With such extensive human involvement in the procure-to-pay cycle, it’s easy to see how the greatest risk to payments may be human error.

Mitigating the risk of human error starts with making greater use of technologies that can automate much of the procure-to-pay cycle. This allows the Accounts Payable team to maintain closer oversight of payments, without being responsible for many of the manual processes that are both time consuming and prone to error.

Many organisations rely on Eftsure to automate their bank account verification procedures, thereby achieving greater efficiencies and mitigating the risk of human error.

4) A Wake-Up Call for All Organisations: Don’t Skip Call-Backs

What controls do you follow before paying an invoice?

• Call-back verification: 27.1%
• Match invoice to Purchase Order: 45.8%
• Duplicate invoice search: 46.9% 
• Match Invoice to Purchase Order and Receipt: 53.1%
• Segregation of Duties: 67.7%

Call-backs are one of the most basic, but important, controls every organisation should implement to ensure supplier banking data is current and accurate.

It is critical that organisations communicate directly with their suppliers via telephone to verify banking information before processing payments. As the risk of Business Email Compromise and invoice redirection scams grows, call-back controls have never been more important. Despite this, only 27.1% of survey respondents conduct call-back verifications.

This is a staggering gap in verification procedures that is leaving the majority of organisations exposed to a significantly heightened risk of fraud.

With only 27.1% of survey respondents conducting call-back verifications, many organisations are leaving themselves exposed to a significantly heightened risk of fraud. 

Whilst most CFOs and Accounts Payable managers understand the importance of call-backs, this is no guarantee they are actually taking place. Call-back controls are manual and time consuming. Many busy Accounts Payable teams may be tempted to cut corners, or skip them entirely. It’s possible many CFOs aren’t even aware call-backs aren’t always being done.

Conducting call-backs with suppliers is one of the most effective ways to identify and stop fraud.

5) Your Small Payments Could be a Big Target

To many fraudsters out there, it doesn’t matter whether you’re paying a $1,000 invoice, or a $1 million invoice. If they sense an opportunity to defraud you – they will!

It’s a mistake to assume fraudsters only target large payments. They are actively looking to divert any funds they can. Often, small payments are processed without the caution used with large payments, making them a soft target.

Statistics from eftsure underscore the threat to small sized payments. Whilst FY 2020-2021 saw a rise in the rate of RED thumbs across most payment size categories, small payments valued under $1,000 saw the steepest year-on-year increase.

This indicates that fraudsters may be actively targeting small payments that they perceive to be vulnerable because
organisations often neglect to implement sufficiently robust controls around such payments.

6) Email Remains the Greatest Risk

We all rely on email. It’s hard to imagine running any organisation without it. However, fraudsters understand that email systems can be compromised and manipulated in multiple ways, allowing them to defraud organisations all over the world.

The risks posed by email are well-understood by the survey respondents. 66.7% view email interception and manipulation as the most significant communications security gap that can result in payments fraud.

Of course, email isn’t the only communications security gap. Deepfakes and redirecting callbacks do certainly occur. However, these are more complex for fraudsters, requiring a greater investment of time and resources.

Email-based tactics remain the most efficient for fraudsters. As such, there is unlikely to be any decline in Business Email Compromise attacks in the near future.

7) Even with Robust Internal Controls, Outside Factors May Make You a Target

Fraudsters are always adapting to take advantage of perceived vulnerabilities. The challenge for every organisation is that, whilst you may have implemented robust internal controls to secure payments, you may still be targeted due to vulnerabilities in your industry or in third-party organisations in your supply chain.

Consider this: One of your supplier’s systems is compromised, allowing fraudsters to gain access to their email accounts. The path is now clear for them to tamper with invoices and manipulate banking data. You end up transferring funds to the fraudster, rather than the intended supplier. Through no fault of your own, you have been defrauded on the one hand, whilst still remaining liable for the outstanding invoice that needs to be paid to the supplier.

This is why supply chain security is critical. You need to have visibility into whether the third parties you transact with also have robust internal controls.

17.6% of survey respondents are unaware as to whether they, or others in their supply chain, have experienced a cyber-attack or digital fraud. Organisations need to communicate with suppliers, so they understand their exposure to supply chain vulnerabilities. 

Supply chain risks are further heightened if you, or your suppliers, happen to be in a highly targeted sector.

One trend causing concern is the determination with which scammers are increasingly targeting the education sector. It is a trend that has been exacerbated by lockdowns, with educators increasingly reliant on email for communication between administrators, teachers and students.

Reports indicate that educational institutions are twice as likely as the average organisation to be targeted with a Business Email Compromise attack. The risks faced by educational institutions are reflected in the fact that this sector saw a steep rise in the percentage of RED thumbs between FY 2019-2020 and FY 2020-2021.

Additional sectors showing an increased percentage of RED thumbs are the not-for-profit and healthcare sectors – both of which have also been targeted by scammers throughout the pandemic.

8) Flying Under the Radar Not Viable for SMEs

For any small-medium enterprise (SME) that thinks it can fly under the radar and avoid being targeted by fraudsters, it’s time for a rethink.

The threat posed to SMEs is more severe than many realise. 71.9% of all business scams reported to the ACCC were from micro, small or medium-sized organisations, with under 199 employees.

71.9% of business scam reports come from micro, small or medium sized organisations. 

In many cases, SMEs remain unaware that this threat is so widespread. This is particularly concerning as SMEs are often targeted by fraudsters due to the perception that many lack robust internal controls. The problem is exacerbated because many SMEs erroneously believe they are too small to be targets. However, the reality is that fraudsters always follow the money.

This means that any organisation may be targeted.

SMEs without robust payment controls may be seen as a soft touch, putting them at heightened risk. At Eftsure, our data clearly shows that only 65.02% of transactions by small organisations displayed a GREEN thumb. However, 82.4% of transactions by large organisations displayed a GREEN thumb.

By contrast, 32.59% of transactions by small organisations displayed an ORANGE thumb, whilst just 15.73% of transactions by large organisations displayed an ORANGE thumb.

Clearly, small organisations have less certainty around their payments compared to large organisations. With fewer GREEN thumbs, small organisations lack certainty that many of their payments are being sent to the correct recipient. At the same time, more ORANGE thumbs being displayed indicates there are question marks over more of their supplier payments.

Organisation size is based upon Australian Bureau of Statistics definitions:

• Small: 1 – 19 employees
• Medium: 20 – 199 employees
• Large: 200+ employees

It is essential that SMEs understand the extent of the threat. It is just as important for SMEs to implement robust controls to safeguard their payments.

Every organisation may be targeted with payments fraud, but that does not mean every organisation will be a victim of payments fraud. Whilst 53.8% of survey respondents claimed not to have been targeted, 46.2% either experienced a serious attempt to defraud them (22%), suffered one or more losses (14.3%) are simply unaware if they were targeted (9.9%).

The key lesson is that every organisation needs to treat the threat seriously and take responsibility by strengthening its own payments security controls. Many organisations still believe external institutions will be able to recover their funds in the event they are defrauded. Survey results show that 50.5% of respondents erroneously believe the banks can recover the funds. The reality is that in many instances banks cannot recover funds.

The- mistaken belief that funds can be recovered leads many organisations to be complacent about taking action to mitigate their risk of payments fraud. It also leads many organisations to be overly optimistic (48.4%) about whether they are investing sufficiently to prevent payments fraud.

The statistical evidence from Eftsure shows that significant levels of organisational uncertainty surround EFT payments. Perceptions of the threat often diverge from the statistical reality. With a threat landscape that is constantly shifting as malicious actors adopt new attack vectors to take advantage of perceived vulnerabilities, vigilance is essential.

Every organisation needs to embrace measures that will strengthen their resilience against both current and future threats to payments security. This must be a multi-layered approach, incorporating people, processes and technologies:

• People – ensure your Accounts Payable staff are fully trained in the range of threats and know what signals to lookout for
• Processes – ensure your organisation has robust policies and procedures that all Accounts Payable staff follow to mitigate the risks of payments fraud
• Technologies – embrace automated controls that enable your Accounts Payable staff to efficiently process large volumes of invoices without increasing your exposure to the threats

Eftsure is a unique fraudtech solution that sits on top of your accounting processes. Our database comprising over 2 million Australian organisations, allows Accounts Payable teams to verify supplier banking details in real-time, immediately prior to processing an EFT payment.

When a supplier’s banking details in your systems match the records in our database, the payment will display a GREEN thumb signal. A mismatch results in a RED thumb signal, whilst an unverified supplier results in an ORANGE thumb signal. This user-friendly approach ensures that your

Accounts Payable team gain assurance that the banking details are up-to-date and accurate. It reduces the risk that malicious actors may have manipulated supplier banking information in order to redirect payments. It also helps reduce the risk of human error resulting in incorrect payments.

Contact Eftsure today for a comprehensive demonstration of the power of our fraudtech solution and ensure your organisation becomes resilient in the face of this growing threat.