Business fraud: How to help protect your company

Fraud protection is a priority for businesses across virtually every industry. The potential for costly losses, financially—with the average case lasting 12 months and leading to a loss of $117,000—and to a company’s reputation cannot be ignored. In fact, PwC found that nearly half of all businesses have experienced fraud, corruption or some other form of economic crime within the last two years, with external perpetrators driving the most considerable risks. 

Mitigating business fraud, however, can be more challenging in practice than in theory. That’s why we sat down with Teerna Choudhury, business director of fraud mitigation at Capital One, to share some insights about helping to protect your company from fraud. 

The types of business fraud are differentiated by how fraud is committed, what an attack is targeting and the tools used in the attack. According to Choudhury, “To help prevent fraud, business leaders require knowledge of potential signs of fraud and an established process for escalating information regarding possible fraud attempts.” 

Phishing and malware

Phishing and malware are two of the most common kinds of external business fraud. Both involve stealing essential data, albeit through two distinct methods. 

Phishing occurs when a scammer attempts to solicit information, like financial data or confidential personal details, by tricking targets into believing a request is legitimate. Phishing is usually done via electronic means like text messaging or email. 

On the other hand, malware is a form of software designed to damage a computer or steal files. Malware can infect a device in a few different ways but usually involves downloading a program, interacting with a website or opening attachments. 

The consequences of both phishing and malware are similar and can range from loss of intellectual property to significant financial impacts. “When done effectively, scammers can steal millions of dollars, access business secrets and interrupt the course of business indefinitely,” Choudhury said. 

Some of the most common signs of phishing and malware are: 

• Unusual content or requests in an email
• Poor grammar and misspelled words 
• Extreme and atypical urgency in messages 
• Emails from strange domain addresses 
• Suspicious confirmation requests of login data or banking information 
• Suspicious attachments or software download requests from strange sites

Business email compromise

Business email compromise, or BEC, is a form of business fraud in which third-party scammers pose as authentic contacts within a business to exploit employees. In practice, this may look like a fraudulent email impersonating someone in human resources requesting banking information from a payroll team member. When done at a high level of sophistication, scammers can make emails look and read like internal messages, giving other employees no reason to doubt requests. 

According to Choudhury, “Intuitively, BEC attacks are most commonly targeted at accounts payable, treasury and C-suite divisions and most commonly request payment authorization of some sort, like credit card charges, ACH transfers, wire transfers and checks.” 

Choudhury said, “Recognizing BEC fraud in small businesses requires a higher level of employee awareness than phishing attempts, which are often somewhat obvious. As most employees are trained to trust their colleagues, even in large companies with thousands of team members in locations worldwide, knowing how to address what appear to be legitimate business requests can be complicated.” 

Business leadership is encouraged to train employees to be guarded with any kind of financial requests, especially from unknown persons or unusual departments, or requests with an unusual urgency. For companies that flag internal versus external emails, employees should be prepared to report or investigate any requests from outside an internal system. In addition, putting checks in place to ensure multifactor authentication on all transactions can go a long way in helping prevent fraud. 

Internal fraud

Internal business fraud refers to any fraud committed by an internal member of an organization rather than a third-party scammer. Unfortunately, internal fraud can occur in numerous ways, including: 

• Embezzlement: This form of fraud occurs when an employee steals funds or property from an employer, whether by stealing physical cash and items, forging invoices, writing fraudulent checks or otherwise claiming assets. 
• Accounting fraud: Accounting fraud requires manipulation of financial records, like ledgers or financial reports, to misstate assets or funds or to hide improper use. Things like false invoices, altering accounting software, miscategorizing expenses and intentional errors in reporting can be ways to commit or cover up accounting fraud. 
• Information theft: This fraud takes place when an employee steals any kind of confidential information and either keeps it for personal use or sells it to a competitor. This kind of information can extend to anything proprietary, including IP, trade secrets, financial information and customer lists.  
• Bribery: Bribery involves accepting gifts or compensation in exchange for unethical or illegal activity, like awarding contracts, approving expenses or otherwise taking actions that aren’t permissible. 

Choudhury said, “Recognizing internal fraud is often challenging due to the different avenues available; educating employees on the most common types of fraud within their job functions can keep both workers and leadership aware and engaged.” 

No system is perfect, but implementing these policies can effectively help prevent fraud at the source and address it adequately should existing defenses prove fallible. To recap: 

• Educate and continually re–educate employees on the kinds of fraud, signs of fraud and how to take action in cases of suspected fraud. 
• Implement a process or system that can be used for fraud reporting, like a website, hotline or help desk, depending on company needs. 
• Background check all new hires, especially those in financial roles; ongoing background checks may also be recommended at companies with regulation or compliance requirements.
• Keep work duties segregated as needed to minimize the risk that one employee’s mistake can’t open the door to fraud. 
• Work with internal and, if required, external auditors to review financial statements for red flags, like unusual transactions or unverifiable numbers. 
• Invest in cybersecurity, whether internally or via a third-party firm, and make sure all data security and encryption practices are up to date. 
• Ensure insurance policies cover losses or damages from all forms of business fraud. 
• Consistently appraise security measures in place; as companies grow or business needs evolve, what formerly protected a company may no longer be enough. 

Establishing appropriate layers of mitigation is the goal

When a company’s mission is to help prevent fraud, it’s important to make sure all levels of operations are maximally resilient. This means starting from the inside out. A culture of smart, savvy and informed professionals, services designed to mitigate fraud, policies centered around accountability and protection and an up-to-date and on-point infrastructure can all work in tandem to ensure prevention efforts are active on every level. 

Business fraud mitigation may feel like an insurmountable struggle or a process that is destined to fail, but the right resources can be key. Capital One has associates who can provide deep insights into trends impacting business leaders.

Business fraud mitigation is the kind of work that requires proactivity, not reactivity. Companies should consistently work to improve mitigation efforts, rather than waiting for bad things to happen or responding after the fact. These tips can help contain B2B fraud. 

Make it hard for scammers

Choudhury said, “The best way to deter fraud is to make your business a challenging target. When nefarious players see strong defenses and limited entry points, they’re more likely to move on to an easier target.” This is why putting as many defensive strategies as possible in place against payments fraud should be a business priority regardless of industry. 

Risk management teams may implement policies to make fraudulent transactions as unlikely as possible. “Taking steps like ensuring transactions are never communicated via email alone, putting multifactor authentication in place for validating payment instructions and making transfers and prohibiting last-minute payment instruction changes can make defrauding a company challenging,” according to Choudhury.

Sustain and scale the effort

Sustaining and, as necessary, scaling mitigation efforts is integral to maintaining strong defenses.

Employee education is paramount; when everyone understands the risks and how to identify potential problems, the chances of lasting consequences are reduced. Make sure fraud mitigation is a part of annual refresher training, even for teams not involved in customer interactions, finance, payroll, treasury or accounts payable. 

Provide real-life examples of how fraud may manifest and set up trials, like putting a phishing reporting policy in place and consistently testing employees to be sure they understand and can follow protocols.