Payment scams are spiraling. How can businesses respond?

As fraudsters get more creative, payment scams are on the rise. Many fraudsters have ingenious methods of manipulating customers into disclosing personal details or even convincing the customer to pay them directly.

Organizations that want to provide a good experience for customers while safeguarding their own reputation should take heed. The first step is to have a deep understanding of payment fraud. This includes knowing about popular payment scams and best practices for how to mitigate them so you can stay ahead of the scammers.

Customer-involved payment scams: The personal level

These days, customers get pulled into all types of payment scams. The pandemic only made matters worse – 2020 was a record-breaking year for scams, and there's no sign of a slowdown. Some scams, like romance scams and free money scams, strike at a deeply personal level. Let’s look at two broad types of payment scams that fall into this category.

Romance scams (also called relationship or dating scams)

With romance scams, fraudsters take advantage of their victims’ emotions. Generally, they target victims through dating apps or social media. First, they get close to the person and gain their trust so that the victim will be emotionally invested in the relationship. Then they start asking the victim to send them money. This usually starts with small amounts and increases over time.

Sometimes they claim to need money so they can travel to visit the victim, maybe because they live abroad. Other times, they claim to be ill or say they need money to pay rent. Victims, often embarrassed or in disbelief, keep sending money because they don’t want to believe it’s a scam.

Just like scams that take deep aim at someone’s personal life, payment scams that involve customers in their business lives feel personal, too – and therefore legitimate.

Boiler room scams (a.k.a., investment, pension, or free money scams)

Victims of this type of payment scam receive an unsolicited call, text or email from a fraudster pretending to work for a legitimate company. They sometimes offer the victim an investment opportunity promising high returns. Or they may say the person has won something but they have to pay taxes or fees first before receiving the prize.

Fraudsters sometimes set up fake websites and profiles to look like they work for legitimate companies. Usually, the offer they make is tied to a time limit. This forces the victim to act fast. As a result, they have less time to think things through or investigate the company and the offer.

How businesses can prevent personal-level customer scams

• Educate your customers and employees about these types of scams.
• Use customer demographics to identify at-risk segments, then take steps to flag and check higher-risk payments made to these segments.
• Monitor those who receive money to determine if there are suspicious patterns.
• If the payment is flagged, make sure the fraud check you do with the customer contains questions to ensure the customer isn’t being manipulated.
• Consider a cooling-off period for payments at high risk.

Customer-involved payment scams: The business level

Payment scams that involve customers in their business lives are all too common. And just like scams that take deep aim at someone’s personal life, these scams feel personal, too – and therefore legitimate. That’s the recipe for how fraudsters get away with stealing money and duping people into sharing payment information. Let’s look at two common types of business-level scams.

Business email compromise scams (also called CEO or CFO scams)

Fraudsters sometimes spoof or compromise the email address of a company’s CEO/CFO or another high-ranking person – then they send an email to an employee demanding that they make an immediate transfer. Employees, thinking the email is from their CEO or CFO, sometimes send the transfer without doing any additional checks to confirm the sender’s identity. They often forward the email request to other colleagues in the approval chain to reinforce the request and its time sensitivity. All these quick actions improve the likelihood that the payment scam will succeed.

Invoice redirection scams

In some cases, a fraudster will pose as a supplier or someone else conducting business with the victim. Then they email their contact person at the business, asking them to change their payment details. The new payment details redirect invoice payments to the wrong account.

Alternatively, the scammer may intercept an invoice and update the payment details to those of their own account. Any subsequent payments are then sent to the fraudster instead of the legitimate business.

How to prevent business-level customer scams

• Educate your customers and employees about these types of scams.
• Ensure dual approval processes are in place for both your accounts payable and finance departments.
• Compare the beneficiary’s name and account number combination for changes (which could indicate fraud).
• If payment is flagged, make sure you verify the payment with a different employee – not the same person who sent it. This additional oversight works in conjunction with other fraud prevention efforts.

Account takeover scams

Account takeover fraud happens when a criminal “takes over” a person’s financial account then uses it for shopping, conducting fraudulent transactions, and more. Sometimes the fraudster buys account information from the dark web. Other times, they get it directly from the victim. Here are three types of account takeover fraud businesses should recognize.

Customer education is one of the key tools businesses should use to fight back against payment scams.

Phishing or smishing scams

For this type of crime, the fraudster poses as a representative of the victim’s bank. They start by sending an email (phishing) or a text message(smishing), asking the victim to click on a link and enter their personal details or sign in to their account. The link is a fake one that the fraudster has created to look like a legitimate website. When the victim logs in, the fraudster captures their personal information – then they then take over the victim’s account.

Vishing scams

Fraudsters sometimes call their victims, pretending to be from their bank. During the phone call the fraudster attempts to obtain personal details from the victim, perhaps telling them that they already have fraud on their account. From there, the fraudster convinces the victim that they need to confirm sensitive information – like their social security number – so they can stop the supposed fraud that has taken place.

Tech support scams

With this type of scam, the victim receives a call or a pop-up message on their device, where the fraudster claims to be from a well-known tech company or mobile network. They tell the victim that there is a problem with their device, or that it needs an upgrade. Next, they persuade the victim to allow them to gain access to their device remotely. At that point, the fraudster installs malware to scan the device for confidential details or to capture user information when the victim logs in to their accounts.

How businesses can prevent account takeover scams

• Educate your customers about these scams.
• Use customer profiling to identify unusual payments, such as higher-than-normal values or suspicious countries (as compared with the customer’s past payments).
• Use a leading-edge analytics solution to gather session and device information. This will inform your strategies around searching for unusual patterns.

Learn more about payment fraud and how to fight back