On a regular basis, the e-commerce director at a Pennsylvania manufacturer used PayPal, as well as other digital and person-to person payment systems to buy equipment and services on behalf of the company.
The convenience of clicking a few buttons – instead of cutting physical checks or going through the hassle of a wire transfer – offered speed and convenience.
There was only one problem: many of the transactions were bogus, and over a two-year period the director funneled about $170,000 into his own bank accounts, according to Jeremy L. Witmer, a senior consultant in the business consulting services group at the professional services firm RKL LLP, which has offices across Central Pennsylvania.
There was “almost no oversight of the e-comm director,” according to Witmer. “His acts weren’t discovered until the company did a budget-to-actual review and found that more than $60,000 was paid to a web developer but never budgeted. The CFO asked for documentation, and realized the paperwork was faked. At that point we were called in.”
Tips from an insider
Alternative payment methods like Square, PayPal, Stripe and Payoneer represent a convenient and flexible way for businesses to accept payments from customers, according to Jeremy L. Witmer, a senior consultant in the business consulting services group at the professional services firm RKL LLP.
“On the flip side, however, allowing your employees to pay vendors through these methods can be a risky proposition,” he noted. “Because these payment methods are still relatively new, there is often confusion around the unique risks associated with them. However, once you understand these risks and common fraud schemes, you can institute a few best practices to prevent your company from falling victim to alternate payment fraud.”
Fraudsters often take advantage of the anonymity these kinds of services provide, he cautioned.
“While most companies have strong policies for cutting checks or making ACH payments, few have updated these policies to expand controls related to alternative payment methods,” he said. “Fraudsters know this and are happy to exploit this weakness.”
One weakness is the fact that credit card or ACH electronic transactions identify the payee on the credit card or bank statement.
“But alternative payment methods usually mask these payment details,” said Witmer. “Instead, the processor name, such as ‘Square’ or ‘PayPal’ will first appear on your bank statement. In some cases, however, the payee name will only appear on the statement if the vendor has set up their account to do so. In alternate payment schemes, the fraudster vendor will omit their name or use a misleading company name to hide the true payee identity.”
One defense is to institute a policy of tracking down supporting documentation relating to any payment that has been processed through an alternative payment method. “The goal is to verify that the payment was properly approved and is being made to a legitimate vendor,” Witmer added. “Supporting documentation can include purchase orders or original invoices.”
Another best practice is to limit the number of employees with direct access to company bank accounts and credit card numbers.
“Alternative payment method fraud relies upon the fraudster having access to the company accounts; otherwise, he’ll need to devise a different scheme,” noted Witmer. “Restricting employee use of company accounts is also important in investigating any suspicious activity. With limited users, it is much easier to quickly uncover the fraudster and stop them in their tracks.”
The firm worked with the State Police on the case, and the (soon-former) e-commerce director pleaded guilty, served time and had to make restitution.
“One of the reasons he was able to get away with this for so long was that the company didn’t have a procedure to verify and approve new vendors,” added Witmer.
The problem of fraud is a big one, according to a February posting from the information technology company IBM. “Online payment fraud losses from e-commerce, airline ticketing, and money transfer and banking services are expected to reach $48 billion by 2023, more than double the $22 billion in losses estimated for 2018,” noted the report, citing data from Juniper Research. “With the global rise in instant payment schemes, specifically new P2P payments methods, Juniper Research forecasts fraud losses for money transfers increasing by over 20 percent per annum to $10 billion in 2023.”
“We want to live in frictionless, one-click world, but that can bring its own problems,” said Jonathan T. Marks, a partner at the advisory, tax and assurance firm Baker Tilly and member of the forensic team. “When your bank account is linked to an outside payment provider, you need to be aware of what’s going on, and constantly monitor your transactions. Many people don’t bother to set up account alerts [which signal them about a variety of issues, including a transfer of funds above a certain dollar amount]. Even when merchants and individuals utilize two-factor authentication and other safeguards, that only helps to guard against — but won’t necessarily completely prevent — fraud.”
Financial institutions are also doing their part, he added. “If I use my credit card to buy gas in my hometown, and 60 seconds later my ‘card’ is charged for thousands of dollars of purchases in, say, Chicago, my bank may freeze the account. So that’s part of the solution, but there’s no single one-size-fits-all answer. You have to tailor a solution to fit each business and every transaction, because fraudsters are persistent and creative.”
No safety net
Nothing is 100% safe, according to Scott Groner, business technologist at the CPA and business consulting firm Concannon Miller in Bethlehem, but businesses and consumers alike can take some precautions, even if they involve tradeoffs.
“Merchants should try to know their customers,” he said. “When possible, request some form of valid identification, even though this may defeat the ease of digital transactions.”
He also has some advice for consumers when it comes to digital wallets, which can let them make in-store purchases by swiping their smartphones or other devices, instead of having to dig out a physical credit card.
“The beauty of using a digital wallet is that it’s not vulnerable to ‘skimmers’ [fraud devices attached to ATMs and other inputs that can swipe credit and debit card information], the way a physical card may be,” he said.
“But beware of using your mobile device on public wi-fi connections, since hackers may then be able to access your digital data,” he added. “Also, set your smartphone to lock after a certain period of time, so if you lose it, a hacker will have a tougher time getting into it. Finally, merchants and consumers alike should check their credit card and other account statements on a frequent basis to try to spot suspicious activity.”
Like freedom, the price of online financial security is eternal vigilance.