How to protect yourself from payment fraud

Words by
Charlotte Russell
October 7, 2024

With 2.97 million confirmed cases of fraud last year, it's essential to learn how to protect yourself and your business from these threats. This guide offers practical tips and strategies to help you proactively prevent fraud in your organisation.

Think SCOPE:

Software

Security standards

When choosing software, check how the vendor keeps your data secure from breaches and external fraud. If the software also moves money, check how it safeguards your funds as well.

It's important to review not just the tools you use for sending payments, but all the software involved in the payroll and supplier payment processes.

If you're an accountant or bookkeeper, you'll also want to look at the Best AML Software for 2024 - to minimise risk when taking on new clients.

Further reading 🚀 How to Structure Your Accounting App Stack: flinder’s 7-Step Process

Two-factor authentication (2FA)

Two-factor or multi-factor authentication (2FA/MFA) is a crucial security step that adds extra protection beyond just using a username and password. By asking for a second form of verification—like a code sent to your phone, a fingerprint scan, or a security token—it greatly lowers the chance of unauthorised access to your accounts.

This extra step makes sure that even if your password is compromised, an attacker would still need a second form of authentication to access your account.

Never share your two-factor authentication code, not even with your software providers.

Compliance

Depending on your industry, the clients you serve, the organisations and associations you belong to, and whether you are a registered business, there may be specific regulations and compliance practices you need to follow.

When it comes to payments, these measures are often to prevent fraud, both from external parties and internally.

For example, many insurance providers charge accountants and bookkeepers high premiums or refuse coverage if they access client bank accounts. Allowing team members to access these accounts can lead to costly mistakes or even fraudulent payments.

That's why Telleroo is ideal: it removes the need to access client bank accounts, so you can keep your insurance cover. Clients approve payments directly and take on that risk themselves, while enjoying a smoother experience by simply topping up their account to cover payments.

When reviewing a specific software, process, or procedure, consider these questions:

  • What are the possible risks involved?
  • If these risks occur, what negative effects or outcomes could we face?
  • Where can we find guidance on compliance best practices? (For example, associations, regulators, software vendors)
  • How can we reduce these potential risks?
  • Will reducing these risks positively or negatively affect the process or the client/team experience?
  • How can we manage any impact? Is there a balance where software and automation can assist?
  • How can we evaluate this change after it's implemented to see if it's effective? Can we track specific metrics or gather feedback?

Further reading 🚀 What are client accounts and should you be using them?

Operations

Once you understand all your software providers' security standards, and your compliance requirements, consider how your team and clients will use the software. What gaps for payment fraud might still exist? How can you reduce these risks?

Example: Adding invoices to your accounting software

How software helps: Using software to automatically add invoices to your accounting system helps reduce the risk of employee fraud, prevents duplicates, and minimises errors that can happen with manual data entry.

Possible risk: If there are no approval processes in place to cross-check invoices before processing payment, you might still be at risk of fraudulent invoices being added and paid.

🔒 Recommendation: To reduce this risk, it's important to have proper controls in place, like an approval process. This means another person should check and verify the invoice before it gets processed.

Possible risk: Fraudsters are getting clever. Emails and invoices can look like they're from your team or client, complete with signatures and branding. So when you're asked to make an urgent payment to a supplier you know, it's easy to fall for a scam.

As these scams become harder to spot, there's an increasing need for strong safeguards to keep your money and accounts safe.

Further reading 🚀 Fraudsters Are Adapting: Takeaways from UK Finance's 2024 Fraud Report

🔒 Recommendation:

Add an extra layer of protection against payment fraud by stopping the payment before it gets sent, with checks and tools shown in this diagram:

[Diagram: payment security and payment processing security measures]

Further reading 🚀 5 ways Telleroo helps to de-risk payments.

Define a clear process

Changing a current process can be challenging for both your team and clients if not handled correctly.

  1. Make sure that any current process diagrams/flows are updated.
  2. Update your team before introducing the new process - this stops the team from being blindsided by any questions from clients!
  3. Share any explanatory video, help centre articles or cheat sheets with the team.

Here’s an example process for accounts payable using Telleroo:

As shown in the example, multiple people review and check payments before they are sent out. Avoid putting all your eggs in one basket: don't assign every role to a single person.

Assign various roles to team members so that at least two people can review payments, helping to reduce the risk of fraud.

In Telleroo, you can assign several different roles:

  • Viewer - This role lets users view pay runs and payments, but bank details are hidden. If paired with another role, bank details will be visible.
  • Creator - This role allows users to create pay runs for approval and set up connections to other apps like the Xero bank feed.
  • Approver - This role enables users to approve pending pay runs. If combined with the creator role, users can create pay runs that don't need approval, which removes the second pair of eyes; only give one person both roles if you are prepared to accept that.
  • Admin - This role allows users to add or edit other users in Telleroo, including changing their own roles. It's best to limit the number of admins due to their extensive controls.

If you're an accountant or bookkeeper using Telleroo, you can assign Reviewers to let users review payments internally before sending them for client review. You also have the option to choose which team members can access specific clients in Telleroo.
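As an added example (not Telleroo's code or API), the role rules above can be turned into an automated check run over an exported user list: it flags a login that holds both creator and approver (and so can pay without a second check), a team with fewer than two approvers, and more admins than a chosen limit, and it confirms that a pay run was approved by a different person who actually holds the approver role. The role names follow the article; the team data, the admin limit and the shape of the pay-run record are assumptions.

```python
"""Added example: segregation-of-duties check over payment roles.
Not Telleroo code; role names mirror the article, rules and sample team are assumed."""
from dataclasses import dataclass

KNOWN_ROLES = {"viewer", "creator", "approver", "admin"}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def check_role_assignments(users, max_admins: int = 2):
    """Return (code, detail) findings for assignments that weaken the four-eyes control."""
    findings = []
    for u in users:
        unknown = u.roles - KNOWN_ROLES
        if unknown:
            findings.append(("UNKNOWN_ROLE", f"{u.name}: {sorted(unknown)}"))
        # creator + approver on one login lets that person pay without a second check
        if {"creator", "approver"} <= u.roles:
            findings.append(("CREATOR_IS_APPROVER", u.name))
    approvers = sorted(u.name for u in users if "approver" in u.roles)
    if len(approvers) < 2:  # one approver off sick means no cover, or one person to social-engineer
        findings.append(("SINGLE_APPROVER", ", ".join(approvers) or "none"))
    admins = sorted(u.name for u in users if "admin" in u.roles)
    if len(admins) > max_admins:  # admins can change anyone's role, including their own
        findings.append(("TOO_MANY_ADMINS", ", ".join(admins)))
    return findings


def has_four_eyes(pay_run: dict, users) -> bool:
    """True only if the run was approved by someone other than its creator who holds the approver role.
    pay_run shape is assumed: {"id": ..., "created_by": name, "approved_by": name or missing}."""
    by_name = {u.name: u for u in users}
    creator, approver = pay_run.get("created_by"), pay_run.get("approved_by")
    if not approver or approver == creator:
        return False
    return "approver" in by_name.get(approver, User(approver, frozenset())).roles


# Constructed sample teams (not real people)
GOOD_TEAM = [
    User("alice", frozenset({"creator"})),
    User("bob", frozenset({"approver"})),
    User("carol", frozenset({"approver", "viewer"})),
    User("dan", frozenset({"admin"})),
]
BAD_TEAM = [
    User("alice", frozenset({"creator", "approver"})),
    User("bob", frozenset({"admin"})),
    User("carol", frozenset({"admin"})),
    User("dan", frozenset({"admin"})),
]

if __name__ == "__main__":
    for label, team in (("good", GOOD_TEAM), ("bad", BAD_TEAM)):
        print(label, check_role_assignments(team))
    print(has_four_eyes({"id": 1, "created_by": "alice", "approved_by": "bob"}, GOOD_TEAM))
    print(has_four_eyes({"id": 2, "created_by": "alice", "approved_by": "alice"}, BAD_TEAM))
```

Run it against a periodic export of your user list rather than once at setup: role changes made by an admin after go-live are exactly the drift such a check exists to catch.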

Procedure

Establishing a clear fraud prevention procedure to share with teams is vital for reducing risks and ensuring a quick response to potential threats. A well-documented procedure provides a standard approach for all team members, helping to minimise confusion and delays in critical situations.

The procedure should clearly set out the steps for reporting a suspected fraudulent request, including notifying a designated fraud prevention officer or using a secure, confidential communication channel.

At a minimum, if something seems suspicious, team members should verify it through a different channel. For example, if they get an email that looks like it’s from the Director asking for a payment, they should call the Director to confirm it’s real. This may also involve steps to verify the identity of requestors, cross-reference information, and quickly flag any unusual or unexpected requests.

It's also important to include the following in your procedure and fraud prevention training:

  • Urgency / Pressure / Threats: If you get a call or email from someone claiming to be your employee, supplier, or Telleroo and you feel rushed or pressured, politely end the call with, "Let me get back to you." Then contact that party using the phone number or email address you already hold for them, never one supplied in the message itself, to verify that the request is genuine.
  • Updating account details for suppliers: If a supplier or employee contacts you to request changes to account information, call them back on the number you already have on file to verify the request before changing anything.
  • Too good to be true: Cheap goods can be a great deal, but they might also be a red flag. If a price seems too good to be true, take a moment to check the company's online presence and reviews.
  • Using scare tactics: "Your account is hacked. Move money to a safe account." Telleroo will never request that you transfer funds to a "safe account." If we need to change your account number, we'll ask you to send funds back to your original corporate account used for funding Telleroo.

Education

After you share your procedure with the team, develop training and tools to ensure ongoing learning and awareness of fraud prevention.

At Telleroo, we use Albert to train the team to spot fraudulent emails.


The team can practise spotting and reacting to fraudulent activities in a safe setting. These mock drills are helpful for finding gaps in current processes and identifying areas that may need additional training.

Looking to discuss your accounts payable process? Sign up for Telleroo here, where you can also schedule a call with our team. You'll have the chance to explore and test Telleroo, and we'll talk through a solid process for your team.