2023 Payments Barometer finds lack of preparedness for insider threats

Fraud and Financial Crime


Ruud Grotens

Jun 15, 2023

The 2023 Business Payments Barometer, released earlier this week, finds businesses in the US and Great Britain making progress on stemming the tide of payments fraud by applying new technology solutions and solid security practices. But on the flip side, and as much as we’d like to not believe it, financial crimes are increasingly associated with internal involvement. Although technology solutions await, the report indicates that financial decision makers fear that prevention measures might not be keeping pace with security threats.  

These are just a few of the key findings in the fraud section of the report, which surveyed 1,600 financial decision-makers split between GB and the US. The data has implications for corporates of all sizes as they fight new and existing fraud vectors and continue to forge relationships with their banking and fintech partners to counter them. But before we get to the various data points covered in the report, let's unpack the increasing incidents of insider threats.

By the numbers, when US businesses were asked to rate the level of concern among different fraud types, 73% singled out “a great deal or a fair amount of concern” about insider fraud, followed by the same sentiments attached to authorized push payment fraud (72%) and external cyber-attacks (also 72%). In GB, external cyber-attacks caused the most worry (great deal or fair amount of concern) for corporates at 72%. Concern for authorised push payment fraud came in second at 60%, with insider fraud at 59%. In the US, only 47% of companies surveyed used automated employee behaviour monitoring to detect suspicious conduct, compared with 40% of GB companies.

The data implies that companies on both sides of the pond are aware of the increasing prevalence of insider threats but might not be aware of how best to stop them.

The findings are concerning and might just be the tip of the iceberg given the prevalence of hybrid work environments where a company’s devices are taken to remote locations. For example, security and compliance personnel might suspect unethical or even criminal behaviour, but without solid evidence many cases slip off the radar. The hybrid work environment also adds a different level of complexity because some of these actions happen unintentionally. Companies are also discovering that the risk is not just financial; it extends to other actions such as leaking or stealing sensitive company data. Add macroeconomic pressures to the mix and you have a perfect environment for insider threats.

On all fronts banking and fintech partners can help mitigate insider fraud. The fact that 47% (US) and 40% (GB) of companies have deployed employee monitoring solutions shows they are on the right track, but the numbers need to grow significantly to be effective. That’s not to say it’s a silver bullet. Technology should be part of a bigger approach that includes other measures like background checks, employee screening, training programs and continuous awareness of insider threats among employees. 

Trust is good, but when it comes to insider threats technology is even better. At Bottomline we have gone a step further. When suspicious activity is detected, we use application-level monitoring technology that replays suspicious behaviour on a screen-by-screen basis for the internal fraud investigator. So, the investigator can essentially see a visualization when there's a suspicion of insider fraud. The investigator now has forensic evidence, which we refer to as “record and replay.” There’s one very important caveat here. The objective behind employee monitoring technology is not to monitor email content, instant messaging chats or general productivity. It is important to respect privacy regulations. The main goal is to protect the companies’ most valuable assets from financial theft or data leaks. 

Other findings from the fraud section of the Business Payments Barometer include: 

39% of UK businesses said they've been hit by payments fraud over the last 12 months regardless of business size. Large companies (46%) are more at risk than small to medium-sized companies, according to the report. The numbers were similar for the US, with 35% of all businesses experiencing payment fraud over the last 12 months. Medium-sized companies saw a decrease from 42% to 30% year over year, while enterprise-level companies reported an increase in fraud incidents from 32% to 46%.

Most US and GB businesses are on the right track when it comes to payment protection. In the US, bank account validation and verification were used by 55% of respondents, with 53% using multifactor authentication. In Great Britain, 57% used bank account validation and verification and 54% use multifactor authentication. This last data point comes with a warning: only 44% of small businesses are using MFA and only 35% are using automated transaction monitoring.

US businesses are more pessimistic about recovering fraud losses than those in GB. Sixty-two percent think there is little their business can do to recover the loss incurred due to payment fraud, which has increased since last year. It’s a different story in GB, where less than half (43%) feel fatalistic about fraud recovery. Attitudes are similar across business sizes. Here technology may be having a positive impact. GB has more extensive regulations and solutions such as the Confirmation of Payee (CoP) bank account name-checking service for UK-based payments. It is designed to confirm that the details of the recipient of the payment match the information provided by the payer. As our London-based colleague Mark Bish told us, by October this year close to 90 banks will participate, giving GB 99% coverage on all faster payment transactions. Up to 400 more are mandated to join by October 2024. “The broader use of the service by businesses is critical,” Bish says. “They should be using it anywhere they’re accepting payment details to protect themselves, and that's something that we are enabling for our customers through Bottomline’s payment services.”

Decision-makers were concerned about the ability of payment protection to keep up with new security threats. This is particularly true in the US, where 70% have doubts about this compared to 61% of GB businesses. Bottomline’s Christopher Gerda says that fintech partners and banks can help counter this attitude. “Companies feel largely like they're on their own island. It helps to be part of a larger network where everyone's working together against this. It’s important that companies like Bottomline build trust with their business customers by putting payment technologies in place that reinforce the ‘security first’ approach.”

The Bottomline: With innovative solutions like CoP and record and replay at the ready, that security-first approach could help companies and their financial service partners make significant progress in the fight against fraud. 



Ruud Grotens, Certified Financial Crime Specialist (ACFCS), is Head of Solution Consulting, Fraud and Financial Crime, at Bottomline Technologies. He has over 30 years of international experience advising banks (including central banks) and non-banks (including asset management firms, insurance firms, and MSBs) about financial crime risk management technology, covering anti-money laundering, counter-terrorist financing, sanctions, tax evasion, internal/external fraud including payment fraud and cybercrime.