This episode on the Payments Podcast features Amber Burridge from Cifas and James Richardson reviewing the latest payment fraud trends using industry payment data. Both Amber and James highlight key best practice techniques your business can use to help make sure you don't become the next victim of payment fraud.

Interviewer: Fraud trends are constantly changing depending on the environment. So how can we possibly be expected to keep one step ahead? And, more importantly, how does this impact the success rate of payment fraud attempts within businesses? Will there ever be a clear winner in the fight against fraud? We have a special episode on today’s Payments Podcast. James Richardson, Head of Market Development for Risk and Fraud at Bottomline, is discussing the current trends as well as what organisations can do about fraud with Amber Burridge, Head of Fraud Intelligence at Cifas, a not-for-profit UK organisation who are leaders in fraud prevention.

James Richardson: Amber, why don’t we start the discussion around the impact of fraud. I would love to get your views and thoughts on really what you have seen. Specifically, what has changed over the last few years. Maybe last five years. Let’s see where we go.

Amber Burridge: Yes, I think it has been a very interesting time within the fraud threat landscape, particularly over the last five years. We have definitely seen, in terms of the numbers of application fraud that we see actually has declined over the years. I think the issue for that is because actually, organisations are getting better at detecting fraud applications. So therefore, criminals are turning to using genuine identities or genuine accounts. Essentially, one of the biggest problems that the UK faces at the moment is around identity fraud. So we have essentially seen it go up by 32% in the last 5 years and up 18% compared to last year. We know that plastic cards are predominantly targeted. It is predominantly around that older age group. I think there is a bit of a perception that this older age group are going to have a better credit history and therefore, they are going to be good, prime targets, to use their details to apply for products. I think one of the key things to really think about here is actually, it is not just individuals that are targeted for identity fraud and identity theft. The number of companies that we have seen that have been recorded as victims of impersonation is high.
So for us, as an organisation, our members reported over 200 companies as being impersonated last year. If you think about it, it is mainly to obtain those kinds of products that actually, you need to facilitate further fraud. So essentially, obtaining finance was one of the key things that came out last year. Actually, having a look at some of the products that have been abused by these false identities are in relation to company loans and also company credit cards. Now, I think it is key here around the move that we have seen within the fraud landscape is predominantly because a lot of things are becoming digital now. The amount of data that is now available. We are very transparent with our data that we have and I think one of the key things for us going forward is actually, how do we make that personal information, like company information, less valuable? We see quite a lot of discussion on dark web forums, for instance.
Particularly at the moment, with the current COVID situation, where they are looking for business accounts. Now the reason for this is obviously with a lot of the stimulus packages that we are seeing at the moment. So, for instance, the retail and hospitality grants. Also, discretionary grants that are coming out at the moment, bounce back loans. Criminals are actively going out there to seek these types of business accounts, to essentially launder money. That’s one of the things that are a real big issue for the banking industry in particular, is the aspect of money muling. We have seen a bit of an increase actually, in company accounts that have been used for money muling. So quite often, detailing themselves as wholesalers, because that way, it kind of gets around the point that they are receiving large amounts of money into their accounts, because they are a wholesaler, that’s what you expect.
I think the other key thing for us at the moment, is around account takeover. I have mentioned application fraud going down, but some of the techniques that we are seeing now are actually abusing accounts held by other people. So a 34% increase, compared to 2018, of the number of accounts being abused in 2019. We predominantly see this in the telecoms industry, but also online retail industry. The reason why? Well, as we are moving more digital, things like smishing campaigns, spoofing attacks as well, where webpages are being copied to facilitate harvesting of information. Like I said before, it’s not just about the individual. We have seen this particularly during the COVID period, where businesses are receiving these phishing emails. Particularly if they are potentially eligible for some of these loans that are coming out at the moment. You know, receiving an email to say, ‘You need to fill out your details here.’ What is then happening, is that that criminal is then using that information to fraudulently apply for a stimulus package. You could be sat there, particularly if you need that, particularly at the moment, with the economic uncertainty. You are sitting there waiting for it and actually, a criminal has used your details to apply for that product.

James Richardson: I was going to say that the action fraud highlighted a report, I think it was at the end of May or beginning of June, so really early on into the whole lockdown process, where we pretty much… we maybe were only a few weeks into understanding what the stimulus package would be and how organisations could legitimately access it. There were already over 4.5m coronavirus related scams taking place within the UK, which I think is just to your point exactly. I think the fraudsters are pretty agile. What they may have been looking at a year ago or four years ago, they are in a whole new world of, dare I say it, in quotes, opportunity, with the COVID situation. The stimulus package, it’s just unbelievably criminal how the fraudsters are leveraging either loopholes in process, or recognising the air gaps that exist between the technologies, but just taking full advantage of it and just filtering off the funds.

Amber Burridge: Yes, I think the point we need to remember actually, is that a lot of these techniques existed before the pandemic. They have really come into their own in the last three or four years. However, what the pandemic has done, as you rightly say, is open the doors for a wider audience to target. It’s not a select few that are vulnerable now. Actually a lot of us are susceptible and vulnerable because of the current situation.
Actually, what we have seen is, like with the advance in technology, is that these attacks can be deployed en masse. All it takes is for one person to fill out their details on one link and actually, you have got a wealth of information there. I think that is the key thing that we are seeing at the moment, is that actually, for employees as well that are currently working remotely, they are a great target for a lot of these criminals at the moment. Your remote workers are at home and what we have seen is, business staff have been duped into believing, for example, that their IT department is contacting them and they want to take control of their computer. So they are using some of these remote desktop viewers to have a look and see exactly what is going on, in a great way, to steal credentials. It’s the same with the way business has changed. Because we have all gone into this working from home situation, if you receive an email from who you think is your chief exec or some senior manager, saying you need to make a payment, ‘Can you do it for me? Can you do it ASAP?’ it was very difficult, right at the beginning of COVID, where a lot of businesses and employees were getting used to working from home. It was very hard to detect whether or not that was legitimate.
Because actually, with the current situation, everything had a great urgency to it. So it’s very hard to distinguish between whether or not that could potentially be a criminal on the other side asking you to do that. One of the key things we usually say to look out for around particularly these phishing emails, if there is a sense of urgency. Well actually, what COVID has brought is a bit of an urgency about everything being done at the moment, which makes it very difficult. It makes it hard, as an employee. It brings me onto my next point as well, about some of the insider threat that we see. So it’s not just an external issue that we have seen over the last five years. The rise of internal fraud-

James Richardson: That’s a great point and I was going to ask you about your views of insider fraud. You just mentioned about employees working from home. We are in a completely different set up now. Everyone is working at home. You have got finance teams working at home, treasury departments working from home, people that are either operationally involved in transferring funds or it’s just part of their division, part of their function. The point is that people are sat at home with… there are layers of security and layers of defence provided by a company, but then equally, are they more susceptible to threats from the outside? So the reason for mentioning that is, the way in which you would look at insider fraud, perhaps changes, given the circumstance and the environment that we are currently in. What is your view of the whole insider scenario?

Amber Burridge: If we look at the pre-COVID situation, in terms of the insider threat, if you like. So the majority of cases that we see are usually in relation to dishonest actions. So you are looking at the likes of theft from the customer, or theft from the employee. One of the interesting things that has come out quite recently is the number that are recorded for manipulating third party accounts. So it could be changing an overdraft account limit, or changing the interest rates applied to an account. I think, in this instance, it’s quite interesting to see actually, that the number of individuals we saw recorded for this increased by 13% in 2019, compared to 2018. What the current situation now means is that actually, we do have a number of staff that have access to a lot of sensitive information with a very difficult way of monitoring them.
Because actually, what is the new normal now? We don’t usually do a 9:00am to 5:00pm. I mean, I certainly haven’t since I have been working from home. I haven’t been doing a 9:00am to 5:00pm. That makes it very difficult for organisations to monitor what their staff are doing. Also, in a way, you have less control of keeping your staff safe from being approached, as an example. So we have heard stories of staff being approached by organised groups to give them information or to make changes to accounts or facilitate transactional fraud. If you are working from home, you don’t have that safety net of being within the office. We know that some of these employees that are targeted are often in low paid jobs. Also, they live in areas where actually, dare I say it, some of their neighbours are not very friendly. So actually, in terms of that organised crime network operating around them, it makes them quite susceptible to being bought into that world. I think one of the things, like we mentioned, obviously we do have security measures in place. So, for instance, I access my work through a remote desktop, as an example. If you think about your Wi-Fi, actually. How secure is your Wi-Fi? Have you got the most up to date firewalls on there to detect some of this malware?
The reason I say that, it was quite an interesting conversation I had the other day with someone who said, “Well actually, what about the Alexa devices? What about all these voice recognition devices that are in your houses when you are having conference calls? Where is that data then being stored?” I suppose that has really made me think about what devices I have that potentially listen. Because this is the world we live in now. We live in a world of internet of things. Now, I learned about bluesnarfing and bluejacking the other day, where actually, it’s your Bluetooth that is being hacked. Actually, the surprising thing is that a lot of businesses, particularly at the moment, are still actually sending things unsecure. They are still sending files which are unsecure by Bluetooth, because it’s an easier way of getting from a work phone to a desktop.
Also, in terms of sharing personal information, I think one of the things we really need to consider at the moment is actually, we may not be in the office, but we need to operate as if we are in the office still. If anything, definitely with those members of staff at the moment, we need to check in on staff working remotely. I mean, my poor team must be bored of me talking to them all the time, but it’s just to check because obviously, we all have access to all this sensitive data. There is a question, particularly if you live in shared accommodation, if it’s a group of people that you know, then it’s easier, but if it’s, for instance, you have applied on an advert to live in a house share and you don’t really know the people you are sharing with, that makes it very difficult if you pop away from your desk, I say that in quotes, to make a cup of tea or go to the toilet. If you don’t lock your computer like you would in the office, that opens up a can of worms for someone to go traipsing through your laptop, essentially.

James Richardson: Yes, that’s such a good point. It’s funny, because I think we just tend to forget. I love your comment that we have just got to imagine that we are still working in an office, it’s just that we are at home. That is absolutely the right way of doing it. I’m with you 100%. We have put out a stat actually, from our business payments barometer that we did, which talked about the different types of organisations that would have employee behaviour monitoring. Which sounds a bit Big Brother, but actually, it’s partly about, yes, securing transactions and traffic, but also to make sure that policies are being upheld, that people are locking PCs. It’s all about safeguarding. We look at it as safeguarding payments, but I know it is so much more than that as well. Just comparing, say, this year’s report to last year’s report. Or actually, just comparing different size of organisations, 27% of enterprise businesses are using employee behaviour monitoring.
Versus 18% of small businesses. I’m not surprised by that stat. It’s something that we have talked about year over year, as seeing an emerging trend. It’s almost like you just can’t stand still on this stuff. You have got to recognise that frauds are evolving, security standards are evolving and what you had maybe three years ago might not be appropriate in what is 2020. Equally, I wonder whether today’s situation, does it meet the standard of COVID 2020? Where your policy for locking PCs might have a 2 minute shutdown, but actually, does it need to be a 30 second shutdown if you are in a shared working environment?

Amber Burridge: Yes, I think, dare I say it as well, actually there is also a degree of establishing a bit of an anti-fraud culture. Certainly, from what we see, internal controls can do so much. Admittedly, that is how the majority of our insider frauds got identified. I think there is a degree as well of this anti-fraud culture. Because one of the interesting things that we found from our research is that actually, it isn’t just the newbies in the workplace.
Actually, they are quite well-established individuals. They know the system and they know how to avoid detection. Touching on what you say, actually, are our measures appropriate for 2020? I think I mentioned it about the monitoring, in terms of what is a normal 9:00am to 5:00pm, or do you have a policy that says, ‘No employees should access this type of file outside of normal working hours?’ We talk about it being Big Brotherish, but I think looking at the report, it talks about knowing your employees as well. That’s one of the key things for us. You can do your initial screening and an individual might come back as being fine, but how many checks do you then do once someone is in employment? Do you regularly screen them to see are there any trigger points that may lead to someone committing internal fraud?
That’s something that, as a business, is really something you need to think about building into your policies and procedures, because actually, we have launched an IFD enhanced programme. So it’s our internal fraud database, where you can check an individual to see if they have been loaded by another organisation for internal fraud. Also, you can see if they are listed for any other types of fraud as well. I think this is key really, to understanding the risk and also maybe having that frank conversation with your employees around being open and honest as an organisation. It might be that actually, their circumstances have changed. So actually, can you offer support in that circumstance? Also, does that mean, as an employer, there are steps you need to take to mitigate that risk?
I use Morrisons as a great example in this. For people that might not know, there was an individual working for Morrisons who actually was up for disciplinary, but they still enabled this individual to have access to a lot of personal information. What this individual then did was release 100,000 employees’ details on the internet. Now, if you think about that, that’s one person, but think how many lives they have then impacted because of that. Morrisons actually quite recently, because it went to the High Court, they agreed there that Morrisons weren’t liable, because they had taken all they could do. I think that’s what they needed to prove, they did all they could. It was a question as to whether or not the employer was actually responsible for that individual releasing that information. That’s just something businesses need to bear in mind. Is that actually, could the actions of one of your employees make you liable further down the line?

James Richardson: Yes, and I wonder, you were talking about knowing your employee, I guess you want to have the same approach thinking about knowing your customer as well, right?

Amber Burridge: Definitely. I think one of the things that we have definitely seen over the past year is actually, knowledge-based authentication is not sufficient anymore. Mainly because of the fact that so much information is available online. The amount of information that people put on, say, social media about their pet’s names, their children’s names, where they got married. If you think about security questions that you get asked.
Like, “What is your maiden name?” as an example for a lot of females. A lot of people put as their Facebook name what their married name is and then in brackets, what their previous name was. So you just think, “Well, there is a wealth of information out there.” One of the things that I always think that, as professionals, we need to think about is what we do on LinkedIn. We should definitely associate the same risks with LinkedIn as we do with Facebook. For instance, the amount of information… I did a bit of a cleanse of mine and I think I need to do it further, to be fair. It’s one of those things. The amount of information we all put on LinkedIn because we want people to see our skills, but then you just think, “Actually, how much information does that reveal about ourselves?” about our companies as well, don’t forget. It’s quite an interesting conversation to have really, with employees, around what they are putting on some of these social media platforms. Not saying that you shouldn’t be sharing, but I think you need to be mindful of what your digital footprint is. Especially now. Which is why, for instance, you mentioned in the report about, ‘Know who you pay.’ That is absolutely vital now, I think. I suppose it’s how we adopt these mechanisms which will be interesting going forward.

James Richardson: Yes, definitely. Knowing who you pay, it just seems to be so much more important now than ever before. I guess, not just around it is good practice, but frankly the payment infrastructure has changed around us, so that many organisations aren’t relying on a BACS three day payment cycle, in order to manage any issue. They could rely on the fact they had a slight buffer in time to identify something suspicious and then phone their bank and pull the transaction.
That luxury has completely evaporated in the world of faster payments, which is just the world we live in now. Any time that I’m making a payment, it goes pretty much immediately, within a few seconds. That’s just what we’re used to. Anything slower than that just doesn’t quite feel right. That does put the pressure on me to make sure that I have applied the right level of diligence into making payments. So, I think about it as a consumer and I want to feel safe. I want to feel that someone is really looking out for my transactions going to the right person. I think, as a business, it almost feels a little bit more challenging. If you are multi-banked, or depending on your set up or how you are organised to make payments, you end up having to take a bit more responsibility and accountability for checking your payments thoroughly. Not just relying on other players in the lifecycle of settlement doing it for you. I just wonder, you know, you mentioned about knowing your customer and knowing your payment, what your thoughts are or your experience of fraud scenarios in that space of payments.

Amber Burridge: I think one of the things really that we tend to see is, criminals do take advantage of loopholes. So, for instance, if one company’s onboarding checks at the application stage are a bit weak, then it, kind of, essentially rolls out, doesn’t it? It’s like a bit of a domino effect, in terms of everyone that is involved in that supply chain, essentially. I think that is one of the difficulties that we have, is ensuring there is this pressure for us to do payments very quickly and for us to not put any friction in that customer journey.
At the same time, we need to mitigate the risk of making that payment so quickly. Are you paying to who you think you are paying? It’s incredibly difficult now because some of the technology that we see, we have had instances of, for instance, intercepting of one-time passcodes. Which makes it really difficult, if you’re trying to let that payment go through and you’re like, “Well, I have had confirmation of it, so it should be fine. It should go through.” That’s one of the difficulties that we see for business at the moment, is that technology is against us. On the one hand, it’s a blessing because it means we can do things faster and there is more convenience. On the other hand, and I don’t want to sound like a technophobe and I know it is probably coming across a little bit like that, but I think sometimes that convenience and that haste almost takes away that taking five minutes or five seconds to think, “Actually, is this the right thing? Am I doing the right thing? Is it going to the right person?” The normal logical steps that you would take. It’s quite interesting how we refer to that aspect as being a chimp brain, if you like.
So it’s that, kind of, “I need it. I want it. I’ve got to do it,” aspect. Whereas the part that goes through all those steps, I think they call it the computer part of your brain, if you like. That sometimes gets overtaken by the chimp brain because actually, that part is more powerful. So I use that in a bit of a crude way, I guess, but I think it explains really how, particularly at the moment, with the current situation, where there is a lot of demand to make payments very quickly. So, for instance, if you take the local authority government stuff at the moment, there was a lot of pressure on local authorities to make those payments very, very quickly. Unfortunately, the situation we now have is that a lot of post-checking is now going on. Which, in an ideal world, that wouldn’t happen. You would do all your checks before payment. I think it is, kind of, key really. I mentioned it before about, you know, it is vital to do your due diligence at onboarding but actually, keep it going throughout that lifecycle of the client relationship, the customer relationship. Because things like changing the direction of where the payment is going, particularly if you have got a long-standing client, and all of a sudden, they are changing where they want that payment to go to, that should be a bit of a trigger to do some further checks.

James Richardson: Yes, definitely. We have seen it certainly being in the payments industry ourselves and a technology provider that supports payments, but also fraud detection. We see this pinch. We see this pinch constantly about, we want to be able to make super quick payments, but we also want to make sure that there are levels of security around it. Just to talk about knowing who you pay for a moment. The industry has reacted, hasn’t it?
Whilst it has taken time, this Which? super-complaint a few years back which, as a consequence, resulted in the industry announcement of confirmation of payee. Which is just coming into force now. Which is a great initiative, largely biased towards retail payments. So the likes of… I made a payment to a friend that I have not paid before electronically the other day and it came up and said, ‘What’s the account name?’ and it was verifying, real time, the account name against the sort code and the account number. It either matches exactly, does some form of fuzzy match, or says, ‘No.’ If there is any kind of degree about, ‘Not so sure about this,’ then it pushes a question to me, making the payment, saying, ‘Are you sure?’ I think, on one hand, I really applaud that sort of thing. I think, number one, it is absolutely critical. We have got to have that in this day and age. What it is doing is, it is pushing the liability on to the corporate to make the decision and verify their payment.
Verifying who they are paying. It’s a lot easier for me, doing one payment as a consumer. You go and do 10,000 payments, as a corporate or 1,000 payments as a corporate, some people that you have not paid before. It’s going to create some friction in the payment process. I’m sure people will get around that. I know they will and it’s still the right thing to do. The point is, I guess, organisations, we have seen in some of the surveys, are finding it harder to recover funds. I think one of the things that confirmation of payee may well do, because it’s not a silver bullet in acting on fraud, it will just prompt and challenge to see if the payment is actually right to go through. Which is good, but it may well shift liabilities around as well, across the banking and the corporates. Any thoughts around confirmation of payee or other industry initiatives?

Amber Burridge: Yes, I think confirmation of payee, it has been welcomed actually by a lot of organisations, in all fairness. I think, for a business that is trying to adopt it, sometimes it might seem a little bit difficult to start with. Like you say, if you are making payments en masse, it’s a bit of a, “We don’t know,” space at the moment. I think, because essentially, in terms of the confirmation of payee, you get a yes match, which ultimately means yes, you can make the payments, you will be fine.
You have got the no, close the match. So if you recognise the name provided on the account, then you can proceed with it. It, kind of, puts the onus on the person making the payment, doesn’t it? Actually, you can do it if you think it’s right. It’s an indicator. Like you said, it’s not a silver bullet, it’s an indicator. So actually, what technology detection platforms have you got that you can make real use of? It’s one of those… it’s a bit like if you matched to the data that you have on Cifas. It’s not necessarily saying you should automatically decline, but it’s saying actually, do further investigation. At the end of the day, it’s up to your risk appetite as well, as to whether or not you want to go ahead with that. I think, from an individual level, it is great. So, from a personal perspective. The amount of APP fraud that we have seen over the past year has been horrendous. The volumes that have come through that. I am quite intrigued to see how it would work from a business perspective, if I’m honest. I think it is a step in the right direction, but I think actually, we need to give businesses support in how to use this kind of technology going forward. It’s educating our businesses around the regulations, the initiatives that are there. Also, I think there are other aspects that you can do, as a business, as well.
So for instance, that… without banging the drum on it, that due diligence part. Particularly if you are making regular payments, is absolutely vital. The same with taking part in open banking as well. The sharing of information is absolutely vital at the moment. We always talk about data matching and I think one of the things to also remember is that actually, we should share intelligence as well, on some of the methods we’re using on some of those key threat actors. Because, as a business, how do you know what to look for if you have not been told? You can try and use algorithms within technology, but you also sometimes need that little bit of intelligence to say, “Actually, these are some of the key MOs that we are seeing in this space, that actually you should look out for. Here are the key threat actors.” So, it has got to be used in tandem with all your other checks that you do.

James Richardson: Definitely. I think as the years have gone on, especially an overlapping suite of services is far more appealing and appropriate than just a one size fits all. I just don’t believe in that and I think it’s quite healthy to have slightly overlapping solutions that give you degrees of confidence. I completely agree with your point about risk-based approach. People are going to make their own conclusions, based on the information that they have got. I was going to mention something about the confirmation of payee. It, again, came from our barometer that only one in two organisations were aware of confirmation of payee as an industry initiative. Only one in five small businesses had heard of these industry terms. We are in the industry, so someone says, “COP,” we kind of know what they are on about. But you shout out, “COP,” to any other corporate or individual and they will look at you a little bit funny. What do you think of… how do we get this information out? How do we educate people around this?

Amber Burridge: One of the things that we have definitely identified over the years is because it is great that we are all keen to get this fraud prevention advice out there. I think however, as you say, with all these initiatives coming out, it’s very difficult to know which one is best for your business, which one should you follow. I think it is difficult. Who do you turn to? Do you turn to your bank to give you that advice? Or, do you go with what other people in the industry are saying? I think you need to do your research, in terms of what best fits your business, essentially. So, for instance, doing that cross-checking element. Can you afford to do that as an organisation? Can you afford to put a little bit more friction within that payment journey? Or, does it outweigh the risks of the potential fraudulent payments coming through?
I think one of the things that really struck me from your report actually, is around the numbers of respondents that basically accepted fraud as part of their day to day business. That so shouldn’t be the case. I think, for me, I think it was, like, 58% of those that you spoke to saw financial loss due to payment fraud as part and parcel of running your business. Fraud is a crime and actually, without reporting it, it makes it very difficult to understand the bigger picture of what is going on. Actually, those payments could be going on to fund things like organised crime. I think this is where, if you are part of a trade body, for instance, or if you are part of a fraud prevention community, this is really, really useful for you as a business, as a small enterprise even. Because you can get the facts around all these different initiatives coming out. So for instance, if you are part of a trade union, actually they can help give you some guidance around implementing some of these things.
I think you shouldn’t be afraid to branch out as well. We are so used to working in silos. For me, it is about talking to people. Like I said, sharing intelligence is absolutely vital. Which is one of the things with our… we have got community membership now. So if you can’t provide a fraud case to our database, actually, you can share intelligence that you are seeing and get the views from your peers, if you like, around what solutions are the best solutions for you to tackle particular problems. I think we need to get better at doing that. We are making some headway. Like you said, in terms of understanding what things like confirmation of payee and payee requests and all this stuff that is out there, it’s very difficult for you, as a business, to understand actually which one is best for your business model. Do you just deploy all of them? Or, do you take a couple of them? I mean, from people that you spoke to within your research, was there anything that really came across, from what they were saying?

James Richardson: Just to link that to the stats, people are saying… 58%, you are absolutely right. 58% of the decision makers admitted to seeing financial loss, payment fraud as just part and parcel of running a business. I am semi-mortified at that. It shouldn’t be okay that that is the way in which we look at the world. It shouldn’t be that it’s okay that fraud is part of our operational cost. Number one, it just jacks the prices up of everything that we do.
So we do feel it. Whether or not we feel it directly, we do feel it. On a more serious note and exactly to your point, it is related to financial crime. So there is a really bad vibe coming as a result of it, that is fuelling financial crime in the economy and that is not okay. Culturally, I think we have got to get into this mindset that it’s not just about the monetary loss and please don’t just think of it like that. It’s far deeper. I think organisations, corporates especially, it’s not in your face. It’s just not as visible like that. It’s almost like an invisible crime. When you look at the values and whilst the volume of incidents have gone down, the values have gone up for many different sized organisations. So yes, you are talking about medium and large businesses being hit, on average, at about £250,000 a year. At what level did that become an acceptable loss?
I think it’s really tough to read. Firstly, I am really pleased that we are so honest when we are seeing this set of information come through because it is actually really challenging me, as someone within the industry, to want to really tackle this. I know, Amber, you will feel the same and others listening will. We just can’t be okay with this. I do think though, and I have certainly talked about this in the past, that this metaphor of fraud being a balloon, you squeeze it in one end and it’s going to grow in another. My worry with some of the technology that is coming on, if anything, what is happening, what we are seeing across any technology vendor. Forget Bottomline for a minute, but any technology vendor in the space. More solutions are available more readily.
Things are more cloud oriented by default and therefore, there is quicker up time, quicker accessibility to get hold of technology that will help, which is awesome. All for it. The challenge, I think, is going to be the laggards in the process. So those that are actually… they’ll just wait a little bit to see the technology get adopted and then move on. I worry that there is going to be this really long tail between those that have embraced the technology and actually, those that aren’t embracing the technology, they are going to become targets. They will become… there will be ways of the criminals identifying those that haven’t got the latest defences. It will be like the houses down the street that don’t have the burglar alarm. They will be the ones that will be obvious.
They will be the ones that have got their window open and people will be able to see it. Maybe it’s related to their digital footprint. It goes back to your comment about LinkedIn. Identifying who is in an organisation. You can do that pretty easily in LinkedIn. You can identify who is the financial controller within an organisation. Hell, you can go over to Facebook and find out if they are on holiday anytime soon. Then why not impersonate them to then say, “Right, I am this person, this CFO of this organisation.” This is how some of the frauds start, right? It’s about leveraging the digital footprints to the criminal’s advantage. I guess, as we are starting to close out our conversations, it would be good to get your thoughts about how the laggards deal with the problem. How you avoid getting left behind. Maybe that’s the better question.

Amber Burridge: Yes, I think, going back to your point actually, it’s quite interesting now, about finding out who works in financial departments and that kind of thing. Because we have seen, during COVID, that the traditional business email compromise situation of going to those more senior managers within organisations has actually now gone to those who work within financial departments. We have seen that slight shift.
Although, potentially the payments might not be as high as if you went at that higher level, they are getting quite a good bang for their buck. I don’t think necessarily for a lot of people that is in relation to not wanting to adopt all the technology in the world, because technology can only help you so far, I think. I think there is a fear of, potentially, the cost of it, which, particularly for smaller organisations is very difficult, in terms of trying to get that on board. Which is why using your platform, so Bottomline platform, is a start. Also, I keep banging on about it, sharing intelligence as well. Because if you are doing monitoring yourself and you know what the fraud threats are hitting the industry, then you know to look out for them as well. I think there is a piece around education for us, as businesses, as well, in all fairness, in terms of what to look out for. It’s very hard to keep on top of the latest cyber threats because they change so significantly and they’re so quick. Obviously, do make use of resources, like the National Cyber Security Centre, which have the latest… from a cyber perspective, the latest fraud threats. For instance, at the moment, at Cifas, we have got a webpage talking about the threats from a COVID perspective. You can arm yourself with all the knowledge as well, and that’s key to part of this.
I think, in terms of technology, do invest, because we see, for example, from our member who joined our membership, they saved £1.5bn last year. That was through data matching. That’s powerful. I would say, if that’s not an incentive to join some kind of fraud prevention community, or deploy some kind of fraud detection software, I don’t know what is. The amount of money we lose a year to fraud is frightening. They haven’t done an updated fraud indicator, but the last one in 2017 hit £190bn. It’s a significant amount of money that we lose to fraud on a daily basis, dare I say. I think we have worked out that, literally, one fraud is committed every three minutes. So that is essentially less time than it takes to boil an egg. That’s how many frauds we get a day. I think, if you can’t empower yourself to detect some of this fraud… I see that a lot of the respondents find it difficult to recover the funds. If we are finding it difficult to recover them, try and prevent them from going out in the first place. That’s the key take away from me, is don’t be afraid to join a prevention community, or even invest. Because essentially, you will save money by doing so.

James Richardson: Brilliant. Amber, thank you so much for the conversation. It has been really good to chat through the different items here. Thanks so much.

Amber Burridge: No, thank you. Always a pleasure.

Interviewer: An interesting topic, I’m sure you will agree, with some vital data points to compare. Both James and Amber highlight some best practice techniques, which would be worth consideration to digest and implement for any business. Unfortunately, that’s all we have time for today, but in the meantime, you can listen to more episodes on all things payments at the touch of a button using your preferred provider. We will see you all next time.
