Community Association Management companies are under siege from high-tech conmen determined to rip them off. From check fraud and Business Email Compromise (BEC) attacks to account takeovers and vendor impersonation, fraudsters have become more brazen and more sophisticated.
Mailbox keys purchased on the Dark Web or stolen from postal carriers have made it easy for bad actors to steal checks sent through the mail. Artificial intelligence (AI) and social engineering enable fraudsters to create convincing bank account change requests. And malicious software hidden in email links or attachments can give bad actors unfettered access to an organization’s finance systems.
The increased reliance on email to onboard suppliers, receive and process invoices, and chase down payment approvals is contributing to fraud risk, as evidenced by the growth of phishing schemes.
Falling victim to payment fraud can have big financial consequences for a Community Association Management company, including lost funds, investigation and recovery expenses, potential legal and regulatory penalties, and disruption to its operations. Five percent of the typical company’s revenues are lost each year to payment fraud and errors, according to the Association of Certified Fraud Examiners (ACFE). Payment fraud can also irreparably damage a Community Association Management company’s reputation and brand image and weaken stakeholder, shareholder, investor, and supplier trust. It’s no wonder that the risk of payment fraud is the top concern of accounts payable leaders, according to research from the Institute of Finance and Management (IOFM).
There are steps that you can take to mitigate your risk of cyberattacks and payment fraud.
1. Don’t skimp on employee education. Your finance team is your organization’s first line of defense against bad actors. Keep staff updated on the latest payment fraud schemes and how to spot them. Remind staff to be leery of links and attachments in emails. Urge staff never to enter system credentials through a link in an email until they confirm that the email is legitimate. Ensure that staff follow your organization’s procedures for verifying bank account change requests, no matter where they work or their role within your organization – cutting corners can throw the door open wide to fraudsters. And train staff on the tell-tale signs that a bank account change request may be phony, including an off-center logo, misaligned text, dates that are not in U.S. format, poor grammar, and inconsistent grammar and punctuation.
2. Leverage invoice-to-pay automation. The user access permissions, vendor master database matching, segregation of duties, systematic invoice approval workflows, complete audit logging, advanced data encryption, automated document retention, and other controls built into modern invoice-to-pay platforms mitigate the risk of payment fraud. And real-time reconciliation of invoices with enterprise resource planning (ERP) applications or accounting software packages helps organizations identify issues faster, reducing losses. Some invoice-to-pay solutions also use AI to identify invoice anomalies that may indicate fraud – such as an increase in invoice volume from a supplier or an invoice for an unusually high amount.
3. Pay suppliers electronically. Despite the decline in check volume, checks still represent the lion’s share of payment fraud losses. That’s why it’s imperative that community association management companies pay suppliers electronically. Unlike checks, electronic payments cannot be intercepted in the mail, whitewashed, and deposited into a fraudster’s bank account. Suppliers always know when electronic payments will arrive, so they can act fast at the first sign of a problem. And electronic payments data can be encrypted.
4. Pay suppliers with virtual cards. Virtual cards are the most secure way to pay suppliers. Only 3 percent of organizations have experienced attempted or actual fraud on virtual card transactions, according to the Association of Financial Professionals. Unlike p-cards, finance must approve each vendor invoice and the payment amount before a virtual card payment is made. Virtual cards cannot become misplaced. A unique number is generated for each virtual card. Virtual cards are vendor specific. Virtual cards offer configurable time and spending limits. Virtual cards can be used only once. And virtual card data is encrypted.
The risk of payment fraud is high and actual fraud can result in significant financial losses and reputational damage. But the strategies in this article can mitigate your risk of financial losses.
Sean Madigan is a senior director at Edenred Pay, a leading provider of invoice-to-pay solutions to PMCs. Edenred Pay’s platform enables Community Association Management Companies to automate, optimize, and monetize the entire invoice-to-pay cycle – from invoice receipt through payment reconciliation. Sean has contributed to presentations at several CAI conferences and served on CAI Arizona’s board for three years.