Wednesday, July 17, 2024

What every business needs to know about payments fraud.


This is the thirty-second in a series of informative monthly articles for North Carolina businesses from PNC in collaboration with BUSINESS NORTH CAROLINA magazine.

Mari Suzuki

As the owner of a small business, Joan wears many hats – from innovator to publicist to accountant. To bring her vision to life, she regularly collaborates with a network of vendors, with email often serving as the primary channel for communications. So, when Joan received a call from a longtime vendor about a missed payment for a recent order – a sizable payment Joan was certain she had paid several weeks earlier – her heart sank.

After cross-checking her bank statement with email correspondence to confirm she had remitted payment, Joan and the vendor arrived at the awful realization that a fraudster, posing as the vendor, had stealthily intercepted previous email correspondence between the vendor and Joan before sending Joan an invoice with new wiring instructions, which she dutifully followed.

In this case, Joan’s story is fictional, but her situation is not. Instances of fraud – and business email compromise, specifically – are playing out with increasing frequency.

As businesses of all types continue to innovate for scale and efficiency, fraudsters are fast-tracking their own capabilities with elevated sophistication and impact. And while fraud has the potential to impact organizations of all sizes, small businesses – including North Carolina’s 1 million small businesses – remain particularly vulnerable to fraud due to the likelihood of having fewer fraud prevention restrictions, controls and processes in place than larger organizations.

According to the recently released 2024 AFP Payments Fraud and Control Survey Report, a staggering 80% of organizations surveyed reported being the targets of actual or attempted fraud attacks in 2023 – up from 65% in 2022. And 63% of businesses reported experiencing some form of business email compromise in 2023. Additionally, fewer than 60% of organizations have developed the written policies and procedures necessary to limit exposure to business email compromise attacks and minimize the impact of fraud. (1)

For Raleigh-based Mari Suzuki, who serves as PNC’s Southeast territory executive for Small Business Banking, these statistics – and real-world stories like Joan’s – bring urgency to her team’s work to help small businesses achieve their financial goals while protecting themselves from payments fraud through client education and a range of fraud mitigation strategies and solutions.

“Small businesses are the backbone of our economy, and their success is increasingly tied to their vigilance against fraud,” says Suzuki. “It is absolutely vital for business owners to evaluate the fraud risks inherent in today’s environment – and to use every tool and resource available to protect themselves.”

The scenario that befell Joan provides a teachable moment for any employee who plays a role in managing cash flow and payments on behalf of an organization. What could Joan have done differently to avoid falling prey to a fraudster who impersonated her vendor? “It’s important to never rely on email as the only communication method when transacting a payment,” says Suzuki. “The importance of picking up the phone and speaking with a known vendor to verify payment requests cannot be overstated.”

Business email compromise also can take the form of a fraudster posing as an executive who instructs a colleague to pay an invoice. In that case, says Suzuki, an action as simple as walking into a colleague’s office to confirm the legitimacy of an invoice can quell a potential fraud incident.

Reviewing emails with an eye for some of the common characteristics of business email compromise also can help flag fraudulent communications. Among the qualities of an email that should raise suspicion, says Suzuki, include messages that are urgent, emotionally charged or convey secrecy; requests for payments to be sent to new accounts or mailing addresses; and messages with overly generic subject lines (such as “Invoice” or “Resume”).

The latter convention is frequently employed in phishing emails, which may contain dangerous financial malware variants in attachments or links. Once the malware – which often is not detected by antivirus software – has been installed, it may redirect a user’s online banking sessions to a malicious site that harvests access credentials, among other intrusions. And as evidenced by a spate of recent headlines, ransomware attacks targeting healthcare organizations are on the rise, representing a growing area of concern for healthcare businesses and practices of all sizes.

While wires have long represented the most vulnerable payment method for business email compromise fraud, the 2024 AFP Payments Fraud and Control Survey Report found that ACH credit payments now hold that distinction, with 47% of respondents reporting ACH credits as the most targeted payment means.   With ACH fraud schemes on the rise, Suzuki and her team urge clients to leverage the various tools that PNC’s business bankers deliver in collaboration with their dedicated treasury management colleagues.

And while business email compromise represents an increasingly prevalent threat, it is just one form of fraud that small businesses must be vigilant against, says Suzuki. “The good news is there are actionable and implementable steps small businesses can take to help protect themselves,” she says.

As a general best practice, for example, Suzuki and her team encourage small business clients not to share their account numbers with vendors – because if a vendor is hacked, the account number becomes compromised and fair game for fraudsters. “One option that small businesses can consider is using an encrypted account number, which prevents businesses from having to share their true account number.  If the encrypted number is compromised, it is useless to fraudsters,” says Suzuki.

“At the end of the day, our entire team is committed to helping clients achieve success in every aspect of their business, and while the stakes for preventing and mitigating fraud have never been greater or more complex, we are committed to delivering the full scope of PNC’s insights and fraud mitigation solutions to help small businesses protect themselves from various forms of fraud.”



(1) 2024 AFP Payments Fraud and Control Survey Report, Association for Financial Professionals, April 2024,

These articles are for general information purposes only and are not intended to provide legal, tax, accounting or financial advice. PNC urges its customers to do independent research and to consult with financial and legal professionals before making any financial decisions. This site may provide reference to Internet sites as a convenience to our readers. While PNC endeavors to provide resources that are reputable and safe, we cannot be held responsible for the information, products or services obtained on such sites and will not be liable for any damages arising from your access to such sites. The content, accuracy, opinions expressed and links provided by these resources are not investigated, verified, monitored or endorsed by PNC.

“PNC” and “PNC Bank” are registered marks of The PNC Financial Services Group, Inc.

Bank deposit, treasury management and lending products and services, foreign exchange and derivative products (including commodity derivatives), bond accounting and safekeeping services, escrow services, and investment and wealth management and fiduciary services are provided by PNC Bank, National Association (“PNC Bank”), a wholly owned subsidiary of PNC and Member FDIC.

Lending, leasing and equity products and services, as well as certain other banking products and services, require credit approval.

©2024 The PNC Financial Services Group, Inc. All rights reserved.

For 40 years, sharing the stories of North Carolina's dynamic business community.

Related Articles