Payment fraud continues to be a silent crisis for the public sector. In addition to the potential loss of taxpayer funds, government agencies also face negative press, reputational damage, a potential impact on credit ratings, and decreased public confidence as a result of such impropriety.
In consulting with hundreds of government treasury, finance, and IT professionals, my team at Kyriba hears many of the same misconceptions around payment fraud and confusion over where to start tackling this real threat. I’ve outlined several myths about payments fraud, and more importantly the truth about how to effectively safeguard your organization.
Myth: “My department/agency doesn’t have a problem with payment fraud”
According to a 2021 AFP report, 75 percent of organizations across all areas of business were targeted for payment fraud. Within government entities, we believe this number is significantly higher, with an estimated 95 percent of agencies being attacked. As vendor and purchasing information is public, government entities are the perfect target for cybercriminals. Though the transparency is required and well-intended, this problem is present, and the probability of a future attack is high: the median loss for payment fraud is $114K, with over 25 percent of losses reported over $1M. Delaying addressing this issue is the costliest option.
Myth: “We’ve already put internal safeguards in place”
When asked about payment fraud, most agencies point to “internal safeguards”, such as staff training and manual processes to identify potential attacks. This traditional approach to fraud protection is important but does not solve the problem, which is only exacerbated by more employees and contractors working remotely and unwittingly clicking on things they shouldn’t. Alarmingly, it is estimated that 36 percent of fraud is committed by individuals inside an organization, and nearly half of reported losses of $100M or more were committed by insiders. People are human; they make mistakes, and criminals can be very clever.
Myth: “We have cybersecurity insurance”
Cybersecurity insurance typically covers the liability and costs incurred as a result of a cyber attack but does not cover payment fraud. As with any insurance, it’s the fine print that matters. Agencies often purchase these services to provide peace of mind, but this insurance has become increasingly expensive, and oftentimes requires extensive preventative measures before a claim qualifies for reimbursement. According to GovTech.com, “policy premiums are going up. Underwriters also are asking much more of potential clients in terms of information on the application and training of staff.” If your agency doesn’t have basic measures in place like multi-factor authentication, or technology to identify fraud triggers, the insurance may not protect you.
Myth: “Our team doesn’t handle payments or that many payments”
A common misconception from the Treasurer’s office is that they don’t have enough electronic payments to warrant a dedicated fraud program, or that the payments are someone else’s responsibility. The reality is that it is the Treasurer’s fiduciary responsibility, whether a payment originated in a different office or is managed by a different team, to protect the funds in each of the payments processed. Oftentimes cybercriminals, knowing the vulnerability, target non-traditional payment vehicles and processes such as one-off payments made by the Treasury team.
Myth: “The cloud isn’t safe”
Technology feels overwhelming to many people, and fear of a misstep prevents them from adopting necessary protection. Despite these concerns, if deployed properly, cloud technology is much safer and more secure than on-premise solutions or manual processes. Standard governance and risk programs allow your IT department to ensure the appropriate tools are selected, guaranteeing minimal downtime should an emergency occur. These solutions should enforce best practices such as multi-factor authentication, IP filtering, and strong password controls.
Myth: “We don’t have the budget for technology solutions”
A 2020 NASCIO study found that, unsurprisingly, a lack of sufficient budget is the top barrier government agencies face in overcoming cybersecurity issues. However, given the high probability of a future attack, the question remains: how can your organization afford to not make payment fraud a priority? Government contracting doesn’t always make it easy to secure budget or procure solutions, but the case is very strong for the upfront investment to protect taxpayer dollars. Both CARES and ARPA Funds can be used to fund payment fraud solutions, and we’ve seen strong support across the board for infrastructure programs such as fraud detection solutions. Additionally, some fintech vendors like ours are pre-approved through a number of government purchasing vehicles, allowing agencies to purchase the solution at pre-negotiated pricing and reduce time-consuming and costly bidding processes.
The Truth: Solutions to Mitigating Payment Fraud
The solution to addressing fraud doesn’t have to be complicated. Kyriba, for example, offers a solution that is easy to implement, and immediately protects funds in ways that no bank, insurance, or internal safeguard can guarantee. Our payments fraud detection module extends the effectiveness of standard payments controls to include real-time detection to stop suspicious payments in their tracks, and includes centralized alerts, complete resolution workflow management, and data visualization. By building in real-time alerts, notifications, and workflows, your organization can instill such key measures as:
– Separation of duties between the payment initiator, the payment approver, and the reviewer
– Designation of reviewer(s) by payment rule and specific payment scenario
– The ability to assign non-treasury personnel to review certain detected payments
– An option to hide alerts from initiators/approvers of the detected payment
– Scenario-based determination for stopping payments until resolved by designated users
By confronting these myths and working with your organization’s finance and IT teams to implement such measures, your agency will be better positioned to mitigate payment fraud and reduce financial and reputational risks — allowing you to better focus on your organization’s public mission.