That sinking feeling. We’ve all had it. Something happens and a realization comes over us that it’s bad. The consequences begin to spread out before your eyes, and all you want to do is withdraw into your shell and block out the world.
When it comes to payment fraud, that sinking feeling will hit you hard if you’ve ever been a victim. When it comes to being a victim of payment fraud in a business setting, all sorts of consequences begin playing out in your mind.
As the eponymous guide in the Hitchhiker’s Guide to the Galaxy advises its readers, however, the first thing is ‘Don’t Panic’. You aren’t the first victim of fraud, and you won’t be the last, and following clear steps when it happens will start removing that sinking feeling and hopefully prevent any lasting damage.
We’ve talked extensively about types of payment fraud and how to prevent them, from money-laundering schemes to tactics like authorized push payment (app) fraud, but here we want to look at when you personally have been successfully targeted as an employee.
WHAT STEPS TO TAKE WHEN YOU ARE THE VICTIM OF PAYMENT FRAUD
If you’re an individual within a business and you’ve been a target of payment fraud, what do you do?
1. Tell people
Speed is the key in responding to payment fraud. Getting the fraud out into the open as soon as possible will help both in the recovery of any monies lost and mitigate against any potential data breaches. Do not wait until you understand what has happened, get on the phone and start talking to the following people:
- Your compliance and finance team: The people most experienced in payment fraud response will be in your compliance and finance teams. Indeed, this may be your only call as they can take the process and run with it.
- Your payments provider: Whether you’re using a fintech or a bank, contact them immediately and tell them what has happened. The best-case scenario is that they will be able to intercept the payment and recover the funds. In the worst cases, you may be able to recover it through insurance and other mechanisms.
- The police: It’s highly likely that you were not the only target of the fraudster. They will either be operating mass payment fraud schemes (targeting lots of individual businesses at once) or using the same tactic on lots of other targets. Informing your local police authorities (who will then pass on the information to the units dedicated to fraud) is a vital step to protect the wider business community. Also, on a public relations level, it shows you have done everything in your power.
2. Don’t delete the data
It’s easy to simply want to delete the offending email (if it’s a phishing scheme – a common method of infiltration) and hope that it all goes away. Don’t do this.
While it’s obviously important to not click on any more links, it’s vital you report the email to your IT team who can begin their own process of investigation, quarantining, and communication to the wider company.
If you have clicked the link, either through being tricked or by pure accident, it’s important to contact the IT department directly i.e. don’t simply report an incident on an online form and assume people have seen it. Again, speed is the key.
Any other data, such as a phone number used by the scammer, should be noted down and handed to investigators.
3. Don’t be afraid to wake people up
Scammers are clever in terms of when they target people. Early mornings, when people are distracted by getting kids to school (or are just tired from lack of sleep) and Friday afternoons (when people are switching off from the work week) are prime times to be targeted.
CEO scam emails, where the fraudster pretends to be the CEO looking for you to make a payment on their behalf, is often targeted in the early morning. A classic scam is pretending to be in an airport in a foreign country and needing payment to get a flight home, or a hotel booked. On a surface level, the fact you’ve received the email overnight makes sense with the time difference, and the emotional pull of helping someone in difficulty adds an urgency to the situation.
If this type of payment fraud is successful, you might find yourself realizing you’ve been a victim outside of business hours. This is one of those occasions where raising the alarm and calling people in their personal time is vital and will be appreciated in the long run.
4. Change passwords and protect access points
A basic step is to change your passwords, especially to any payment portals your company uses. Do this in concert with the IT team to ensure the fraudsters aren’t tracking this activity to use the information for future scams.
Other aspects to be aware of are things like the webcam on your laptop and if it remains secure.
5. Check your local laws
Once you’re reported the fraud and are confident the right people are on top of it, you can then begin to figure out the potential implications and the roadmap ahead. Of course, you will probably not be responsible for following this process, but it’s important to know what the next steps may be for peace of mind if nothing else.
Each jurisdiction (and, indeed, the payment institution that was used to pay the fraudster) will have different responses to payment fraud. Go to the relevant websites and get yourself as informed as possible. Getting this information will 1) almost certainly calm you down and 2) help you regain control of the process.
6. Share your experience with others
Once the incident is over, you may want to forget about the whole thing, but turning it into a positive will invariably mean helping prevent the same experience happening to someone else.
Volunteer to tell your experience at a future security briefing in your company, sharing how it happened and what people need to do to protect themselves. PowerPoint presentations with lists of actions are all very well but hearing a story directly from a peer is the best way to ingrain the need for security in other peoples’ minds.
REMEMBER, DON’T PANIC
Scammers know human vulnerabilities and exploit them very professionally. More people than not will be scammed in some fashion throughout their life, and we can only hope that it’s something we can brush off as an experience.
When it comes to being the target as an employee, and falling victim to the fraudsters’ tactics, it’s easy to panic and imagine all sorts of negative consequences. This can play right into the hands of the fraudsters.
By following the clear steps of informing the right people, keeping the data for investigators, and using your experience to prevent it happening to others, the experience might not be one you can brush off, but it can turn into one with real positives.
While we never want to experience that sinking feeling, our rational side knows that things are rarely as bad as you imagine in the moment. Share the problem quickly and you’ll soon be swimming to the surface and be able to take a deep, calming breath.
To learn how TransferMate protects businesses against payment fraud, go to our security page or contact the team directly.
