November 16, 2023
AI is Your Next Fraudster!
Danny Thompson, Chief Product Officer at apexanalytix
The Wormy Version of ChatGPT
ChatGPT, which stands for Chat Generative Pre-trained Transformer, is a large language model-based chatbot developed by OpenAI and launched on November 30, 2022. It does a pretty good job of understanding the question that a user asks, and responding with a clear, mostly accurate, well-written response. There’s controversy around it – concerns that students use it for written assignments, and that it sometimes gives incorrect or biased answers. In fact, several countries, including Italy, have banned the technology. But while ChatGPT has some controls that prevent it from being used for evil purposes, there’s a nefarious AI chatbot out there, called WormGPT, that has no safeguards. Bad actors are using it to help commit crimes. Below is an example of how it is being leveraged to commit a bank account fraud. A criminal is asking WormGPT to write a convincing email, from a CEO, asking to make a bank account change urgently.
The Price of Cyber Crime; The Impact on The Supply Chain
Data from the FBI shows that losses from cyber crimes went up 66% from 2021 to 2022, to a whopping $10.3B. And these figures are based only on those incidents that are reported, by the way. Almost all of the difference between the 2022 and 2021 losses – $2.7B – comes from Business Email Compromise crimes. Even if an organization has done a good job of developing its own controls against cyber attacks, there are threats from the supply chain. 62% of cyber breaches are from indirect attacks through the company’s supply chain, as you see in the chart. Ransomware is another major category of cyber crime – and a costly one – averaging a $570,000 ransom per incident. Damages in the form of operational expenses, lost revenue and fines from a single ransomware attack are more than eight times that – $4.62M.
In the Association of Certified Fraud Examiners 2022 Report to the Nations, they estimated $4.7T is lost annually to occupational fraud, with the largest category of fraud – at 81% – being asset misappropriation. It’s bad news for accounts payable, because this category of fraud involves check and payment tampering and billing schemes, payment bank account fraud and even collusion with suppliers.
Who Can You Trust?
In the July 2023 webinar, we launched a live poll asking attendees which of several bank account controls they use. The most common control, used by 85% of the webinar attendees, was a call or email to the supplier. Verification via a bank letter or voided check was second (59%); requiring the supplier to provide the previous bank account was third (27%); calling or emailing an internal sponsor to verify the change was fourth (24%); and a penny test was fifth (15%).
Verifying with the supplier may seem like a good control. But criminals are clever. They understand this control and expect it. We hear story after story about how criminals have hacked supplier email accounts through business email compromise, so that the person requesting the validation believes they are dealing with the actual contact at the supplier company when they are actually dealing with the fraudster.
Bad actors are finding ways to monitor the supplier’s email for an important payment communication. They become aware of when the key contact is going on vacation or the day before a holiday, and they interject themselves into the communication, submitting a bank account change request. They may even be aware that the vendor maintenance team doesn’t have their normal vendor control person in place because they are out of the office, and they take the opportunity to make a change request.
We’ve seen cases of fraudsters using phone masking technology that makes the call look like it is coming from the supplier because the caller ID is correct.
They’ve figured a lot out. They can make a first call to change the key supplier contact and then follow up with a call to change the bank account. When the company then calls to verify the change, they are calling the fraudster instead of the original, valid authorizer at the supplier.
Bank Account Controls of the 1900’s
Two controls that many companies still rely on are penny tests and bank letters or voided checks. My Gen-Z daughter would roll her eyes and say: “Dad, those are so 1900’s.”
Penny tests really aren’t intended to detect fraud. They were introduced back when companies were just stepping into the electronic payments game and were intended to make sure that the vendor maintenance team didn’t accidentally enter the bank account number wrong. Penny tests don’t tell you anything about whether the bank account belongs to the supplier you are paying. All they do is confirm that the person who gave you that bank account information owns the account. If that’s a fraudster, you have a good bank account for a bad person.
What about bank letters and voided checks? The simple answer to this question is that both can easily be forged. Here is one actual example we came across (with sensitive information eliminated or changed).
Our client received a bank account change letter, allegedly from the bank, on bank letterhead, confirming the bank account change. But something just didn’t look right. The logo is off-center. The date is not in the common format. The fields are not quite aligned. There are three grammatical errors and language use errors. These are common red flags for fraud. And so, they went a step further. Because the letter was a PDF, they were able to unhide the layers. What they found was surprising – more than 12 logos of different banks hidden in the PDF layers. And other fields were overlaid as well. The fraudster was using the same documents to attempt multiple frauds across multiple companies.
The lesson here is that if this was the single validating control for the bank account change, the fraud would have happened.
What about checking with internal sponsors? It turns out that’s one of the least effective bank account change controls. There are two main reasons why.
- Internal sponsors aren’t fully trained on bank account change fraud. Nor do they take the change as seriously as the vendor maintenance team does. Verifying a change to a supplier payment account isn’t their main job, and they may not see it as their responsibility. So they may say “okay” with minimal due diligence.
- Worse yet, the internal sponsor may be in collusion with the fraudster.
Another method that companies use is to call or email the supplier to confirm the change request is valid.
So what are the take-aways on this common verification method?
- Never accept an email confirmation of a bank account change
- Never accept an inbound phone call as confirmation
- If you do call the supplier, make sure you are using well-established contract data and not talking to a contact that was recently changed. Some companies are taking an additional step, getting authorization from another supplier contact to authorize any change of the primary authorizing contact at the supplier.
Arguably, the better control against an attempt to change a payment bank account fraudulently is to verify that the bank account belongs to the supplier who has requested the change. The great thing is banks are legally obligated to confirm the legal ownership of their bank accounts. The bad thing is most banks aren’t willing to give out that information over the phone. Enter bank account ownership verification. Although it is only available in the U.S., other countries in the world have introduced their own versions of bank account ownership validation, driven by financial institutions and country governments.
Our supplier management solution, apexportal, is continuously enhanced to take advantage of every available bank account ownership validation service we can find. So far, we have automated this process within apexportal for the United States, Sweden, Poland, India, and the Czech Republic.
Fraud to Zero
It slams the door on fraudulent bank account changes. And we call it the ultimate control.
Clients using the automated bank account ownership capabilities of apexportal tell us that they have not experienced a single payment fraud when this service has confirmed the bank account ownership.
Confidence in the Absence of Verification Services
So what do we do about bank account changes in countries where we don’t have a bank account ownership verification service available?
Here’s where we got creative, led by a request from our clients. apexanalytix has accumulated arguably the most comprehensive and most accurate “vendor master of vendor masters,” through 35 years of performing transactional analysis, recovery audits and implementation of apexportal solutions. We have ninety million suppliers in the database and nine trillion dollars in transactions that we monitor every year.
Could that data be leveraged to produce a “confidence score” that could be produced when there isn’t a validation available by the bank itself?
Here’s what we figured out. We could make the data anonymous, and conduct analysis that would produce a score based on:
- Whether other companies are using that bank account for their supplier
- Whether we see the bank account used frequently or infrequently
- Whether the bank account is relatively new or has been in place for a long time
- Whether we see the bank account being used to pay other suppliers – a potential red flag
The bank account confidence score applies to any part of the world, to any supplier. It’s the next best thing to bank verification of account ownership.
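To make the four signals above concrete, here is an added example (not apexanalytix code) that derives them from anonymized payment records and folds them into a 0-100 score. The record schema, the weights, the caps and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Payment:                 # one anonymized payment record (constructed schema)
    payer: str                 # opaque buyer id
    supplier: str              # opaque supplier id
    account: str               # opaque bank account id
    paid_on: date

def account_signals(history, supplier, account, today):
    """The four signals listed above, for one supplier/account pair."""
    hits = [p for p in history if p.account == account]
    own = [p for p in hits if p.supplier == supplier]
    return {
        "payers": len({p.payer for p in own}),            # other companies paying it
        "payments": len(own),                             # frequent or infrequent
        "age_days": (today - min(p.paid_on for p in own)).days if own else 0,
        "other_suppliers": len({p.supplier for p in hits} - {supplier}),  # red flag
    }

def confidence_score(sig):
    """0-100 score; every weight and cap here is an illustrative assumption."""
    score = 30 * min(sig["payers"], 5) / 5
    score += 30 * min(sig["payments"], 24) / 24
    score += 40 * min(sig["age_days"], 730) / 730
    score -= 25 * min(sig["other_suppliers"], 2)
    return round(max(0.0, min(100.0, score)))

# Constructed sample data: an established account, a young one, and an account
# that is requested for sup-1 but already receives payments for two other suppliers.
TODAY = date(2023, 11, 16)
HISTORY = [Payment(f"buyer-{i % 5}", "sup-1", "acct-A",
                   date(2021, 1, 1) + timedelta(days=30 * i)) for i in range(24)]
HISTORY += [Payment("buyer-1", "sup-2", "acct-C",
                    date(2023, 5, 20) + timedelta(days=30 * i)) for i in range(6)]
HISTORY += [Payment("buyer-8", "sup-7", "acct-B", date(2023, 11, 1)),
            Payment("buyer-9", "sup-9", "acct-B", date(2023, 11, 3))]

def score_for(supplier, account):
    return confidence_score(account_signals(HISTORY, supplier, account, TODAY))

if __name__ == "__main__":
    for pair in [("sup-1", "acct-A"), ("sup-2", "acct-C"), ("sup-1", "acct-B")]:
        print(pair, score_for(*pair))
```

A brand-new account and an account shared with unrelated suppliers both score 0 here, so a reviewer should read the individual signals as well as the total.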
Creating a Hostile Environment for Fraudsters
Outpace the fraudsters, or at least your friend… Ideally, you want your company’s payment fraud security tied down so tight that fraudsters have you on “a don’t even bother” list. apexanalytix believes the only way to achieve this is through automation and security best practices. We constantly challenge ourselves by finding holes in our security, launching pseudo cyber attacks on our systems and all the points of failure in them. We named the enemy, and the enemy is manual processes. Here’s how we defeat them – we refer to this system as Layers of Protection.
- Lock down your vendor master changes, including bank account changes, using a secure online portal.
- Be sure that the portal has the latest and most robust access controls – as good as any bank. Things like multi-factor authentication, IP address tracking, and more.
- Check to see if the solution is monitoring behavior – Is the user logging on during normal business hours, from their known PC, from the known device, from their known address? If not, raise an alert.
- Stop taking bank account changes through any other channel besides the portal. Don’t take phone calls; don’t take PDF requests; don’t take emails; don’t take requests from inside your own company.
- When possible, integrate with the banking systems in countries where bank account ownership can be verified.
- Layer on top of that the bank account confidence scoring.
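The layers above can be expressed as one review gate for a bank account change request. This is an added sketch, not apexportal's implementation: the field names, the business-hours window, the 30-day window after a contact change and the score threshold of 70 are all assumptions, and the sample requests are constructed.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Profile:                      # what the portal has learned about a supplier user
    devices: frozenset
    addresses: frozenset
    hours: range = range(8, 18)     # assumed "normal business hours", local time

@dataclass
class ChangeRequest:
    channel: str                    # "portal", "email", "phone", "pdf", "internal"
    mfa_ok: bool
    login_at: datetime
    device: str
    address: str
    contact_changed_at: Optional[datetime]   # last change of the authorizing contact
    owner_verified: Optional[bool]  # bank's answer; None where no service exists
    confidence: Optional[int]       # 0-100 score, used only when owner_verified is None

def review(req, prof, min_conf=70, quarantine=timedelta(days=30)):
    """Return (decision, reasons); thresholds are illustrative assumptions."""
    if req.channel != "portal":
        return "reject", ["bank changes are accepted through the portal only"]
    if not req.mfa_ok:
        return "reject", ["multi-factor authentication not completed"]
    alerts = []
    if req.login_at.hour not in prof.hours:
        alerts.append("login outside normal business hours")
    if req.device not in prof.devices:
        alerts.append("unknown device")
    if req.address not in prof.addresses:
        alerts.append("unknown IP address")
    if req.contact_changed_at and req.login_at - req.contact_changed_at < quarantine:
        alerts.append("authorizing contact was changed recently")
    if req.owner_verified is False:
        return "reject", alerts + ["bank did not confirm account ownership"]
    if req.owner_verified is None and (req.confidence or 0) < min_conf:
        alerts.append("no ownership service and low confidence score")
    return ("hold", alerts) if alerts else ("approve", [])

# Constructed samples (documentation-range IPs, made-up device names).
KNOWN = Profile(frozenset({"laptop-01"}), frozenset({"203.0.113.10"}))
NIGHT = ChangeRequest("portal", True, datetime(2023, 12, 24, 23, 5), "phone-99",
                      "198.51.100.7", datetime(2023, 12, 20, 9, 0), None, 35)
CLEAN = ChangeRequest("portal", True, datetime(2023, 12, 12, 10, 30), "laptop-01",
                      "203.0.113.10", None, True, None)
EMAIL = replace(CLEAN, channel="email")
```

`review(NIGHT, KNOWN)` holds the request with five reasons, `review(CLEAN, KNOWN)` approves, and `review(EMAIL, KNOWN)` is rejected before any other check runs.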
The Enemy: Manual Processes
Billions of dollars of opportunity are a huge temptation for fraudsters – whether they are acting as individuals or as part of more extensive, insidious crime networks. It’s their only job. Expect them to find every new scheme to deliver your company from millions or billions in payments. If you are relying on one or two manual controls, you are at risk. The ultimate control? Bank account ownership validation by the bank itself. Second best, bank account confidence scoring, based on patterns of buyer/supplier transactions. Slam the door on fraud by staying ahead of the experts at separating you from your payments.
Danny Thompson is the Chief Product Officer at apexanalytix. He collaborates with P2P clients to understand their needs and challenges, and to ensure apexanalytix solutions drive better outcomes to meet those requirements.
On a 25-year foundation of experience in P2P and shared services experience, process optimization leadership, and ERP system expertise, Danny collaborates with industry analysts and co-innovates with apexanalytix clients. He is responsible for the definition and communication of innovative services and software that address risk, improve P2P controls, and anticipate the next generation of process automation and efficiency.
He previously was VP of Product Management at a global business-to-business e-invoicing firm, and global process driver for Invoice-to-Pay at Pfizer.