2016 AFP Payments Fraud and Control Survey · Association for Financial Professionals® (AFP) has conducted surveys each year since 2005. The surveys examine the nature and frequency

2016 AFP

Payments Fraud and Control Survey REPORT OF SURVEY RESULTS Underwritten by

9 out of 10 finance professionals strongly believe EMV cards will successfully alleviate point-of-sale fraud.

A majority of organizations were exposed to Business Email Compromise (BEC) scams in 2015.

KEY FINDINGS

2016 AFP

Payments Fraud and Control Survey

After checks, wire transfers were the second most popular vehicle for payments fraud, with 48% of organizations exposed.

EMV Card

Underwritten by

Association for Financial Professionals

4520 East-West Highway, Suite 750

Bethesda, MD 20814

Phone 301.907.2862

Fax 301.907.2864

www.AFPonline.org

2016 AFP

Payments Fraud and Control Survey REPORT OF SURVEY RESULTS

March 2016

Underwritten by

J.P. Morgan is proud to once again sponsor the AFP® Payments Fraud and Control Survey for the seventh consecutive year and we are pleased to provide you with a complimentary copy of AFP’s 2015 report. The survey results show that now, more than ever, the need for new cyber security models and strict control governance is crucial for all businesses given that 62 percent of companies were targets of payments fraud last year. Some of the key findings in this year’s survey include:

92 percent of finance professionals believe EMV (EuroPay, MasterCard and Visa) cards will be effective in reducing point-of-sale (POS) fraud

61 percent believe that chip-and-PIN will be the most effective authentication method in mitigating credit/debit card payments fraud

Wires fraud incidents nearly doubled, from 14 percent in 2013 to 27 percent last year Paper checks continue to lead as the payment type most susceptible to fraudulent attacks

even as their overall use continues to decline Credit and debit cards experienced a decline in fraudulent activity, down from 43% in 2013

to 34% in 2014 With these statistics in mind, it is important for all businesses to take preventive measures to prevent cyber fraud by educating their employees on current payments fraud practices and implementing the products and processes they need to protect their corporate assets. J.P. Morgan is one of the world’s largest providers of treasury management services and a leader in electronic payments technology and solutions. We’re committed to fraud mitigation and information protection across our entire infrastructure and will continue to invest in the technology, educational tools and risk management expertise in the ongoing fight to mitigate fraud. We’d like to thank the AFP for providing us with this year’s valuable insights. They are a cautious reminder that the best defense is to remain vigilant in fraud detection and cyber security protection protocols. With best regards,

Nancy K. McDonnell Managing Director J.P. Morgan

J.P. Morgan is a marketing name for certain businesses segments of JPMorgan Chase & Co. and its subsidiaries worldwide. The material contained herein or in any related presentation or oral briefing do not constitute in any way J.P. Morgan research or a J.P. Morgan report, and should not be treated as such (and may differ from that contained in J.P. Morgan research) and are not intended as an offer or solicitation for the purchase or sale of any financial product or a commitment by J.P. Morgan as to the availability to any person of any such product at any time. All J.P. Morgan products, services, or arrangements are subject to applicable laws and regulations, its policies and procedures and its service terms, and not all such products and services are available in all geographic areas.

J.P. Morgan is proud to once again sponsor the AFP Payments Fraud and Control Survey for the

eighth consecutive year and we are pleased to provide you with a complimentary copy of AFP’s

2016 report. The survey results demonstrate that cyber security models and strict control governance

is crucial for all businesses given that nearly 75 percent of companies were targets of payments fraud

last year.

Some of the key findings in this year’s survey include:

• 42 percent of survey respondents reported that the incidents of fraud attempts increased in 2015

(47 percent reported no change).

• Checks still continue to be the payment method most often targeted with 71 percent of

companies experiencing actual or attempted check fraud.

- Wire transfers were second, with nearly half reporting attacks via wire transfers.

• The security of mobile payments is a chief concern for 75 percent of corporate practitioners.

• 90 percent of respondents believe that chip-and-PIN will be the most effective authentication

method in mitigating credit/debit card payments fraud at the point-of-sale.

• 64 percent of respondents reported that their organizations have been exposed to business email

compromise (BEC), with wire transfers as the payment method most impacted by BEC.

• More than 50 percent of respondents foresee transactions in which cards are not present will be

exposed to greater fraud activity.

With these statistics in mind, it is important for all businesses to take preventive measures by

educating their employees on current payments fraud practices and implementing the products and

processes they need to protect their corporate assets.

J.P. Morgan is one of the world’s largest providers of treasury management services and a leader in

electronic payments technology and solutions. We’re committed to fraud mitigation and information

protection across our entire infrastructure and will continue to invest in the technology, educational

tools and risk management expertise in the ongoing fight to mitigate fraud.

We’d like to thank the AFP for providing us with this year’s valuable insights. They are a cautious reminder

that the best defense is to remain vigilant in fraud detection and cyber security protection protocols.

With best regards,

Nancy K. McDonnell

Managing Director

©2016 Association for Financial Professionals, Inc. All Rights Reserved www.AFPonline.org 1

2016 AFP Payments Fraud and Control Survey

IntroductionPayments are attractive targets for criminals. Given the nature of their function and the

potential access to funds, they are especially appealing to fraudsters. The rapid advance-

ment of technology has spurred innovation in payment methods, but at the same time

it has opened up more avenues for criminals to pursue. Perpetrators of payments fraud

are using their technological skills and knowledge to hack systems and succeed in their

attempts to assail companies’ payment systems.

In 2015, payments fraud was again on the uptick—and at the same level as it was in

2009 after steady declines from 2009 to 2013. However, there was a shift in the types of

fraud activity: while check fraud continued to be the payment method most often subject

to fraud, there was a decline in such fraud. Offsetting that decline was an increase in

fraud via other payment methods including wire transfers and corporate/commercial credit

cards; indeed, in the past few years well-publicized reports of data breaches at retailers

exposed the vulnerability of corporate/commercial credit cards.

If finance professionals thought their plates were already full dealing with these attacks

on payments systems, they have in the past year or so faced a newer type of fraud: the

business email compromise (BEC) scam. There is heightened concern regarding the rise

of BEC-based fraud as it requires considerable more effort than, for example, altering a

paper check. In BEC scams criminals gather confidential information on their targets and

use it to deceive their victims via email. It is disconcerting that those committing these

crimes are able to acquire personal and confidential data. The payment method most often

impacted by this hoax has been wires. The past two years, wires have been increasingly

subject to fraudulent activity and in 2015 were the second most common payment method

subject to fraud.

It is evident that finance professionals are finding it increasingly challenging to protect their

organizations from exposure to payments fraud activity. The perpetrators of these malicious

crimes are finding loopholes in the various payment systems and, unfortunately, continuing

to stay a step ahead of those attempting to foil their plans. The ramifications of payments

fraud activity can be pervasive and harmful to the organizations affected. Beyond any costs

incurred from cleaning up after exposure to payments fraud, companies have to deal with

protecting or remediating their reputation which can be an even more challenging task.

To gauge the level of activity of payments fraud, the payments methods impacted by

fraud, the various types of fraud and the challenges associated with payments fraud, the

Association for Financial Professionals® (AFP) has conducted surveys each year since

2005. The surveys examine the nature and frequency of fraud attacks on business-to-busi-

ness payments and strategies organizations are adopting to protect themselves against

fraudsters. Continuing these efforts, AFP conducted its 12th Annual Payments Fraud and

Control Survey in January 2016. The survey generated 627 responses from corporate

practitioners from organizations of varying sizes and representing numerous industries.

Results from this survey presented in this report reflect data for 2015.

AFP thanks J.P. Morgan for its continued underwriting support of the AFP Payments

Fraud and Control Survey series. Both questionnaire design and the final report, along

with its content and conclusions, are the sole responsibility of AFP’s Research Depart-

ment. Information on survey methodology and demographics of respondents can be found

at the end of the report.

2 www.AFPonline.org ©2016 Association for Financial Professionals, Inc. All Rights Reserved


Payments Fraud Overview From 2009 to 2013 there was a gradual decline in the percentage of organizations

having been victims of attempted/actual payments fraud. But in last year’s 2015 AFP

Payments Fraud and Control Survey Report, we noted that the downward trend of

payments fraud reversed, although by just a few percentage points. The situation has

since deteriorated further.

Seventy-three percent of finance professionals report that their companies experi-

enced attempted or actual payments fraud in 2015. That matches the largest percentage

on record first reported in 2009. It is a significant increase compared to levels reported

in the three previous years and comparable to levels reported between 2006 and 2010.

Such a significant increase in payments fraud in only one year—from 62 percent in

2014 to 73 percent in 2015—highlights the success of fraudsters in attacking organi-

zations’ payments systems.

Percent of Organizations that Experienced Attempted and/or Actual Payments Fraud, 2005-2015

100%

90%

80%

70%

60%

50%

40%

30%

20%

10%

0%2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015

68%72% 71% 71% 73% 71%

68%61% 60% 62%

73%

While organization size does not appear to have had an impact on the incidence

of fraud in 2015, those organizations with fewer payment accounts were more likely

to have been subject to fraud than those with more than 100 payment accounts.

Seventy-eight percent of organizations with annual revenue of at least $1 billion and

fewer than 26 payment accounts were victims of payments fraud in 2015 compared to

64 percent of companies with annual revenue of at least $1 billion and more than 100

payment accounts.

73% of companies were targets of payments fraud in 2015



When examining data from the last three AFP Payments Fraud and Control Survey

Reports, it is evident that the gap between fraud attempts/attacks at larger

organizations (annual revenue at least $1 billion) and those at smaller organizations

(annual revenue less than $1 billion) is shrinking. In the 2014 report (reflecting data

for 2013), the incidence of fraud at larger organizations was 16 percentage points

higher than at smaller ones. This gap shrank to nine percentage points in 2015 (2014

data), and this year’s survey results reveal the percentage difference in the incidence of

fraud at larger organizations compared with smaller ones was a mere two percentage

points. We are seeing a clear trend where smaller organizations are being increasingly

targeted by criminals.

Percent of Organizations that Experienced Attempted and/or Actual Payments Fraud in 2015

80%

70%

60%

50%

40%

30%

20%

10%

0% All Annual Revenue Annual Revenue Annual Revenue Annual Revenue Less Than at Least at Least at Least $1 Billion $1 Billion $1 Billion and $1 Billion and Fewer Than 26 More Than 100 Payment Accounts Payment Accounts

73% 71% 73%78%

64%

Checks continue to be the payment method most often targeted by those committing

or attempting to commit payments fraud. Seventy-one percent of companies that

experienced attempted or actual payments fraud in 2015 were victims of check fraud.

This is a decrease from the 77 percent that reported check fraud in 2014. One reason

for the decrease is the steadily declining use of paper checks for business-to-business

(B2B) transactions. However, checks continue to be the payment method most often

exposed to fraud because they are still the most frequently used payment method. In

addition, fraudsters are familiar with checks and so are able to commit check fraud

with relative ease with the help of sophisticated equipment.



Wire transfers were the second most popular vehicle for payments fraud in 2015.

Nearly half (48 percent) of finance professionals whose organizations were exposed

to payments fraud in 2015 report that such attacks were via wire transfers. This is a

significant increase from the 27 percent and 14 percent that reported wire transfer fraud

in 2014 and 2013, respectively. Following check and wire fraud was fraud via corporate,

commercial credit and debit cards with 39 percent of survey respondents reporting

their companies were targets of those types of fraud. Other fraud reported was via ACH

debits (cited by 25 percent of respondents) and ACH credits (11 percent).

The uptick in instances of wire fraud was not as surprising as how widespread

was the increase. Wire transfer fraud was second only to check fraud, and in 2015

surpassed credit/debit card fraud. One reason is that wires are attractive targets be-

cause of the speed of transaction and also the difficulty in retracting a transaction.

But another reason could be the escalation of business email compromise (BEC)

scams. Indeed, it is widely believed that BEC scams are responsible for the in-

crease in overall payments fraud activity. BEC scams are those in which criminals,

after considerable research, create profiles of executives at targeted organizations.

By being able to mimic the style a CEO or a CFO typically uses in email commu-

nications, criminals can succeed in deceiving employees into making payments to

fraudulent accounts.

Payment Method Subject to Attempted or Actual Payments Fraud in 2014(Percent of Organizations that Experienced Attempted or Actual Payments Fraud)

100%

90%

80%

70%

60%

50%

40%

30%

20%

10%

0%

37%

25%

18%

27%

11%8% 9%

Checks Wire transfers Corporate/commercial ACH debits ACH credits credit and debit cards

39%39%

49%49%48%

77%

59%

71%

All

Annual Revenue Less Than $1 Billion

Annual Revenue at Least $1 Billion

48% of organizations were exposed to wire fraud in 2015, a significant increase from the 27% and 14% that reported wire transfer fraud in 2014 and 2013, respectively



What is troubling is that BEC is not a new scam. Last year’s survey results also

revealed a considerable increase in wire fraud from the previous year. This, together with

increased third-party fraud and account takeovers, imply an increase in instances of BEC

in recent years. (For more information on BEC activity, see page 6.)

While the incidence of payments fraud in 2015 was unchanged at nearly half of

organizations (47 percent), an almost equal share experienced an increase in payment

fraud attacks. Forty-two percent of survey respondents whose organizations experienced

payments fraud report that the number of incidents of fraud attempts increased in 2015

compared to 2014. Eleven percent of survey respondents indicate that the incidence of

payments fraud at their organizations decreased.

Change in Incidence of Payments Fraud in 2015 Compared to 2014 (Percentage Distribution of Organizations that Experienced Attempted or Actual Payments Fraud)

Increased

About the same

Decreased

11%

42%

47%

Smaller organizations with annual revenue of less than $1 billion were more likely than

larger companies to experience an increase in fraud activity over the past year (46 percent

vs. 41 percent). Thirty-seven percent of corporate practitioners from large organizations

with annual revenue of at least $1 billion and fewer than 26 payment accounts report an

increase in fraud in 2015 compared to that in 2014, while 47 percent of those from large

organizations with more than 100 payment accounts report an increase in fraud.

The incidence of

payments fraud

increased at 42% of organizations

100%

90%

80%

70%

60%

50%

40%

30%

20%

10%

0% 2009 2010 2011 2012 2013 2014 2015 Checks Corporate/commercial credit and debit cards ACH debits Wire transfers ACH credits

3%4% 5%

11% 14%

48%

71%77%82%

27%

87%85%

93%90%

Trends in Payments Fraud Activity (Percent of Organizations that Experienced Attempted and/or Actual Payments Fraud)



Business Email Compromise (BEC)A relatively new challenge for finance professionals in the fight against payments fraud is

business email compromise (BEC) scams. BEC scams target corporate email systems in an

effort to trick employees into making payments to fraudulent accounts. By doing extensive

research, criminals obtain information (often through phishing) and build profiles of senior

executives in an organization. The CFO is often a target and criminals study how the execu-

tive corresponds via email; they even observe nuances in those communications to ensure

their fraudulent emails appear authentic. In one typical BEC scam, an email purportedly

from the company’s CFO is sent to employees. The email provides access to payment sys-

tems requesting an urgent payment for a certain purpose. Often this will happen when the

CFO is out of the office, making it difficult for employees to verify the email is credible.

Finance professionals tasked with protecting their organizations against fraud activity

are well aware of BEC and most likely have been making efforts to mitigate its impact. It is

disconcerting that in spite of safeguards being implemented, criminals are still making head-

way with BEC scams. The significant increase in wire fraud also suggests that BEC scams

may be more difficult to prevent than was previously believed.

The key to BEC scams is acquisition of information and what criminals are doing with it.

It appears from this year’s survey results that organizations have a challenging time protect-

ing their information from criminals who go to great lengths to access it. Scams like these are

now more widespread and are the cause of an increasing number of actual financial losses for

organizations. AFP’s Treasury in Practice Guide—BEC Scams: Treasury’s Number One Fraud

Threat—explains more in detail how these scams work and how to protect against them.

A majority of finance professionals (64 percent) reports that their organizations were

exposed to BEC in 2015. Business email compromise was slightly more prevalent among

organizations with annual revenue of at least $1 billion (69 percent of those survey respon-

dents) than among smaller organizations (60 percent).

Additional information on BEC Scams

www.AFPonline.org/TreasuryInPractice/

BEC Scams: Treasury’s Number One Fraud ThreatTreasury in Practice Series

Issue 9

Percent of Organizations that Experienced Attempted or Actual Business Email Compromise in 2015

70%

68%

66%

64%

62%

60%

58%

56%

54% All Annual Revenue Annual Revenue Annual Revenue Annual Revenue Less Than at Least at Least at Least $1 Billion $1 Billion $1 Billion and $1 Billion and Fewer Than 26 More Than 100 Payment Accounts Payment Accounts

64%

60%

69% 69%

63%

64% of companies were exposed to business email compromise in 2015

http://www.afponline.org/TreasuryInPractice/



Fifty-six percent of those organizations that did experience payments fraud via

BEC did so via wire transfers. Although a large share of organizations were targets of

BEC, less than half incurred any financial loss as a result.

Payment Methods Impacted by Business Email Compromise(Percent of Organizations that Experienced Payments Fraud via BEC)

60%

50%

40%

30%

20%

10%

0% Wire transfers Checks Corporate/Commercial ACH debit ACH credits credit cards

56%

29%

18% 16% 15%

Estimated Total Dollar Amount of the Potential and Actual Financial Loss Resulting from Business Email Compromise (BEC) in 2015(Percentage Distribution of Organizations that Experienced Attempted or Actual Payments Fraud via BEC)

Annual Annual Annual Revenue Annual Revenue Revenue Revenue At Least $1 Billion At Least $1 Billion Less Than At Least and Fewer Than and More Than All $1 Billion $1 Billion 26 Payment Accounts 100 Payment Accounts

No Loss 53% 53% 49% 51% 48%

Up to $24,999 8 10 7 7 10

$25,000-49,999 4 4 4 8 –

$50,000-99,999 6 6 5 5 2

$100,000-249,999 9 12 9 9 7

$250,000- 499,999 6 7 5 5 10

$500,000-999,999 4 2 6 5 10

$1,000,000-1,999,999 4 4 5 4 2

$2,000,000 or more 6 2 9 7 12



Financial Loss from Fraud Attempts In most cases, an attempted payments fraud attack on a company in 2015 resulted in a

relatively small financial loss. Seventeen percent of organizations that experienced

payments fraud in 2015 did not have to deal with any potential financial loss. For

25 percent of them, the potential loss from fraud in 2015 is estimated at less than

$25,000; for 29 percent of organizations the potential loss is estimated between $25,000

and $249,000. The potential loss is $250,000 or more at 27 percent of organizations.

Finance professionals from large organizations with more than 100 payment

accounts are more likely than those from other organizations to report potential

financial loss in the highest dollar ranges. Thirty-nine percent of corporate practitio-

ners from these companies report the potential loss from fraud in 2015 was greater

than $250,000.

Potential Financial Loss from Attempted or Actual Payments Fraud in 2015(Percentage Distribution of Organizations that Experienced Payments Fraud)


No Loss 17% 13% 16% 18% 16%

Up to $24,999 25 34 19 23 16

$25,000-49,999 7 9 8 12 2

$50,000-99,999 10 11 9 8 9

$100,000-249,999 12 14 13 11 18

$250,000-499,999 9 10 8 6 11

$500,000-999,999 5 1 8 6 5

$1,000,000-1,999,999 4 3 6 5 5

$2,000,000 or more 9 5 14 10 18



Seventy-two percent of organizations that were exposed to at least one payment

fraud attempt in 2015 did not incur an actual financial loss from that attempt.

Fourteen percent of survey respondents report a loss to their organizations of less

than $25,000 and only four percent of organizations realized a loss greater than

$250,000. Nearly half (47 percent) of larger organizations maintaining more than

100 payment accounts were more likely to have experienced a direct loss than

were other companies; 12 percent of such companies suffered a financial loss

exceeding $250,000.

Actual Direct Financial Loss from Attempted or Actual Payments Fraud in 2015(Percentage Distribution of Organizations that Experienced Payments Fraud)


No Loss 72% 75% 68% 73% 53%

Up to $24,999 14 18 10 12 12

$25,000-49,999 4 3 4 3 7

$50,000-99,999 3 1 4 3 12

$100,000-249,999 4 3 5 4 5

$250,000-499,999 1 – 3 1 5

$500,000-999,999 1 – 2 3 –

$1,000,000-1,999,999 1 – 2 2 2

$2,000,000 or more 1 – 2 – 5

72% of organizations that experienced payment fraud in 2015 did not incur an actual financial loss from those attacks



While checks were not only the most popular payment method subject to fraud, in 2015

they were once again the payment method accounting for the largest dollar amount of loss

due to fraud. However, the percentage of organizations that suffered loss as a result of check

fraud declined further—from 57 percent in 2013 to 45 percent in 2014 and 43 percent in

2015. Twenty-three percent of companies that experienced payments fraud suffered the larg-

est amount of losses via wire transfers, while 20 percent of them did so via fraudulent use of

corporate/commercial cards. Larger organizations were more likely to have incurred losses as

a result of fraud via wire transfers than were smaller companies.

Payment Method Responsible for Largest Dollar Amount Loss from Fraud Loss (Percentage Distribution of Organizations that Experienced Payments Fraud)

Checks

Wire transfers

Corporate/Commercial credit and debit cards

ACH debits

ACH credits

10%

43%20%

5%

23%

Costs to manage/defend and/or clean up from fraud attacks were relatively low for most

organizations. Nearly half (49 percent) did not incur any expenses as a result of a fraud attempt

and 35 percent spent less than $25,000 to defend against or clean up the fraud. A greater share

of larger organizations—and specifically those with more payment accounts—were more likely

to have spent more on cleaning up and defending against fraud than were other companies.

Cost to Manage/Defend/Clean Up from Attempted or Actual Payments Fraud in 2015(Percentage Distribution of Organizations that Experienced Payments Fraud)


No Cost 49% 56% 49% 45% 30%

Up to $24,999 35 34 35 42 28

$25,000-49,999 5 3 7 6 7

$50,000-99,999 4 3 5 2 12

$100,000-249,999 4 4 4 3 7

$250,000-499,999 1 1 2 2 –

$500,000-999,999 1 – 3 – 12

$1,000,000-1,999,999 – – 1 – –

$2,000,000 or more 1 – 2 – 5

Checks continueto account for the largest amount of loss due to fraud



Sources of Attempted/Actual Payments Fraud The majority of payments fraud continues to originate from an external source or indi-

vidual. In 2015, nearly two-thirds of companies (65 percent) that experienced attempted

or actual payments fraud in 2015 did so as a result of actions by an outside individual.

Half of finance professionals reports that for their companies, payments fraud originated

via business email compromise (BEC) and 15 percent of organizations were targets of an

organized crime ring.

Sources of Attempted/Actual Payments Fraud in 2015 (Percent of Organizations that Experienced Attempted or Actual Payments Fraud)

Outside individual

Business Email Compromise (BEC fraud)

Organized crime ring

Third-party or outsourcer

Account takeover

Internal party

Compromised mobile device

Lost or stolen laptop

0% 10% 20% 30% 40% 50% 60% 70%

2%

2%

5%

11%

12%

15%

50%

65%



Check Fraud Checks have been and continue to be the payment method most often exposed to

fraudulent activity. Forty-four percent of organizations that experienced check fraud in

2015 suffered between one and five incidents of check fraud; 22 percent were subject

to between six and ten incidents. A similar share—21 percent—were exposed to

check fraud more than 20 times, an increase from 17 percent in 2014. Larger

organizations with more than 100 payment accounts were far more likely to have been

victims of check fraud than were other organizations; 48 percent of survey respondents

from this group report that their organizations experienced check fraud more than 15

times in 2015. Nearly two-thirds of finance professionals (66 percent) report that the

number of check fraud attempts in 2015 was unchanged from 2014 while 24 percent

report an increase.

The United States differs from most other developed countries in that paper checks

are still used to a large extent for business-to-business (B2B) transactions. Although

the use of paper checks is declining, checks still account for a large portion of the

total number of payment transactions. This is also one of the reasons checks are the

predominant targets of fraudulent transactions. Other reasons checks are subject to

fraud is that they are physical items that can be altered fairly easily. Also, modern

technological equipment facilitates the counterfeiting of checks. However, as checks

continue to decline as a chosen payment method, so does check-related fraud. Those

committing fraud often seek out other methods of payment fraud believing they may

be more lucrative and might shift their focus away from checks. Nevertheless, checks

continue to account for the majority of fraud activity.

Number of Times Organization Experienced Attempted or Actual Check Fraud in 2015(Percentage Distribution of Organizations that Experienced At Least One Attempt of Check Fraud)


1-5 44% 57% 35% 39% 32%

6-10 22 22 19 20 19

11-15 10 7 12 13 5

16-20 3 2 4 6 0

21 or more 21 11 29 22 43



There are a number of protective measures that can effectively secure check payments.

It is critical that organizations implement these safeguards. If fraudsters are successful

in their attacks, they will persist in targeting an organization repeatedly until they are

caught. The figures cited above on the incidence of check fraud clearly validate this. A

majority of survey respondents report that their organizations were targets for check

fraud one to five times in 2015, suggesting that criminals cast a wide net hoping that

the targeted organization does not have sufficient protective measures in place. Twenty-

one percent of respondents report their organizations were attacked by fraudsters more

than 21 times. This suggests that those organizations are not adequately protecting their

check transactions and so are frequently being targeted. Companies that are exposed to

check fraud often should consider performing daily reconciliations and/or investing in

positive pay, etc.

Number of Times Organization Experienced Attempted or Actual Check Fraud in 2015(Percentage Distribution of Organizations that Experienced At Least One Attempt of Check Fraud)

Change in Incidence of Check Fraud in 2015 Compared to 2014 (Percentage Distribution of Organizations that Experienced Attempted or Actual Payments Fraud via Checks)

24%

66%

10%

Increased

About the same

Decreased

Positive pay continues to be the method most often used by organizations to guard

against check fraud. This approach is used by 88 percent of organizations—an increase

from the 79 percent in 2014. Other prevalent methods being used are:

• Daily reconciliations and other internal processes

(cited by 77 percent of respondents)

• Segregation of accounts (69 percent)

• Payee positive pay (56 percent)

88% of organizations use positive pay to guard against check fraud



While check fraud continued to be the most prevalent type of payments fraud

experienced by organizations in 2015, a vast majority of companies did not suffer

any financial loss as a result of such fraud. Twenty percent of companies that were

exposed to at least one check fraud attempt in 2015 incurred a financial loss as a

consequence. However, this is an increase from 15 percent in 2014. For larger

companies with more than 100 payment accounts the share was 35 percent.

Fraud Control Procedures Organizations Used to Guard Against Check Fraud in 2015(Percent of Organizations that Experienced At Least One Attempt of Check Fraud)


Positive pay 88% 85% 90% 93% 89%

Daily reconciliation and other internal processes 77 79 75 77 73

Segregation of accounts 69 69 69 73 62

Payee positive pay 56 53 58 57 59

“Post no checks” restriction on depository accounts 49 46 52 55 51

Reverse positive pay 16 13 18 16 22

Non-bank fraud control services 6 4 7 5 16

Other 2 3 2 2 3



Organizations incurred financial loss due to check fraud for

various reasons:

• No positive pay (cited by 41 percent of survey respondents)

• Clerical errors (29 percent)

• Account reconciliation not timely (25 percent)

• Stolen check stock (20 percent)

• Internal fraud (18 percent)

Suffered Financial Loss as a Result of Check Fraud (Percentage Distribution of Organizations that Experienced At Least One Attempt of Check Fraud)

Yes20%

No80%

Features Most Effective in Preventing Check Fraud (Percentage Distribution of Organizations that Experienced Payments Fraud via Checks)


VOID Feature (The word “VOID” appears if check is scanned or copied) 57% 58% 58% 57% 63%

Security/Safety Paper (Stains will appear if attempts are made to alter the check) 51 51 49 47 56

Micro Print (A fine line of print can be read when magnified – difficult to photocopy) 32 30 33 34 33

Blank Check Stock 30 30 29 37 25

Dual-tone True Watermark 30 30 29 24 34

Heat-reactive Ink 21 19 21 18 19

Other 16 16 15 12 19

Finance professionals are eager to reduce the number of check fraud incidents and are well

aware that that certain check features are more effective than others in limiting check fraud. The

two features survey respondents consider most effective in preventing check fraud are the VOID

feature—i.e., the word “VOID” appears if check is scanned or copied (cited by 57 percent of survey

respondents) —and the use of security/safety paper (stains will appear if attempts are made to al-

ter the check) (51 percent). Other features considered effective in preventing fraudsters from using

checks to deceive victims are micro print, a fine line of print which is difficult to photocopy and

can be read only when magnified. Blank check stock and dual tone watermark are also considered

to be effective in preventing check fraud (each cited by 30 percent of respondents).



ACH Fraud ACH transactions are typically considered a safer form of payment. Criminals not only

need to obtain a customer’s credentials but must also be able to generate ACH files in

the originator’s name. In order to be successful, criminals most often need help from

someone inside a targeted company to assist them. As a result, ACH transactions are

less impacted by fraud than are other payment methods. Even among the small share of

companies which experience ACH fraud, this type of fraud occurs infrequently. As with

check fraud, criminals will attempt ACH fraud on a wide scale. If they succeed they will

continue to target the same organization over and over again until they are stopped.

In 2015, one-fourth of organizations were subject to ACH Debit fraud and 11 percent

to ACH Credit fraud. Larger companies with more than 100 payment accounts are six

more times likely than similar-sized organizations with fewer payment accounts to have

been targets of ACH fraud more than 20 times. Seventy-three percent of respondents

from companies that experienced ACH fraud report one to five incidents of such fraud in

2015. Only nine percent of finance professionals report their organizations experienced

more than 20 incidents of ACH fraud. This is a good indication that most companies are

protecting themselves fairly well from ACH fraud. These figures have also not changed

much over time; trends in ACH fraud have shifted somewhat from year to year but not to

any large extent.

Number of Times Organizations Experienced Attempted or Actual ACH Fraud in 2015(Percentage Distribution of Organizations that Experienced At Least One Attempt of ACH Fraud)


1-5 72% 79% 68% 71% 63%

6-10 13 10 14 16 7

11-15 5 3 6 7 –

16-20 2 2 2 2 4

21 or more 9 5 10 4 26

Seventy percent of finance professionals report that the instances of ACH fraud

attempts at their organizations in 2015 was unchanged from that reported in 2014.

Twenty-three percent report a rise in ACH fraud occurrences during the same time-

frame, an increase from the 13 percent that reported a rise in 2014 compared to 2013.

Organizations adopt various strategies to mitigate the impact from ACH fraud. Sixty-

nine percent of companies reconcile accounts daily to identify and return unauthorized

ACH Debits while 56 percent block all ACH Debits except those with ACH Debit filter

and/or ACH positive pay. Forty-one percent take the additional step of blocking ACH

Debits on all accounts.



Eleven percent of organizations that were victims of at least one ACH fraud attempt

in 2015 suffered a financial loss as a result. The share increased to 16 percent for larger

organizations with more than 100 payment accounts.

The most plausible reasons for ACH fraud incidents include:

• OrganizationdidnotuseACHDebitblocksorACHDebitfilters

(cited by 40 percent of respondents)

• Account reconciliation not timely (30 percent)

• Organization did not use ACH positive pay (30 percent)

• ACH Return not timely (25 percent)

• Internal fraud (e.g., employee responsible) (15 percent)

Although ACH fraud occurs considerably less often than check fraud, the actual

exposure of ACH transaction information may be more damaging due to its sensitive

nature, including actual bank account numbers, etc. At the same time, criminals need

to make more significant efforts than most may be willing to in order to obtain such in-

formation. Since AFP began tracking payments fraud, we have not seen a major shift in

ACH fraud activity. If criminals do decide to put in the extra effort, as in BEC scams, this

may change. Therefore, it is always wise to implement any protective measures available.

Fraud Control Procedures Used to Prevent ACH(Percent of Organizations that Experienced At Least One Attempt of ACH Fraud)

80%

70%

60%

50%

40%

30%

20%

10%

0%

45%

29%32%

29%

23%

16%

29%

Reconcile accounts Block all ACH debits Block ACH debits Debit block on all Create separate daily to identify and except on a single on all accounts consumer items with account for return unauthorized set up with ACH debit filter on electronic debits ACH debits debit filter/ACH commercial ACH debits initiated by the positive pay third party (e.g., taxing authority)

35%

41%

59%

51%

56%

68%

71%69%

All


Annual Revenue At Least $1 Billion



Corporate/Commercial Card Payments After two years of decline, the use of corporate/commercial cards for business-to-busi-

ness (B2B) transactions seems to be trending slightly upwards. The most widely used

B2B cards in 2015 were purchasing cards (used by 75 percent of organizations, up from

71 percent in 2014) followed by Travel & Entertainment (T&E) cards (45 percent, up

from 39 percent in 2014). The use of ghost or virtual cards has declined slightly from

31 percent to 29 percent in the same timeframe. Larger organizations with more than

100 payment accounts were more likely to use T&E cards than were other companies.

Percentage of Corporate/Commercial Cards that Organizations Use for B2B Payments(Percent of Organizations that Experienced Attempted or Actual Fraud via Corporate/Commercial Cards)


Purchasing cards 75% 68% 80% 79% 81%

T&E cards 45 39 50 49 58

Ghost or virtual cards (valid card account without a physical card issued) 29 22 34 33 29

Fleet cards 16 17 16 16 13

“One card” combining several uses above 15 21 12 8 16

Airline travel cards (UATP) 6 5 6 7 3

Other 2 3 2 2 3



As the use of B2B cards increases, so does the likelihood of fraud via such vehicles.

Forty-two percent of companies that experienced payments fraud in 2015 were impacted

by fraud associated with their own commercial cards, an increase from 32 percent in

2014. Corporate/commercial cards were the third most-often targeted payment method

for those attempting to commit payments fraud in 2015. The recent increase in corpo-

rate/commercial card fraud most likely is the result of the increased use of such cards,

particularly purchasing cards and T&E cards. The previous decline reported in 2014

followed a decline in overall card use for B2B transactions.

As with fraud via other payment methods, corporate/commercial card fraud can often

result in a financial loss to companies. But in addition, fraud via corporate/commercial

cards can also result in financial losses to third parties such as an organization’s bank

or merchant partners. While 38 percent of organizations that were victims of this type

of fraud in 2015 did not incur a financial loss, 36 percent of their card-issuing banks did,

an increase from 31 percent in 2014. A larger share of organizations’ merchants also

experienced an increase in corporate/commercial card fraud—from 15 percent in 2014

to 21 percent in 2015. Other parties that suffered increased financial loss as a result of

corporate/commercial card fraud include card processors—increasing to 8 percent from

4 percent the previous year.

40%

35%

30%

25%

20%

15%

10%

5%

0% No organization Card Merchant My organization Card processor Other suffered issuing bank financial loss

38%36%

21%

13%

8%

Parties That Suffered Financial Loss from Fraud on Corporate/Commercial Cards(Percent of Organizations that Experienced At Least One Attempt of Corporate/Commercial Card Fraud)

3%



For the large majority of organizations (77 percent) that experienced fraud via their

own corporate/commercial cards, the fraud was initiated by an unknown external

party. For 17 percent of those companies, this type of fraud was perpetrated by an

employee, a decrease from 25 percent in 2014, suggesting an improvement in internal

controls for card payments. Corporate/commercial card fraud committed by a third-

party or outsourcer (e.g., vendor, professional services provider) declined slightly from

16 percent in 2014 to 14 percent in 2015. The large percentage of card fraud commit-

ted by an unknown external party highlights the vulnerability of cards. Large data

breaches can expose a vast number of card credentials to a wide range of criminals.

These credentials are being sold and then used to create fraudulent cards.

Larger organizations with annual revenue of at least $1 billion were more likely than

other companies to have been exposed to fraud committed by an employee

(23 percent versus 13 percent) or by a third-party (19 percent versus nine percent).

However, smaller organizations with annual revenue less than $1 billion were more

prone to fraud attacks from unknown external parties than were other companies

(85 percent versus 69 percent). Larger organizations face a significant challenge in

that they need to control all the cards they issue. Because there are typically more

cards in circulation from larger companies, especially purchasing cards and T&E

cards, the more cards in circulation the greater the opportunity for fraud.

Party Responsible for Fraud on Corporate/Commercial Cards(Percent of Organizations that Experienced At Least One Attempt of Corporate/Commercial Card Fraud)

90%

80%

70%

60%

50%

40%

30%

20%

10%

0%

23%

14%

9%

19%

13%17%

69%

85%

77% All



Unknown external party Employee Third-party or outsourcer (e.g., vendor, professional services provider, business trading partner)

Fraud attempts on corporate/commercial cards is often initiated by an unknown external party



Mobile Payments Despite recent technological innovations and the vast number of start-ups specializing

in the mobile payments field, the adoption of mobile payments has failed to achieve

the level anticipated every year. Survey results suggest that finance professionals are

skeptical about the use of mobile payments. Among the issues constraining the

adoption of mobile payments are concerns about the security of mobile payment

applications and the phone networks being used. Indeed, the number-one concern

regarding mobile payments among corporate practitioners is whether they are a secure

method of payment (cited by 76 percent of respondents). Security appears to be a

greater concern for large companies with annual revenue of at least $1 billion with

fewer than 26 payment accounts than organizations of the same size with more than

100 payment accounts (81 percent versus 66 percent).

Other issues preventing companies from adopting mobile payments more extensively

are the potential exposure of personal financial information resulting from a loss of

phones used to make the payments (55 percent) and transmitting financial data over cell

networks (53 percent). The potential compromise of financial data when transmitting

over cell phone networks is a greater concern among survey respondents from larger

organizations with annual revenue of at least $1 billion than those from smaller compa-

nies (annual revenue less than $1 billion) (57 percent versus 45 percent). Additionally,

larger organizations with more than 100 payment accounts are more apprehensive about

consumers using mobile payments than those with fewer payment accounts (66 percent

versus 54 percent).

Security Issues Preventing Consumers from Further Embracing Mobile Payments(Percent of Organizations)


Concerns about whether mobile payments are a secure payment method 76% 75% 78% 81% 66%

Potential exposure of personal financial information resulting from a loss of the phone 55 54 55 57 54

Transmitting financial data over cell phone networks 53 45 57 54 66

The authentication process 29 26 32 34 34

Other 4 4 4 2 9

The security of mobile payments and the phone networks used are of most concern to corporate practitioners



Credit/Debit Card Payments Seventy percent of corporate practitioners report that their companies accept debit/credit

card payments from their customers. A slightly smaller share of companies with annual

revenue less than $1 billion accept credit and/or debit card payments than do larger

organizations (64 percent versus 74 percent).

The uptick in credit card/debit card fraud continued in 2015 with 39 percent of finance

professionals reporting their organizations experienced fraud attacks via these vehicles.

This is an increase from the 34 percent in 2014 but still below the peak of 43 percent in

2013. However, that 2013 figure may have been a result of the media hype surrounding

the large data breaches at high-profile retailers in December 2013.

Results from the 2015 AFP Payments Fraud and Control Survey, conducted prior to the Oc-

tober 2015 deadline for the shift in liability from card issuers to merchants, revealed that over

40 percent of corporate practitioners anticipated somewhat of an impact on their organization’s

investment in card fraud prevention methods and 28 percent anticipated a greater impact.

By the time the current survey was conducted, the deadline for the shift in liability from card

issuers to merchants had passed, and survey results reveal that 32 percent of respondents

report there was some impact on their investments in preventing card fraud. This figure is

less than the 42 percent who held this view in 2014. Nineteen percent of organizations were

significantly impacted by the liability shift in 2015, but that share was a decrease from the 28

percent of survey respondents in 2014 who anticipated a similar impact their companies’ outlay

on fraud prevention systems. The share of finance professionals who believed the impact would

be negligible increased dramatically from 14 percent in 2014 to 35 percent in 2015. The current

survey results also suggest that—just a few months after the liability shift—the investment costs

and complexity of upgrading terminals, as well as the costs of training, may be having less of

an impact than previously anticipated. This mitigated impact of the liability shift suggests that

organizations that haven’t installed EMV-capable terminals have not experienced a significant

increase in fraud attacks; alternatively, the implementation of new terminals, training of staff and

customers has been less challenging than expected.

Impact of Liability Shift in Organization’s Investment in Card Acceptance Fraud Prevention Methods/Solutions(Percentage Distribution of Organizations that Accept Credit/Debit Cards from Customers)

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

(1) No Impact (2) (3) Somewhat of an Impact (4) (5) Significant Impact

All

Annual Revenue Less than $1 Billion


Annual Revenues at Least $1 Billion and Fewer than 26 Payment Accounts

Annual Revenues at Least $1 Billion and More than 100 Payment Accounts 30% 13% 33% 15% 10%

32% 18% 34% 10% 7%

39% 11% 32% 9% 11%

35% 15% 32% 10% 9%

33% 22% 29% 9% 7%



While EMV (EuroPay, MasterCard, VISA) cards have been in use for many years in many

parts of the developed world, their use only started gaining traction in the U.S. because of the

shift in liability—from card-issuer to merchant—that went into effect in October 2015. The key to

the EMV chip card is the “smart chip” that is considerably more difficult to counterfeit than the

magnetic strip traditionally used on credit/debit cards. The authentication is usually done with

a PIN. However, the U.S. banking industry has opted for a less secure signature authentication,

claiming that consumers will experience a negative experience because of too many changes in

the purchasing procedures with cards. Some banks have since indicated a PIN authentication

may be planned for the future since it adds a layer of protection. Merchants are typically in favor

of PIN authentication as it is more likely to prevent fraud at card-present (POS) transactions.

It is still too soon to determine the real impact of this liability shift. Implementation of the

new cards has been slow, often due to a short supply of EMV-capable terminals making them

expensive. For merchants with high-volume, low-value transactions, the investment cost for

new terminals and training of personnel may exceed the potential loss from fraud.

As the use of EMV chip cards becomes more extensive, fraudsters are likely to shift their

focus to other, less-secure payment methods. Ninety percent of finance professionals believe

that if EMV chip cards do cut back on the instances of fraud, perpetrators will shift their focus

to other payment methods. This is a 10-percentage-point increase in the share of finance

professionals who held the same view last year and a 20 percent increase from 2014. The

majority of survey respondents (55 percent) foresee those transactions in which cards are not

present, such as online purchases, will be exposed to greater fraud activity. Smaller shares of

finance professionals anticipate greater fraud activity via checks (17 percent), ACH Debit

(7 percent) and wire transfers (7 percent).

The share of finance professionals who believes checks will be exposed to greater fraud

activity if EMV chip cards are successful in mitigating fraud continues to decline—from

58 percent in 2013 to 38 percent in 2014 and a mere 17 percent in 2015. However, a greater

share of respondents from larger organizations with more than 100 payment accounts

(28 percent) than other companies believes checks will continue to be impacted.

Forms of Payments Subject to Greater Fraud Activity if EMV Cards are Successful in Reducing Fraud(Percentage Distribution of Respondents)


Card-Not-Present transactions 55% 58% 54% 62% 32%

Checks 17 17 16 14 28

Fraud will not migrate to other payment forms 10 10 11 11 15

ACH debit 7 7 6 5 9

Wire transfers 7 4 10 6 13

ACH credit 1 2 – – –

90% of corporate practitioners believe that criminals will shift their focus to other payment methods if EMV chip cards are successful in mitigating fraud



Similar to last year’s survey results, a vast majority (92 percent) of finance

professionals strongly believe that EMV chip cards will be successful in alleviating

point-of-sale (POS) fraud. Sixty-six percent consider Chip-and-PIN an effective method

in reducing POS fraud. In addition to using a stolen credit card, fraudsters would need a

card’s associated PIN, making it more difficult to authenticate a transaction.

Other methods survey respondents consider effective are Chip-and-Choice, which

allows merchants to choose the option of PIN or signature (12 percent), EMV regardless of

authentication method used (10 percent) and Chip-and-Signature (5 percent). A far smaller

share of finance professionals from larger organizations with more than 100 payment

accounts are more likely than those from organizations with fewer payment accounts to

consider Chip-and-PIN as effective (50 percent versus 78 percent).

Authentication Method for EMV Cards Most Effective in Preventing Fraud and Providing a Better Customer Experience(Percentage Distribution of Respondents)


Chip-and-PIN 66% 62% 69% 78% 50%

Chip-and-Choice (merchant can chose PIN or signature) 12 13 11 6 15

EMV is effective in reducing POS card fraud regardless of authentication method used 10 10 9 7 15

EMV will not be effective in reducing POS fraud 8 9 6 5 15

Chip-and-Signature 5 6 5 6 6

Securing CredentialsOver the past couple of years, data security breaches have been rampant. These mali-

cious attacks have compromised the personal data of thousands of consumers and even

U.S. government employees have not been spared, leaving many vulnerable and insecure.

Organizations, too, are on guard and making all efforts to protect themselves from being

victims of such attacks or taking steps to lessen the impact if they are victims. Strategies

being implemented at companies to protect their reputation and their consumers’ information

include the following:

Seventy-fivepercent perform daily reconciliations on transaction activity.

Fifty-three percent have adopted a stronger form of authentication or added layers of

security for access to bank services.



Forty-one percent ensure their disaster recovery plans include the ability to continue

with strong controls.

Thirty-nine percent have upgraded the authentication procedure/devices used to access

the company network.

Other tactics organizations are adopting to safeguard themselves from any potential attacks

include restricting company network access for payments to only company-issued laptops

(27 percent) and restricting network access for payments via mobile devices to emergency

situations only (18 percent).

Daily reconciliations are an effective way to expose fraudulent transactions with minimum

delay. By performing daily reconciliations, organizations can minimize any harm caused by a

data breach. Additionally, this is an exercise that is done internally and independent of exter-

nal parties. Stronger authentication procedures are also effective as they add layers of security

to the access of the vital payment systems. The more layers of security the more difficult it

is for criminals to gain access to sensitive information. If faced with a difficult-to-break-into

system, criminals will most likely move on to a less-secure target where their efforts may pay

off in a much shorter time.

Actions Taken to Defend Against Attacks that Would Compromise Security (Percent of Organizations that Experienced Attempted or Actual Payments Fraud)

Perform daily reconciliations

Adopt a stronger form of authentication or added layers of security for access

to bank services

Ensure disaster recovery plans include the ability to continue with strong controls

Upgrade the authentication procedure/devices used to access our

company network

Restrict network access for payments to only company-issued laptop

Restrict company network access for payments via mobile devices (laptop,

tablets, phones) to emergency situations only

Dedicate a PC for payment origination (with no links to e-mail/web

browsing/social networks)

Replace proprietary bank connections with secure access through the SWIFT network

Other

0% 10% 20% 30% 40% 50% 60% 70% 80%

13%

11%

18%

27%

39%

41%

53%

75%

5%



Conclusion In the past few years, organizations have been targets of severe fraud attacks which

have had far-reaching consequences for their business operations, bottom lines,

consumers and overall reputation. Even if malicious fraudsters are not successful in

accessing funds, they are often able to access highly secure data which puts organizations

and their customers’ at risk. In such situations, clean-up efforts for companies may be

significant; beyond just incurring costs, fraud can also result in staff resources being

shifted from other key priorities to focus on dealing with the assault and its aftermath,

including remediating an organization’s reputation.

Finance professionals are fully cognizant that fraud attacks are the “new normal”

and they are on high alert, making efforts to minimize the impacts of these attacks.

However, it appears that the perpetrators of these acts are managing to stay ahead

of their targets. Over the last two years, we have seen a significant increase in fraud

activity. Indeed, in 2013, 60 percent of organizations experienced payments fraud; the

share increased slightly to 62 percent in 2014, but jumped to 73 percent in 2015.

In addition to the increased incidence of fraud, fraudsters are also focusing their

efforts on targeting other payments methods beyond traditional targets such as

checks, moving towards wire transfers and adopting new strategies like business

email compromise to prey on their victims.

Results from the 2016 AFP Payments Fraud and Control Survey reveal key trends in

the payments fraud area. Notable among these are the following:

Therehasbeenasignificantincreaseinfraudattacksoncompanies with

73 percent of organizations experiencing actual/attempted payments fraud in

2015, an increase from 62 percent in 2014.

Forty-two percent of survey respondents whose organizations experienced

payments fraud report that the number of incidents of fraud attempts

increased in 2015 compared to 2014 and 47 percent report no change.

Checks continue to be the payment method most often targeted by those

committing or attempting to commit payments fraud and once again account

for the greatest amount of financial loss due to fraud. Seventy-one percent of

companies that experienced attempted or actual payments fraud in 2015 were

victims of check fraud. Wire transfers were the second most popular vehicle

for payments fraud, with nearly half (48 percent) of finance professionals whose

organizations were exposed to payments fraud in 2015 reporting that such

attacks were via wire transfers.

Sixty-fourpercentoffinanceprofessionalsreportthattheirorganizations

were exposed to business email compromise (BEC) in 2015. Wire transfers

are the payment method most impacted by BEC.

The majority of payments fraud continues to originate from an external source

or individual.



The security of mobile payments is a chief concern for three-fourths of

corporate practitioners.

A vast majority of finance professionals believes that if EMV chip cards do cut

back on the instances of fraud, perpetrators of fraud will shift their focus to

other payment methods. Over half of survey respondents foresee transactions

in which cards are not present will be exposed to greater fraud activity even

with the introduction of EMV chip cards.

Nine out of ten finance professionals strongly believe that EMV cards will be

successful in alleviating point-of-sale (POS) fraud. Most believe Chip-and-PIN

an effective method in reducing POS fraud.

Three-fourths of organizations perform daily reconciliations on transaction

activity and a majority have adopted a stronger form of authentication or added

layers of security for access to bank services to safeguard against fraud attacks.



About the SurveyIn January 2016, the Research Department of the Association for Financial Professionals® (AFP)

surveyed nearly 14,000 of its corporate practitioner members and prospects. The survey

was sent to corporate practitioner members with the following job titles: cash manager,

analyst and director. After eliminating surveys sent to invalid and/or blocked email

addresses, the 399 responses yielded a response rate of nine percent. Additional surveys

were sent to non-member corporate practitioners holding similar job titles, which generated

an additional 230 responses for a total of 629 responses.

AFP thanks J.P. Morgan for underwriting the 2016 AFP Payments Fraud and Control Survey.

Both questionnaire design and the final report, along with its content and conclusions, are

the sole responsibilities of the AFP Research Department. The following tables provide a

profile of the survey respondents, including payment types used and accepted.

Types of Organization’s Payment Transactions(Percentage Distribution of Organization’s Payment Transactions)

When Making When Receiving Payments Payments

Primarily consumers 6% 22%

Split between consumers and businesses 20 24

Primarily businesses 74 54

Number of Payment Accounts Maintained(Percentage Distribution of Organizations that Experienced Payments Fraud)


Fewer than 5 28% 38% 20% 36% –

5-9 16 17 16 28 –

10-25 20 22 20 36 –

26-50 9 5 12 – –

51-100 6 4 8 – –

More than 100 21 13 25 – 100%



Annual Revenues (USD)(Percentage Distribution of Organizations)

Industry Classification(Percentage Distribution of Organizations)

Banking/Financial services 7%

Business services/Consulting 6

Construction 2

Energy (including utilities) 9

Government 7

Health services 8

Hospitality/Travel 2

Insurance 6

Manufacturing 20

Non-profit (including education) 7

Real estate 5

Retail (including wholesale/distribution) 8

Software/Technology 5

Telecommunications/Media 4

Transportation 2

Other 4


Under $10 Million 5% 12% – – –

$10-99.9 Million 8 19 – – –

$100-249.9 Million 9 19 – – –

$250-499.9 Million 8 18 – – –

$500-999.9 Million 15 33 – – –

$1-4.9 Billion 30 – 55 67 25

$5-9.9 Billion 10 – 18 17 15

$10-20 Billion 7 – 13 9 28

Over $20 Billion 8 – 14 7 31



Appendix: Survey Data Tables

Payment Methods Subject to Attempted or Actual Payments Fraud in 2015(Percent of Organizations that Experienced Attempted or Actual Payments Fraud)

Change in Incidence of Payments Fraud in 2015 Compared to 2014(Percentage Distribution of Organizations that Experienced Attempted or Actual Payments Fraud)


Increased 42% 46% 41% 37% 47%

About the same 47 43 48 52 40

Decreased 11 11 11 10 14

Percentage Distribution of Organizations that Experienced Attempted and/or Actual Payments Fraud via Business Email Compromise (BEC) in 2015


Yes 64% 60% 69% 69% 63%

No 36 40 31 31 37


Checks 71% 59% 77% 75% 86%


Corporate/Commercial credit and debit cards 39 39 37 39 28

ACH debits 25 18 27 25 33

ACH credits 11 8 9 5 19



Payment Method Responsible for Largest Dollar Amount Loss as a Result of Business Email Compromise (BEC)(Percentage Distribution of Organizations that Experienced Payments Fraud via BEC)

Payment Method Responsible for Largest Dollar Amount Loss from Payments Fraud (Percentage Distribution of Organizations that Experienced Payments Fraud)


Wire transfers 56% 63% 56% 60% 40%

Checks 29 26 40 10 70

Corporate/Commercial credit cards 18 5 20 10 10

ACH debits 16 5 24 10 30

ACH credits 15 11 20 20 10


Checks 43% 36% 46% 38% 66%


Corporate/Commercial credit cards 20 28 13 21 –

ACH debits 10 13 8 10 5

ACH credits 5 8 5 10 –



Sources of Attempted/Actual Payments Fraud in 2015(Percentage Distribution of Organizations that Experienced Payments Fraud)

Number of Times Organizations Experienced Attempted or Actual Check Fraud in 2015(Percentage Distribution of Organizations that Experienced At Least One Attempt of Check Fraud)


Outside individual (e.g., check forged, stolen card) 65% 63% 65% 65% 73%

Business Email Compromise (BEC Fraud) 50 48 54 52 50

Organized crime ring (e.g., crime spree that targets other organizations in addition to your own, either in a single city or across the country) 15 9 22 21 25

Third-party or outsourcer (e.g., vendor, professional services provider, business trading partner) 12 12 13 9 18

Account takeover (e.g., hacked system, malicious code – spyware or malware from social network) 11 12 11 9 11

Internal party (e.g., malicious insider) 5 3 7 7 9

Lost or stolen laptop 2 3 3 3 2

Compromised mobile device 2 2 2 2 2


1-5 44% 57% 35% 39% 32%

6-10 22 22 19 20 19

11-15 10 7 12 13 5

16-20 3 2 4 6 0

21 or more 21 11 29 22 43



Change in Incidence of Check Fraud Attempts in 2015 Compared to 2014 (Percentage Distribution of Organizations that Experienced Attempted or Actual Payments Fraud)


Increased 24% 21% 27% 21% 41%


Decreased 10 13 7 6 5

Suffered Financial Loss as a Result of Check Fraud(Percentage Distribution of Organizations that Experienced At Least One Attempt of Check Fraud)


Yes 20% 16% 21% 15% 35%

No 80 84 79 85 65

Reasons for Financial Loss Due to Check Fraud(Percent of Organizations that Experienced At Least One Attempt of Check Fraud)


No Positive Pay 41% 57% 33% – 54%

Clerical errors 29 21 23 31 15

Account reconciliation not timely 25 36 23 15 31

Stolen check stock 20 29 17 8 15

Internal fraud (e.g., employee responsible) 18 7 27 23 23

Gaps in online security controls/criminal account takeover 10 21 17 15 8



Number of Times Organizations Experienced Attempted or Actual ACH Fraud in 2015(Percentage Distribution of Organizations that Experienced At Least One Attempt of ACH Fraud)

Change in Incidence of ACH Fraud in 2015 Compared to 2014(Percentage Distribution of Organizations that Experienced At Least One Attempt of ACH Fraud)


Increased 23% 27% 20% 24% 14%


Decreased 7 6 8 7 11

Suffered Financial Loss as a Result of ACH Fraud(Percentage Distribution of Organizations that Experienced At Least One Attempt of ACH Fraud)


Yes 11% 11% 11% 10% 16%

No 89 89 89 90 84


1-5 72% 79% 68% 71% 63%

6-10 13 10 14 16 7

11-15 5 3 6 7 0

16-20 2 2 2 2 4

21 or more 9 5 10 4 26



Reasons for Financial Loss from ACH Fraud(Percent of Organizations that Experienced At Least One Attempt of ACH Fraud)

Fraud Control Procedures Used to Prevent ACH Fraud(Percent of Organizations that Experienced At Least One Attempt of ACH Fraud)


Reconcile accounts daily to identify and return unauthorized ACH debits 69% 71% 68% 69% 77%

Block all ACH debits except on a single account set up with ACH debit filter/ACH positive pay 56 51 59 66 48

Block ACH debits on all accounts 41 35 45 48 32

Debit block on all consumer items with debit filter on commercial ACH debits 29 32 29 31 32

Create separate account for electronic debits initiated by the third party (e.g., taxing authority) 23 16 29 33 23

Other 5 6 4 3 3


Did not use ACH debit blocks or ACH debit filters 40% 71% 25% 17% 40%

Account reconciliation not timely 30 29 25 17 40

Did not use ACH positive pay 30 29 33 17 60

ACH return not timely 25 29 25 33 20

Internal fraud (e.g., employee responsible) 15 – 25 17 40

Gaps in online security controls/criminal account takeover 10 – 17 17 –



Acceptance of Credit and/or Debit Card Payments from Customers(Percentage Distribution of Organizations)


Yes 70% 64% 74% 74% 73%

No 30 36 26 26 27

Organization’s Own Corporate/Commercial Cards Used in Attempt to Commit Fraud(Percentage Distribution of Organizations that Experienced At Least One Attempt of Corporate/Commercial Card Fraud)


Yes 42% 52% 34% 34% 34%

No 58 48 66 66 66

Party Responsible for Fraud on Corporate/Commercial Cards(Percentage of Organizations that experienced At Least One Attempt of Corporate/Commercial Card Fraud)


Unknown external party 77% 85% 69% 69% 73%

Employee 17 13 23 24 18

Third-party or outsourcer (e.g., vendor, professional services provider, business trading partner) 14 9 19 14 18

Other 0 0 0 0 0



Parties that Suffered Financial Loss from Fraud on Corporate/Commercial Cards(Percent of Organizations that Experienced At Least One Attempt of Corporate/Commercial Card Fraud)


No organization suffered financial loss 38% 30% 43% 40% 53%

Card issuing bank 36 41 33 28 38

Merchant 21 23 20 22 9

My organization 13 12 14 15 13

Card processor 8 8 7 7 13

Other 3 2 3 3 3

Reasons for Financial Loss Associated with Corporate/Commercial Cards(Percent of Organizations that Experienced At Least One Attempt of Corporate/Commercial Card Fraud)


Employee theft 44% 42% 45% 46% 50%

Fraudulent credit card charges made by a TP company 44 42 45 38 25

Lack of internal controls 22 33 15 15 25

No segregation of duties 6 8 5 8 —



Impact of Liability Shift in Organization’s Investment in Card Acceptance Fraud Prevention Methods/Solutions(Percentage Distribution of Organizations that Accept Credit/Debit Cards from Customers)

Actions Taken to Defend Against Attacks that Would Compromise Security(Percent of Organizations)


Significant Impact (5) 9% 11% 7% 7% 10%

(4) 10 9 10 9 15

Somewhat of an Impact (3) 32 32 34 29 33

(2) 15 11 18 22 13

No Impact (1) 35 39 32 33 30


Perform daily reconciliations 75% 75% 75% 77% 67%

Adopt a stronger form of authentication or added layers of security for access to bank services 53 54 52 54 48

Ensure disaster recovery plans include the ability to continue with strong controls 41 37 43 42 45

Upgrade the authentication procedure/devices used to access our company network 39 38 40 37 45

Restrict company network access for payments to only company-issued laptop 27 22 31 29 33

Restrict network access for payments via mobile devices (laptop, tablets, phones) to emergency situations only 18 19 18 14 31

Dedicate a PC for payment origination (with no links to email/web browsing/social networks) 13 15 11 12 10

Replace proprietary bank connections with secure access through the SWIFT network 11 7 13 7 28

Other 5 5 6 4 7

AFP ResearchAFP Research provides financial professionals with proprietary and timely research

that drives business performance. AFP Research draws on the knowledge of the

Association’s members and its subject matter experts in areas that include bank

relationship management, risk management, payments, and financial accounting and

reporting. Study reports on a variety of topics, including AFP’s annual compensation

survey, are available online at www.AFPonline.org/research.

About the Association for Financial ProfessionalsHeadquartered outside Washington, D.C., the Association for Financial

Professionals (AFP) is the professional society that represents finance executives

globally. AFP established and administers the Certified Treasury ProfessionalTM and

Certified Corporate FP&A ProfessionalTM credentials, which set standards of excellence

in finance. The quarterly AFP Corporate Cash IndicatorsTM serve as a bellwether of

economic growth. The AFP Annual Conference is the largest networking event for

corporate finance professionals in the world.

AFP, Association for Financial Professionals, Certified Treasury Professional,

and Certified Corporate Financial Planning & Analysis Professional are

registered trademarks of the Association for Financial Professionals.© 2016 Association for Financial Professionals, Inc. All Rights Reserved.

General Inquiries [email protected]

Web Site www.AFPonline.org

Phone 301.907.2862

Put Cyberfraud on Lockdown

In 2015 alone, 73 percent of companies were impacted by payments fraud. But that doesn’t have to happen to your company. Get proactive about cybersecurity, and learn how our fraud protection services can help your business.

jpmorgan.com/cb/fraudprotection

© 2016 JPMorgan Chase Bank, N.A. Member FDIC. “Chase” is a marketing name for certain businesses of JPMorgan Chase & Co. and its subsidiaries (collectively, “JPMC”). 188545

Commercial Banking Treasury Services

www.jpmorgan.com/cb/fraudprotection

Documents

2016 AFP Payments Fraud and Control Survey · Association for Financial Professionals® (AFP) has conducted surveys each year since 2005. The surveys examine the nature and frequency