Financial risks are stifling growth for UK businesses. And to thrive in today's demanding environment, there's a continued need for an enhanced risk strategy to ensure stability and business continuity.
In fact, earlier this year Bottomline Technologies commissioned a report which looked at the UK business payments landscape to provide insights to help businesses tackle these challenges. The report was based on a survey of more than 400 UK financial decision makers, including business owners, chief finance officers, and finance directors.
Covering a range of businesses, from SMEs to some of the UK's largest enterprises employing more than 10,000 people, the report concluded that protecting payments from fraud and error is the single biggest challenge currently faced by financial decision makers – above reducing the cost of payments, innovation and regulation.
It's therefore not surprising that the number of companies choosing to employ a strong security posture to combat criminals both inside and outside the organisation is on the rise. This is prudent considering ever more sophisticated crime syndicates are targeting UK businesses, especially in the small to medium business (SME) sector, and specifically Accounts Payable (AP) departments, with alarming success rates. The Association of Certified Fraud Examiners (ACFE) estimates that British businesses lost an eye-watering £98.6 billion to fraud last year.
External exploitation of internal staff and processes
According to the Centre for Counter-Fraud Studies at the University of Portsmouth, “fraud losses in any organisation should currently be expected to be at least three percent, probably almost six percent, and possibly more than 10 percent.”
Bottomline Technologies' findings certainly reflect this, with 36 percent of financial decision makers admitting there has been a material impact on revenue due to financial fraud. This was felt more strongly amongst SMEs, with 53 percent admitting that financial fraud has negatively impacted their revenue.
External cyber-fraud, such as the direct hacking of systems, remains the greatest concern for most businesses, but this could be due to the high-profile breaches that often hit news headlines. Consequently, some companies have invested disproportionate amounts into protecting their systems against cyber-fraud at the cost of internal vulnerabilities.
By its nature, cyber-fraud, when discovered, is visible and quick to spot, whereas external exploitation of internal staff or processes, as well as internal fraud, can lie undetected for months, even years. The report found that the greatest threat to large business is the internal exploitation of internal payments staff. This includes insider fraud and ghost employees.
Stuck in the middle: Growing organisations face shifting fraud risk
For corporates – who by size fall between large and enterprise companies – the biggest concern is the external exploitation of internal payments, systems, and staff. One in three corporates surveyed cited this as their greatest concern. Potential external threats include invoice diversion fraud and CEO fraud. Also known as ‘whaling’, CEO fraud is where an email is received that appears to be from an individual or business known to the receiver, but instead has been sent by criminal hackers hoping to exploit the receiver.
One explanation behind this shift lies in the increasing complexity of processes and organisational structure as businesses grow. Smaller businesses tend to have more simplified processes and organisational structure, so incidences of internal or external manipulation tend to be more readily noticed.
Yet as businesses grow, through mergers and acquisitions, the processes powering the organisation become less consistent and more fragmented. As such, these become weak points that criminals both inside an organisation and externally can exploit.
Conversely, enterprises have gone through these pain points as they have grown, addressing these issues as they are identified. However, these are often tackled by patching issues on an ad-hoc basis. While this solves the issues in the short term, it often comes at the cost of higher levels of inefficiency in areas such as business payments.
Business can no longer afford to be reactive. It's crucial for financial decision makers to acknowledge the potential fraudulent threats against their business payments to ensure revenue is affected as little as possible. There is a clear call to action for companies to ensure that they have the correct security measures and education in place to protect them against any internal and external payment fraud. Providing ongoing training and education for employees, putting guidelines and automated procedures in place for protecting sensitive data on corporate devices, and regularly advanced threat and adversary intelligence solutions can all help reduce the risks of fraud.
Contributed by Ed Adshead-Grant, general manager, payments, Bottomline Technologies