Payment fraud continues to soar, as a record 82 percent of organizations reported incidents in 2018, according to the 2019 AFP Payments Fraud & Control Survey, underwritten by J.P. Morgan.

Large organizations were particularly vulnerable to payments fraud, as businesses with revenue greater than $1 billion reported a jump of seven percentage points year-over-year to 87 percent. Organizations with revenue less than $1 billion experienced fewer fraud attempts in 2018, down four percentage points to 69 percent from 73 percent.

Business Email Compromise (BEC) also set a record. Eighty percent of companies reported BEC fraud last year, up from 77 percent in 2017. More than half (54 percent) of organizations reported financial losses as a result of BEC, the first time since AFP began tracking this data that this number climbed above the 50-percent mark. More than three-fourths of companies are responding by adopting stronger internal controls.

“Payments fraud is a persistent problem that is only getting worse despite repeated warnings and educational outreach,” said AFP President and CEO, Jim Kaitz. “Treasury and finance professionals need to learn the latest scams and educate themselves—and perhaps more importantly—their work colleagues on how to prevent them.”

“It is equally important for businesses to mitigate against non-financial implications of payments fraud,” said Jessica Lupovici, Managing Director, J.P. Morgan. “Businesses stand to suffer reputational risk, which can be severe, expensive and require significant clean-up efforts.”

Highly targeted phishing attacks, known as Business Email Compromise or CEO fraud scams have exceeded $12.5 billion in total known losses worldwide. These social engineering attacks are used by the bad guys to impersonate your CEO, CFO, or even third-party organizations you work with.

They convince your users, often in accounting, HR, or even IT into making wire transfers or other sensitive transactions because they “own” the keys to the kingdom. In fact according to a recent Barracuda report, 60% of pretexting email attacks do not involve any link. These attacks are clever because they bypass your traditional approaches to email security.

This blog originally appeared on KnowBe4.

About the Author

Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4 Inc, a provider of the most popular Security Awareness Training and Simulated Phishing platform. A serial entrepreneur and data security expert with more than 30 years in the IT industry, Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” Along with his CEO duties, Stu is Editor-in-Chief of Cyberheist News, an e-zine tailored to deliver IT security news, technical updates, and social engineering alerts. Stu is a four-time Inc 500 award winner and EY Entrepreneur of the Year finalist.