Authorised Push Payment Fraud: how can you avoid it?

A phantom threat… Unpredictable yet very real!

Fraud, a threat beyond borders

Cybercrime & Authorized push payment fraud around the world



favourite European country for fraudsters


of frauds are fake suppliers frauds


estimated damage for 10% of French companies


of companies have fallen victim to fraud, 1 company out of 4



of companies suffer at least one cyberattack per day


of companies have been victims of fraud in the last 24 months


frauds on average per company, reported over the last 24 months


estimated damage to businesses in 2021 globally

Sources : PWC , Cybercrime Magazine Top 5 Cybersecurity Baromètre DFCG • Euler Hermès, Etude PWC PwC’s Global Economic Crime and Fraud Survey 2020, Rapport Acronis, article CyberSecurityVentures

Authorised Push Payment Fraud

Bank transfer fraud affects all companies, whatever their size or sector of activity. Although fraud is now better known to the general public, it is no less threatening in the face of unscrupulous fraudsters with increasingly technical and sophisticated methods.

Both professionals and private individuals are affected, from bankcard and cheque fraud to in-house fraud and scams. Cybercriminals are cunning and know how to deceive their victims. Every potential victim needs to be vigilant.

Since the health crisis and the spread of teleworking, every department within a company is exposed to major risks of fraud. The finance department in particular is the main target of fraudsters when it comes to transfer scams. Weaknesses are highlighted and exploited to obtain fraudulent payments.

Of the various types of bank transfer fraud, the most popular is the fake supplier fraud, which involves impersonating a company’s supplier, but other types of fraud also exist.

Fake supplier fraud

48% of frauds

Social engineering & identity theft

False supplier fraud is the fraudster’s favourite technique

Fake bank advisor fraud

100% manipulation

Identity theft & manipulation

Fake banker fraud involves impersonating an official entity

Fake President fraud

38% of frauds

Pressure & identity theft

The fraudster puts pressure on the financial department, often by telephone via deepvoice.


100% trendy

Phishing technique

Phishing, a dreadful form of e-mail and SMS fraud.

The techniques most commonly used in bank transfer fraud (or FOVI) are identity theft and social engineering. The way in which the victim is contacted and approached varies. In phishing, for example, the fraudster sends an e-mail or text message to encourage the victim to enter sensitive data (bank details, login details, bank card, etc.) on a fraudulent page. Another risk concerns online credit card payments, which are often subject to phishing attacks. Companies are weak in the face of these attacks and have very little recourse, even if legal proceedings are initiated. Victims are often hit by a rebound attack. In other words, once a company has fallen victim to a money transfer scam, the next victim is often one of its customers or suppliers. There are no borders to this threat, the fraudster is difficult to identify and the chances of a refund of the amount stolen are very slim. Fraudsters are usually organised in groups and carry out these scams in order to finance larger illegal operations.

Worldwide, it is estimated that almost half of all companies have been the victim of a fraud attempt, but few are willing to share their experiences. As a result, they do not lodge complaints, even though they have few rights to assert when faced with a situation of bank transfer fraud. By making as many companies as possible aware of the different techniques used, how to protect themselves and the risks involved, the fight becomes a collective one.

Fraud is a collective battle!

Securing processes beyond the company

Fraud risk at every of the Purchase-to-Pay (P2P) process

The human factor is central to validating the data of your third parties, customers and suppliers. In particular, this is where action needs to be taken to eliminate manual errors and check the identity of each person involved, especially if they are known to the company. Fraud is, in 72% of cases, external to the company and each stage of the P2P process put in place by the finance department presents a risk for the company.

The payment process is often undermined by a scam, resulting in a significant loss that could put an end to a company or at least permanently damage its image. For example, in the case of a fake supplier scam, victim companies experience losses of over €10,000 per company. The victim’s lack of information about the risk of fraud is an aggravating factor, which can nevertheless prove highly preventive.

To thwart any attempt at fraud, processes must be made more secure and controls must be digitalised.

Aggravating factors of corporate fraud

  • External source: 72% does not come from the company

  • Human factor: central to data validation

  • Sophistication of techniques: social engineering, IS infiltration

  • Change of situation: news, crisis context & reorganisation

Measures to combat bank transfer fraud

What are the right things to do?

For companies

When creating or modifying third-party data, if a request is made to change bank details, it is important to check with the usual contact person.

In an emergency, it is all the more important to have confirmation from superiors. Particularly in the case of fraud against the Chairman, it is advisable to contact the person in charge again, using known contacts.

This involves checking third-party data and payments by several people, sometimes from different departments.

Regularly seek information on the risks of fraud and how it works, to protect yourself more effectively.

Use secure bank transfer solutions such as Sis ID, which secures the payment chain by checking the bank details of third parties (RIB, SIREN).

For individuals

Stopping payment on your bank card is the first thing to do in the event of an irregular transaction on your bank account.

If you are a victim of fraud, it is important to inform your bank so that it can initiate the procedures required to recover the funds.

Your bank details or bank identifiers should not be disclosed on a website if you are not sure of the authenticity of the page.

Your bank details or bank identifiers should not be disclosed on a website if you are not sure of the authenticity of the page.