Last month, the topic of vendor payment fraud grabbed international headlines after Hong Kong fraudsters used deepfake technology to impersonate a CEO and authorize a bogus payment of $25 million. It’s every accounts payable professional’s worst nightmare — after all, if you can’t trust a conference call with multiple members of your own C-suite, what can you trust?
A recent report of Trustpair data indicates that 96% of companies were the targets of at least one cyber fraud attempt in 2023, an increase of 71% over the previous year. Of the attempts that were successful, 36% lost in excess of $1 million. Keeping a low profile is no longer a defense.
“We’re in a completely new era of fraud,” said Baptiste Collot, cofounder and CEO of Trustpair. Phone calls, emails and even video chat are no longer reliable ways to confirm that a payment order is legit; all can be spoofed. The solution, Collot explained, is to use other techniques to verify the identities and accounts of the people on the other end of a communication.
Risk & Insurance® recently sat down with Collot to discuss the rising threat of fraud, the role of AI in perpetrating and preventing it, and how Trustpair is helping businesses secure their vendor payments. What follows is a transcript of that conversation, edited for length and clarity.
Risk & Insurance: To start, could you give us a brief introduction of what Trustpair does and your role at the company?
Baptiste Collot: Before cofounding Trustpair, I was a treasurer at a large international company, where I was responsible for managing cash and securing vendor payments. Even in 2015, fraud was a significant concern, especially with the increasing volume of data associated with payments.
The primary issue was ensuring that the bank account we were paying actually belonged to the vendor. This realization led to the creation of Trustpair seven years ago. Trustpair is a fraud prevention platform that helps finance teams ensure the accuracy of vendor details, particularly bank accounts.
Our solution verifies that the bank account belongs to the vendor, thereby helping our clients avoid fraud. We work with large clients, mainly in Europe and the U.S., and the company has more than 200 employees, with offices in Paris and a North American headquarters in New York, where I am based.
R&I: Can you give us a sense of the scale of cyber fraud today? How is AI aiding people to commit that fraud — who’s affected and what kind of losses are they facing now?
BC: Fraud always involves a scam based on the theft of identity. The company expects to pay a vendor that it knows or has a business relationship with, but in the end, it pays the wrong bank account.
Historically, the process of scamming a company was manual and time-consuming. Criminals would deeply investigate a company to understand its processes and key personnel. They would then impersonate someone in the organization, such as in a classic CFO or CEO scam. While this method had a high success rate, it was not scalable.
However, with the advent of modern cyber threats and AI, criminals can now operate at scale. They can easily identify cyber weak points — in an email server, for example — break into that email system, and use AI to analyze vast amounts of data. This allows them to understand the relationships within the company and craft convincing messages requesting changes to vendor information, and ultimately to divert legitimate business payments to fraudulent bank accounts by posing as real vendors via email.
AI automates this process, enabling criminals to target multiple companies simultaneously. And it’s not just limited to emails; AI can also be used in phone scams. Today, you never know if the person you’re talking to is the right one or not. For example, a scammer could use AI to impersonate my voice or create a deepfake to impersonate my voice, and this is how AI is used today by criminals to commit fraud.
R&I: That gets into my next question: How have advancements in AI and technology changed the landscape of fraud, and what new methods are fraudsters employing?
BC: We are in a completely new era of fraud. In business, trust is essential, but with the rise of AI and sophisticated fraud techniques, you need to be suspicious of everyone when there is a digital medium involved, whether it’s a call or an email. You can no longer trust the data or the person you’re communicating with, so you need to elevate your security measures.
These techniques, such as deepfakes impersonating CEOs, are not entirely new. But the significant difference between today and a few years ago is that they are now being used at scale, which is a major change. Previously, these tools were difficult to find, and there were often telltale signs that they were not genuine.
Now, it’s nearly impossible to distinguish between what’s real and what’s fake, as evidenced by the proliferation of scams on social networks. This has become a huge concern for whole finance teams in our field, because who can you trust? How can you trust your data?
R&I: What are the limitations of traditional methods for preventing fraud in this new landscape? And what are the new strategies organizations can implement to improve their resilience against fraud?
BC: Traditional methods, such as training employees on security principles, remain important and will always be necessary. Humans are often the weakest link when it comes to cyber risk, as even the best-designed processes can fail if team members do not consistently adhere to them.
However, relying solely on training is insufficient. While it is crucial to continue educating teams on broad security principles, training needs to be personalized for each individual to ensure they understand the specific risks they may encounter in their role. Generic messages about being cautious of scams are not enough in today’s threat landscape.
To elevate security, organizations must combine human training with technological tools that provide a second layer of defense. Technologies like Trustpair assist finance professionals — from procurement and accounts payable teams to master data teams and treasurers — in identifying trustworthy data and vendors. These tools offer insights into the risks associated with each entity and guide users on the appropriate actions to take when a risk is identified.
By striking the right balance between personalized training and the implementation of daily-use security tools, organizations can significantly improve their resilience against fraud.
R&I: How do tools like Trustpair’s work to prevent vendor payment fraud?
BC: To effectively prevent vendor payment fraud, it is crucial to validate two key aspects: the identity of the vendor and the ownership of the bank account. Verifying the vendor’s identity ensures that you are conducting business with a legitimate company and helps avoid scams.
Additionally, confirming that the bank account belongs to the verified vendor is essential. Simply validating the bank account ownership without tying it to the vendor leaves room for potential fraud.
At Trustpair, we leverage data from our clients, including vendor data and payment history, and enrich this information with external data sources. This allows us to confirm the vendor’s identity and validate that the bank account belongs to the specific company through connections with banks and open banking services.
Our tool also looks at vendor behavior, deals and payment values in relation to the client’s payment history with the vendor. This comprehensive approach helps identify potential risks.
Our tool is designed for daily use by finance teams, providing them with real-time evaluations and contextual data about their vendors. Unlike an antivirus software that runs in the background, our tool is actively used to provide enriched detail and prevent vendor payment fraud.
R&I: What should readers know about implementing automation or software-based solutions like Trustpair’s before moving forward with a new program?
BC: Automation is the key to preventing vendor fraud today. Relying on manual controls, such as callbacks, emails and so on, might have been a great process in the past, but it can no longer keep up with new kinds of fraud. This is why automating the process is necessary and why Trustpair exists.
Moving from time-consuming manual controls to a single control on a web app is the easiest way to start automating the process. Integration with ERPs [enterprise resource planning platforms] or treasury systems can then ensure data accuracy and avoid outdated information that leads to payment rejections.
Starting the automation process doesn’t require a huge project or significant IT bandwidth, which is often a concern for finance teams. The people currently performing manual controls, spending half an hour contacting a vendor, will instead spend less than a minute doing the same on the Trustpair web app, without requiring any IT bandwidth. &
The post AI and Vendor Payment Fraud: 6 Questions for Trustpair’s Baptiste Collot appeared first on Risk & Insurance.