Payment Security 101
Learn about payment fraud and how to prevent it
Eftsure is a leader in fraud detection and payment protection.
Our pioneering fraud-tech solution brings financial controls into the digital age and helps organisations of all sizes mitigate the risk of processing irretrievable Electronic Funds Transfer (EFT) payments to scammers.
Our multi-factor verification platform aggregates banking data from nearly 2 million Australian organisations, representing approximately 80% of actively trading Australian businesses. This enables you to verify banking details in real-time before processing EFT payments to your suppliers. This helps mitigate the risk of human error and prevents modern cyber fraud tactics such as social engineering, phishing, fake invoicing and ratting from impacting you financially. Our powerful verification is applied throughout the payment lifecycle: cleansing your existing vendor data, allowing you to add or change vendors securely and efficiently, and verifying payments before you process them.
In a business landscape where instances of digital fraud are rising exponentially, Eftsure enhances your payments controls and provide you additional peace of mind.
Digital transformation continues to revolutionise the way we do business. However, along with its many benefits come a range of challenges, notably a worrying rise in digital fraud.
Organisations are confronted by unprecedented threats from financially motivated offshore criminal syndicates that are intent on defrauding them via any means possible, including hacking into computer systems and inducing human error through deception.
The threat is most acute when processing EFT payments. This is because the banking system does not verify (or match) a payee’s account name with either their BSB or account number.
This verification gap opens the way for criminals to defraud organisations through a range of attack vectors, including Business Email Compromise (BEC), Vendor Email Compromise (VEC), hacking into ERP systems, or manipulating data in vendor master file and the text-based Australian Banking Association (ABA) files that are used to upload payment data to online banking portals.
Typically, Accounts Payable teams neither have capacity nor training to detect this type of fraud. And ERP and accounting software can only match new data to your existing data, meaning they’re unable to verify against an independent source.
The technology underpinning the banking system was created in a pre-internet era. And while the banks have made progress in certain areas, they do not have enough up-to-date data on the relationship between payee names, trading names and the match of those to BSB and account numbers to account for what’s inside all business’s vendor master data sets.
Even if they have current data on their own customers, they certainly don’t have it for other banks’ customers. Sharing this data across banks is extremely challenging for both privacy and technology reasons. In addition, as long as the banks do not match this data, the liability for an erroneous transaction sits with you, the authoriser. Should the banks take on the responsibility of matching account numbers to payee name and verify payments, the liability would shift to them.
Modern cybercrime and fraud uses identity theft and social engineering (manipulation) to impersonate trading partners and vendors. Vulnerabilities in supplier or partner organisations become your problem, too, by allowing fraudsters to get into their system and deceive you using legitimate email accounts and documentations.
These impersonations make use of legitimate email accounts and are extremely hard to detect. Further, fraudsters constantly adapt their tactics to circumvent most payment controls and AP measures.
A single factor of verification (be it your own records or a call-back control) is insufficient in such an environment. That’s why we’ve developed an approach that’s fit for a digitally connected world: multi-factor verification.
Multi-factor verification is a methodology, enabled by network technology and the scale of the cloud, that provides multiple points of verification for a given set of vendor bank account information.
Based on best-practice cyber-security methodologies, such as multi-factor authentication, Eftsure embraces a “Safety in Numbers” approach – we verify a given set of bank account details (matching payee name to BSB Account Number and ABN) if multiple businesses verify and pay at the same set of details, then we deem them correct.
We use our live-and-growing verified database of almost 2 million organisations to first verify and then crossmatch this data. This is powerful because, to deceive the system, a fraudster would have to deceive multiple organisations at the exact same time. Not to mention, they’d need to defeat our algorithms that look at the frequency and recency of businesses joining the network, among other factors.
Across your entire payment lifecycle, Eftsure draws on its large, proprietary, and dynamic database of verified vendors to provide you with real-time alerts – in the form of simple traffic-light style ‘red thumb’ and ‘green thumb’ symbols that indicate the validity of the vendors bank account information (or lack thereof). By “validity,” we mean that the BSB account number matches the bank account name and ABN, protecting you from making incorrect payments whether due to fraud or error.
This database powers Eftsure’s ability to verify your data at all key phases of your payment lifecycle:
The power behind Eftsure’s ability to health-check your existing vendor data, securely onboard vendors and provide real-time payment alerts? Our database. This database or network contains nearly 2 million Australian organisations, which is 80% of the current actively trading businesses (by ABN) in Australia. The database was built by Eftsure and is proprietary to Eftsure.
However, it is growing and dynamic. As customers add or change vendors, the database grows and adapts. There are multiple layers of data in the database, including customer-verified data, supplier-verified data, bank-verified data and third-party data from ASIC and a series of credit bureaus. It is the cross-matching of all these data sets that underpins Eftsure’s multi-factor verification. Algorithms work across the database, monitoring recency of businesses and payment patterns to further secure the data and prevent it from being “gamed.”
Eftsure starts by auditing your existing supplier data. This process, known as the Vendor Master File Health Check, sees us comparing all your supplier data against our database of nearly 2 million Australian organisations.
This allows you to know which supplier data in your file is accurate and where anomalies lie, via a unique Eftsure dashboard. Typically, 25% of the records within vendor master files are anomalous.
Eftsure then seeks to verify any supplier data that is either incorrect or does not yet exist in our database. When necessary, our team of experts undertake independent verifications on your behalf.
Once your vendor master file is clean and matches the verified data in our database, we then help you integrate the Eftsure platform into your environment so that you can both manage vendors and verify payments, securely and efficiently.
There are three main ways you do this and derive all the benefits of Eftsure:
Having a trusted AP team is important. We all want to believe we can trust those we work with, but a core feature of any risk management framework is:
Trust but verify!
It’s never a good idea to be overly reliant on just one person, or even a handful of people. Effective business continuity planning requires you to have resilient systems in place, rather than being fully dependent on the people in your team.
Fraudsters are actively seeking ways to circumvent your traditional security layers. If those security layers are overly dependent on manual verifications by humans, they will be susceptible to tactics aimed at deceiving them into making errors and potentially facilitating fraudulent payments.
Along with the financial cost to your organisation, this brings a variety of other costs, including heightened anxiety in staff, potential reputational damage, delays, time spent on clean-up or attempting to recoup the loss, and much more. Even hiring additional personnel will not protect you from determined fraudsters.
Eftsure allows you to automate many of the human-centric, manual procedures your AP team currently uses. Embracing technology removes a lot of the friction in existing payment controls. It also helps ensure your organisation achieves a more effective and robust approach to mitigating fraud and preventing human error.
Importantly, Eftsure delivers significant efficiency dividends, allowing your AP team to focus on other important business priorities.
‘Call-backs’ are an important security measure. But many organisations struggle to implement call-backs effectively. For AP teams that are under pressure to complete other important tasks, undertaking call-backs is a highly manual and time-consuming activity. Many teams struggle to conduct call-backs effectively, which can mean they:
The people conducting call-backs are not trained to detect fraud. Recent reports indicate fraudsters are manipulating telephone numbers in vendor master files, or even using “Deep Fake” technologies to impersonate other peoples’ voices. Call-backs alone are insufficient in the fight against increasingly sophisticated digital fraud.
You may have several systems in your accounting environment to manage vendors and workflow. However, Eftsure is a unique platform that both verifies your suppliers’ banking details AND protects your payments in real-time before you process an EFT payment.
A clean vendor master file is critical because it’s used to generate EFT payment files, not to mention a range of other business activities. Incorrect data makes errors easier and can make attempted fraud harder to detect.
The data in your vendor master file is used in many business-to-business transactions, tax and GST reporting, management reports, compliance, purchasing, sales, contracts, sourcing, performance, and risk management.
Eftsure helps you achieve and maintain high levels of data hygiene in your vendor master file.
No. Integrating Eftsure is easy.
If you wish to use eftsure seamlessly within your online banking portal, simply install a plugin in your browser (either Microsoft Internet Explorer or Google Chrome). You’ll be ready to start using Eftsure within minutes.
You can also export ABA files from your ERP system and upload them into your Eftsure portal to verify the banking information. This should not require any involvement on the part of your IT team.
If you wish to connect your ERP system to Eftsure via an API, contact our technical team for additional information and assistance.
There’s no reason why technology or systems upgrades should delay securing your organisation from the risk of digital fraud. If your organisation is in the process of upgrading ERP systems or embracing AP automation, it’s an ideal time to ensure the data being used is accurate and up to date. Irrespective of what systems you use within your AP environment, if the data is incorrect, you are much more likely to experience adverse outcomes.
Integrating Eftsure requires very little investment of time on the part of your IT team, but will deliver significant efficiency dividends, helping you automate many manual processes. In addition, it’s worth considering that fraudsters aren’t waiting. Why should you?
The security of your personal and confidential business information is critical to us.
We take appropriate industry recognised steps to prevent personal and confidential business information we hold from misuse, interference, or loss, and from unauthorised access, modification, or disclosure.
This protection includes the use of technologies and processes such as access control procedures, network firewalls, encryption, and physical security. eftsure is fully compliant with the Australian Privacy Act (APA) and handles all data as if it were Personally Identifiable Information (PII), irrespective of whether that data pertains to an individual or an organisation.
Your supplier data is not visible to any other organisation using Eftsure, nor do you have visibility over other organisations’ supplier data.
Our approach is to aggregate data from almost 2 million Australian organisations. With this data we can determine whether a supplier is being paid using matching banking information by multiple organisations. If this is the case, then there’s a very strong likelihood that the banking information is accurate.
No additional information, including the names of payer organisations, nor the amounts of any payments, is disclosed.
All data is encrypted, both in transit and at rest. TLS 1.2 is used for all data is transit, whilst 256-bit encryption is used for all data at rest.
When using the Eftsure portal, you can create unlimited numbers of user accounts for people within your organisation. Each user account you create can have different privileges, based upon the level of access to data you want that person to have.
All data is only ever stored in our secure hosting environment on AWS in Sydney. Nothing is stored offshore.
The Eftsure platform has been extensively vetted by Westpac, PwC, and Amazon Web Services.
To ensure we maintain the highest information security standards, our architecture, processes and systems are regularly audited by independent experts and penetration tested.
Eftsure has never been affected by any compromises or data breaches.
We provide comprehensive support throughout your onboarding and beyond. Our goal is to help you maximise the benefits your organisation derives from Eftsure.
Eftsure is used by hundreds of leading businesses in almost every sector of the Australian economy from education to construction and property, mining and resources, infrastructure, state government departments, local government, hospitality and tourism, financial and legal services, to name a few.
Eftsure is also endorsed by PwC, Crime Stoppers NSW, Westpac, HLB Mann Judd and PKF.
Every day, Eftsure alerts organisations to suspicious EFT payments before the funds are irretrievably released. Several hundred ‘red thumb’ alerts are issued each month.
Furthermore, our approach to data hygiene helps you maintain accurate and up-to-data supplier information. This reduces the chances of errors as a result of incorrect banking data in your systems.
Eftsure has stopped attempted frauds. Due to the confidential nature of these defrauding attempts, we are not at liberty to disclose the identities of the impacted organisations.
However, some notable recent Eftsure successes include:
Eftsure is designed to require very little investment of time from your side.
Prior to going live, we will undertake several important steps:
Once we complete these steps, you can start using Eftsure within minutes.
When joining Eftsure, you gain full access to all the features in the platform. All the features form a holistic fraud-mitigation system and cannot be separated out.
We are so confident you will see the value of eftsure to your organisation’s efforts to curb digital fraud and EFT payment error that we offer a full three-month satisfaction guarantee. If at any time during your initial three months with Eftsure, you are not fully satisfied with our platform, we’ll refund all payments, including any set-up fees.
More information about getting verified with Eftsure can be found here.
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.