Articles & E-Books


Healthy online payment practices for financial institutions amid COVID-19

Apr 01, 2020

By Mary Beth Marchione and DeAndre King

Digital and online payment channels, such as wire transfers, offer businesses a convenient way to keep financial transactions happening even in the absence of traditional banking and financial mediums during the COVID-19 crisis.

But those  channels also come with their own challenges and risks, including payment fraud, one of the most prevalent and relevant threats facing digital payment channels today.

Industries including e-commerce, money transfer and financial institution services will cumulatively lose billions to online payment fraud. Add to these projections our current situation — larger than normal expenditures, abnormal financial behaviors, an added sense of urgency — and it is the perfect environment for fraudsters. While that may sound grim, there are practices companies and individuals can adopt to avoid becoming a victim of payment fraud.

Whether cybercriminals target individuals or companies, the goal in both cases is the same: Complete a false or illegal transaction to steal money, property, sensitive information, etc. In today’s world, it often is as simple as a click to facilitate these transactions, and fraudsters know that it takes only one click by one individual to gain access to a company’s valuables. With that being the case, it is important for people to implement practices at the individual level to combat payment fraud.

Halt and hover

One of the most simple and effective controls an individual can practice to protect against digital payment fraud is to halt and hover.

Halting and hovering is the practice of simply taking the time to stop and hover your mouse over any sender addresses, attachments and links received via email to verify their validity.

Anytime you receive an email, it is a good idea to take a second to halt and hover prior to clicking any link, opening any attachment or fulfilling any payment requests.

  • Is the CEO requesting me to initiate this wire?
  • Does this link direct to where I expect it to?
  • Does this attachment contain executable files that can cause harm?

These are all questions that can be answered by halting and hovering.

People often feel pressure to forego practices like halt and hover because they believe taking the time to authenticate the request will negatively impact customer service with clients or anger their bosses, but this is not true. The best service is when professionals take the time to protect the assets of their customers.

Cybercriminals are aware of this pressure, which is why the emails often will be framed as “urgent” or in need of immediate attention. One thing to consider here is that if the request were so urgent that taking an additional minute or so to authenticate its validity would negatively impact the outcome, would a call not be a more appropriate medium than email? Remembering to resist those pressures and taking the time to halt and hover can protect you and your company from costly mistakes.

Internal controls

With social distancing creating more opportunities for digital and remote transactions — and thus the opportunities for online payment fraud as well — it is important to have controls in place to reduce fraud risk and limit a company’s exposure. It is also important for financial institution professionals to review their payment processing policy.

Wire callbacks or other “out of band” (outside a defined telecommunications frequency band) verification tools can help verify payment/wire requests.

At a time when communications are becoming less personal, be sure to remind employees to follow procedure and make contact with customers when policy requires it or when they have a gut feeling something is off.

This may be related to unusual transactions, more frequent spending behaviors, large dollar amounts or smaller, more frequent withdrawals. Another good reminder is to use the customer information on file and not any new contact information provided within a new or urgent request.

Configuring additional security when possible is also a good way to protect your customers and your business. If possible, implement multi-factor authentication upon login to payment processing applications. Require dual authorization with segregation of duties for small business/corporate cash customers.

There are also controls and practices organizations can implement at the entity level to protect against digital payment fraud. A common control put in place by banks to protect against payment fraud is implementing a system of dual control internally for all wire transfer approvals and releases.

Dual control is effective in limiting an organization’s exposure to payment fraud because it requires the verification of at least two separate individuals before any transactions are completed, which reduces the opportunity for false or illegal transactions to be completed successfully.

Another effective control businesses can implement is providing cybersecurity awareness training to all company personnel periodically to ensure employees are aware of their security responsibilities and are educated on common tactics used by fraudsters, such as social engineering and phishing to facilitate payment fraud against companies.

By being proactive about cybersecurity, individuals and companies can prevent themselves from becoming victims of payment fraud while utilizing digital and remote financial mediums to securely complete transactions even in the absence of the ability to be face to face.


Mary Beth Marchione, CPA, CISA, CISSP
Senior Manager
View Profile

Need help now?

Navigate the impact of COVID-19.


Fill out the form below and a member of our team will get in touch with you.

COVID-19 resource center | Wipfli

Video: Benefits of Co-Sourcing Your Internal Audit Plan
You don’t have to stress about making sure your internal audit plan is completed on time. Together, we work with you to identify risks, update processes and finalize your plan. Reinforce your team with the support you need to complete your annual internal audit plan with confidence.