A new study from Payments Canada reveals that Canadian businesses have a higher rate of payment fraud compared to Canadian consumers at 20% versus 13%, respectively, although the types of fraud were similar for both segments. Impersonator fraud, originating from a phone call, message or email that appears to be from a trusted business source (25%), intercepted business e-Transfers (22%) and credit card fraud (20%) were the most common types of fraud. The amount lost was $3,000 or less for the majority of these businesses (63%). The rate of payment fraud remained consistent from 2023 at 19%, despite 63% of businesses who report that they feel confident in knowing how to protect themselves against payment fraud and cybercrime, and 61% who said they are more aware of how to recognize potential threats.  

"Addressing fraud risks is a central focus for the payment ecosystem. It requires a multifaceted approach that leverages technology, system innovations, evolving regulations and education through continued industry collaboration," said Donna Kinoshita, Chief Payments Officer at Payments Canada. "Looking to the future, biometrics, multi-factor authentication, confirmation of payee systems, AI learning for fraud detection, centralized fraud systems, in addition to enhanced reporting and data sharing, are just some of the cross-industry innovations and initiatives that will play a role in helping protect Canadian businesses and consumers."

Larger commercial businesses report a higher rate of payment fraud than small businesses. The study reveals that while businesses of all sizes are vulnerable to payment fraud scams, larger-scale commercial businesses experienced the highest rate of fraud at 26%, compared to large (23%) and small (16%) businesses.

While impersonator fraud was most common, businesses experienced a diverse mix of fraud scams. The most common type of payment fraud is an impersonator making contact by either email, phone, call, text or social media to request money (25%). Other types of payment fraud included:

• Someone intercepted a business' e-Transfer (sending or receiving) to deposit the money into a different bank account (22%).
• Fraudulent charges on their bank or credit cards (20%).
• Purchase made from stolen credit card information (19%).
• Purchase made from stolen debit card information (18%).
• Payment made by a fraudulent cheque (15%).
• Purchase made from a fraudulent website (15%).

Nearly half (45%) of businesses have noticed an increase in fraudulent, cybercrime or suspicious activity directed at them through email over the last 12 months. Businesses also noticed an increase in activity directed at them via their smartphone (42%), social media platforms (39%) and retail merchant sites, including e-commerce sites or apps (34%).

Businesses are taking steps to protect themselves. Close to 7 in 10 businesses (69%) indicate that they usually limit the amount of sensitive information about the business they share online and only provide it when required. Over two-thirds of businesses (67%) make the effort to check the safety of an e-commerce site and go with trusted sites only when buying online. Sixty-five percent of businesses enable two-step authentication for accessing their accounts whenever it is available.

The majority of businesses practice fraud prevention measures, but there is room for improvement, including better password management. Overall, 39% of small and medium enterprises (SMEs) and 41% of commercial businesses store their passwords on a smartphone, personal computer or laptop. One in three (33%) commercial businesses and one in four (25%) SMEs tend to use the same password for all their business-related accounts. 

Despite the prevalence of fraud, businesses feel protected by their financial institution; 7 out of 10 businesses were fully or partially reimbursed. Despite concern over fraud risks, 65% of businesses feel protected by their bank, credit union or credit card provider when it comes to making payments. Of those who lost money through payment fraud, 32% said they were fully reimbursed by their financial institution, versus 39% who were partially reimbursed and 29% who were not reimbursed. Overall, 57% of businesses report being satisfied with the outcome, with 25% who were neutral about the outcome and 18% who were dissatisfied.

Just over 2 in 5 businesses (44%) say that fraud and cybercrime concerns impact their payment preferences and behaviour. Many businesses expressed concern with sharing their business identity and payer information as well as performing other online activities including:

• Opening unsolicited emails, texts or SMS messages (30%).
• Opening social media messages from unknown senders (26%).
• Downloading and using social media mobile apps for business purposes (22%).
• Sharing business and payer information online with e-commerce sites and apps (20%).
• Downloading and using lifestyle mobile apps for business purposes (19%).
• Making an online or in-app purchase (13%).

Almost 2 in 3 businesses (65%) would be willing to take extra steps to make an online transaction if it meant they were better protected. When transferring money online, 3 in 5 businesses (61%) would be willing to better protect themselves from scams, even if the process called for more time-consuming steps.

"Businesses face the challenge of ever-evolving and increasingly sophisticated payment fraud and cybercrime threats", said Jon Purther, Director of Research at Payments Canada. "Our study reinforces there is no room for complacency around measures to protect against and detect fraud risks for Canadian businesses regardless of size and industry, and that businesses are willing to take extra steps to make an online transaction if it meant they were better protected."