Debit order fraud prevention and security measures for South African small businesses

Debit order fraud is a massive problem affecting small businesses, consumers, and the payments industry as a whole. It happens when an unauthorised entity takes money from your account via debit order without a signed mandate.

These unauthorised debit orders are usually of a small amount (e.g., in the case of the R99 debit order scam), which makes picking up on them unlikely. Why, you may ask? Well, it’s because the amount is low enough to not trigger a payment notification from the account holder’s bank. The result is that the transaction occurs over several months before it is eventually identified.

Depending on who you ask, R99 may not sound like much. But when you factor in that over 40 million South Africans have bank accounts, you’re looking at billions of rands.

All is not lost, though, as there are a few measures you can put in place.

Before you dive into establishing what you can do to prevent fraud, it’s important to understand who is committing these acts.

Unsurprisingly, debit order fraud is commonly thought of as being committed by unauthorised parties. And while this is true, it has also been found that clients themselves partake in this type of fraud.

Before DebiCheck was introduced, some third parties would get hold of client information (e.g., identification numbers, cell numbers, email addresses, etc.) and use this information to enter debit orders in the client’s name.

This was commonplace with fake call centres, with agents calling to “confirm” a client’s identification number. From there, they would then sign up for a debit order and send it through to a debit order clearing house that would process the debit order.

Due to financial constraints, some clients would put in a debit order dispute for legitimate debit orders as a form of cash flow management. Unfortunately, this debit order reversal not only puts financial strain on the business they legitimately entered into a contract with, but it also exposes clients to not being covered by the terms of their contract (e.g., an insurance contract).

By implementing robust security measures, you’ll be able to safeguard your business’s financial interests, as well as maintain your client’s trust.

So, how do you protect your business against debit order fraud?

As mentioned earlier, DebiCheck was introduced to curb debit order fraud. This secure debit order system involves getting your electronic confirmation when you sign up for a new contract with a service or credit provider.

With a DebiCheck mandate, you (as a sole proprietor or individual) will be sent a notification via your banking app requiring you to give once-off permission to the bank to debit your account on your service or credit provider’s behalf. Obtaining specific consent from you with an electronic mandate ensures the business you’re trading with  has your correct information and banking details.

Note: It’s important to keep in mind that a business bank account cannot accept a DebiCheck mandate. This is because it requires an individual to log into the app personally to accept it. So unless your business is a sole proprietorship, it cannot accept DebiCheck debit order mandates.

Note to PM and/or Client:

This refers to the business’s service or credit provider (i.e., the entity they are paying debit orders to).

DebiCheck is automatically a type of 2FA, as it requires you as a sole proprietor to log into your business bank account and then authorise the mandate. With two-factor authentication, you can add an additional layer of security. So, what exactly is two-factor authentication?

2FA verifies a user’s identity (that would be you, the sole trader) by requiring two separate forms of identification to access your account. In the case of DebiCheck, this identity and access management security method will either send you an SMS or a banking app notification on top of the contract you signed.

If you confirm the details of the debit order supplied to you and accept the DebiCheck, then the bank will process your debit order. You can reject it too, which would result in the debit order not going through.

Here are a few benefits of DebiCheck, a form of two-factor authentication:

• Better control: You’ll know exactly which debit orders will go off your sole proprietorship’s bank account. This knowledge helps you manage your budget and cash flow better.
• Peace of mind: Knowing that only the debit orders you agreed to will be processed at your confirmed amount and date gives you peace of mind.
• Security: Enable secure access via biometric verification. By scanning your client’s unique fingerprint and facial features, they are able to securely approve transactions.
• Ease and convenience: Approve debit orders via your banking app, SMS, USSD code or through a call initiated by your bank’s call centre.

Carrying out verification processes can help you confirm whether transactions are legitimate. In addition, it can assist you in preventing unauthorised transactions from going through.

As a small South African business, you may carry out the following to protect yourself:

• Electronic mandate (E-mandate): In the case of a non-DebiCheck debit order, you can sign an electronic mandate to ensure you give authority to the right service provider at the agreed date and cost. You can sign it on any web-enabled device.
• Two-factor authentication (or multi-factor authentication): This works, as mentioned earlier, only for DebiCheck debit orders. Just bear in mind that a business bank account cannot accept a DebiCheck mandate. This is because it requires an individual to log into the app personally to accept it. So unless your business is a sole proprietorship, it cannot accept DebiCheck debit order mandates.

Speaking of noticing irregular debit orders, monitoring can help your business identify unusual patterns or suspicious activities as they relate to its debit orders. Here are a few strategies you could employ in your company:

• Regularly check your bank statements: Monitor your bank statements regularly for unauthorised debit orders that may have slipped through the cracks.
• Keep records of the debit orders you have: And compare these to the ones that go off your business account. Common examples include utilities (for electricity and water), insurance, etc. If you find that these significantly differ from your recorded debit orders, it may be a sign of debit order fraud. Unfortunately, some companies don’t practice this and only discover unauthorised debit orders much later on.

Conducting regular audits and complying with regulations can help you protect your business and its clients from debit order fraud. This involves:

• Security audits: Carry out routine security audits to help identify any vulnerabilities in your business’s information systems. Also, make sure you assess how effective your existing security measures are. This entails ensuring that your client’s information is securely held and only authorised employees have access to such information. This can help minimise the risk that client financial information gets into the wrong hands and is used to commit fraud.
• Audits of your business bank account statements: Pick up any unusual or unrecognisable transactions by inspecting your bank statements. It’s important to do this frequently — doing so monthly is recommended. If you’d like to dispute a debit order, you need to follow up with your bank, as you only have 40 days to have the bank immediately reverse it. The 40-day period applies to non-DebiCheck debit orders.
• Complying with local regulations: Regulations, such as the Financial Intelligence Centre Act (FICA), require businesses to establish the source of client funds. If you find out that the source of your client’s funds is through unauthorised debit orders, you will be required to report them to the Financial Intelligence Centre (FIC). On your end, you would have ensured you’re legally compliant and are potentially protected against legal complications.
• Engage with third-party expertise: If your business doesn’t have security experts, you can employ the services of security experts who can assess your company’s security practices. In addition, experienced parties like cybersecurity experts can recommend improvements thereto.

You could consider your employees as the first line of defence against fraud. It is vital to hire employees who have integrity and are trustworthy. But it also helps to ensure they are educated and competent as far as debit order fraud is concerned. Here’s how you could train your employees:

• Improve familiarity with protocols: Give your employees the necessary training they need to be familiar with and understand security protocols, as well as how to appropriately respond to suspicious activities.
• Promote continuous learning: In addition to the above, you could ensure you provide ongoing training to your staff. This way, your employees will be up to date with fraud methods, including debit order fraud from external parties or even your clients.
• Have fraud awareness programmes: Regularly educate your staff on the latest tactics used by fraudsters and the common red flags they need to look out for.

Your business can play an important role in ensuring your clients are empowered to be active in safeguarding their financial interests. This includes:

• Being transparent with clients: Let consumers in. Provide them with information about the security measures you’ve put in place and how they protect your client’s financial data.
• Communicate best practices: Share informational content and tips on identifying scams, preventing debit order fraud, verifying their transaction details, and how to protect their personal information.
• Clearly communicate with your clients: Ensure your clients are aware of the various communication channels available to them and the procedures they must follow to verify transactions. Examples of communication channels include emails, a dedicated call line, a contact form via the web, and even social media platforms. If you are debiting other clients, it’s important that you inform them of when you are going to debit them and what to expect on their bank statement reference. This can help you mitigate the risk of them disputing your legitimate debit orders as fraud.

Preventing debit order fraud comes with numerous benefits for your business, including the following:

• Enhanced reputation: When you safeguard your business and its clients against fraud, your company benefits greatly. Your clients will feel that they can trust their financial information with you, resulting in enhanced credibility of your brand. This is especially crucial if you operate in the financial services industry, where the industry is small, and trust is key.
• Enjoy financial protection: It’s apparent that preventing debit order fraud financially protects you and your clients. By preventing it and implementing the security measures outlined above, you can help mitigate potential losses for your business and clients.
• Avoid legal issues: Adhering to regulations put forth by South African industry watchdogs like the Payments Association of South Africa can help shield your business from legal implications.
• Save on costs: While it may sound costly and time-consuming to prevent debit order fraud, the benefits outweigh the costs. Your company can avoid the costs associated with identifying, investigating, correcting, and recovering from fraudulent debit orders.
• Maintain client trust and loyalty: Linked to the first point above, by ensuring your transactions are secure, you’re essentially fostering trust with your clients. The result? Repeat business and referrals to your business.
• Maintain business operations: Debit order fraud disrupts your business operations. By preventing it in the first place, you help ensure operational continuity.
• Peace of mind: Running a company is stressful as it is. And while you can’t put a price tag on peace of mind, the security measure you’ve put in place will help you worry less about potential fraud. This is possible when you know your financial operations are secure. As a business owner, your time and mind will be free to focus on growing your business and its core operations.
• Have a competitive advantage: When clients and the market know your business for its stringent security measures, you can include this as a unique selling point. This can help you attract customers who are concerned about the security of their financial transactions. Think of the Swiss-based email service Proton Mail as an example.

Illegal debit orders pose a significant threat to businesses and their clients alike. Unfortunately, these fraudulent activities can have dire financial consequences and undermine trust in South Africa’s payments system.

By implementing robust security measures, including two-factor authentication and verification processes, you can ensure you stay ahead of this scourge and avoid being a victim. Proactively engaging with and educating your employees and clients is also an excellent way to prevent debit order fraud.

Explore the critical differences between debit orders and stop orders to better understand how each functions in safeguarding your transactions. Alternatively, read up on securely collecting debit orders with Netcash.