I was listening to NPR while I was stuck in traffic on my way to work this morning, and there was an interesting story about cyber fraud and banks’ responsibility – or lack thereof – to reimburse organizations for payments fraud committed against them [1].
While the story focused on small to medium businesses, several of the scenarios described could quite easily be replicated with any size of organization. Here’s one alarming example from the NPR story about a complex spear-phishing incident, from the CEO of a medium-sized business in the Pacific Northwest:
(…) Cyberthieves hacked his email account, impersonated him and transferred more than $1 million through U.S. domestic accounts to an account in China. (…)
(The victim) says one of the most unsettling things was realizing that once the cyberthieves had accessed his email, they had vast and intimate knowledge of his life and business practices.
“They knew exactly how I had communicated with our bookkeeper,” he says. “They knew exactly what kinds of things that I said” in emails to her authorizing transfers. He made another disturbing discovery: When he looked back at the transfers, he found that when they were authorized he always seemed to be in business meetings.
That’s because the thieves also had access to his Outlook calendar. It meant the cyber crooks could safely impersonate (the victim) and write emails telling his bookkeeper to transfer funds to their bank accounts. The thieves could respond to any questions from (the victim’s) bookkeeper and then delete all those communications from the account before (the victim) returned from his meetings and checked his email again.
And what was his bank’s response? “Sorry that this happened, but we can’t help you.” In fact, companies often have very few options in this situation beyond what can be a very expensive lawsuit. As long as banks can convince the courts that they offer security processes that are “commercially reasonable,” they aren’t obliged to reimburse corporate victims of payments fraud.
Although this may seem unlikely to happen to a larger business, replace the CEO in this story with a large organization’s CFO, and the bookkeeper with a member of the treasury team responsible for payment processing, and the situation applies to countless organizations across the world. As spear-phishing attacks become both more commonplace and more sophisticated in their execution, it is critical for treasury teams to implement strong authorization processes for payments rather than simply relying on an email from a supposedly trusted source. While education plays a major role in combating cyber fraud, there are also a number of technical controls within treasury management solutions that treasury teams can use to minimize the risk to their organization. These include:
- Creating a randomly generated one-time password using the user’s smartphone, a token, or a SWIFT 3SKey digital certificate.
- A security feature that allows clients to restrict login to a pre-defined set of IP addresses, or ranges of addresses, which are set up and maintained by the system security administrator.
- Virtual Private Network: ensures that users can only access their treasury solution through a dedicated network.
- Single sign-on with a client’s internal security environment, meaning that all password controls are managed internally by the corporate IT team and its policies.
- Personal identity tools that allow the user to digitally sign messages and electronic documents, as well as approve transactions within the system.
For more information about the risks that treasury teams face from payments fraud, as well as some of the steps that organizations can take to protect themselves, check out some of the articles below.
Six Ways to Prevent Financial Fraud with Kyriba
The Business Case for a Payment Hub
[1] When Cyber Fraud Hits Businesses, Banks May Not Offer Protection – NPR, September 15, 2015