As Cybersecurity Awareness Month ends, it’s a good idea for treasury and finance departments to do a quick health check on their infrastructures and ensure that their protections are up to par—particularly when it comes to payments fraud.
Last week at AFP 2022, I led a presentation that detailed several fraud attempts and how companies can better protect themselves. One message proved true—if you have strong, consistently executed processes protecting your payment from its initiation all the way to its receipt, you significantly reduce the chances of a successful payments fraud attack.
The Threat of Impersonation
Payments fraud in 2021 was as bad, if not worse, than the year before, according to the 2022 AFP Payments Fraud and Control Survey. But even though business email compromise (BEC) scams dropped substantially last year, many organizations are still falling prey to them and incurring significant losses.
At the heart of BEC scams and more recent developments like deepfake fraud is impersonation. Cybercriminals use social engineering tactics to develop profiles on company employees or routine vendors, which they then impersonate to dupe unsuspecting people into making critical mistakes.
To identify an impersonator, it’s helpful to know the telltale signs. More than likely, the payment request will be urgent and will attempt to exploit unique circumstances, such as a specific time when employees are out of the office. Additionally, if your organization is making a lot of payments to contractors for a project, fraudsters might attempt to exploit that.
For example, Philabundance, a Philadelphia food bank, lost about $1 million to a successful BEC scam. The food bank was in the process of building a $12 million community kitchen. The accounts payable (AP) team received an invoice from what it thought was a construction company supplier and made the payment.
The Government of Cabarrus County, N.C., was also victimized by a vendor BEC scam. The county intended to send money to a contractor it had been working with on the construction of a new high school. Through a series of emails that began in late 2018, the fraudsters requested updates to the contractor’s bank information. The county didn’t do its due diligence and ultimately sent more than $2.5 million to the fraudulent account. While over $776,000 was eventually recovered, about $1.7 million remains unaccounted for.
Common Fraud Myths
When it comes to payments fraud, many treasury and finance departments still get lulled into thinking they are more protected than they are. Organizations may assume that their procedures are infallible or that any lost funds will be reimbursed, but they quickly get a wake-up call when a successful attack happens. The following myths are common.
“We have an approval process in place.” Even companies with the strictest policies can still suffer a breakdown in process. Employee ID/password combinations can be stolen. Regional treasury or shared service centers may require fewer approvals because of limited in-country staff. And companies with multiple ERP systems might have different approval processes—a scenario that is ripe for fraud.
“My bank will cover me.” There is no obligation for a bank to cover any client for payments fraud, unless the bank itself has been breached, like in a bank employee scheme. The bank may still reimburse corporate clients on a case-by-case basis, but don’t bet on it.
“We have cyber insurance.” Many companies assume that if they purchase cyber insurance, they are covered in the event of a loss. However, if an organization can’t prove that it took all the right steps to protect itself, it’s very likely that the policy won’t cover the loss. Many plans don’t cover BEC scams, for example, because they involve an employee making an error. There have been several legal cases in which insurers refused payment and the courts sided with the insurers. Furthermore, even if the insurer does agree to pay out, you might still have to pay a high deductible. For some plans, that cost can be tens of thousands of dollars.
What Can You Do?
Fortunately, there are many ways to protect your payments and your data. The following tips can help.
Embrace the cloud. Organizations should embrace cloud technology to secure payments and systems. IT teams know that payments data and connectivity are more secure when hosted externally. However, not all cloud solutions are alike. Solutions like Kyriba Enterprise Security ensure that treasury, payments, and risk data meet internal security policies and international security requirements while providing 24/7, global support.
Align all departments. Your internal IT department, as well as every area that touches payment processing (treasury, accounts payable, shared services, etc.), should be aligned with your security policies. With more and more companies allowing remote work, companies must ensure that all employees are using effective protections such as strong passwords, policy controls, multifactor authentication, IP filtering, single sign-on and data encryption.
Automate payment processes and standardize controls. Automation allows organizations to standardize the payment journey from the initial request to the receipt of the payment. Risk lies in the exceptions to a standardized process, i.e., payments made outside of this typical format that provide fraudsters with opportunities. Again, these are usually one-time, urgent payment requests that can come in for things like mergers and acquisitions, legal settlements, emergency payroll, etc.
Enable real-time screening, alerts, and notifications. The rise of same-day and real-time payment systems has increased the need for real-time responses to fraud attempts. Modern fraud detection software uses artificial intelligence (AI) and machine learning to screen payments against historical payment data, pinpointing any anomalies.
Implement fraud prevention workflows. Modern payments fraud modules support fully automated, end-to-end workflows for the resolution of outstanding suspicious payments. Users can determine how each detected payment should be managed, enforcing the separation of duties between the initiator, approver, and reviewer of a detected payment.
Know your vendors. Vendors can be a major liability for your company. In some cases, vendors are granted access to their customer’s network credentials. If that vendor’s security protocols are lacking, they can become an unknowing backdoor into that customer’s systems. This is what happened in the infamous Target breach in 2013. Therefore, it is imperative to have a detailed information security questionnaire that can provide confidence in the governance and risk programs that a vendor has in place. Additionally, with vendor BEC scams proliferating, organizations need to make sure that requests for payment instruction changes are verified directly with the vendor before any transactions are completed.
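The three controls above (screening a payment against a vendor’s history, holding flagged payments in a workflow that separates initiator, approver and reviewer, and verifying bank-detail changes directly with the vendor) can be sketched in a few dozen lines. The example below is added by the editor and is not Kyriba’s code; the vendor master, payment history, account identifiers and people are constructed, and the z-score rule is a deliberately simple stand-in for the machine-learning screening described in the text.

```python
"""Payment screening plus separation-of-duties release check (illustrative, not product code)."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed vendor master: the bank details that were verified at onboarding.
VENDOR_MASTER = {
    "ACME Construction": {"account": "XX00EXAMPLE0001"},
    "Office Supplies Co": {"account": "XX00EXAMPLE0002"},
}

# Constructed payment history: amounts previously paid to each vendor.
PAYMENT_HISTORY = {
    "ACME Construction": [48_000, 52_500, 49_900, 51_200],
    "Office Supplies Co": [1_200, 980, 1_450],
}


@dataclass
class Payment:
    payment_id: str
    vendor: str
    account: str      # beneficiary account on the incoming request
    amount: float
    initiator: str    # user who entered the payment
    urgent: bool = False


def screen_payment(payment, master=VENDOR_MASTER, history=PAYMENT_HISTORY):
    """Return reason codes for anything anomalous; an empty list means the payment looks routine."""
    flags = []
    known = master.get(payment.vendor)
    if known is None:
        flags.append("UNKNOWN_VENDOR")
    elif payment.account != known["account"]:
        # The classic vendor-BEC signal: the request carries bank details that differ from the master record.
        flags.append("BANK_DETAILS_CHANGED")

    past = history.get(payment.vendor, [])
    if len(past) < 3:
        # Too little history to judge; hand to a human rather than guess.
        flags.append("INSUFFICIENT_HISTORY")
    else:
        mu, sigma = mean(past), pstdev(past)
        # Simple z-score outlier test against the vendor's own payment history.
        if (sigma > 0 and abs(payment.amount - mu) > 3 * sigma) or (sigma == 0 and payment.amount != mu):
            flags.append("AMOUNT_OUTLIER")

    if payment.urgent:
        flags.append("URGENT_REQUEST")
    return flags


def can_release(payment, flags, approver, reviewer, vendor_callback_confirmed=False):
    """Release decision for a flagged payment.

    Enforces three distinct people (initiator, approver, reviewer) and, when the bank details
    differ from the vendor master, an out-of-band confirmation with the vendor using contact
    details already on file, never those supplied in the change request.
    """
    if approver is None or reviewer is None or len({payment.initiator, approver, reviewer}) < 3:
        return False, "SEPARATION_OF_DUTIES"
    if "UNKNOWN_VENDOR" in flags:
        return False, "VENDOR_ONBOARDING_REQUIRED"
    if "BANK_DETAILS_CHANGED" in flags and not vendor_callback_confirmed:
        return False, "VENDOR_CALLBACK_REQUIRED"
    return True, "OK"


def demo():
    """Walk a suspicious change-of-bank-details request through the controls."""
    request = Payment("P-2", "ACME Construction", "XX00EXAMPLE0099", 51_000, "alice", urgent=True)
    flags = screen_payment(request)
    steps = [
        can_release(request, flags, "alice", "carol"),          # initiator approving her own payment
        can_release(request, flags, "bob", "carol"),            # right people, vendor not yet called
        can_release(request, flags, "bob", "carol", True),      # confirmed with vendor on file number
    ]
    return flags, steps


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the request being held first for separation of duties, then for the vendor call-back, and released only once both are satisfied; the same `screen_payment` call returns an empty list for a routine payment to the account on file, so only exceptions reach the workflow.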
Safeguarding Your Payments
To mitigate the risk and safeguard your payments, organizations must have a unified solution that connects ERPs and internal and external systems and allows for a secure, end-to-end payment journey. Furthermore, when exceptions occur, protocols can’t be abandoned no matter how urgent the request. Every department that touches payments needs to understand that one slip-up can be catastrophic, leading not only to loss of funds but also to loss of jobs and reputational damage for the whole organization.
Kyriba is here to help you protect your organization against payments fraud.