Phishing isn’t a new phenomenon, and almost all of us have received an email purporting to be from a financial institution, asking us to log onto their website for some spurious “security check.” However, in the world of business banking and finance, with all of its checks and balances, it’s less common for fraudsters to attempt such a daring raid.
I saw this recent posting about a payment fraud attempt on the AFP Discussion Board.
It was interesting for two reasons:
1) It highlighted a creative attempt at phishing to mimic a company’s somewhat unstructured payment initiation and approval process. What’s particularly unusual is that whoever was trying to commit the fraud had obviously done their research, and at the very least looked on a site such as LinkedIn (and the corporate website) in order to work out the CFO’s name and their email format.
2) I can’t think of a better advertisement for a more robust, centralized payments approval process, as this clearly shows the risks associated with email approvals. Luckily, the person who posted this was experienced and knew how their system should work. However, were they new to the role, it’s quite possible that the error wouldn’t have been noticed until it was too late.
Most treasury and risk professionals reading this will immediately recognize the opportunities for improving the process. To name just a few:
- Payment initiation or approval should never be via email. It’s fraught with hazards, both internal (someone gaining access to the person’s email) and external (email masking, as outlined above).
- There should always be a single system of record, so that all wire transfers have a thorough audit trail and can easily be traced.
- Payment approvers should be authenticated using proper electronic safeguards such as strong password controls, two-factor authentication, digital signatures, etc.
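As an added illustration of the three controls above (this is constructed example code, not from the post or from Kyriba), here is a minimal Python model of a payment system of record: it refuses approvals that arrive over email, enforces separation of duties between initiator and approver, and ties each approval to a signature over the beneficiary and amount so that altered payment details void the sign-off. Per-approver HMAC secrets and the `APPROVER_KEYS` table are assumptions standing in for the digital signature and second factor the list mentions.

```python
import hashlib
import hmac
import json
import time

# Constructed example: per-approver secrets stand in for a digital signature / second
# factor; a real system would use asymmetric keys plus MFA and a tamper-evident log.
APPROVER_KEYS = {"cfo": b"cfo-secret-constructed", "controller": b"ctl-secret-constructed"}


def signed_fields(payment: dict) -> dict:
    # The fields an approval commits to; changing any of them voids the approval.
    return {k: payment[k] for k in ("id", "beneficiary", "amount")}


def sign(key: bytes, payment: dict) -> str:
    # Approver-side: sign the payment exactly as it appears in the system of record.
    msg = json.dumps(signed_fields(payment), sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class PaymentLedger:
    # Single system of record: every initiation, approval and rejection is logged.
    def __init__(self) -> None:
        self.payments: dict = {}
        self.audit: list = []

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": time.time(), "event": event, **fields})

    def initiate(self, pid: str, initiator: str, beneficiary: str, amount: int) -> None:
        self.payments[pid] = {"id": pid, "initiator": initiator, "beneficiary": beneficiary,
                              "amount": amount, "status": "pending"}
        self._log("initiated", pid=pid, user=initiator)

    def approve(self, pid: str, approver: str, signature: str, channel: str = "portal") -> bool:
        p = self.payments[pid]
        reason = None
        if channel != "portal":                      # no email or chat approvals
            reason = "approval outside system of record"
        elif approver == p["initiator"]:             # separation of duties
            reason = "initiator cannot approve own payment"
        elif approver not in APPROVER_KEYS:
            reason = "not an authorized approver"
        elif not hmac.compare_digest(sign(APPROVER_KEYS[approver], p), signature):
            reason = "signature does not match payment details"
        if reason:
            self._log("rejected", pid=pid, user=approver, channel=channel, reason=reason)
            return False
        p["status"] = "approved"
        self._log("approved", pid=pid, user=approver)
        return True
```

Every rejection lands in the audit trail with its reason, which is what gives an investigator the trace the second bullet asks for.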
While these suggestions may seem obvious, many organizations have yet to standardize their payment workflows across the entire organization and, as a result, when fraud attempts become more creative, the opportunity for financial loss becomes more likely. Fraudsters realize that both consumers and organizations are becoming more savvy in identifying potentially illegal activity, and are, in turn, upping their game in terms of the sophistication of their approach.
Through use of a treasury management platform – such as Kyriba – organizations can choose to centralize some or all corporate payments (Kyriba interfaces with every ERP), implement standardized yet flexible separation of duties for any scenario (even special rules for the summer intern who needs that extra set of eyes each time), and offer secure, encrypted connectivity to your bank.