The importance of effective payment controls

By Bob Stark September 17, 2013

Phishing isn’t a new phenomenon, and almost all of us have received an email purporting to be from a financial institution, asking us to log onto their website for some spurious “security check.” However, in the world of business banking and finance, with all of its checks and balances, it’s less common for fraudsters to attempt such a daring raid. 

I saw this recent posting about a payment fraud attempt on the AFP Discussion Board. 

Attempted Wire Transfer Fraud


Had a pretty good attempt at wire transfer fraud yesterday, to the tune of $50k. Our Controller got an email from the CFO yesterday with an approval for a wire transfer. Within the chain of that email was an approval from the CEO. Wire transfer instructions were attached, and of course there was a noted sense of urgency.

One thing that struck us as odd was that the CFO wouldn't normally go through the Controller to get a wire transfer done. So I called the CFO and he had no idea what email chain I was talking about.

Turns out an outside party, most likely in Bermuda, used email masking to make all the emails look like internal emails. And they had all the main players' names, most likely from our public filings. Pretty clever.

If you haven't dusted off your wire transfer approval via email guidelines in a while, I would suggest you do so now.

It was interesting for two reasons:

1) It highlighted a creative attempt at phishing to mimic a company’s somewhat unstructured payment initiation and approval process. What’s particularly unusual is that whoever was trying to commit the fraud had obviously done their research, and at the very least looked on a site such as LinkedIn (and the corporate website) in order to work out the CFO’s name and their email format. 
 
2) I can’t think of a better advertisement for a more robust, centralized payments approval process, as this clearly shows the risks associated with email approvals. Luckily, the person who posted this was experienced and knew how their system should work. However, were they new to the role, it’s quite possible that the error wouldn’t have been noticed until it was too late.
 
Most treasury and risk professionals reading this will immediately recognize the opportunities for improving the process. To name just a few:
 
  • Payment initiation or approval should never be via email. It’s fraught with hazards, both internal (someone gaining access to the person’s email) and external (email masking, as outlined above).
  • There should always be a single system of record, so that all wire transfers have a thorough audit trail and can easily be traced.
  • Payment approvers should be authenticated using proper electronic safeguards such as strong password controls, two-factor authentication, digital signatures, etc.
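Since the post above turned on an outside party masking external mail as internal, here is an added example (not from the AFP post or from Kyriba) of the header checks a mail gateway or SOC script can run before an executive "approval" ever reaches a controller. The corporate domain, the executive directory and the three sample messages are all constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumption: the organisation's real mail domain
# Hypothetical directory of the executives whose names appear in public filings.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com", "John Roe": "john.roe@example.com"}

def domain_of(addr: str) -> str:
    """Lower-cased domain part of a bare address such as 'a@Example.COM'."""
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw: str) -> list[str]:
    """Return the reasons an inbound message looks like executive impersonation.
    An empty list means none of the header checks fired."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    from_domain = domain_of(addr)
    reasons = []
    # 1. A known executive's display name on an address the directory does not list.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        reasons.append(f"display name '{name}' used with non-directory address {addr}")
    # 2. Sender domain is a near-miss of the corporate domain (e.g. examp1e.com).
    if from_domain != CORPORATE_DOMAIN and \
            SequenceMatcher(None, from_domain, CORPORATE_DOMAIN).ratio() >= 0.8:
        reasons.append(f"lookalike sender domain {from_domain}")
    # 3. Replies are quietly redirected away from the apparent sender's domain.
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To {reply_to} differs from From domain")
    # 4. Header claims our own domain but the receiving MTA did not authenticate it.
    if from_domain == CORPORATE_DOMAIN and "dmarc=pass" not in auth:
        reasons.append("claims corporate domain without a DMARC pass")
    return reasons

# Constructed sample messages (not from the post): one genuine, two impersonations.
GENUINE = ("From: Jane Doe <jane.doe@example.com>\nTo: controller@example.com\n"
           "Authentication-Results: mx.example.com; dmarc=pass\nSubject: Q3 forecast\n\nSee attached.\n")
LOOKALIKE = ("From: Jane Doe <jane.doe@examp1e.com>\nReply-To: jane.doe.cfo@webmail.invalid\n"
             "To: controller@example.com\nSubject: URGENT wire approval\n\nApproved, see instructions.\n")
FORGED = ("From: Jane Doe <jane.doe@example.com>\nTo: controller@example.com\n"
          "Authentication-Results: mx.example.com; spf=fail; dmarc=fail\nSubject: Wire today\n\nApproved.\n")

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("lookalike", LOOKALIKE), ("forged", FORGED)]:
        print(label, spoof_indicators(raw) or ["no indicators"])
```

None of these checks replaces the controls in the list above; they only buy the controller the same pause that the original poster got from noticing an unusual approval path.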

While these suggestions may seem obvious, many organizations have yet to standardize their payment workflows across the entire organization and, as a result, as fraud attempts become more creative, financial loss becomes more likely. Fraudsters realize that both consumers and organizations are becoming more savvy at identifying potentially illegal activity, and are, in turn, upping their game in terms of the sophistication of their approach.

Through use of a treasury management platform – such as Kyriba – organizations can choose to centralize some or all corporate payments (Kyriba interfaces with every ERP), implement standardized yet flexible separation of duties for any scenario (even special rules for the summer intern who needs that extra set of eyes each time), and offer secure, encrypted connectivity to your bank(s).
