Treasury’s authority over a broad range of cash management, payment and bank account operations is keeping it firmly in the sights of fraudsters, says a new global survey.
Treasury is one of the functions most susceptible to fraud, says a new global survey. When asked to select the three departments (out of nine choices) that were most likely to succumb to criminal intent, the vast majority of respondents (90%) listed accounts payable as their number one. But treasury was in second spot, chosen by 61%. Some 41% selected payroll. The least susceptible were procurement, AR and C-Suite executives.
The results of the fourth annual Treasury Fraud & Controls survey, conducted by Strategic Treasurer and Bottomline Technologies, also show that, within the corporate partner network, suppliers and vendors were considered the most susceptible to fraud, with 71% of practitioners placing them in the number one position. This compared to 23% who listed their bank, and just 4% who cited their technology providers.
Rising threat
Some 275 respondents, drawn from a global mix of businesses, were questioned between October and December 2018. Of these, 73% believe that the threat of fraud has increased in the past year. Despite this, over one third (36%) do not train their employees on security at least annually. “Untrained employees represent a large exposure,” the survey warns.
The survey digs deeper into the types of fraud most prominent today. Top of the list is business email compromise (BEC). This has been the most common criminal tactic used against treasury for several years now, the survey reports. However, it is noted that whilst the frequency of attempts in this area remains high, the level of success experienced by criminals is relatively low (10% of those that experienced attempts actually suffered a loss).
The number two threat is data theft (also referred to as cyber fraud). Phishing attempts, use of malware on company servers and software persist. Although criminal success rates for this type of fraud also appear low (7% of those that experienced attempts), the report warns that not every organisation may be aware that it has been breached.
High-tech methods may be more frequent, but old-fashioned cheque forgery (the third most common type of fraud) has a greater success ratio than either BEC or data fraud, with around 18% of those who experienced attempts suffering a loss. However, average losses associated with cheque fraud appear to be much lower than for other forms of fraud, at around US$2,000 in 2016.
Questioned on commonplace security mechanisms, 11% of companies said they did not leverage dual controls, and 15% did not have antivirus software. With only 12% of corporates currently leveraging biometrics as a more advanced form of security, the report suggests that the threat of corporate fraud remains “significant”.
Take action
Analysis of the survey outcome delivers some basic advice for corporates:
- Apply the principle of least privilege: limit the level of information employees can obtain to what is needed and no more.
- Formally train personnel: covering a greater breadth of topics and including tests and follow-up procedures to ensure that employees are fully aware of their security situation is highly recommended.
- Deploy multi-factor authentication: this drastically increases the difficulty for criminals to steal credentials.
- Vet suppliers prior to onboarding: establishing proper due diligence, KYC and other screening/onboarding steps prior to conducting business with a new partner can minimise the risk of an external breach.
- Monitor anomalies: systems and software that can monitor user behaviour can help quickly identify and log suspicious or anomalous activities.
- Consistently encrypt data: ensuring that data both at rest and in transit is encrypted across all business processes can significantly limit the impact that a cyber breach has on a company.
- Reconcile bank accounts daily: recognising a fraudulent charge on the day it occurs increases the chance of blocking the transaction before funds are withdrawn, helping also to ensure that losses do not occur repeatedly through the same breach or exposure.
- Automate bank account processes: 60% of organisations manage bank account operations manually; having a clearly defined and secure process for managing this data can help reduce the odds of a successful attack.