The COVID-19 pandemic is increasing risks for treasurers across myriad areas, not least payments fraud. We spoke with an expert to find out how the risks have changed, and what treasurers can do to mitigate them.
The current global situation has caused a “second Christmas” for fraudsters, according to cyber-fraud expert, Ilan Shiber. Indeed, cybercrime is on the rise as hackers and criminals look to take advantage of the stress and confusion that many individuals are feeling. Data gathered by Google and analysed by Atlas VPN, indicates that from January to March 2020, the number of active phishing websites increased by more than 350%.
And of course, it’s not just the scams offering personal protective equipment for a heavily discounted rate (likely to be poor quality and offer no protection), or even emails to businesses offering financial compensation. Sophisticated fraudsters are also capitalising on the likes of supply chain disruption to launch attacks.
With export restrictions and sudden changes in customers’ demand, organisations need to rapidly change their supply chains and find new channels and alternative suppliers. Fraudsters thrive in such a chaotic environment. Shiber, CTO at corporate payment security company nsKnox, explains that it’s often the case that when doing things under pressure, as so many businesses currently are, people have a tendency to cut corners. “It’s easier for you to be fooled by someone who pretends to be a supplier,” he says. It’s happening more frequently, and it’s not only because customers are working from home, but that their suppliers are as well. Being unable to get hold of your regular contact or perhaps receiving a call from an unknown number is now something that’s not completely unusual. “People are a bit less on-guard these days.”
For Shiber, the best way to mitigate the risks is through a combination of technology, processes and people. The first thing a company should do is identify the key processes that need protecting, for example vendor management, bank account changes or releasing payments. Once these critical things are mapped, the next important step is to not rush into anything. “For example, if they’ve signed a new supplier, it would be a good idea to have a grace period before paying them, and maybe even extend that to seven or even 14 days.” The extra time could help in identifying fraud attempts, he explains.
Another protective measure is to centralise where possible. For global organisations, Shiber suggests temporarily limiting the access of subsidiaries. This will allow the treasury department to keep track of things more easily. Lastly, it may be worth implementing a zero-trust policy, automating as much as possible and taking the human factor out of the equation. “This is one of the things that we always recommend when people are signing up a new supplier,” he explains. “Don’t rely on regular manual procedures to validate data correctness when taking down details such as bank accounts. If something goes wrong, it translates very quickly into payments fraud so it’s necessary to automate these checks. This way the whole process is more visible and auditable.”
Other, more generic protections include education and basic cyber-security systems, such as VPN access and multi-factor authentication. These aren’t the main focus of treasurers, but it means that treasurers need to work hand in hand with the CIO to ensure that their organisation is protected. This isn’t to say that treasurers need to become technological experts, and Shiber points out that treasurers aren’t supposed to know these things, but that it’s important that they are aware of the gap in their knowledge and that they actively work with their CIO or CTO and explain what needs protection.
As of March 2020, confirmation of payee (CoP) began rolling out in the UK. This new process checks the name on the bank or building society account before a new CHAPS, Faster Payment or Standing Order is set up. The aim of this process is to reduce the same type of fraud that is picking up in volume now.
For example, if a fraudster phones to impersonate a customer or supplier and asks to change bank accounts, the payment – providing it’s a CHAPS, Faster Payment or Standing Order – will be blocked unless the name they give matches that on the account.
The challenge with CoP though, Shiber points out, is that it’s only in the UK and provides only partial coverage. “The bad guys can still slip between the cracks,” he says. There needs to be a full and global solution. Therefore, it’s even more important that treasurers take steps to mitigate these risks.