Cyber-attacks continue to make headlines around the world, and no matter what defensive measures security professionals put in place, organisations are increasingly at risk of payments fraud. What do corporate treasurers need to know, and how can they shield their organisations from today’s ever-resourceful fraudsters?
According to the Association of Finance Professionals’ (AFP) recent Payments Fraud and Control Survey, a record 82% of organisations reported fraud incidents in 2018. Large organisations were particularly vulnerable to payments fraud, with 87% of businesses with revenue greater than US$1bn reporting fraud attempts, up from 80% in the previous year.
Meanwhile, the Financial Crimes Enforcement Network (FinCEN) said in its Financial Trend Analysis that the number of reports describing Business Email Compromise (BEC) had grown rapidly, from a monthly average of nearly 500 in 2016 to more than 1,100 in 2018.
This is hardly surprising. Cyber criminals constantly adapt and find new ways to target businesses. While traditional phishing, wire transfer fraud and vendor payment fraud remain scammers’ preferred methods, they are increasingly exploiting weaknesses in corporate IT: software that has not been patched, networks with unaddressed security exposures, and sensitive or personal data that is stored or transmitted without encryption.
Should a fraudster’s exploits be successful, not only will a business lose out financially, its reputation may also be damaged severely – and the trust of customers, investors and suppliers may be lost.
Reducing the risk
In today’s digital world, what can treasurers do to protect their businesses? The following steps can help mitigate the risk of falling victim to payment fraud:
Review risks and policies. The first step should always be to hold regular risk review meetings with every department of the business. By monitoring and stress testing the application of their cyber-security policies, treasurers will be able to improve and adapt them at a moment’s notice. That said, recent research from the UK’s Department for Digital, Culture, Media & Sport notes that only 27% of businesses have a formal cyber-security policy in place.
Monitor supplier connections. If a supplier suffers a data breach, any company electronically connected to that supplier should immediately treat the connection as a raised threat to its own network. Access to and from that supplier should be limited or closely monitored, and security controls adjusted accordingly.
Secure data. If cash is king, then data is president. As such, corporate treasury departments should always map and maintain the security of every piece of data. This could be anything from information tied to a customer’s account to a vendor agreement or company workflow. Any loan payment schedules, lists of professionals approved to authorise payments, investments and other transactions need to be secured, as fraudsters armed with this information could coordinate an attack by inserting themselves into any expected flow of payments.
It goes without saying that data that is no longer valuable to the company should always be destroyed. However, many businesses lack a routine and regimented process for disposing of even the most sensitive of data. Such a scenario is a jackpot for fraudsters looking to exploit data related to payments and cash flows.
Use alerts. When it comes to third-party suppliers or contractors, any software purchased or licensed from a third party should come with some form of alerting that fires when it detects anomalous behaviour. A typical example is two different IP addresses logging into the same account within a short period of time.
Red flags should also be raised by a large volume of downloads or failed logins in a single day, or by irregular patterns in the creation of accounts for the software. Such indicators are known as ‘indicators of compromise’ or IOCs, and they are often the first warning sign that a business is under cyber-attack.
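The rules described above can be checked directly against access logs. The following is an added example, not code from the original article or from any particular product: it runs the four alerting rules just listed (one account from two IP addresses in a short window, failed logins per day, downloads per day, and a burst of account creations from one source) over a constructed log sample. The log format, the thresholds and the time windows are assumptions chosen for illustration and would need to match the real application's logging.

```python
"""Simple indicator-of-compromise rules over an access log.

Added example (not from the original article). The log format below is an
assumption: one event per line as "ISO-timestamp account source-IP event".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log. Events: login_ok, login_fail, download, account_created.
SAMPLE_LOG = """\
2019-03-04T09:00:12Z alice 203.0.113.10 login_ok
2019-03-04T09:04:40Z alice 198.51.100.7 login_ok
2019-03-04T09:05:01Z alice 198.51.100.7 download
2019-03-04T09:05:03Z alice 198.51.100.7 download
2019-03-04T09:05:06Z alice 198.51.100.7 download
2019-03-04T09:10:02Z bob 192.0.2.55 login_fail
2019-03-04T09:10:09Z bob 192.0.2.55 login_fail
2019-03-04T09:10:15Z bob 192.0.2.55 login_fail
2019-03-04T09:10:21Z bob 192.0.2.55 login_fail
2019-03-04T09:10:30Z bob 192.0.2.55 login_fail
2019-03-04T09:10:44Z bob 192.0.2.55 login_ok
2019-03-04T11:00:00Z carol 203.0.113.10 login_ok
2019-03-04T16:30:00Z carol 203.0.113.44 login_ok
2019-03-04T17:00:00Z vendor-admin 198.51.100.7 account_created
2019-03-04T17:00:30Z vendor-admin 198.51.100.7 account_created
2019-03-04T17:01:00Z vendor-admin 198.51.100.7 account_created
"""


def parse_log(text):
    """Parse log lines into (timestamp, account, ip, event) tuples, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, event = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, account, ip, event))
    return sorted(records)


def concurrent_ip_alerts(records, window=timedelta(minutes=15)):
    """Flag an account with successful logins from two distinct IPs within `window`.

    Returns (account, new_ip, [other recent ips]) per offending login.
    """
    alerts = []
    recent = defaultdict(list)  # account -> [(ts, ip)] successful logins inside the window
    for ts, account, ip, event in records:
        if event != "login_ok":
            continue
        history = recent[account]
        history[:] = [(t, i) for t, i in history if ts - t <= window]  # expire old logins
        other_ips = sorted({i for _, i in history if i != ip})
        if other_ips:
            alerts.append((account, ip, other_ips))
        history.append((ts, ip))
    return alerts


def daily_threshold_alerts(records, event, threshold):
    """Flag accounts whose count of `event` on a single day reaches `threshold`.

    Used for both "many failed logins" and "many downloads" rules.
    """
    counts = defaultdict(int)
    for ts, account, _ip, ev in records:
        if ev == event:
            counts[(account, ts.date())] += 1
    return sorted((account, str(day), n) for (account, day), n in counts.items() if n >= threshold)


def creation_burst_alerts(records, threshold=3, window=timedelta(minutes=5)):
    """Flag a source IP that creates `threshold` accounts within `window` (alerts once per burst)."""
    alerts = []
    recent = defaultdict(deque)  # ip -> timestamps of recent account creations
    for ts, _account, ip, event in records:
        if event != "account_created":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append((ip, len(q)))
    return alerts


def run_rules(text, failed_login_threshold=5, download_threshold=3):
    """Run every rule over a log and return the alerts keyed by rule name."""
    records = parse_log(text)
    return {
        "shared_account": concurrent_ip_alerts(records),
        "failed_logins": daily_threshold_alerts(records, "login_fail", failed_login_threshold),
        "downloads": daily_threshold_alerts(records, "download", download_threshold),
        "account_creation_burst": creation_burst_alerts(records),
    }


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_LOG).items():
        print(rule, hits)
```

In the sample, alice is flagged because her second login came from a different address within 15 minutes, while carol's two logins from different addresses are hours apart and pass; bob trips the failed-login rule, alice the download rule, and the three account creations from 198.51.100.7 trip the burst rule. Thresholds this low are only for illustration; in practice they are tuned against the application's normal traffic so that a travelling employee or a nightly batch export does not drown real indicators in noise.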
Review intelligence. Finally, regular updates, reviews, and meetings with senior managers are critical. Every executive needs to understand what is at stake and why additional protection may be necessary. Quarterly meetings should be held to review industry-wide threat intelligence and share information about the cyber threats competitors are encountering.
If the lines of communication are kept open with leaders throughout the company, corporate treasurers will be able to share the cyber-security burden in terms of intelligence, labour and other resources, ultimately reducing both the cost of defence and the risk of falling victim to today’s resourceful fraudster.