“Payment fraud and cyber risks have become a real plague for corporates,” says Matthieu Perret, Project Manager on Fraud Prevention and Cyber Risk at BNP Paribas. “Mostly for the accounting and treasury departments. We face a lot of different risks.”
Fraud by impersonation is the most frightening kind of payment fraud for corporates. This is where the fraudster impersonates someone else – such as the company CEO – and tricks the victim into paying money to a fraudulent account. “We have tools in place to identify our clients when connecting to their eBanking platform,” Perret says. “We can make sure that it’s our client that is asking for the transaction.”
Awareness around those topics is key, while there is generally a good knowledge of risks like malware and ransomware, Perret also wants corporates to take data theft seriously as well. “Companies sometimes don’t realise that the data itself has a real value,” he says. “Any data can be valuable – individual data, corporate data – everything can be sold. And it can be used to perform payment fraud.”
Perret has seen a sharp jump in fraud since the Coronavirus pandemic. “We have noticed a tremendous increase in fraud attempts since the beginning of the crisis,” he says. “Especially fraud schemes involving social engineering,” he says, referencing the type of hacking whereby hackers manipulate and deceive people to obtain private data that is then used against them and that could lead up to hackers gaining control over their computer system. The hacker will use phishing or even spear phishing technics through all channel available: phone, email, snail mail or direct contact to gain illegal access and commit CEO Fraud, Perret explains that hackers use the fear and curiosity that spiked during lockdowns and COVID to get people to click on malicious links. For example, someone might receive an email inviting them to find out about who has been infected by Covid in their company or local area – or perhaps offering free masks or coronavirus tests. They just have to register to get more information. But by doing this, they are actually giving their information to fraudsters and hackers.
“We witnessed a lot of phishing attempts that played on the Covid crisis,” he says. “They try to trick people into giving out information. And that information was then used to perform scams and fraud attempts.”
Payment fraud
Since November 2020, BNP Paribas has partnered with a French fintech Sis ID, a specialist in combating payment fraud. “Sis ID helps you check if you’re paying the right beneficiary, whether it’s a supplier or an employee, and that you’re paying into the right account and not a fraudulent account.”
The process is supported in three main ways, he continues: a common database, confirmation-of-payee schemes and call-back procedures.
Perret explains the common database is a way to fight collectively against fraud by sharing known accounts. “The process involves sharing historical transactions (anonymised and secured) between every client of Sis ID,” he says. “If not only my company, but also my competitors and other companies, have been paying in the same account for a long time, I can be almost certain that the banking details are correct.”
A confirmation-of-payee (COP) scheme is based on a network of banks who can interrogate each other to verify whether an account is correct.
“COP schemes are not yet present everywhere,” he says. “Which is why this shared or common database is still quite useful. But once they are available, we work with SisID to help them connect to those COP schemes in order for them to get the most up-to-date information directly from the bank.”
The final method SisID employs is the most straightforward: inviting the third parties to directly register their account into SisID’s platform. SisID will then ensure data provided is correct with many different controls, including picking up the telephone, aka the call-back procedure. Instead of clients having to constantly call back their suppliers to double check the information is correct and the invoice legitimate, it can be outsourced to SisID.
“Making sure that you’re paying the right person is key in the fight against fraud,” says Perret.
Insurance
Another start-up BNP Paribas have partnered with is a French InsurTech called Stoïk. Stoïk provide insurance coverage for cybersecurity threats, but it also takes steps to ensure that clients won’t need to make a claim in the first place.
“Stoïk is very tech-oriented,” says Perret. “Two-thirds of the employees of the company are cybersecurity technicians. They do regular checks on their clients’ tools. They help them in case anything happens, and this is, I think, is a great approach.”
At the moment, BNP Paribas is testing this approach at a local level with smaller companies – and Perret sees promise. “We may expand to other geographies and maybe increase the size of the companies that are targeted by the solution,” he says.
In the fight against fraud, Perret believes in a multi-layer approach. He puts it like this: “The more layers you’re wearing, the more protected you are against those risks. The first layer will be making sure that you are working in a safe environment. But the second one is the human factor.”
And it’s the human factor that is critical. “Studies say that 75% of fraud or cyberattacks can be detected by humans,” says Perret. “Humans are efficient at stopping them, so it’s key to train and ensure awareness on those topics. It will help all employees detect the patterns of potential fraud.”
Support
BNP Paribas provides support material to clients to help on this front – including regular webinars on fraud and cybersecurity, news articles, and even dedicated training sessions for major clients’ treasury teams.
“We have a 30-page document on fraud and cyber risk that contains all the fraud cases and cybersecurity threats that we face,” says Perret. “We have some tips on how to detect them, and how to avoid them.”
Perret also reveals that BNP Paribas has developed a new anti-fraud tool that scores every outgoing transaction for potential fraud patterns, alerting the client if it’s too high.
How this works remains top secret – the bank cannot risk fraudsters finding out its precise methodology. But Perret explains that it is based on big data and machine learning.
“BNP Paribas is the number one bank for cash management in Europe,” he says. “We have a lot of data on payments made by our clients. And thanks to this, and thanks to machine learning, we have developed this tool that has proven to be quite efficient in detecting payment outliers.”
Of course, not every outlier is necessarily fraud, and the bank is fine tuning the tool to reduce the number of false positives while ensuring high detection rates.
“It’s great for all the clients that are trusting us with their flows, because eventually every payment made through BNP Paribas will go through this tool, and we will have a chance to stop fraud.”
While Perret is conscious of the possibility criminals will develop new fraud schemes, he is also aware that the environment is changing, and this will impact the cyber fraud space in the coming years.
For example, payments are getting faster. “Clients are asking for transactions to be increasingly quick,” he says. “And a quicker transaction means that if it is fraud, there is a high chance that the money will move faster to another account. It will then rebound to another account and we will lose the money very fast.”
“Our tools will have to adapt to the swiftness that is required by our clients, and to be even more efficient, even faster, to detect that potential fraud – and if possible do so ahead of making the payment, because the payment will be too fast to recall.”
Legislation is also having an impact. In particular, the European Union is encouraging instant payments by ensuring they are trusted by consumers and corporates alike – meaning that account verification checks could well become mandatory.
“We don’t know yet when it will be officially published and what will be the deadline to implement such tools,” says Perret. “But we are very happy that we already have a solution, thanks to our partner Sis ID.”
Perret thinks solutions will evolve quite quickly and there will be new confirmation-of-payee schemes that emerge as a result. “We don’t know yet exactly where or how,” he says. “But we are ready to welcome them because I think they will be one of the key tools to identify and to avoid fraud by impersonation.”
“The risk is that fraud by impersonation will evolve to other types of fraud that we don’t know about yet,” he concludes. “But if banks have Beneficiary Account Validation tools, good data quality and a very strong KYC, and our clients are well informed, I think we should be on our way to reducing fraud.”