Unlike mass phishing scams, which target individuals indiscriminately, BEC scams are highly sophisticated ‘spear phishing’ attacks that target specific individuals who are known to hold the purse strings at large corporations. The fraudsters will lie in wait, choosing the right moment when they know their victim will be fooled into thinking their superior is asking them to make an unusual transfer. The criminals may only proceed when they know the chief executive officer (CEO) is on holiday, with intermittent access to email and no phone reception, for example. So, when the treasurer receives an email from them – the address seems genuine – they think it is natural for the CEO to communicate in this way, it is understandable that the transfer is urgent, and they don’t double-check because they know the CEO is otherwise uncontactable. They go ahead and make the transfer, not realising they are sending money right into the criminals’ hands.
Unfortunately, BEC attacks like this are becoming more commonplace, and Paquette says the figures are getting more alarming. As a former treasury practitioner himself, Paquette comments that he would hear about BEC attacks on a weekly, even daily basis. Now what is different, he says, is the frequency of the losses. “We conducted a partner survey and we found that the actual losses from BEC attacks have doubled over a two-year period. So even though there is greater awareness of these attacks, the success rates are still double. That’s a really scary thing for treasurers,” says Paquette.
What is also frightening is the use of cutting-edge techniques, such as deepfake technology. With deepfakes, it is possible to take an audio recording and make it seem like someone you know is saying something they haven’t actually said. Deepfakes have gained prominence for their use in political disinformation campaigns, and one video made by BuzzFeed in 2018 shows how realistic they can be. The video records actor Jordan Peele speaking, mimicking Barack Obama’s voice. His mouth is then merged with a real video of Obama talking. Through the use of artificial intelligence and video editing software, the end result is a video of Obama speaking words he has never spoken. Although this technology is not being used widely in fraud attacks against corporates at the moment, it gives an indication of the kind of threats that are coming.
At a basic level, audio clips of a CEO could be spliced together and left as a voicemail instructing a treasurer to make a large transfer. But as the technology becomes more sophisticated – with natural language processing, artificial intelligence (AI) and machine learning – a bot will be able to learn how to have a natural conversation in the style of the person it is mimicking. This kind of fraud is beginning to hit the headlines. In 2019, there was a case where a CEO’s voice was mimicked and a ‘fake Johannes’ instructed a subordinate to transfer US$240,000 urgently – which they did. It was so realistic the managing director really believed it was their CEO making the request. This voice cloning attack was reportedly the first of its kind, or at least the first attack that has been reported by the media. “This brings the threats to a whole new level,” says Paquette of deepfake fraud.
These new threats also come at a time when cybercrime more generally has been on the rise. Fraudsters have pounced on the change in work patterns – of working from home and more online interactions – due to the COVID-19 pandemic and ensuing lockdowns. In 2020, the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) received a record number of complaints – an increase of 69% to 791,790 – from the US public. The reported losses from cybercrime were more than US$4.1bn. And of these losses, the BEC attacks were the costliest. IC3 reports that there were 19,369 BEC-related complaints in 2020, which totalled a loss of approximately US$1.8bn. IC3’s Internet Crime Report 2020 also notes that the attacks are becoming more sophisticated and are no longer just targeting the email accounts of CEOs or chief financial officers (CFOs). Now it may be vendor email accounts, or lawyers’ accounts, for example, that are being targeted.
This trend of moving downstream from the CEO, CFO or treasurer is also occurring with fake invoice attacks, notes Paquette. In the past, it may have been just the treasurer who was targeted. Now the attacks are being pushed further down an organisation and it may be the procurement or accounts payable teams that are being targeted with fake invoices, he says.
And it’s not just the corporate that is being targeted – it could be their suppliers as well. “We're seeing instances of supplier accounts being hacked and then the fraudster sending in what looks like a legitimate request to change the instructions,” says Paquette. These attacks can target the users of the enterprise resource planning (ERP) systems – either through hacking or social engineering – and the internal master data such as beneficiary bank account details are changed. Once these details are changed, the fraudsters can then send legitimate-looking invoices with the new bank account details. The first the supplier hears about it is when they call up to ask why their last few invoices haven’t been paid. The corporate thinks they have been paying the supplier; they have been making payments – just into the wrong account. With corporates typically handling thousands of invoices every month, it is impossible to scrutinise the details of every invoice or wire instruction change request. And as their organisations become more complex, larger, and more international, their exposure to this kind of fraud increases exponentially.
So, given these trends of increased BEC losses, greater automation, more scale, and more sharing of information among criminals, what can be done in the face of these growing – and worrying – threats? There are two things, says Paquette. “You can prevent it, or you can detect it,” he explains. In preventing such fraud, an organisation can invest in all the controls and technology to stop it from happening. However, in the face of the increasing threats, and the growing automation – as well as the increased sophistication of the attacks – it is becoming a lot harder for organisations to prevent everything that comes their way. Awareness of the problems and training to spot attacks are not enough. “The attacks target people and manual processes. The fraudsters are always looking, assuming control gaps are there. And they will find them,” says Paquette.
The other approach, explains Paquette, is to detect the fraud and use a safety net for when it does happen. That is where the Payee Community Screening (PCS) tool comes in, which can detect fraud before the payment is actually made. PCS uses a community-based network of trusted beneficiaries, vendors and bank account information so that payment instructions can be referenced against a vast pool of data. This data comes from the payment volumes of existing customers who are using TIS’s global payments solution.
The beauty of big data is that as the membership and the community grow – and more transaction data is acquired – the more accurate and useful it becomes. PCS uses data from verified transactions that are transmitted by clients through the TIS platform to determine the legitimacy of new payments. As a specialised provider in the global payments space, TIS gives its customers access to over 11,000 banks in over 80 countries. This tremendous reach means that it can potentially identify more than 15 million unique beneficiaries.
The PCS solution uses a combination of rule-based and pattern-based technologies to detect anomalies, or flag when payment details could be fraudulent. PCS checks against an organisation’s own payment history to detect if beneficiary details have been tampered with. Also, a supplier’s bank account details can be checked against the transaction data of other organisations that are also paying them. If a corporate is paying a supplier to an account that does not match what the rest of the community is using, it will be flagged.
Paquette explains that the transaction data from this community of organisations – of differing sizes, industries and geographies – can detect many kinds of abnormalities. With these checks against the community data, it becomes easier to detect fraud and fake invoices. Also, “If someone has identified an account that is being used in fraudulent attacks, that information can be shared across the whole community,” says Paquette. By leveraging the community in this way, the criminals can be stopped in their tracks as the other member organisations anticipate and counter these specific attacks.
This community approach is how PCS differentiates itself from other solutions that are available in preventing payment fraud. Rather than solely being focused on technology capabilities and the rules and checks for detecting abnormal transactions, PCS’s strength comes from its focus on building the largest dataset possible. The value in the solution, and effectively fighting fraud, explains Paquette, is in the data. “The community data is a game changer,” he says.
Paquette gives an example of how community data is different from relying on conventional controls. If a spoofed supplier email is sent from the contact at the supplier – say, John Smith – the check may be to verify that John Smith is the trusted contact at that organisation. They may check, and find that John Smith is indeed the trusted contact, and therefore the request is deemed genuine, and so the bank details get changed. This may not be picked up as problematic if the usual check – of verifying the contact name at the supplier – is relied on. Where the community approach is really powerful, explains Paquette, is that it can detect anomalies. For example, there may be other organisations that also use the same supplier, with the same trusted contact. “With community data you can see within the entire community that 15 other organisations – for example – are all paying this vendor and everyone else is paying using the beneficiary details you previously had in your vendor master before the latest change,” explains Paquette. “That is really powerful.”
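As an added illustration of the two checks described above (the organisation’s own payment history, and the community consensus on a vendor’s account), here is a simplified rule-based screen over constructed payment records. This is example code written for this article, not TIS’s PCS code or data; the organisation names, vendor ids, account labels and the min_peers threshold are all made up.

```python
from collections import defaultdict

# Constructed sample of community payment history: (payer_org, vendor_id, beneficiary_account).
# Every value here is a made-up placeholder, not real account or vendor data.
COMMUNITY_PAYMENTS = [
    ("AcmeCorp", "V-100", "ACCT-A"), ("Initech", "V-100", "ACCT-A"),
    ("Umbrella", "V-100", "ACCT-A"), ("Globex", "V-100", "ACCT-A"),
    ("Globex", "V-200", "ACCT-C"),                        # only Globex pays V-200
    ("AcmeCorp", "V-300", "ACCT-D"), ("Initech", "V-300", "ACCT-D"),
    ("Umbrella", "V-300", "ACCT-E"), ("Stark", "V-300", "ACCT-E"),  # V-300 moved banks
]

def build_index(payments):
    """Build vendor -> account -> {payer orgs}, and (org, vendor) -> {accounts the org used}."""
    by_vendor = defaultdict(lambda: defaultdict(set))
    own_history = defaultdict(set)
    for org, vendor, acct in payments:
        by_vendor[vendor][acct].add(org)
        own_history[(org, vendor)].add(acct)
    return by_vendor, own_history

def screen_payment(org, vendor, acct, by_vendor, own_history, min_peers=3):
    """Screen one outgoing payment before release. Returns (verdict, reasons).

    Rule 1 (own history): the account differs from what this org paid the vendor before.
    Rule 2 (community): no other org pays this account, while at least min_peers other
    orgs pay the same vendor through one other account (the community consensus).
    A vendor with no history anywhere is reported as UNVERIFIED, not as fraud.
    """
    reasons = []
    own = own_history.get((org, vendor), set())
    if own and acct not in own:
        reasons.append(f"account differs from {org}'s own history {sorted(own)}")
    # Peer view: other orgs' usage for this vendor, with the payer itself excluded.
    peers = {a: orgs - {org} for a, orgs in by_vendor.get(vendor, {}).items()}
    peers = {a: o for a, o in peers.items() if o}
    if not peers and not own:
        return "UNVERIFIED", ["no community or own history for this vendor"]
    if peers and not peers.get(acct):
        consensus = max(peers, key=lambda a: len(peers[a]))
        n = len(peers[consensus])
        if n >= min_peers:
            reasons.append(f"{n} other organisations pay {vendor} via {consensus}, none via {acct}")
    return ("FLAG", reasons) if reasons else ("OK", reasons)

if __name__ == "__main__":
    idx = build_index(COMMUNITY_PAYMENTS)
    for case in [("Globex", "V-100", "ACCT-B"), ("Stark", "V-100", "ACCT-B"),
                 ("Globex", "V-300", "ACCT-E"), ("Globex", "V-999", "ACCT-Z")]:
        print(case, screen_payment(*case, *idx))
```

The V-300 case shows how the community view also holds down false positives: the vendor genuinely moved to ACCT-E and two peers already pay it, so a first payment there is not flagged, while the V-100 cases are flagged even for an org with no prior history of that vendor.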
PCS’s value is also in its ability to reduce the number of false positives, and it overcomes a typical challenge that many organisations have with managing new solutions. Most organisations, Paquette explains, are concerned with the extra time that is taken up in weeding out the real positives from the false ones. “Having large amounts of data from various sources allows us to get really refined in the screening process, which results in few false positives,” says Paquette. “A common concern we have among the organisations that we talk to is about the false positive rate and how much work it will take to administer this tool on a day-to-day basis,” he says.
Creating a safety net
Even the best, most robust internal controls may not be enough in the face of the increasing threats. And PCS is a solution that helps detect fraud, if – or when – it does occur. Even with the best controls, and training programmes in place, given the automation and scale of the attacks – and the persistence and increasing sophistication of fraudsters – organisations are coming under pressure to put a robust safety net in place.
In the case of attacks that target procurement, for example, there may be one fraudulent transaction that is buried in a batch of 250 transactions, Paquette says. “There’s just no way to detect it without intelligent fraud detection software,” he adds. “PCS acts as a safety net.” For organisations dealing with increasing volumes, it would be risky for them to not have something in place to detect fraud at the last stage of a transaction: “Without it you really don’t have anything to prevent an intrusion by the fraudsters into your procurement, accounts payable, or treasury processes from becoming an actual loss,” says Paquette.
Adapting to change
Also, the community-based approach means that the member organisations are staying on top of the latest trends and can adapt to the new threats that are emerging. Any fraud solution needs to be able to respond quickly and be flexible to the changing nature of the threats. “The threats are always changing, organisations are always changing,” says Paquette. “Organisations make acquisitions, they take on new systems, they change their banking relationships. The control gaps are constantly shifting, and screening needs to stay ahead of that,” adds Paquette.
The PCS solution is always benchmarking against the market, and by analysing the data from the community it can anticipate what kind of attacks could be coming an organisation’s way. “It is never a one and done thing for fraud detection,” explains Paquette. Another way that TIS is able to stay on top of the latest trends is through its partnership with Deutsche Bank. In March 2021, the German bank announced that it had joined forces with TIS to develop and offer multi-bank services. The cooperation started with developing fraud prevention software for corporate customers and the partnership was established so the two parties could also develop and distribute multi-bank services for treasury and finance. Through this relationship TIS is close to the frontline of what financial institutions are facing in the fight against cybercrime, and this insight informs the development of TIS’s products and solutions.
When it comes to developing cyber defences for the future, what will the cybercriminals be doing next? In this arms race between the fraudsters and their potential victims, what threats should corporates be preparing for next? “The truth is we just don’t know. And in some instances, I’m not even sure it would matter if we did,” says Paquette. He gives the example of BEC fraud, which treasurers are well aware of, and even though there are internal processes and training programmes in place to prevent it, the scams are still successful. The key to preventing payment fraud in the future, explains Paquette is to stay flexible and agile. “It’s not necessarily about predicting what is coming next but being prepared for anything,” says Paquette. “It is about having the right formula – we think we have that, and it is based on leveraging a foundation of good data,” he adds.
The criminals are also sharing this data across their networks, in criminal communities. “It only makes sense for the corporates to use data and communities and automate to defend against them,” says Paquette. “It’s a fight fire with fire approach to fraud detection,” he adds.