Fighting Cybercrime and Fraud: A Treasury Imperative
By Eleanor Hill, Editor
As instant payments grow, digital commerce spreads, and artificial intelligence rises, staying a step ahead of the cybercriminals is increasingly tough. But with access to highly sensitive data, and as guardians of the company’s cash, treasurers can no longer hide behind the IT department when it comes to cybersecurity and fraud, writes Eleanor Hill, Editor.
Levels of corporate fraud are at an all-time high, largely because of the growing sophistication of cybercriminals. As such, fraud and cybercrime are no longer one-off instances of bad behaviour. They are front and centre risks for every business, 24/7/365.
In fact, according to the 2017/18 Kroll Annual Global Fraud & Risk Report, 84% of companies surveyed worldwide experienced a fraud incident in 2017, 86% reported at least one cyber incident, and 70% reported security incidents. The impacts of such attacks are well documented – from financial losses and reputational damage through to loss of competitive edge and low staff morale.
If all this wasn’t worrying enough, corporate treasury departments are now prime targets for cybercriminals and fraudsters. “Treasury’s trove of personal and corporate data, its authority to make payments and move large amounts of cash quickly, and its often-complicated structure make it an appealing choice for discerning fraudsters,” says a 2017 report by the Economist Intelligence Unit, sponsored by Deutsche Bank, called Third-Party Risks: The cyber dimension.
“These sophisticated cyber-criminals use social engineering and inside information gleaned from lengthy reconnaissance within a given company’s systems to execute high-value thefts. They understand that the ability to access payment infrastructures and bank communication channels is extraordinarily powerful. They know that treasurers rarely control the IT security infrastructure they use. And given the nature of some successful attacks, hackers also seem to understand that most treasuries contain junior staff who can be pressured into infringing rules,” the report notes.
This is precisely why treasury professionals can no longer afford to pass the buck when it comes to cyber and fraud defences (it is worth noting here that the two go hand-in-hand even if fraud is not always committed through cyber channels). As Jean-Marc Servat, Chair of the European Association of Corporate Treasurers (EACT), notes: “Treasurers are not only accountable for the largest payments in the group, they are also perceived as trusted risk-managers, so they absolutely have to be on top of cybercrime and fraud.”
Servat concedes, however, that attack vectors and targets are constantly changing, which makes it tougher for the treasurer to stay one step ahead of the criminals. While it is undoubtedly true that the criminals are getting more creative, Nadya S Hijazi, Global Head of GLCM Digital, HSBC, says that there are three main types of cyberattack that corporate treasurers should be on the lookout for.
Top tip: Keep ransomware at bay
“Ransomware often targets weaknesses in operating systems, such as Windows, which is why it is vital to install software updates as soon as they are released,” notes Hijazi.
Threats to treasury
The first such threat is business email compromise, in which the cybercriminal typically sends emails purporting to be from someone within the company – often the CEO or CFO – by compromising or spoofing company email accounts. These attacks are extremely common and highly successful, she says.
“There is a tendency to think that business email attacks are still very crude and therefore easy to spot. But that couldn’t be further from the truth. Cybercriminals, especially those targeting corporates, are extremely sophisticated. They will have undertaken thorough reconnaissance on the company, current deals being undertaken, and the people in key positions within the organisation. As such, they will also know who has the authority to sign off on payments,” explains Hijazi.
The second attack vector of particular concern for treasurers is phishing, especially voice phishing or ‘vishing’. This involves using social engineering techniques over the telephone, leveraging information in the public domain to impersonate either an organisation, such as a bank, or an important person within the company. The aim, says Hijazi, is typically to get employees to reveal sensitive information, unknowingly make urgent payments to fraudulent accounts, or change data within the company’s system – such as bank account details for a supplier.
“Again, these attacks are very sophisticated,” she cautions. “The cybercriminals can often replicate the phone numbers of the banks when calling, so that it looks like a genuine call. Because they are so convincing, and hit all of the right trigger points, the success rate of vishing attacks can be as high as 85-95%.”