Fraudster, Fool or Financier? Who’s Controlling Your Cash?

Published: November 24, 2015

by Helen Sanders, Editor

There is a saying that “if a man defrauds you once, he is a rascal; if he does it twice, you are a fool.” As the media headlines and crime statistics reveal, fraudsters seeking to steal our own – or our customers’ – cash or data are making fools of organisations around the world every day. Treasurers can only control some elements of the growing and changing threat posed by external fraud, particularly cyberfraud, but treasury has an important influencing role, and some aspects remain squarely within treasurers’ area of responsibility. So how can we as treasurers prevent fraud and mitigate the impact?

What’s on your Monday morning list?

Looking back over 2015 so far, there are three, or perhaps four, words that have dominated the treasury media: ‘fintech’, ‘disruptive’, ‘cyberfraud’ and also ‘regulation’. There are connections between all of these, a conversation for another time; however, the immediacy of these issues is not equivalent. While fintech and disruptive business models will have an impact on treasurers over time, for now they remain issues to occupy an idle discussion on a Friday afternoon. Similarly, the implementation of financial regulations is subject to a clear timeline, so treasurers can plan ahead. In contrast, fraud, including but by no means limited to cyberfraud, is a Monday morning issue that every treasurer needs to explore, prioritise and address.

While cyberfraud is the ‘buzzword’, it represents only a subset of the fraud risk of which treasurers need to be aware. As Marc Espagnon, Head of Payments and Cash Management, BNP Paribas comments,

“Fraud is undoubtedly becoming more technology-driven, but fraudsters will use all channels: phone; mail; email; malware; hacking; remote administration tools etc.”

Furthermore, internal fraud remains as pertinent an issue as it has ever been, so the issue for treasurers is not simply to be addressing the rather glamorous, Doctor Who-esque sounding cyberfraud, but fraud, whether internal or external.

Who are you looking at?

Treasurers who have managed the same team for a number of years are often particularly complacent about internal fraud; however, according to KPMG’s report 'Who is the typical fraudster' published in 2011, the typical (internal) fraudster is:

  • Male
  • 36 to 45 years old
  • Commits fraud against his own employer
  • Works in the finance function or in a finance-related role
  • Holds a senior management position
  • Employed by the company for more than 10 years
  • Works in collusion with another perpetrator

Looking round the treasury department, and the wider finance function, there are likely to be a number of people that fit the profile of a potential fraudster. Obviously, the answer is to recruit more women, and over 45s, but that is a statement that could probably be considered facetious. A more serious point is that fraudsters seeking to defraud their companies are likely to collude with someone else.

The risk of internal fraud is not new, and the risk that an employee or external party could misdirect the company’s funds has been a longstanding priority for treasurers. Controls such as segregation of duties and ‘four eyes’ controls on payment instructions and counterparty bank instructions are as valid today as at any time in the past, in tackling both internal and external fraud. However, for smaller companies in particular with lean treasury and finance functions, it can be difficult to enforce multiple levels of approval. Using specialist treasury and payments technology to enforce approvals is essential, not only for control reasons, but to accelerate and streamline workflows and connect a larger number of approvers into the process, such as by alerting them via email or SMS message, presenting transactions for approval on mobile devices and allowing remote approvals and so on.

In addition to preventing fraud via ‘traditional’ methods, treasurers need to be aware of how fraud techniques are evolving, and the additional measures that they need to take to combat these attempts.

What types of fraud attempt are treasurers experiencing?

Marc Espagnon, BNP Paribas explains,

“The most common form of fraud which our corporate customers are experiencing continues to be impersonation fraud, such as fake CFO/CEO, fake supplier and fake technician scams.”

Matthew Dewsbury, Global Head of Fraud Risk, HSBC describes one example of this,

“One of the most common types of fraud we’re seeing at the moment is known as ‘business email compromise’, which is very effective and difficult to detect. For example, a fraudster may hack a legitimate email address or phish for sensitive information in order to send a payment request or change supplier account details via email. This appears to the target to come from a recognised business partner or senior executive, and can be very convincing because genuine internal information is often used in the email, which adds credibility.”

Most treasury departments have already been subject to impersonation fraud of some sort at least once, and some treasurers say that they receive multiple attempts every day: the problem is that it only takes one to cause serious financial and reputational damage. So what form does impersonation fraud take?

Fake CEO/ CFO

Typically, a member of staff will receive a call or email purportedly from the CEO or another executive asking for an urgent payment to be made, such as for an acquisition. This may be followed by multiple calls or emails, in which the fraudster demonstrates significant knowledge about the company, the person they are impersonating, or indeed the person they are calling, particularly given ready access to such information via social media. These calls can appear to be from the correct number or email address, and the fraudster may become aggressive or ‘pull rank’ if they are refused. Additional calls may also be made from a second ‘executive’ by way of validation of the request.

While some of these attempts may be crude and unconvincing, some are not, and I know treasurers who have been very close to making a payment as a result of this type of scam, and at least two senior treasury professionals of major corporations who have done so.

Fake supplier

A letter (or other communication) arrives that appears to be from a supplier, landlord etc. with a change of bank account information. These can often be very convincing, and take a long time to detect, as Matthew Dewsbury, HSBC emphasises,

“This type of fraud can be very difficult for banks to detect, particularly when the company has a large number of suppliers or other payees across multiple countries. Payments go through the proper channels and bank security, as users believe they are initiating or approving a correct transaction. Similarly, it can also take companies days or even weeks to identify the fraud, which makes it far more difficult to recover the funds than if it is discovered immediately.”

Fake technician

Many people are familiar with these scams, in which an email or phone call is received offering an ‘update’ or ‘maintenance’ to an application. Once the attachment is opened or the details requested are given, the application can be hacked or malware introduced.

Are treasurers taking the risk seriously?

Recent high profile cyber attacks have raised public and corporate awareness of data - and cash - protection. In the UK, while a recent hack of telecoms provider Talk Talk’s website that potentially affected four million customers was found to be less serious than first thought, the reputational damage is enormous, particularly as it was not the first significant security breach at the company this year. In addition, the company faces legal claims from customers, an enquiry by the Information Commissioner’s Office on breach of data protection and financial costs estimated at £75m, as reported in the Sunday Times. This type of cyberattack would appear to be more of an IT than a treasury issue, and the severity of the issue is more pronounced given the risk to a large number of customers rather than simply the target company itself. However, treasury is particularly vulnerable to attacks given the value of cash that it controls, and its payment initiation and authorisation responsibilities. As Marc Espagnon, BNP Paribas suggests,

“While treasurers are taking the risk of fraud and cyberfraud seriously, our impression is that the level of attention is far greater if they have already experienced a major fraud event or attempt.”

What should treasurers be doing?

While network, hardware and software tools implemented by IT departments play a critical role in combatting fraud, implementing rigorous treasury processes is equally important. Segregation of duties, multi-level approvals, controls on data input and amendment and full auditability of every system action are as important for tackling external fraud attempts as they are for internal fraud prevention. Marc Espagnon, BNP Paribas urges,

“Treasurers and finance managers need to review their processes in detail to ensure that potential security loopholes are addressed. This includes segregation of duties on every financial transaction, without any exceptions, and authentication of counterparty account details, particularly changes to these details.”

Matthew Dewsbury, HSBC agrees,

“Treasurers’ own procedures around dual control on making payments, confirming any email requests to send payments to new accounts as well as keeping your software and IT security up to date are critically important.”

At the most basic level, treasurers need to put in place:

Fraud training

Regular training for every treasury and accounts payable staff member on fraud, whether internally or externally initiated. This includes new team members, temporary or seconded staff. Marc Espagnon notes,

“Staff training needs to extend far beyond treasury, and anyone handling calls, involved in purchasing or indeed using company systems or devices needs to know how to recognise and respond to potential fraud attempts. This is not a one-off process, but new staff or temporary staff members need to be trained, and training for existing staff refreshed regularly.”

Payment controls

Clear processes, without exceptions, on payment initiation and approval, including at least one and potentially multiple approvals. Additional approvals may be required if, for example, a payment is above a certain threshold, or payable to a new counterparty.

Management validation

Senior management confirmation that they will never request a payment outside the normal processes.

Data management controls

Clearly documented processes, again without exceptions, on handling changes to settlement instructions by suppliers, landlords and other counterparties. This should include contacting the normal contact, using normal contact details, to verify details. Some companies are asking for a bank certificate of settlement instruction changes, but this can become complicated and labour-intensive.
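As an added illustration of the payment and data-management controls listed above (example code written for this page, not from the article, BNP Paribas or HSBC): a small pre-release policy check that enforces segregation of duties, extra approvals above a value threshold or for a new counterparty, a hold on settlement-instruction changes that have not been verified through the normal contact, and a beneficiary-country allowlist of the kind Marc Espagnon describes later in the article. All thresholds, names, account strings and countries are constructed sample values.

```python
"""Payment-release policy check modelling the article's basic controls.
Example code added here, not the article's or any bank's own system.
Thresholds, names and the country allowlist are constructed sample values."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Tuple

HIGH_VALUE_THRESHOLD = Decimal("100000")  # constructed: one extra approver above this
ALLOWED_COUNTRIES = {"GB", "FR", "DE"}     # constructed: countries suppliers are known to be in


@dataclass
class Counterparty:
    name: str
    account: str
    country: str
    known: bool = True              # False if this payee has never been paid before
    details_changed: bool = False   # settlement instructions recently amended
    change_verified: bool = False   # amendment confirmed via the usual contact details


@dataclass
class Payment:
    payment_id: str
    amount: Decimal
    initiator: str
    counterparty: Counterparty
    approvers: List[str] = field(default_factory=list)


def required_approvals(p: Payment) -> int:
    """Baseline is one approver; add one for high value and one for a new payee."""
    n = 1
    if p.amount > HIGH_VALUE_THRESHOLD:
        n += 1
    if not p.counterparty.known:
        n += 1
    return n


def evaluate(p: Payment) -> Tuple[bool, List[str]]:
    """Return (release_allowed, reasons). Every blocking reason is reported,
    so the reviewer sees all failed controls rather than only the first."""
    reasons: List[str] = []
    # Segregation of duties: the person who keyed the payment may not approve it,
    # and the same approver counts only once ('four eyes' means distinct people).
    if p.initiator in p.approvers:
        reasons.append("initiator cannot approve own payment")
    distinct = [a for a in dict.fromkeys(p.approvers) if a != p.initiator]
    need = required_approvals(p)
    if len(distinct) < need:
        reasons.append(f"needs {need} distinct approvals, has {len(distinct)}")
    cp = p.counterparty
    # Data-management control: a changed bank account is held until someone has
    # called the normal contact on the normal number to confirm it.
    if cp.details_changed and not cp.change_verified:
        reasons.append("bank details changed without out-of-band verification")
    # Country control: mirrors a bank-side block on payments outside agreed countries.
    if cp.country not in ALLOWED_COUNTRIES:
        reasons.append(f"beneficiary country {cp.country} not on allowlist")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: a supplier whose bank details changed by letter yesterday.
    acme = Counterparty("Acme Ltd", "GB00SAMPLE", "GB", details_changed=True)
    pay = Payment("P-0001", Decimal("250000"), "alice", acme, ["bob"])
    print(evaluate(pay))
```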

In addition, while treasurers may not be responsible for maintaining the systems on which sensitive data resides or through which it can be accessed, they are often responsible for defining user profiles and processes, and have a duty to protect data. They therefore need to work closely with IT, internal audit and other departments to ensure that the organisation is taking sufficient steps to avoid fraudulent activities through treasury and payment systems. Treasury is often fighting with other business functions for this focus, particularly in organisations in the B2C space that also need to protect large volumes of client data, and/or those whose business information is particularly sensitive and vulnerable to theft or cyberattack. Marc Espagnon, BNP Paribas explains,

“One of the problems of tackling fraud is that it requires an integrated approach across the business, including treasury, IT, purchasing, accounting, HR, for example. Treasury often does not know if IT has performed an IT intrusion test, or specialist treasury technology may not be included in wider systems testing. Fraudsters can – and will – attack all of these departments, so there needs to be a consistent level of focus and a group-wide approach to tackling fraud risks.”

Most companies are now adopting a risk-based cybersecurity framework, and big data analytics, to help identify, prioritise, detect and mitigate security risks, as well as securing data and pinpointing areas for improvement. While treasurers are unlikely to lead these initiatives, it is important that they are familiar with them, and participate actively.

How are banks helping?

Preventing and blocking fraud attempts is a responsibility shared by banks and technology suppliers, and most take this responsibility very seriously. They also often have the greatest expertise in this area given that they themselves are prime targets of cyberattacks, both on their own systems and customer systems. Matthew Dewsbury, HSBC illustrates,

“At HSBC, we provide a great deal of support to customers on tackling fraud, not only around technology, but also business processes. For example, our electronic banking system HSBCnet is very secure, but the right procedures need to be followed to avoid fraudulent transactions reaching the system in the first place. We also offer free security software to clients to avoid malware.”

Marc Espagnon, BNP Paribas describes how the bank is supporting clients proactively in targeting fraud,

“We have a very ambitious client awareness programme at BNP Paribas with briefings, dedicated sessions with larger clients, and a diagnostic tool to identify fraud risks. This is a short Q&A process we go through with a client to identify potential risks and recommendations on how to address these risks. This is provided at no cost to our clients. We also provide free training materials and have a partnership with specialist trainers to provide in-depth training.”

Marc Espagnon also highlights how banks and their clients are collaborating more closely to tackle the growing risk of fraud on the one hand, whilst aiming to maintain payment efficiency and automation on the other. This is resulting in more sophisticated identification of fraudulent payments, as he explains,

“We are vigilant in handling customer transactions, and frequently contact clients to check on unusual transactions. This includes the ability to set up specific controls: for example, a client may inform us that they only work with suppliers in certain countries, and therefore we will automatically block payments to accounts in other countries.”

What should you do if you suspect a fraud?

In the words of one foremost cyber expert recently speaking off the record, “It is not a matter of ‘if’ a fraud attempt will be successful, but ‘when’”. Marc Espagnon, BNP Paribas advises,

“If you know, or suspect that a fraud attempt has been successful, you should call your bank immediately. The bank will issue a fund recall request to the beneficiary bank to block the funds. This is usually most successful when the bank is alerted within 24 hours of the payment being made, but it may be possible to block funds after this time, so it is essential to call as soon as the fraud is identified.”

He continues,

“In addition to calling your bank, you should report the fraud to the police, which will allow the company to ask for a fund recall, as the original bank action will block rather than recall the funds to the payee’s account. This would normally be in the payee’s country, but the police may also ask for it to be reported in the destination country too.”

Matthew Dewsbury, HSBC also stresses,

“If you detect a fraud, not only do you need to contact your bank and the police immediately, but it is also important to make sure the risk is closed down quickly to avoid more payments being made. Involve the IT security team as soon as you suspect malware, phishing or other unusual activity.”

There may also be specific organisations within the relevant country that need to be alerted, particularly if there is a risk to customer data, such as the Information Commissioner’s Office in the UK.

What new forms of fraud are emerging?

What is clear is that fraud prevention and response is not a one-time activity but a constant and iterative process to analyse, anticipate and prepare for emerging risks. The Talk Talk example given above is one of a number of high-profile incidents where customer data has been stolen, as Marc Espagnon, BNP Paribas notes,

“A particular issue that concerns us is fraudsters hacking data or using malware to steal sensitive customer information from large corporations. These customers – often in huge numbers - are then vulnerable to attack with fraudsters often taking on the identity of the company that was subject to the original hack.”

There are other more subtle but nonetheless damaging techniques evolving, according to Matthew Dewsbury, HSBC,

“Phishing via SMS to harvest information is also becoming more common in retail banking, such as querying a transaction, and asking the SMS recipient to call the bank on a number purporting to be that of the bank. Harvesting of information which can facilitate a fraud will then take place. This method is starting to emerge in the corporate environment too. Banks will never ask for security information or codes over the phone, by email or by SMS.”

Mobile payment fraud is also growing, and is clearly an area in which treasurers should engage. According to PWC’s recent report, Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security® Survey 2016, 57% of organisations are focused on risks related to malware and malicious apps in relation to mobile payment fraud. Forty-five percent are concentrating on risks related to hardware/device platforms and to verification and provisioning processes respectively. A similar number is looking at the protection of customer personal data (43%) and at end-user risks and vulnerabilities (42%). While many are taking a structured and specific approach to identifying and addressing risks associated with mobile payment fraud, these findings emphasise that a large number of organisations still need to focus on mobile payment fraud, both in general and in specific areas of risk.

Are you realistic and systematic in your approach?

As fraudsters are becoming increasingly sophisticated, and indeed are sharing ‘best practices’ amongst themselves, target organisations also need to ramp up their efforts, both individually and collectively. Marc Espagnon, BNP Paribas warns,

“The first barrier to fighting fraud is the company itself and its employees. Banks can help, but internal training and procedures are essential. Some companies are targeted two or three times a day: one day, fraudsters will encounter someone who is not familiar with the process, perhaps a new employee, and they will succeed.”

He continues by emphasising the strength of a collective approach,

“Banks, corporations and regulators need humility in tackling fraud. No-one has all the answers, and we can work co-operatively to do things better. Sharing data can be difficult for data protection reasons, and regulations have not yet caught up to enable institutions to take legitimate steps to combat fraud.”

PWC’s 2016 cybersecurity report mentioned above also encourages co-operation, particularly for sharing and developing best practices, and improving threat intelligence and awareness. Some of these efforts are starting to bear fruit, at least at a country level if not yet more widely as Marc Espagnon, BNP Paribas describes,

“For example, clients frequently ask for a banking service to validate the counterparty name against the account number. In France, BNP Paribas will offer this service in Q1, 2016, and plans to extend it to other countries in the future. However, there are no immediate plans across the banking community as a whole to introduce this on a SEPA-wide basis.”

Cyberfraud (which we must take to imply all forms of external fraud risk) has been described as the risk of a generation, and this does not seem to be either an unreasonable or disproportionate description. Like every other risk, treasurers, along with other departments, need to assess the likelihood, impact and potential mitigation. Again like other risks, there is insurance available to lessen the impact, and many larger organisations are now insuring these risks.

However, given the speed with which fraud incidence is increasing and techniques are evolving, it is difficult to quantify how far these risks could extend, and insurance costs can be prohibitive. Furthermore, while insurance is available to protect against the reputational damage that successful fraud attempts can inflict, this is difficult to quantify given that the impact of evolving risks is not measurable. Insurance companies are also likely to push back on claims unless the company has done everything in its power to prevent and mitigate fraud risk. Insurance is therefore by no means a reliable or comprehensive mitigation tool.

Treasurers are experts at managing risk, whether financial or operational, and this expertise, combined with the nature of their responsibilities, positions them as key players in tackling emerging fraud risks. The nature of these risks is changing more quickly, and they have a greater number of touch points, than many of the risks that treasury is accustomed to managing. Treasurers therefore need to be vigilant, systematic and collaborative in their approach, both internally and externally, to understand, address and overcome the fraud risks to which they are, and will continue to be, exposed.

Article Last Updated: May 07, 2024