by Milton Santiago, Portal and Treasury eCommerce Executive, and Stephanie Wolf, Head of North America Financial Services Companies & Canada, Bank of America Merrill Lynch
Most treasurers are concerned about the impact of fraud and other forms of cybercrime on their businesses. But there is much that companies can do to help protect themselves from the risks – and often the cheapest and simplest strategies are the most effective.
As technology evolves, so too do the capabilities of the cyber criminal. Every year, consumers and businesses buy faster, more user-friendly technology to keep up with the latest advances. But the old adage ‘buyer beware’ takes on new meaning in this age of cyber warfare, because not only are systems and devices becoming more sophisticated, so are the cyber criminals, who always seem to be one step ahead of the latest technology. Even relative newcomers to fraud can pull off major cyber attacks with the techniques available today.
Not long ago, cheque fraud was the primary threat faced by companies, but as technology continued to advance so did criminals intent on perpetrating fraud. So while cheque fraud is still a concern for companies, it is by no means the most significant threat they face today. For banks and consumers alike, keeping up with new fraud techniques is hard work – especially when the cyber criminals’ toolkit and targets continue to evolve.
Wire payments are an obvious area of concern for corporates since the dollar amounts are higher and loss is immediate, so many corporations are focusing their fraud prevention efforts here. But fraudsters have caught on to the fact that wire fraud is easier to detect than ACH fraud, and they are increasingly turning their attention to ACH payments. Although the value of ACH payments is usually lower, some companies do use the ACH network for large dollar amounts. In any case, it all adds up – and fraudsters are becoming more patient.
Indeed, cyber criminals may go to great lengths to make a fraudulent transaction look genuine – whether that means making a fake login screen look real, or matching the value of a fraudulent transaction to the company’s typical transactions. As a result, a significant percentage of fraudulent transactions are approved by companies as if they were legitimate.
Fraud impacts companies of all sizes, from small and fledgling businesses to the largest multinationals. But while companies rightly expect robust security features from their banks, they do not always realise that the greatest power to safeguard the company from fraud lies with the company itself.
What to do
With so many threats to contend with, protecting the company from fraud might sound daunting. But the most effective fraud prevention measures are often the simplest and, in many cases, they cost nothing to implement. Here are just a few precautions every company should take:
Segregate duties
Segregating duties within an organisation is a well-established fraud prevention technique. For example, it is never prudent to allow the fox to watch the hen house – meaning no single individual should be able to initiate, approve and release payments. Those activities should always be carried out by different people, with separate reporting lines and separate computers. Segregation of duties should also be used to combat external fraud. Many companies do not realise the risk of fraud on the other side of the transaction and leave the complete payment execution process in the hands of a single individual. The risk that the person in question may act fraudulently is not the only danger: if that individual’s computer is compromised, or their identity stolen, the perpetrator will have access to all the information needed to complete the payment.
All too often, companies do not enforce this type of control until they have already been the victim of fraud – but there’s no time like the present for companies to improve their fraud resilience, and this is a good place to start.
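As an added illustration of the control described above (example code, not part of the original article or any bank's system), the following Python model enforces the three-step initiate, approve, release workflow and rejects a payment whenever the same person, or the same computer, is used for more than one step. The users, roles, workstation identifiers and payment details are constructed for the example; a real implementation would take them from the treasury system's user directory and endpoint identifiers.

```python
"""Added example: a minimal payment workflow enforcing segregation of duties.
Every payment must pass initiate -> approve -> release, and each step must be
performed by a different person, holding the matching role, from a different
workstation. All names and identifiers below are constructed for illustration."""
from dataclasses import dataclass, field

STEPS = ("initiate", "approve", "release")


class SegregationViolation(Exception):
    """Raised when a workflow step would breach the segregation controls."""


@dataclass(frozen=True)
class Actor:
    user_id: str
    roles: frozenset          # which of STEPS this person is entitled to perform
    workstation: str          # identifier of the machine the action is performed from


@dataclass
class Payment:
    payment_id: str
    amount: float
    beneficiary: str
    history: list = field(default_factory=list)  # (step, Actor) pairs already completed

    @property
    def next_step(self):
        return STEPS[len(self.history)] if len(self.history) < len(STEPS) else None

    @property
    def released(self):
        return len(self.history) == len(STEPS)


def perform(payment, step, actor):
    """Apply one workflow step, raising SegregationViolation if any control is breached."""
    if payment.next_step != step:
        raise SegregationViolation(
            f"{payment.payment_id}: expected '{payment.next_step}', got '{step}'")
    if step not in actor.roles:
        raise SegregationViolation(f"{actor.user_id} lacks the '{step}' role")
    for prior_step, prior_actor in payment.history:
        # No single individual may touch a payment twice, whatever roles they hold.
        if prior_actor.user_id == actor.user_id:
            raise SegregationViolation(
                f"{actor.user_id} already performed '{prior_step}' on {payment.payment_id}")
        # No single computer may be used for two steps: a compromised machine
        # must not be able to carry a payment through on its own.
        if prior_actor.workstation == actor.workstation:
            raise SegregationViolation(
                f"workstation {actor.workstation} already used for '{prior_step}'")
    payment.history.append((step, actor))
    return payment


def demo():
    """Constructed scenario: one clean release and two rejected attempts."""
    alice = Actor("alice", frozenset({"initiate"}), "ws-01")
    bob = Actor("bob", frozenset({"approve"}), "ws-02")
    carol = Actor("carol", frozenset({"release"}), "ws-03")
    dave = Actor("dave", frozenset({"initiate", "approve", "release"}), "ws-04")

    clean = Payment("PMT-1", 25000.0, "ACME Supplies Ltd (constructed)")
    for step, actor in zip(STEPS, (alice, bob, carol)):
        perform(clean, step, actor)

    # An over-privileged user trying to push a payment through alone.
    solo = Payment("PMT-2", 25000.0, "ACME Supplies Ltd (constructed)")
    perform(solo, "initiate", dave)
    try:
        perform(solo, "approve", dave)
        solo_blocked = False
    except SegregationViolation:
        solo_blocked = True

    # An approver with the right role, but working from the initiator's computer.
    shared = Payment("PMT-3", 25000.0, "ACME Supplies Ltd (constructed)")
    perform(shared, "initiate", alice)
    bob_on_alices_pc = Actor("bob", frozenset({"approve"}), "ws-01")
    try:
        perform(shared, "approve", bob_on_alices_pc)
        shared_blocked = False
    except SegregationViolation:
        shared_blocked = True

    return {"clean_released": clean.released,
            "solo_blocked": solo_blocked,
            "shared_workstation_blocked": shared_blocked}


if __name__ == "__main__":
    print(demo())
```

The workstation check is what turns the control from an insider-fraud measure into a defence against the compromised-computer case the article describes: even if an attacker captures one employee's credentials and machine, the remaining steps still have to come from somewhere else.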
Host-to-host payments
Host-to-host payments present an additional dilemma. Not all enterprise platforms offer the flexibility to implement segregation of duties, and if a company sends a host-to-host file it also needs to be sure that the file arrives at the bank intact. Limit human access to the file that is being sent to the bank for processing by having your host system speak to the bank directly. If a manual import or upload is required, you should adopt a review and release process.
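To show what "arrives at the bank intact" can mean in practice, here is an added example (not code from the article, the authors or any bank) in which the sending host computes an HMAC-SHA256 tag over the exact bytes of the payment file and the receiving side recomputes it with the same key before parsing anything. The shared key, the file layout and the payment lines are all constructed for the example; real bank channels normally protect the file with transport encryption and digital signatures rather than a bare shared-key HMAC, but the check-before-process pattern is the same.

```python
"""Added example: integrity protection for a host-to-host payment file.
The sender tags the file with HMAC-SHA256; the receiver refuses to process any
file whose tag does not verify. Key, file format and contents are constructed."""
import hashlib
import hmac

# Constructed shared secret. In practice it is provisioned out of band and
# held in a vault or HSM, never in source code.
SHARED_KEY = b"constructed-demo-key-do-not-use"

# Constructed payment file: a batch header followed by one payment per line,
# fields separated by '|'. Account numbers are obvious placeholders.
PAYMENT_FILE = (
    b"BATCH|2024-01-15|3\n"
    b"PAY|0001|12500.00|GBP|ACME Supplies Ltd|GB00DEMO00000000000001\n"
    b"PAY|0002|980.50|GBP|Office Cleaning Co|GB00DEMO00000000000002\n"
    b"PAY|0003|43000.00|GBP|Steel Works plc|GB00DEMO00000000000003\n"
)


def tag_file(contents: bytes, key: bytes = SHARED_KEY) -> str:
    """Sender side: compute the integrity tag over the exact bytes transmitted."""
    return hmac.new(key, contents, hashlib.sha256).hexdigest()


def verify_file(contents: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(tag_file(contents, key), tag)


def receive(contents: bytes, tag: str):
    """Bank-side handling: parse payments only after the integrity check passes.
    Returns the list of payments, or None if the file was rejected."""
    if not verify_file(contents, tag):
        return None
    payments = []
    for line in contents.decode("ascii").splitlines():
        fields = line.split("|")
        if fields[0] == "PAY":
            payments.append({
                "ref": fields[1],
                "amount": fields[2],
                "currency": fields[3],
                "beneficiary": fields[4],
                "account": fields[5],
            })
    return payments


def demo():
    """Constructed scenario: the genuine file is accepted, a tampered copy is not."""
    tag = tag_file(PAYMENT_FILE)
    accepted = receive(PAYMENT_FILE, tag)

    # Constructed tampering: someone with access to the file between the host
    # system and the bank swaps one beneficiary account. The tag no longer matches.
    tampered = PAYMENT_FILE.replace(b"GB00DEMO00000000000003",
                                    b"GB00DEMO00000000000099")
    rejected = receive(tampered, tag)

    return {"accepted_count": len(accepted), "tampered_rejected": rejected is None}


if __name__ == "__main__":
    print(demo())
```

The important design point is the ordering: the receiver never parses or acts on a line before the whole file has verified, so a modified beneficiary account is never even read into the payment system.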
Aside from the processes involved in initiating and authorising payments, companies should also pay particular attention to the fraud implications of some of the newer technologies the company may be using – such as cloud computing and mobile technology.
Cloud
Cloud technology, meaning computing resources delivered as a service over a network, is on the rise – but when it comes to fraud, this technology, and public clouds in particular, has not been fully vetted from a security standpoint. Different types of models are in place and some of these are more segregated than others. The security implications of the different models can vary significantly.
Companies should, therefore, take the time to ask questions and fully understand any associated risks. In particular, they should ask the following questions:
- What type of cloud does the company subscribe to – private, public or hybrid?
- What types of controls are in place and are they sufficient to protect the company’s data?
- Is there a Statement on Standards for Attestation Engagements No. 16 (SSAE16) report?
Mobile
The use of mobile technology to initiate and approve business-to-business transactions is growing and showing no signs of levelling off. In addition, more and more people are casually storing personal data on those devices without taking proper precautions. As with other technology, mobile devices such as smartphones are a ripe target for fraudsters.
Employees should therefore manage their mobile identities in the same manner as their personal computing identities. Anyone with a mobile device should apply the same level of vigilance and control, for example by having antivirus software installed on their smartphone or tablet.
Employee education
Making sure that the company is using the most secure technology is an important part of fraud prevention – but systems are only as secure as the people who use them. Any fraud prevention programme should therefore also focus on user education.
Employees, especially those who manage sensitive company data, should be educated about best practices around the proper use of banking systems, password management and the use of personal devices. This education should be reinforced regularly in order to remind employees of the correct procedures and to avoid complacency.
- Never share a password. Everyone knows this, but the message still needs to be reinforced. Likewise, passwords should not be written down and left where someone else can find them. Other password-related best practices include:
  - Do not reuse banking portal passwords for other websites
  - Change passwords every six months
  - Do not use automatic login features for banking or other sensitive platforms
- Be selective about logging in remotely. Do not access bank platforms using public computers in libraries or internet cafes, or through public wi-fi networks. Public computers and networks are often targeted by fraudsters.
- Do not leave computers unattended. While logged in to a banking system or other sensitive system, exercise caution at all times.
- Be attentive during online sessions. By remaining observant, users should be able to notice any discrepancies which could indicate a system has been compromised:
  - Know when and how banking systems and other sensitive systems should appear during the login process
  - Know how and when the systems prompt you to authenticate – and if you see prompts that appear out of sequence, do not enter your data
  - Use notification features to alert you of transaction status changes
Make it personal
User education has become even more important as consumer technology has become a more common feature of the workplace.
The line between business and personal technology has become increasingly blurred in the last few years – and this has created the need for additional levels of security and vigilance. For example, companies need to assess the risks arising if employees access personal emails from a work computer. The growing popularity of the bring your own device (BYOD) model poses additional questions: if people bring their own devices to work and use them for business purposes, what safeguards are in place to protect the company’s systems?
Fraud suffered by the individual can have an impact on the corporation. Employees should be educated about the steps they can take to protect their personal data, such as:
- Keep track of what’s in the cloud. Did you know that if you store books and music in the cloud from a device such as a tablet, your contact database and photos may also be in the cloud? Consequently, information included in the address book may be vulnerable to hacking. People should avoid storing information such as passwords, reward card numbers and other sensitive data in this way.
- Protect your personal data. Social hacking may sound relatively harmless – but if someone gets into your Facebook account, for example, they will not only be able to see who you like, but might also be able to access a whole range of personal data, such as the name of your dog, your children’s birth dates and the names of the schools you attended. Since many people use personal information in their passwords, this information may enable the hacker to guess your passwords or answer security questions.
Taking control
Companies face numerous threats from cyber criminals, and keeping up is made all the more difficult by the rapid rate at which the threats evolve.
That said, there is a great deal that companies can do to mitigate the risk of fraud, from implementing the proper controls in the payments process to educating employees about the use of business and personal devices.
Fraud is a concern for individuals as well as companies. By encouraging employees to adopt best practice habits, companies can help to create a culture of fraud awareness which will bridge the gap between personal and business activities.