Reducing Fraud Risk: Easier than You Think

 

 

by Milton Santiago, Portal and Treasury eCommerce Executive, and Stephanie Wolf, Head of North America Financial Services Companies & Canada, Bank of America Merrill Lynch

Most treasurers are concerned about the impact of fraud and other forms of cybercrime on their businesses. But there is much that companies can do to help protect themselves from the risks – and often the cheapest and simplest strategies are the most effective.

As technology evolves, so too do the capabilities of the cyber criminal. Every year, consumers and businesses are purchasing faster, more user-friendly technology to try to stay up on all the latest advancements. But the old adage ‘buyer beware’ takes on new meaning in this new age of cyber warfare, because not only are systems and devices becoming more sophisticated, but so are cyber criminals who always seem to be one step ahead of the latest technology. Even relative newcomers to fraud can pull off major cyber attacks with the techniques available today.

Not long ago, cheque fraud was the primary threat faced by companies, but as technology continued to advance so did criminals intent on perpetrating fraud. So while cheque fraud is still a concern for companies, it is by no means the most significant threat they face today. For banks and consumers alike, keeping up with new fraud techniques is hard work – especially when the cyber criminals’ toolkit and targets continue to evolve.

Wire payments are an obvious area of concern for corporates since the dollar amounts are higher and loss is immediate, so many corporations are focusing their fraud prevention efforts here. But fraudsters have caught on to the fact that wire fraud is easier to detect than ACH fraud, and they are increasingly turning their attention to ACH payments. Although the value of ACH payments is usually lower, some companies do use the ACH network for large dollar amounts. In any case, it all adds up – and fraudsters are becoming more patient.

Indeed, cyber criminals may go to great lengths to make a fraudulent transaction look genuine – whether that means making a fake login screen look real, or making a fraudulent transaction look like a genuine one by matching the value of typical transactions. As a result, a significant percentage of fraudulent transactions get approved by companies legitimately.

Fraud impacts companies of all sizes, from small and fledgling businesses to the largest multinationals. But while companies rightly expect robust security features from their banks, they do not always realise that the greatest power to safeguard the company from fraud lies with the company itself.

What to do

With so many threats to contend with, protecting the company from fraud might sound daunting. But the most effective fraud prevention measures are often the simplest and, in many cases, they cost nothing to implement. Here are just a few precautions every company should take:

Segregate duties

Segregating duties within an organisation is a well-established fraud prevention technique. For example, it is never prudent to allow the fox to watch the hen house – meaning no single individual should be able to initiate, approve and release payments. Those activities should always be carried out by different people, with separate reporting lines and separate computers. Segregation of duties should also be used to combat external fraud. Many companies do not realise the risk for fraud on the other side of the transaction and leave the complete payment execution process in the hands of a single individual. Aside from the risk that the person in question may act fraudulently, that’s not the only danger. If that individual’s computer is compromised, or their identity stolen, the perpetrator will have access to all the information needed to complete the payment.

All too often, companies do not enforce this type of control until they have already been the victim of fraud – but there’s no time like the present for companies to improve their fraud resilience, and this is a good place to start.[[[PAGE]]]

Host-to-host payments

Host-to-host payments present an additional dilemma. Not all enterprise platforms offer the flexibility to implement the segregation of duties: if a company sends a host-to-host file it also needs to be able to be sure that the file arrives at the bank intact. Limit human access to the file that is being sent to the bank for processing by leveraging your host system to speak to the bank. If a manual import or upload is required, you should adopt a review and release process.

Aside from the processes involved in initiating and authorising payments, companies should also pay particular attention to the fraud implications of some of the newer technologies the company may be using – such as cloud computing and mobile technology.

Cloud

Cloud technology, which is computing resources delivered as a service over a network, is on the rise – but when it comes to fraud, this technology, particularly public clouds, have not been fully vetted from a security standpoint. Different types of models are in place and some of these are more segregated than others. The security implications of the different models can vary significantly.

Companies should, therefore, take the time to ask questions and fully understand any associated risks. In particular, they should ask the following questions:

• What type of cloud does the company subscribe to – private, public or hybrid?
• What types of controls are in place and are they sufficient to protect the company’s data?
• Is there a Statement on Standards for Attestation Engagements No. 16 (SSAE16)?

Mobile

The use of mobile technology to initiate and approve business-to-business transactions is growing and showing no signs of leveling off. In addition, more and more people are casually storing personal data on those devices without taking proper precautions. As with other technology, mobile devices, and smartphones, are a ripe target for fraudsters.

Employees should therefore manage their mobile identities in the same manner they do their personal computing identities. Anyone with a mobile device should apply the same level of vigilance and control by having antivirus software installed on their smartphone or tablet device.[[[PAGE]]]

Employee education

Making sure that the company is using the most secure technology is an important part of fraud prevention – but systems are only as secure as the people who use them. Any fraud prevention programme should therefore also focus on user education.

Employees, especially those that manage sensitive company data, should be educated about best practices around the proper use of banking systems, password management and the use of personal devices. This education should be enforced regularly in order to remind employees of the correct procedures and to avoid complacency.

• Never share a password. Everyone knows this, but the message still needs to be reinforced. Likewise, passwords should not be written down and left where someone else can find them. Other password-related best practices include:

- Do not reuse banking portal passwords for other websites
- Change passwords every six months
- Do not use automatic login features for banking or other sensitive platforms

• Be selective about logging in remotely. Do not access bank platforms using public computers in libraries, internet-type cafes or through public wi-fi networks. Public computers and networks are often targeted by fraudsters.
• Do not leave computers unattended. While logged in to a banking system or other sensitive system, exercise caution at all times.
• Be attentive during online sessions. By remaining observant, users should be able to notice any discrepancies which could indicate a system has been compromised.

- Know when and how banking systems and other sensitive systems should appear during the login process
- Know how and when the systems prompt you to authenticate – and if you see prompts that appear out of sequence, do not enter your data
- Use notification features to alert you of transaction status changes 

Make it personal

User education has become even more important as consumer technology has become a more common feature of the workplace.

The line between business and personal technology has become increasingly blurred in the last few years – and this has created the need for additional levels of security and vigilance. For example, companies need to assess the risks arising if employees access personal emails from a work computer. The growing popularity of the bring your own device (BYOD) model poses additional questions: if people bring their own devices to work and use them for business purposes, what safeguards are in place to protect the company’s systems?

Fraud suffered by the individual can have an impact on the corporation. Employees should be educated about the steps they can take to protect their personal data, such as:

• Keep track of what’s in the cloud. Did you know that if you have books and music in a cloud, such as on a tablet device, your contact database and photos may also be in the cloud? Consequently, information included in the address book may be vulnerable to hacking. People should avoid storing information such as password, reward card numbers and other sensitive data in this way.
• Protect your personal data. Social hacking may sound relatively harmless – but if someone gets into your Facebook account, for example, they will not only be able to see who you like, but also might be able to access a whole range of personal data, such as the name of your dog, your children’s birth dates and the names of the schools you attended. Since many people use personal information for their passwords, this information may enable the hacker to guess your passwords or answer security questions.

Taking control

Companies face numerous threats from cyber criminals, and keeping up is made all the more difficult by the rapid rate at which the threats evolve.

That said, there is a great deal that companies can do to mitigate the risk of fraud, from implementing the proper controls in the payments process to educating employees about the use of business and personal devices.

Fraud is a concern for individuals as well as companies. By encouraging employees to adopt best practice habits, companies can help to create a culture of fraud awareness which will bridge the gap between personal and business activities.

 

CYBER SECURITY WORKSHOP Frankfurt - 18th April 2018 Concerned about cyber threats to your treasury? Join TMI and 8com for an intensive 1-day workshop designed to give treasury professionals the skills to protect their company and their department from the dangers of modern cyber crime and fraud. Leave the session armed with a cybersecurity action plan - able to immediately implement progressive security measures in your business. Learn more here