- Ben Poole
- Editorial Team, Treasury Management International (TMI)
- Matt Luzadder
- Managing Partner, Kelley Drye & Warren LLP
- Ruud Grotens
- Head of Fraud and Financial Crime Solution Consulting, Bottomline
- Thomas Gavaghan
- Vice President, Kyriba
As payment technologies advance, so too do the tactics of fraudsters, forcing corporates to confront an array of increasingly sophisticated threats. With an alarming 80% of US firms reporting fraud attempts, treasurers should review tech-enabled fraud prevention strategies and foster a culture of vigilance across their organisations.
Corporate treasurers face an increasing tide of fraud threats, with scams growing more sophisticated due to evolving technology. Despite efforts to boost protection, the growing success of fraudsters continues to have a serious impact on corporate bottom lines.
Matt Luzadder, Managing Partner, Kelley Drye & Warren LLP, points to the rapid growth of business email compromise (BEC) fraud: “Losses reached nearly $3bn in 2023,”[1] he notes. “That’s a 7% increase from 2022, and a staggering 1,000% rise since the FBI [Federal Bureau of Investigation] began tracking it in 2015.”
The rise of technologies including AI and increased access to personal data through social media have given scammers unprecedented tools with which to carry out social engineering attacks.
Fraudsters often exploit public information. For example, if a company’s CFO is speaking at a conference, publicity will alert fraudsters. They know when the CFO will be unavailable and possibly who is also on their panel, potentially a client or business partner.
“Scammers can use this information to create a sense of urgency among employees back in the office to authorise transactions,” explains Luzadder. “This could be something as basic as purchasing gift cards that the scammer, posing as the CFO, says they want to give to attendees at a dinner they’re hosting that night.”
AI is also taking scams to new levels of sophistication. Thomas Gavaghan, Vice President, Kyriba, recalls how AI was used to impersonate the CFO of a treasury client in 2018: “In a meeting with their CFO, they saw a call come in and declined it. When they listened to the voicemail, it was the voice of the CFO asking them to wire money. If the CFO hadn’t been sitting across the table from them, they said they absolutely would have wired the money.”
The threat from AI has become more tangible, as a case in Hong Kong earlier this year highlights. Scammers used deepfake technology to impersonate a company’s CFO during an online meeting, which led an employee to transfer the equivalent of $25m without realising it was a scam.[2]
Ruud Grotens, Head of Fraud and Financial Crime Solution Consulting, Bottomline Technologies, explains: “These AI-driven scams build on older techniques like BEC and authorised push payment [APP] fraud but have become far more convincing, making it harder to spot.”
Fraud and threats – as a service
Fraudsters are becoming increasingly professional. They have marketing, finance, and technology departments all working together to crack open bank accounts. This has also led to fraud-as-a-service emerging as a trend.
“They offer ransomware and malware kits with user-friendly interfaces and even customer support,” Grotens reveals. Another worrisome development is insider-threat-as-a-service, where employees leak sensitive information to outside fraudsters. “It’s becoming more common, and it’s particularly hard to detect and prove,” he adds.
Equip the team, thwart the criminals
As payment technologies evolve, corporate treasurers face increasing vulnerabilities. Real-time payments, while offering plenty of advantages, can also pose significant risks.
Gavaghan elaborates: “With real-time payments, once a payment goes out, the money is technically gone – and if you want it back, it’s a stringent process you’ll need to work on with your bank. There’s no time to catch an issue and stop the transaction. If the money has been sent to a fraudster, it’s virtually impossible to get it back.”
This speed of transaction gives fraudsters an advantage. Gavaghan recalls a case where the head of HR at a company received fraudulent instructions to change an “employee’s” bank details. “HR didn’t have the processes or awareness in place to catch it,” he explains. “Treasury wasn’t involved, so the fraud went undetected. This underscores why it’s critical to work with the right partner to implement fraud detection tools in every aspect of your business.”
The UK’s Payment Systems Regulator reported that 98% of APP fraud in 2023 was tied to Faster Payments,[3] illustrating the severity of the issue. Measures such as Confirmation of Payee (CoP), which verifies the recipient’s account name before executing a transaction, are a step in the right direction but they have their limitations.
Grotens points out: “CoP protection currently applies only to local payments. Fraudsters know this and often move funds across borders where these safeguards don’t exist.” This underscores the need for international collaboration to extend protections across borders and prevent fraud in cross-border transactions.
Insider threats also remain a challenge. According to the Association of Certified Fraud Examiners (ACFE),[4] banking, financial services, and manufacturing are the industries most affected by insider fraud.
“The conditions faced by manufacturers create opportunities for insider fraud in areas such as invoicing and inventory theft,” asserts Grotens. “More advanced technology is needed not just to detect and prevent fraud but also to gather evidence regarding insider fraud. Often there’s a suspicion but no evidence, and then no action is taken.”
The human element is critical here. Treasurers need to ensure everyone on their team – and across the company – is equipped to spot fraud. Clear communication and sharing of experience are essential, as this issue impacts every company. For example, in 2023, 80% of US companies were hit with fraud.[5]
Gavaghan posits: “When 80% of firms have been hit with fraud, it’s not a reflection on your business. What matters is how you respond and prevent it from happening again.”
Two halves of the same coin: internal versus external issues
While internal and external threats may seem distinct, they are becoming increasingly intertwined, demanding a more holistic approach to prevention.
Luzadder emphasises that internal controls are critical in preventing criminality from within. “It is vital to ensure access to sensitive information is strictly limited.”
Dual controls, where no single individual can execute transactions or access information unchecked, are a must. “For example, rotating roles in processing vendor invoices brings fresh eyes to the process,” Luzadder advises. It’s often during these role changes that irregularities or suspicious payments are spotted.
This approach extends to managing employee access when staff switch roles or leave. Cutting off or adjusting access for new responsibilities helps prevent employees from “poking around” in systems they no longer need.
Grotens agrees that internal and external fraud are distinct but closely connected, pointing to insider threats as a key link between the two. “Insider threats aren’t just about financial theft,” he stresses. “They can involve leaking sensitive company or customer data to external fraudsters.”
Companies can treat internal and external fraud as separate issues, which leads to problems. “There’s no exchange of information between these silos,” Grotens notes. With an integrated approach, companies can detect patterns that indicate collaboration between insiders and external actors. “Corporates need to view these threats as interconnected to strengthen their overall fraud prevention strategies,” he advises.
Due diligence during hiring and onboarding is a key first step in preventing internal fraud. Companies have authority over who they let through the door, and which technologies they use to enforce access controls and validate employee actions.
Gavaghan elaborates: “Single sign-on and tight controls can prevent people from accessing areas they shouldn’t.”
But the very technology designed to protect companies can create vulnerabilities. As firms acquire new solutions or merge with other entities, a patchwork of systems can surface, especially at the subsidiary or business unit level, creating weak points that internal bad actors may exploit.
“Centralising and standardising technology is incredibly important,” Gavaghan emphasises. This is just as vital whether using internal systems or external portals such as those provided by banks.
Safeguarding tech
Corporate treasurers must stay proactive in protecting their systems. AI is one emerging tool in the battle, although it is a double-edged sword.
“AI is heightening fraud threats, but it can also be part of the solution,” says Gavaghan. AI can be deployed to monitor treasury payment activities, identifying trends and flagging anomalies. “AI can spot what’s abnormal based on its own learning,” he adds, underscoring that this technology, while still evolving, will become a norm in detection.
Grotens echoes the need for embracing technology while staying vigilant with basic security practices. “One simple but critical step is keeping software updated – whether it’s an operating system or treasury application.”
Regular updates patch security gaps that hackers could exploit, particularly within systems handling financial transactions or sensitive data. Implementing multi-factor authentication (MFA) ensures that employees use more than just a password to log in, adding another layer of security.
As noted, employees should have access only to the systems and data necessary for their roles. Separation of duties, where no single person has control over an entire process, is another safeguard treasurers should implement in partnership with other business areas.
“Treasurers must work closely with security teams,” Grotens advises. “For example, if a treasurer notices suspicious payment activity, it could be linked to broader security issues such as cyberattacks or failed log-in attempts. By teaming up with security experts, treasurers can better identify and mitigate potential fraud.”
Conducting regular audits, both internal and external, can help to assess how well the software and controls are functioning. Testing those controls is crucial, such as by running “tabletop exercises” to simulate scenarios that help employees think through their response to potential fraud or security breaches.
Luzadder notes: “These exercises don’t have to be all-day events. Sometimes, a lunch-and-learn session can make a big difference by walking staff through recent cyber-security incidents in the news and reviewing how the company would respond.”
Ultimately, preventing fraud in treasury operations is an ongoing process. “It’s a wash, rinse, and repeat exercise,” Luzadder says. “Technology evolves, and so do scams. Treasurers need to keep up with both.”
Encourage vigilance and responsibility
As fraud threats advance, treasurers must stay ahead by focusing on three key pillars: people, process, and technology. Each plays a critical role in strengthening a company’s defences against both internal and external fraud.
Gavaghan emphasises the importance of managing these elements in tandem. “With people, it’s about awareness,” he says. “Investing in training is essential to maintaining the company’s fraud protections and reinforcing muscle memory.” Fraud prevention starts with employees, who are often the most vulnerable target.
A strong, fraud-aware culture is vital in arming employees adequately. Empowering employees, particularly those in treasury and finance, to speak up can make a tangible difference.
Luzadder enthuses: “Fostering a culture where employees feel comfortable raising concerns is crucial.” Fraud is everyone’s responsibility, and employees should feel supported when they question suspicious activity – even if it’s a request from the CFO on a Friday afternoon. Encouraging this vigilance can prevent fraudsters from succeeding.
On the tech side, treasurers need to assess their current systems and stay aware of evolving tools. “Modern solutions have fraud prevention functionalities that are easy to access,” Gavaghan notes. Ensuring vendors have the right certifications and encryption standards is also vital. “It might be a really slick user experience, but if the underlying technology is poor, it leaves you vulnerable,” he adds.
Technology may also impact fraud-prevention strategies, particularly in relation to legacy banking and payments relationships.
Luzadder encourages: “Treasurers should review items like their ACH origination agreements and banking controls. These could have been set up years ago and may no longer be sufficient in an era where fraudsters use tactics like SIM-card jacking.”
Successful fraud prevention requires collaboration and vigilance across the organisation. Often, fraud is just the beginning, leading to much larger issues such as money laundering or terrorist financing. This emphasises how vital it is that treasurers have the right fraud responses in place.
Grotens concludes: “Without reporting, broader criminal activities may go unchecked. Communicating fraud to law enforcement isn’t just a legal requirement – it’s the right thing to do.”