Collaborative Strategies to Stay Ahead of Cybercriminals
Cybercrime is now an international, professional enterprise teeming with cunning, tech-savvy digital lock pickers – adept at unleashing sophisticated attacks on banks and corporates alike. Nicolas Trimbour, Head of Fraud Prevention and Chief Data Officer for Cash Management, BNP Paribas, and Laurent Sarrat, CEO, Sis ID, highlight the greatest cyber and fraud threats confronting organisations today, together with best practices to avoid being compromised. They also outline how to deal with screening technology that flags too many false positives, which can result in ‘The Boy Who Cried Wolf’ situations.
Cybercrime and fraud are the subjects of perennial concern for banks and corporates. And as the world continues to digitalise rapidly, opening up new avenues of attack for increasingly sophisticated cybercriminals, their worries are only intensifying.
The costs associated with fighting – and recovering from – cybercrime and fraud are rising fast too. In fact, a report published in June 2023 by ACI Worldwide, Prime Time for Real Time, predicted that the global cost of fraud for businesses will reach $40bn by 2027.
Trimbour is not in the least surprised by such findings. “There is no doubt cybercrime and fraud are continuing to grow rapidly. Corporates globally, whether big, medium, or small, are all having to grapple with these evolving challenges, and are collectively facing millions of cybercrime attempts every month.”
Furthermore, digitalisation, specifically developments such as real-time transactions, adoption of cloud services and the rise of remote working, is opening up new weak points for fraudsters to target. Trimbour points to supplier scams and senior executives being compromised as being especially concerning.
Supplier fraud has become especially prevalent and occurs when a cybercriminal swindles a company by posing as a legitimate supplier but changing their bank account details and/or issuing fake invoices in order to collect illegitimate payments. In some instances, perpetrators of supplier fraud will even join forces with each other to steal money from multiple companies.
Senior executives being targeted, meanwhile, include CFOs and CEOs. Broadly speaking, CxO fraud seeks to compromise an organisation’s security by duping members of finance teams into wiring cash to cybercriminals or divulging sensitive information. The technique typically involves using fake emails to trick employees, but increasingly includes telephone calls as well – sometimes using voice spoofing technology – and is regarded as a highly efficient means of attack. Indeed, a 2019 report by the FBI found that between June 2016 and July 2019, CFO/CEO fraud cost US businesses $26bn, with fraudulent transfers sent to at least 140 countries.
Trimbour is in no doubt that the problem is becoming even more serious as time passes. Fraudsters are also increasingly targeting the salaries of highly paid executives, he says. In this type of attack, an employee’s personal and professional mailboxes are hacked, enabling a fake personal account message to be sent to HR confirming a change of bank account into which the victim’s salary should now be paid. “If HR doesn’t carry out the necessary security controls, the fraud will not be noticed until it is too late,” he warns.
The industrialisation of cybercrime
Adding his thoughts on the rapidly shifting cybersecurity landscape, Sarrat says that one of the most worrying developments over the past few years has been the increasing sophistication and organisation of cybercriminals.
He says: “Cybercriminals are becoming more and more professional and technically capable. We spend a lot of time trying to figure out their methods, which of course are evolving all the time. They’ve become experts in capturing the mobile phone numbers of specific company employees and phishing targeted employees to steal their passwords or other sensitive, personally identifiable information. This information can be used to access, for example, email accounts and even bank accounts in some cases.”
Cybercriminals are also becoming much more organised and co-ordinated. Sarrat notes: “They have dedicated teams of technicians with specific responsibilities, for example. One team will be tasked with securing mobile phone numbers, for example. Another might be dedicated to social engineering attacks, which involve communicating with the intended victim – a company employee – by claiming they are from a trusted organisation, for example, a supplier. In some cases, they will even impersonate a person the victim knows.”
More broadly, Sarrat observes that financially motivated cybercrime is now generally dominated by organised crime gangs. “The rapid professionalisation of the cybercrime industry by organised crime is extremely concerning,” he admits. “Especially since that has been accompanied by the growth of marketplaces – in underground environments such as the dark web – full of products and services for easily committing fraud.”
As such, “It is critical for all organisations to appreciate the sophisticated level at which cybercriminals operate now, so that there can be no mistaking the true breadth and depth of the challenge businesses face,” he says.
BOX 1 | Insider Threats Intensify
In tandem with the rise in external threats, another of the fastest-growing concerns for organisations is the increasing prevalence of attacks by malicious insiders. These actors typically comprise an organisation’s current or former employees, contractors or trusted business partners who misuse their authorised access to critical assets.
A 2022 World Economic Forum report on cyber-security found that after ransomware and social engineering attacks, malicious insider attacks now rank third among the greatest concerns for leaders across organisations. Yet many organisations remain reluctant to discuss them.
Sarrat explains: “We know insider attacks occur, but they aren’t something that executives or treasurers want to talk about. It’s obviously a sensitive matter – and worrying when a trusted employee seeks to deliberately undermine the organisation. There is reputational damage to consider, too. But being aware of such threats is vital.” And the growing occurrence of such attacks is all the more reason for businesses to make sure they implement the four-eyes principle rigorously (see box 2 for more information).
Multiple lines of defence
While robust internal controls will always remain the cornerstone of fraud and cybercrime prevention, technology is also evolving to help combat increasingly sophisticated scams, especially automated push payment fraud (APP). A good example, says Trimbour, is payment pre-validation services. These essentially check that the name and bank account details of the beneficiary match – thereby providing a level of comfort that funds are being transferred to the correct, legitimate, counterparty.
A case in point is the confirmation of payee (CoP) service first introduced in the UK and adopted by its six biggest high street banks in 2020. As a name-checking service for UK based payments, CoP aims to provide individuals and businesses greater assurance that they are sending payments to intended recipients. As such, CoP helps customers avoid making accidental, misdirected payments to the wrong account holder, as well as providing another layer of protection in the fight against fraud and scams.
While CoP has been widely welcomed, its impact in a world where cybercrime is a truly international enterprise has so far been limited because the service does not yet have a global footprint. To date, similar schemes to CoP have been rolled out in just a handful of other countries, notably the Netherlands and Italy.
Trimbour explains: “At the moment, because of its very limited footprint, CoP cannot realise its full fraud prevention potential. For a corporate that is perhaps based in the UK but making payments in multiple other countries, it is a challenge to connect and integrate CoP across all territories into a TMS or ERP, and then maintain these connections. It remains to be seen if a more harmonised approach to CoP will be adopted internationally, but BNP Paribas is certainly keen to see this happen.”
Fintech collaboration
To help work towards this goal, the bank has joined forces with Lyon-based Sis ID, which has developed a novel solution for institutions to check bank details of beneficiaries and customers in real-time and throughout the entire payment chain. In other words, a service which acts like a global CoP solution – but without the need to wait for worldwide co-ordination.
Trimbour stresses the importance of being able to check accounts before treasurers make payments in order to avoid supplier fraud. “In countries where such checking schemes have been implemented, the level of fraud has drastically reduced,” he says. “This is why we believe that getting a solution such as Sis ID is now a must-have for corporates that care about fraud prevention.”
Indeed, for very large corporates that have a huge number of suppliers, and communicate with their banks in host-to-host mode, Trimbour suggests entering into a direct commercial relationship with fintech players such as Sis ID, enabling the solution to be integrated with ERPs and TMSs, while also leveraging existing bank connectivity.
For Trimbour, the partnership between banks and fintechs to combat cybercrime also makes perfect sense. He says: “Banks have the trust of the client, and fintechs have the focused expertise and more agility than banks. By combining our strengths, we can deliver more efficient and immediate solutions for our clients.”
Ramping up protection
Of course, BNP Paribas also has a range of its own solutions and value-added services to help safeguard its corporate clients. One of the most important of these is ongoing education.
Trimbour elaborates: “Company employees are essentially the gatekeepers of corporate cash and information. It is therefore vital each employee is made aware of, understands, and adopts the right approach to protecting their organisation. As a bank we can, of course, provide assistance to corporates in building up that awareness. We frequently share training materials, best practices we have identified across our clients, and any other specialist advice needed to establish the foundations of successful protection.”
Banks can also offer clients many defensive solutions that are rigorously tested before being deployed to detect any weak links or irregularities in client activities. And they are constantly keeping an eye on communications for anomalies: “We have very strong certifications so that we are always sure that it is the right client connecting to our systems,” says Trimbour.
“We will also apply AI-based filtering technology, using actively shared intelligence to detect outlier payments. Banks are now enabling clients to detect suspicious activity before making a payment, one of which is Sis ID’s account pre-validation solution.”
Indeed, many are hoping that AI will be the basis for a new generation of cybersecurity solutions. While Trimbour is optimistic about AI’s potential, he is also keen to rein in overblown expectations as to what it might be able to deliver.
“AI can help with early detection of threats and so help prevent attacks but it also relies on analysing and interpreting a vast and varied amount of data. That means the potential for generating false alerts is greater. AI-powered security systems rely on machine learning [ML] algorithms that learn from historical data. However, this can lead to false positives when the system encounters new, unknown threats that do not fit into existing patterns.
“The holy grail with AI in cyber-security is finding an optimal balance between the algorithms and detection setup used so that the system doesn’t generate too many alerts. Like Aesop’s Fable, The Boy Who Cried Wolf, having a glut of false positives will not only annoy clients but can also lead to genuine alerts being overlooked or ignored.
“It’s about finding the right chemistry and that more often than not requires constant innovation, not least to keep up with advances by cybercriminals. Always remember they too are continuously developing new tactics, techniques, and procedures to evade security measures, which adds more complexity to the data that AI needs to analyse. As a result, AI and ML algorithms may be unable to identify all potential security threats.”
Sarrat also stresses the importance of data for AI-driven cyber-security solutions, but cautions: “AI is nothing without data – that is an exceedingly important point to note first. If you want to be powerful with your AI, you need data. What corporate treasurers and organisations generally need to do to fight against fraud with AI is share data for the benefit of all. We can be much stronger working together. The less data you have to work with, the less efficient your AI-driven solution will be – and vice versa.”
BOX 2 | Keeping Safe: Internal Controls
To help avoid falling for a scam, or opening up a chink in the corporate armour, Trimbour suggests that basic measures all employees must follow include not opening links or attachments in suspicious emails. They must also be vigilant against tricks such as email spoofing, where a fake message can look almost exactly like the real thing.
He also strongly recommends organisations adopt the four-eyes principle where appropriate. This requires that certain sensitive decisions or transactions, for instance validating a payment, must be approved by at least two people. “The four-eyes principle can be very effective as protection. In a cyber-security setting, it is a vital control mechanism that facilitates delegation of authority and increases transparency.”
Even simple actions, such as calling back a supplier before changing bank account mandates, are also important contributions to the building of layers of protection. Process automation tools are another vital weapon in the armoury for corporates. And when mitigating cyber risks, it is good practice to have a business continuity plan (BCP) to call upon. Trimbour comments: “If you do succumb to an attack, a BCP will at least ensure strategic payments can continue.”
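The payment pre-validation check described earlier (beneficiary name against account holder) and the four-eyes principle from this box can be combined into a single payment release gate. The Python below is an added example, not code from BNP Paribas, Sis ID or any CoP scheme; the account data, account IDs, the 0.85 close-match threshold and all function names are assumptions made for illustration.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Constructed account-holder data standing in for a pre-validation lookup.
ACCOUNT_HOLDERS = {
    "TEST-ACCT-001": "Acme Industrial Supplies Ltd",
    "TEST-ACCT-002": "J Smith Trading",
    "TEST-ACCT-003": "Fournitures Rhône SARL",
}
LEGAL_SUFFIXES = {"ltd", "limited", "plc", "sarl", "sa", "gmbh", "inc", "llc"}

def normalise(name):
    # Lower-case, strip accents and punctuation, drop legal-form suffixes.
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    return " ".join(t for t in re.findall(r"[a-z0-9]+", text)
                    if t not in LEGAL_SUFFIXES)

def name_check(account, claimed_name, close=0.85):
    holder = ACCOUNT_HOLDERS.get(account)
    if holder is None:
        return "unknown_account"
    a, b = normalise(holder), normalise(claimed_name)
    if a == b:
        return "match"
    close_enough = SequenceMatcher(None, a, b).ratio() >= close
    return "close_match" if close_enough else "no_match"

@dataclass
class Payment:
    beneficiary: str
    account: str
    created_by: str
    approvals: set = field(default_factory=set)

def approve(payment, user):
    # Four-eyes: in this example the creator never counts as an approver.
    if user == payment.created_by:
        raise PermissionError("creator cannot approve their own payment")
    payment.approvals.add(user)

def release_decision(payment):
    # Anything short of an exact name match is held for manual review,
    # e.g. a callback to the supplier on a number already on file.
    check = name_check(payment.account, payment.beneficiary)
    if check != "match":
        return "hold:" + check
    return "release" if len(payment.approvals) >= 2 else "hold:needs_second_approver"
```

A supplier invoice whose name is correct but whose account number has been swapped is held as `no_match` regardless of how many people approve it, which is the supplier-fraud case the article describes.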
The risks of waiting for perfection
As the example of AI-based solutions suggests, the battle against increasingly sophisticated, cunning cybercriminals demands constant innovation from banks and fintechs. It also requires forward-thinking from corporates in terms of embracing these novel solutions. While it is understandable that treasurers and the C-suite may be reluctant to adopt innovations that cannot yet boast a track record as such, Trimbour says “always waiting for perfection” is not advisable.
He continues: “Organisations might think it best to hang on until the solution meets all their requirements in terms of, for example, functionality or coverage, but they could be waiting for a very long time if they want all the boxes ticked. This is a fast-evolving battle against cybercriminals and that means businesses need to compromise and adopt innovative approaches and solutions as soon as they become available.
“Certainly, we recommend our clients equip themselves immediately with existing solutions like Sis ID and become partners with us in developing and refining the solution. Our advice to treasurers is not to wait for the silver bullet solution. The true magic is in taking action today.”
That said, he also cautions that technology alone cannot solve all cybersecurity and fraud concerns. “It is just as important to invest in procedures and awareness raising – these are not optional considerations for strong, layered protection. Cybercriminals and fraudsters almost always exploit human weakness to reach their goals, not just technology loopholes. As such, a holistic approach to the prevention of fraud, cyber risks, and data breaches is critical.”