Cybercrime and fraud are on the rise and new attack vectors are emerging with alarming frequency. Nicolas Trimbour, Head of Fraud Prevention and Chief Data Officer for Cash Management, BNP Paribas, and Laurent Sarrat, CEO at payments security fintech Sis ID, explore the latest tools and best practices for treasurers as the fightback against cybercriminals gains ground.
Cyber-attacks are a rising threat to organisations of all sizes, in all industries, and in all geographies. In readiness for the onslaught, every part of every business needs to be tuned to the shifting landscape.
For Trimbour there are four clear trends that must be observed. The first is that the push for digitalisation and the pandemic-driven emergence of homeworking is making unwary companies more vulnerable than ever. Uncoordinated implementation of new systems, and new means of access, can introduce uncharted systemic complexity. This state of confusion poses a wonderful opportunity for cybercriminals. And they are opportunists par excellence.
Indeed, Trimbour’s second trend is the increasing scale of impact of financial cyber-attacks, exemplified during the pandemic as homeworking became the norm for many. During this period, he says, cybercrime has risen by 600%, with costs increasing 15% year-on-year; on that trajectory the annual cost could reach $10tr. by 2025.
A third trend is the ever-evolving nature of attack vectors. Criminals persist with tried-and-tested measures but their repertoire expands continually. Today, says Trimbour, the most prevalent form of attack is ransomware. And finally, with effective cyber-security’s reliance on an ecosystem approach, he states that businesses must now recognise that they are not safe unless and until their suppliers and business partners are also properly protected.
Cyber-attacks and fraud are clearly on the rise, with many companies facing multiple weekly attempts, notes Sarrat. While methods may differ in complexity and between geographies, he notes that the objective is the same, and that criminals are becoming better prepared to execute that objective, some even setting up real companies to mount their attacks.
Unfortunately, notes Trimbour, the pandemic has given fraudsters a new impetus, leveraging lower levels of vigilance among employees and deploying even relatively simple models of fraud and cyber-attack. “But they are also becoming more sophisticated; they really are now organised crime gangs,” he warns.
There is a strong correlation between the rise of cyber-attacks and greater incidences of fraud, notes Trimbour. “Hackers will steal data or they can buy it on the dark web, enabling them to commit ever more realistic fraud. It’s still social engineering, but the social engineering has become so much more realistic, fuelled by cyber-attacks.”
The salary scam is a good example, he says. An employee’s personal and professional mailboxes are hacked enabling a fake personal account message to be sent to HR confirming a change of bank account into which the victim’s salary should now be paid. “If HR doesn’t carry out the necessary security controls, the fraud will not be noticed until it is too late.”
The new models of attack can make some of the older methodologies for picking up fraud redundant, says Sarrat. Where social engineering was previously executed by what he refers to as “audacious salespeople”, now he notes that attacks are performed by “technical hackers”, many using ransomware.
The stolen data – such as emails, voice messages, planning details and customer communications – are often partially published on the web, or dark web, as proof of the theft. This evidence can be used to force the company to pay the data ransom, continues Sarrat.
“Leakages frequently contain information – phone number, emails and so on – not only about the targeted company but also about their suppliers, customers and employees. What we’ve seen during the last year is that two worlds are combining efforts to perpetrate more sophisticated fraud.”
The conventional methodology to counter fraud has mainly relied on human analysis, usually carried out by people not dedicated to this process, explains Sarrat. With fraudsters managing to create increasingly realistic approaches, he says it has become almost impossible to detect. “Hiring extra people makes little, if any, difference. Control now should be automated and industrialised as much as possible.”
Banks play a big part in protecting customers, and BNP Paribas has a range of solutions that is helping to keep its corporate customers safe. “When asked about better protection against fraud, I like to present a seasonal analogy,” says Trimbour. “When winter is coming, you know to wear several layers of protection against the cold and rain. Now you can take the same measures with fraud: the more layers of protection you have, the better you are protected.”
The first line of defence is the corporate employee; it is vital that each is made aware of, understands and adopts the right approach. “To assist, as a bank, we provide training materials and share best practices with our clients,” says Trimbour.
“A basic protection against cyber and fraud risk is to not open links or attachments in suspicious emails, and then to be aware of tricks such as email spoofing, where a message can look almost exactly like the real thing,” he suggests.
A four-eyes process is also useful, where a second person is required to validate a payment. Even simple actions help, like calling back a supplier before changing bank account mandates. Process automation tools are another vital weapon in the armoury for corporates. And when mitigating cyber risks, it’s good practice to have a business continuity plan (BCP) to call upon, says Trimbour. “When an attack happens, it will ensure at least strategic payments can continue.”
On the bank side, where attacks are regular, many defensive solutions to protect clients are offered. Banks also rigorously test those systems to detect any weak links or irregularities. “We have strong certifications, so that we are sure that it is the right client connecting to our systems,” says Trimbour. “We will also apply AI-based filtering technology, using actively shared intelligence to detect outlier payments. And banks are now enabling clients to detect suspicious activity before making a payment, one of which is Sis ID’s account pre-validation solutions.”
Partnering power
Banks are increasingly working with fintechs like Sis ID on fighting cybercrime and fraud, rather than working alone, because both have something to offer, notes Trimbour. “Banks have the trust of the client, and fintechs have focused expertise and more agility than banks. By combining our strengths, we can deliver more efficient and immediate solutions for our clients.” For its own security, BNP Paribas naturally subjects every potential fintech partner to a meticulous validation process, states Trimbour.
In this respect, Sis ID has strong provenance. It was formed in 2016 when 15 treasurers and CFOs were brought together as part of a community initiative tackling wire transfer fraud. “BNP Paribas was the first bank to understand that community spirit was the best solution in the fight against fraud,” recalls Sarrat. “At that point, we were no longer a fintech disrupting banking, but one being accelerated by a bank.”
The importance of making a collective effort to fight fraud is a powerful driver for Sis ID’s continuing relationship with BNP Paribas. Indeed, in tackling an increasingly sophisticated threat, a finance department first needs to strengthen connections and processes with its suppliers. This can be time consuming, especially for companies with many relationships to manage.
Companies may also need to respond to the threat at a global level if their supplier base is geographically fragmented. There can be no selective approach to this, warns Trimbour, but adds “currently many solutions offer protection only at a national response level and do not collaborate with each other on a global level”.
However, he is optimistic that the lack of viable global anti-fraud solutions will be addressed soon, believing that a will to collectively realise international controls will see the emergence of reliable automated solutions capable of limiting financial losses linked to cyber and fraud.
“Keep in mind that outside of the security industry, no company dedicates all of its time to fighting fraud. Even BigTech companies are victims. But for the fraudster, it is their absolute focus. There is no way to fight it alone; we are stronger together. This is why we’re working with Sis ID to build a community of companies to fight against wire transfer fraud.”
Sis ID: strength in numbers
Sis ID provides a platform giving member organisations a real-time view into the security status of all suppliers on its network. It creates a single, global, shared source of information that can be integrated with each member’s business applications such as an ERP or TMS. “We have more than 20,000 member companies on our network, each choosing not to act alone but to share the information necessary for the collaborative fight against fraud,” comments Sarrat.
The entire community, which now includes banks and other financial institutions (FIs), is able to see when a fraud attempt is raised on the network by a member. By integrating that shared information into their own systems, members use a traffic light system to decide whether or not to proceed with payment to a specific supplier, in a specific country, and on a specific account number. It is, in effect, a community-based early-warning system.
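The controls described so far can be combined into a single release gate: the four-eyes rule and the supplier call-back before a bank-mandate change from the “first line of defence” section, the outlier filtering banks apply to payments, and the community traffic-light lookup on a supplier, country and account number described just above. The block below is an added illustrative example, not code from BNP Paribas or Sis ID: the register contents, the supplier payment history, the 30-day cooling-off period for mandate changes and the outlier threshold are all constructed assumptions, and a real integration would pull the status from the ERP or TMS connector rather than from an in-memory dictionary.

```python
"""Layered payment-release gate (illustrative example, not Sis ID or BNP Paribas code).

Decision order: any 'block' reason wins over 'hold', which wins over 'release'.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

# Hypothetical community register: (supplier, country, IBAN) -> traffic-light status.
# Constructed sample data; a real register would be fed by member fraud reports.
COMMUNITY_STATUS = {
    ("Acme SARL", "FR", "FR7630006000011234567890189"): "green",
    ("Acme SARL", "FR", "FR7610096000501234567890123"): "red",  # flagged by another member
}

# Constructed history of amounts previously released to each supplier.
HISTORY = {"Acme SARL": [1200.0, 1350.0, 1180.0, 1290.0, 1310.0, 1250.0]}

# Assumed cooling-off period: a mandate changed within this window needs a verified call-back.
MANDATE_COOLING_OFF = timedelta(days=30)


@dataclass(frozen=True)
class Payment:
    supplier: str
    country: str
    iban: str
    amount: float
    initiator: str
    approvers: tuple  # user ids that approved the payment


@dataclass(frozen=True)
class Mandate:
    iban: str
    changed_on: date
    callback_verified: bool  # confirmed by phoning a contact already on file, not one in the request


def is_outlier(amount, history, threshold=3.5):
    """Modified z-score (median / MAD) against the supplier's own history; robust to a few odd past values."""
    if len(history) < 3:
        return False
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return amount != med
    return 0.6745 * abs(amount - med) / mad > threshold


def release_decision(payment, mandate, today, history=HISTORY, register=COMMUNITY_STATUS):
    """Return (decision, reasons) where decision is 'release', 'hold' or 'block'."""
    blocks, holds = [], []

    # Four-eyes: two distinct approvers, neither of whom initiated the payment.
    distinct = set(payment.approvers)
    if len(distinct) < 2 or payment.initiator in distinct:
        blocks.append("four-eyes rule not met: two approvers distinct from the initiator required")

    # Mandate check: pay only the account on file, and a recent change must have been called back.
    if payment.iban != mandate.iban:
        blocks.append("beneficiary account differs from the account on the supplier mandate")
    elif today - mandate.changed_on <= MANDATE_COOLING_OFF and not mandate.callback_verified:
        blocks.append("mandate changed recently without a call-back to a known supplier contact")

    # Community register: red blocks outright; anything other than green goes to manual review.
    status = register.get((payment.supplier, payment.country, payment.iban), "unknown")
    if status == "red":
        blocks.append("account flagged red by the community register")
    elif status != "green":
        holds.append(f"account status '{status}' in the community register; manual review")

    # Outlier filter on the amount.
    if is_outlier(payment.amount, history.get(payment.supplier, [])):
        holds.append("amount is an outlier versus this supplier's payment history")

    if blocks:
        return "block", blocks + holds
    if holds:
        return "hold", holds
    return "release", []


def demo():
    """Run the constructed scenarios and return each decision keyed by scenario name."""
    today = date(2022, 3, 1)
    on_file = "FR7630006000011234567890189"
    swapped = "FR7610096000501234567890123"
    old_mandate = Mandate(on_file, date(2021, 6, 15), True)
    fresh_unverified = Mandate(swapped, date(2022, 2, 25), False)
    fresh_verified = Mandate(on_file, date(2022, 2, 25), True)
    base = dict(supplier="Acme SARL", country="FR", initiator="carol", approvers=("alice", "bob"))
    return {
        "normal": release_decision(Payment(iban=on_file, amount=1280.0, **base), old_mandate, today),
        "account swap": release_decision(Payment(iban=swapped, amount=1280.0, **base), fresh_unverified, today),
        "same approver twice": release_decision(
            Payment("Acme SARL", "FR", on_file, 1280.0, "carol", ("alice", "alice")), old_mandate, today),
        "unusual amount": release_decision(Payment(iban=on_file, amount=48000.0, **base), old_mandate, today),
        "verified change": release_decision(Payment(iban=on_file, amount=1280.0, **base), fresh_verified, today),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision} {reasons}")
```

The "account swap" scenario is the salary-scam pattern from earlier in the article transposed to a supplier: the account was changed four days ago, nobody called the supplier back on a known number, and another member has already reported the new account, so it is blocked twice over. The "verified change" scenario shows that a recent change is fine once the call-back has been recorded, which is the point of the control: it is the verification, not the change itself, that matters.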
From a bank perspective, Trimbour stresses the importance of being able to check accounts before treasurers make payments in order to avoid supplier fraud. “In countries where such schemes have been implemented, the level of fraud has drastically reduced,” he notes. “This is why we believe that getting a solution like Sis ID is now a ‘must-have’ for corporates that care about fraud prevention.”
For very large corporates which have a huge number of suppliers, and that communicate with their banks in host-to-host mode, Trimbour suggests entering into a direct commercial relationship with Sis ID, enabling the solution to be integrated directly with their ERPs and TMSs, and leveraging existing bank connectivity. For those using e-banking channels, he says BNP Paribas is currently working on delivering in 2022 “a seamless experience, directly within our own BNP Paribas portal”.
In the UK there already exists a confirmation of payee system, where banks check the payee details before a client initiates a payment. While Sarrat wishes more systems of this kind were in use, citing it as “a great initiative” he notes that in this case, and others in Europe such as Spain, they are limited to domestic coverage, and even then, not always 100%. “Fraudsters won’t waste time on the 80% where accounts are covered by confirmation of payee, they will go directly to the 20% that are not covered.” For a corporate that is perhaps based in the UK but making payments in multiple other countries, it is a challenge to connect and integrate confirmation of payee across all territories into a TMS or ERP, and then maintain these connections.
Shifting patterns
Keeping up the pressure on fraudsters is essential, warns Trimbour. “Fraudsters are innovative and we need just to be smarter,” he states. Initiatives such as open banking and the roll-out of APIs are good for business, but they can be misused.
It’s vital to keep developing defensive technology, including using AI to detect outlier payments, but leveraging the power of the community, and the value of humans in creating system rules, also remains absolutely key in the fight against fraud. “This is why BNP Paribas invests heavily in systems but also in a diversity of people to bring different thinking,” explains Trimbour. “There will be a lot of job opportunities in this space in the years to come because the threat is not going away.”
For Sarrat, there is a discrepancy between how people collaborate in their private lives and in their professional lives that should be addressed as fraud increases. “People willingly disclose information in their personal lives. They will, for example, rate a product, offering opinions that are shared with friends and the wider community, but this is not the case from a business perspective,” he notes. “Businesses should be collaborating too, especially on cybersecurity, because it’s the only way to fight the criminals.”
Ultimately, while the problem of cyber and fraud is global, many current payment processes and systems are disconnected. “Only by making connections will controls be systematised and industrialised,” urges Sarrat. “This really should become the norm.” Of course, he adds, the strongest connection comes from working together to tackle this problem.