Upsurge in Fraud
Just one of those things, a sign of our times or an extra risk for treasurers?
by François Masquelier, Head of Corporate Finance and Treasury, RTL Group, and Honorary Chairman of the European Association of Treasurers
Over the last few months we have seen a worrying increase in the number of attempted frauds, including the famous CEO impersonation fraud. Large groups, SMEs and especially finance departments are being targeted by phishing attacks. How do we explain all these types of scam? How can we counter them effectively? Where do we currently stand? These are the questions that we will try to answer. A treasurer on guard is worth two, so let us be on our guard.
Security is the biggest challenge for businesses in adopting mobile technologies, cloud and the internet of things. Around 23% of companies surveyed said they have suffered a security breach in the past 12 months.
Source: The Technology Industry Outlook Survey 2015, AFP
Why are there more scams today than before?
We are sticking our necks out in daring to claim that there is more fraud today than there used to be. However, that does actually seem to us to be the case. So what should we be doing about this new threat? The difficult economic environment, the global financial crisis and its traumatic aftermath explain this upsurge in fraud. This makes an ideal breeding ground for scams of this type. The emergence of new methods of payment also opens up new vulnerabilities, at least at the start, with areas of insecurity, lack of knowledge and possible flaws. It gives those wretched computer nerds just the sort of opportunity that they are likely to grab with both hands. So what do we do about it? As always, unfortunately, if one fraud succeeds many others follow, and creativity is not always directed to good causes, far from it. It is therefore this particular climate and these economic difficulties that explain the new situation of increased risk. We need to keep this in mind and redouble our vigilance. It is often in adversity that we are able to put ourselves to the test, to improve our internal control procedures and to ‘sell’ security projects, particularly in IT. Bandy about the spectre of the risk of fraud, and you will find the whole of C-level management listening to you, ready to allocate budget to prevent it.
Wolf in sheep’s clothing
France and other countries have recently seen a renewed upsurge in attempted scams of the ‘CEO impersonation fraud’ type. This type of fraud is a very special variant of phishing which is targeted at large and small groups indiscriminately, and particularly at their finance departments. The fraudsters try it on over and over again to increase their chances of hooking a victim. Statistically this works well, and sooner or later a company that is not careful enough will be caught out. Police criminal investigation departments in various EU countries report that millions of euros have been lost. These techniques need patience, conviction, acting talent, IT skills and careful prior research, together with a great deal of brass neck. All these elements in combination can lead to large losses.
CEO impersonation fraud is a specialist type of fraud based on the workings of our social structure. The fraudsters delve into the environment and innermost recesses of the target company and go through them with a fine-tooth comb, and then do the same for the company’s people. They take in internal communications, official job functions, bank accounts, organisation charts, AGM minutes and the minutes of various committees. In short, anything that might be of use is collected and put together to set the trap. Even though statistically only 1% of scams work, that is enough to make it worth turning them into a business. Success and practice help make the scenarios more credible.
The idea is to tap into the business’s philosophy, its language and its codes to make the fraud look credible. The principle of this fraud, totally and completely stupid though it may be, lies in the fraudsters successfully passing themselves off as the CEO of a company to persuade employees to act in a way that runs counter to best practice and internal procedures because of exceptional circumstances. They might imitate voices, signatures or gestures, and come up with an unnervingly plausible set of background details that lulls the victim into a false sense of security (for example the CEO’s mobile number will display on the employee’s screen, the CEO’s voice is imitated perfectly, he tells you he is at a place that you have officially been told he is at, so as to leave no room for doubt in the mind of the person he is speaking to, etc.). The aim is to have an urgent funds transfer to an unknown foreign beneficiary approved, with the CEO promising to provide the required documentation for the transaction shortly afterwards. It is based on psychological pressure deriving from the hierarchical relationship. And unfortunately, sometimes it works and some people fall into the net.
How do you spot ‘fake CEOs’ and their gangs, as in Point Break?
To prevent such nasty attacks, the recommendations are that (1) companies should run regular training courses to tell their employees about security and ensure that they know about this type of scam; (2) telling people about it will be enough to prevent it in many cases. Companies need to ensure that (3) the accounts department applies payment approval procedures to the letter and with no exceptions, particularly for international payments. They should go as far as to (4) insert a clause into the company’s internal procedures guaranteeing that any employee refusing to carry out an order that runs counter to internal procedures, even one given by the CEO or CFO, can under no circumstances be dismissed.
Three-quarters of technology executives expect their company to spend 1 to 5% of its revenue on IT security over the next 12 months.
Source: The Technology Industry Outlook Survey 2015, AFP
Some CEOs send out messages along these lines, stressing that their employees should not accept any instructions from them that run counter to internal rules and procedures. This can reassure accounting staff and prevent the panic reactions that lead to poor judgement, which is often what the fraudster is trying to produce. Companies are advised (5) to check the electronic signatures on bank transfers and increase the level of security and control over payments. You can never be too careful when it comes to risks. It is worthwhile (6) checking the originators’ email addresses and the ‘reply to’ addresses. In the event of doubts or suspect emails, employees should (7) contact the company’s IT security department and forward these dubious emails to the appropriate person in the IT department.
If the harm has been done, the advice is different: try to intercept and stop the bank payment, if that is still possible, file a complaint with the local police criminal investigation department, and contact your IT security department and your internal auditor. When it comes to fraud, the time factor is crucial. Letting time go by is a huge risk, because it works against you. Companies need to home in on atypical behaviours and exceptions. Paperless processes should be used whenever possible.
Who is lurking at the other end of the line – that is the crucial question. For example, the following has been tried: “I am your CEO. I am trusting you to carry out this sensitive and urgent transaction. Keep it secret until I announce the takeover deal, it will be in the company’s best interests. (…)”. Hijacking someone’s identity is not as difficult as it might seem. The fraudster will make full use of the workings of a subordinate hierarchical relationship to try and make the fraud succeed. The fraudster is often a really persistent and persuasive manipulator (for example “I’m giving you an order (…) Stop arguing, we’re wasting time (…) Do you want to lose your job? (…)”).
Typical scenario
1. They make contact;
2. Exceptional and urgent demand;
3. Very persuasive;
4. Manual payment order;
5. They try again.
To prevent this risk, companies need to stick to established procedures and withstand temptation and pressure. Use critical judgement, even though the pressure and the stress of the CEO’s call might tempt you to lose it. Never forget that pressure can lead to poor judgement! As Bruno Lussato, the late professor of Systemics at the Ecole Nationale Supérieure des Arts et Métiers in Paris, so rightly said: “The improvement in fraud techniques is much less costly in time and money than that of the means of prevention”. So let us not try to do without prevention on the pretext of its cost and on the principle that ‘that sort of thing happens only to other people’.
You would be better listening to your intuition, and if the request looks suspect, it is a fair bet that it is not genuine. Checking that the request is genuine, by calling back to an officially listed number, has never done any harm. Develop good instincts: keep down the amount of information posted on social networks, it could do you a disservice sooner or later. Put secure procedures in place based on the principles of four eyes and double checking, limit access points, make your employees aware of the risks and be very vigilant about any unusual request. Frauds often occur during holiday periods or when the company is understaffed.
The techniques use any available channel and try to penetrate any point of access (telephone, fax, messaging or the web) to trick employees who naïvely think that they are zealously rendering a valuable service to their hierarchical superior. Amongst the targets mentioned in the French newspapers are Michelin, Vallourec and Intermarché, in particular. The French employers’ organisation MEDEF has started to exchange information on frauds that have taken place to make their details widely known and forewarn people. Some put the figure for a single fraudulent payment at as much as €23m. We also read that it is believed that fraudsters are very often based in Israel or in China, or in countries from which they cannot be extradited. A name has even been mentioned, that of Gilbert Chikli, a French pioneer in scams and corporate swindling. This now well-known fraud has become the CEO’s nightmare (for example “Hello, this is your CEO on the telephone, can you do a confidential and urgent payment for me? … I am relying on you! …”) in France, a country that has seen a lot of this type of scam. The perseverance and patience of the fraudsters, in combination with their ingenious methods, means they sometimes achieve their purpose. The array of tricks is such that it can sometimes give the illusion that the request is indeed real. You feel honoured to have been chosen for this confidential and strategic job, to the point of forgetting basic caution.
Protecting yourself
Cyber attacks in general, and more traditional types of fraud in particular, require procedures and internal controls to be strengthened. IT departments have been beavering away over the last few months reminding users of IT resources of the basic security steps that can help protect them against harmful attacks of this type. Phishing/spear phishing is a very widespread technique that crooks abuse. According to the Trend Micro Research Paper, 91% of targeted attacks use ‘spear phishing’ emails, which leads us to think that this is the method that cyber crooks favour for penetrating networks to plunder information or hack into them. An email is sent to millions of people, all potential victims, who are encouraged to click on a link to a malware site, to open an infected or contaminated attachment, or simply to hand over information that will help the crooks in a subsequent attack. These messages appear to come from a trustworthy source such as your bank or haulage company, or even from an acquaintance or, even worse, a colleague. The messages can be personalised by reading the content of the LinkedIn or Facebook accounts of innocent victims, in which case they are called ‘spear phishing’.
Payment fraud evolves as rapidly as the payment sector develops. As new payment methods are introduced, criminal attempts increase. 62% of respondents reported that their organizations were targets of payment fraud in 2014.
Source: The Technology Industry Outlook Survey 2015, AFP
The apparent genuineness and credibility of these messages has unnerved more than one recipient. And if that happens, the trap is set. It would seem that 66% of successful cyber attacks were achieved by means of spear phishing. Even though prevention techniques are becoming ever more sophisticated, as with performance-enhancing drugs, the miscreant is often way ahead of the policeman. We therefore always need to be wary of anything unsolicited. Any request to supply additional information should be avoided like the plague. The link’s real destination URL is often different from the one shown in the email, which is the first sign of spear phishing. This is ‘wholesale’ phishing, and they use any means that comes to hand in the hope of catching someone or other who is not cautious enough. The sad thing is that it works very well. For instance, there are mandatory procedures to confirm suppliers’ bank account numbers.
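The two indicators mentioned in this article, checking the originator’s and ‘reply to’ addresses and comparing a link’s displayed URL with its real destination, can be automated in a mail gateway or a mailbox rule. The following is an added example written for this article, not code from the author or from any product named here; the two sample messages, the addresses, the IP address and the company domain example-corp.com are all constructed for illustration:

```python
"""Heuristic checks for CEO-impersonation emails (added example, constructed data).

Flags the indicators the article names: a Reply-To that differs from the
visible sender, a sender outside the company domain, and a link whose
displayed URL is not its real destination.
"""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: lookalike sender domain, external Reply-To, disguised link.
SUSPECT_EMAIL = b"""\
From: "Jane Doe (CEO)" <jane.doe@example-corp-mail.com>
Reply-To: ceo.office@webmail-example.net
To: treasury@example-corp.com
Subject: Confidential and urgent payment
Content-Type: text/html; charset="utf-8"

<html><body><p>I am relying on you. Approve the transfer via
<a href="http://198.51.100.23/portal">https://bank.example-corp.com/approve</a>
and keep it confidential until I announce the deal.</p></body></html>
"""

# Constructed sample of a benign internal message for comparison.
CLEAN_EMAIL = b"""\
From: "Jane Doe" <jane.doe@example-corp.com>
To: treasury@example-corp.com
Subject: Updated payment policy
Content-Type: text/html; charset="utf-8"

<html><body><p>The revised policy is on the
<a href="https://intranet.example-corp.com/policy">intranet</a>.</p></body></html>
"""


def _domain(addr: str) -> str:
    """Lower-cased domain of an address written as 'Name <user@host>' or 'user@host'."""
    return addr.rsplit("@", 1)[-1].strip().rstrip(">").lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: bytes, company_domain: str) -> list[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[str] = []
    sender = _domain(str(msg.get("From", "")))
    reply_to = str(msg.get("Reply-To", ""))

    # Indicator 1: replies would be routed somewhere other than the apparent sender.
    if reply_to and _domain(reply_to) != sender:
        findings.append(f"Reply-To domain {_domain(reply_to)!r} differs from sender domain {sender!r}")
    # Indicator 2: the display name looks internal but the address is not on the company domain.
    if sender != company_domain.lower():
        findings.append(f"sender domain {sender!r} is not the company domain {company_domain!r}")

    # Indicator 3: the URL the reader sees is not where the link actually goes.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if "://" not in text and not text.startswith("www."):
                continue  # wording such as 'intranet' makes no claim about the destination
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            real = urlparse(href).hostname
            if shown and real and shown.lower() != real.lower():
                findings.append(f"link text shows {shown!r} but points to {real!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyse(raw, "example-corp.com") or ["no indicators"])
```

Run as a script, the suspect message produces three findings (external Reply-To, lookalike sender domain, link text that names the company’s bank portal while pointing at a bare IP address) and the clean message none. The checks deliberately stay simple: they do not replace SPF/DKIM/DMARC validation at the gateway, but they catch exactly the two signs the article tells staff to look for, and a finding is a reason to call the supposed sender back on an officially listed number rather than to reply.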
Mergers and acquisitions, by their exceptional nature, are perfect traps for those who know how to use them. You can never take too many precautions in situations like that. A treasurer on guard is worth two, surely? There are simple and effective steps that you can take: use standard payment instructions (e.g. Standard Settlement Instructions); give yourself complete visibility over all bank accounts via an efficient system; use digital signatures, even adding tokens such as the SWIFT 3SKey; and improve data security and cloud security with robust SLAs (Service Level Agreements) signed by your suppliers.
Other safeguards include regular intrusion testing, considerably strengthening passwords and making it mandatory to change them regularly (however much that annoys the average user), immediately cancelling signing authorities for people who have been dismissed or who have left the company, setting out clear and comprehensive policies of which everybody is made aware, and arranging prevention workshops, etc. As the Lebanese poet Gibran Khalil Gibran said: “If you tell your secrets to the wind, you should not blame the wind for telling them to the trees” (think about it). Success necessarily involves prevention and excellent communication. Treasurers and treasury associations need to get together to help fight fraud, the scourge of our modern times.
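The release controls this article recommends (four eyes and double checking, Standard Settlement Instructions, confirming suppliers’ bank account numbers, no manual payment orders outside the approval workflow) can be enforced in code before a payment leaves the treasury system. Below is an added example, not the author’s or any treasury vendor’s code; the SSI table, user ids, approval threshold and sample payments are constructed for illustration, and the account-number test is the standard ISO 13616 mod-97 check on IBAN check digits:

```python
"""Release checks for an outgoing payment (added example, constructed data).

Enforces the controls the article recommends: the requester cannot approve
their own payment (four eyes), large amounts need two independent approvers,
the beneficiary must be in the Standard Settlement Instructions, the account
number must pass its check digits, and manual orders are refused.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentRequest:
    beneficiary_name: str
    iban: str
    amount_eur: float
    requested_by: str              # user id of the person entering the payment
    approved_by: tuple[str, ...]   # user ids of the people who approved it
    origin: str                    # "erp" (system-generated) or "manual" (email / phone instruction)


# Constructed Standard Settlement Instructions: beneficiaries onboarded through the
# confirmation procedure (callback to an officially listed number). Anything else is an exception.
SSI = {
    "DE89370400440532013000": "Supplier GmbH",
    "GB82WEST12345698765432": "Parts Ltd",
}

DUAL_APPROVAL_ABOVE_EUR = 50_000.0   # constructed threshold for a second independent approver


def iban_check_digits_ok(iban: str) -> bool:
    """ISO 13616 mod-97 test: move the first four characters to the end,
    map A..Z to 10..35, and the resulting integer must leave remainder 1."""
    s = iban.replace(" ", "").upper()
    if not s.isalnum() or len(s) < 5:
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def release_blockers(req: PaymentRequest, ssi: dict = SSI) -> list[str]:
    """Return the reasons the payment must NOT be released; empty means it passes the controls."""
    reasons: list[str] = []
    if not iban_check_digits_ok(req.iban):
        reasons.append("IBAN fails check-digit test: probable typo or fabricated account")
    if req.iban not in ssi:
        reasons.append("beneficiary not in SSI: confirm by callback to a listed number, then onboard")
    elif ssi[req.iban] != req.beneficiary_name:
        reasons.append(f"name mismatch: SSI holds {ssi[req.iban]!r} for this account")
    if req.origin != "erp":
        reasons.append("manual payment order: must go through the standard workflow, no exceptions")
    approvers = set(req.approved_by) - {req.requested_by}   # four eyes: requester cannot self-approve
    if not approvers:
        reasons.append("no approver other than the requester")
    elif req.amount_eur > DUAL_APPROVAL_ABOVE_EUR and len(approvers) < 2:
        reasons.append(f"amount above EUR {DUAL_APPROVAL_ABOVE_EUR:,.0f} needs two independent approvers")
    return reasons


# Constructed samples: a routine supplier payment and a 'fake CEO' style instruction.
LEGITIMATE_PAYMENT = PaymentRequest("Supplier GmbH", "DE89370400440532013000",
                                    12_000.0, "alice", ("bob",), "erp")
SUSPECT_PAYMENT = PaymentRequest("Acquisition Escrow", "DE89370400440532013001",
                                 230_000.0, "alice", ("alice",), "manual")

if __name__ == "__main__":
    for label, req in (("legitimate", LEGITIMATE_PAYMENT), ("suspect", SUSPECT_PAYMENT)):
        print(label, release_blockers(req) or ["release"])
```

The suspect request fails on every control at once (mistyped or invented account number, unknown beneficiary, manual origin, and a requester approving their own payment), which is the pattern of the typical scenario described earlier. The useful property for a treasurer is that the function only ever returns reasons, never a bypass: a CEO’s instruction to skip a step cannot be expressed as input to it, which is the software equivalent of the internal clause protecting employees who refuse such orders.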
The role of banks and treasury associations
Both banks and treasury associations should help their customers and members by regularly issuing clear information on the subject of fraud. Some banks work very hard at this, for which we can only congratulate them. Treasury associations, too, with their ability to bring people together through their networks, should contribute to recommending best prevention practice, such as the practices described in this article’s illustrations. Since fraudulent behaviours have the weak point of being repetitive and systematic, explaining them openly can prevent some risks. A small example counts for more than a lengthy speech, to paraphrase Napoleon. Our associations should even use videos or recordings to show the types of fraud to which we are exposed in spite of ourselves. This should form part of basic treasury training courses and of the best practice that we try to disseminate throughout our community of members. Could we use unfortunate incidents that have actually taken place as examples of what not to do? Fraud should not be a taboo subject, even for the victims.
Work together to prevent risks
“Fraud is the homage that force pays to reason.”
Charles P. Curtis, former vice president of the United States
We can therefore only encourage treasurers and treasury associations to work together to prevent risks and to share their experience, however bad that experience may be. In adversity, everybody teaches everybody else. Fraud is a very sensitive subject. People prefer not to talk about it, and it is something that people usually keep to themselves, behind closed doors and away from prying eyes. This is a mistake and it means that many people never come to suspect the sad reality. Some banks, particularly BNP Paribas, along with others, have realised that it was also in their interests to combat fraud. Banks are also victims and their customers can make them pay dearly for it, even though it may not be their fault. If there are any problems, we always look for someone else to blame, that’s only human. But a CFO will never blame you for too much zeal and too much prevention. By contrast, any mistake will be paid for in cash, which is the treasurer’s nightmare! We would like to be able to say, like Sophocles (from Sacchini’s Œdipe à Colone), that “Something obtained by fraud never does you any good for long”. However, that would be small consolation for the victim, and it is a fair bet that you will never see the misappropriated funds again.