While payments fraud is always a top priority for treasury professionals, today’s business circumstances have only made it an even greater concern. During the AFP 2020 Payments Roundtable on Fraud and Control, sponsored by Kyriba, practitioners discussed the ever-present threat of business email compromise (BEC) scams and what organizations can do when they encounter them.
BEC CONTINUES TO THRIVE
The panel began by delving into the results of the 2020 AFP Payments Fraud and Control Survey, underwritten by J.P. Morgan. It came as no surprise that BEC scams were the largest reported source of attempted or actual payments fraud attacks last year. Fully 61% of treasury and finance professionals who experienced fraud in 2019 reported BEC as the source.
Frank Albano, senior vice president and treasurer for L Catterton, noted that while BEC has its origins in the infamous “Nigerian prince” email scam—which amazingly still manages to dupe people every year—large companies are typically targeted with more sophisticated efforts that are much more difficult to catch. Fraudsters deploy intricate social engineering tactics, infiltrating or spoofing email addresses and then engaging in conversations with real employees to get a better sense of how a business operates. That knowledge helps them immensely when they decide to strike.
“They're really just trying to understand how you communicate,” he said. “How do you end your emails? Do you use ‘best’ versus ‘thanks?’ They're actually getting an understanding of how you operate. So that six months from now, they’ll say, ‘All right, I know how the CEO speaks to the CFO and how the CFO then communicates to the treasurer. Let's put out an email that will actually follow the same framework that's been used previously, and see if we can extract some cash that way.’ That's been something that we've been trying to focus on and have really seen a significant increase in.”
To protect itself, L Catterton employs a third party to conduct an annual cyber review of its internal policies and to update the company on the latest threats. Additionally, the company has purchased all domain names that could be iterations of “lcatterton.com.” That way, fraudsters can’t register a domain such as “catteron.com” or “lcaterton.com” and trick someone in an email. “Everything would be the same, but you'd only miss by one digit, right? Or one alphanumeric character. So what we're trying to do is be as proactive as possible and trying to keep up with what's going on out there,” Albano said.
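Buying up every near-miss spelling is one side of the control; the other is noticing when mail arrives from a domain that is one or two characters off the real one, since no company can register every variant. The script below is an added example and is not L Catterton's code or anything from the article: it folds easily confused characters (1 for l, 0 for o, and so on), computes the edit distance between a sender's domain and the legitimate one, and flags anything close but not identical. The legitimate domain "lcatterton.com" is taken from the article; the sender addresses, the homoglyph table and the distance threshold of 2 are assumptions chosen for illustration.

```python
"""Flag inbound senders whose domain is a near-miss of the company's real domain.

Added example, not from the article. The legitimate domain is the one the
article names; every sender address below is a constructed sample.
"""

LEGIT_DOMAIN = "lcatterton.com"

# Characters that read alike in a mail client; folded before comparison (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose "lcatetrton" -> "lcatterton"
    return d[len(a)][len(b)]


def sender_domain(address: str) -> str:
    """Lowercase domain part of an address, trailing dot removed."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def lookalike_score(domain: str, legit: str = LEGIT_DOMAIN) -> int:
    """Edit distance after homoglyph folding; 0 means 'identical once digits are read as letters'."""
    return damerau_levenshtein(domain.translate(HOMOGLYPHS), legit.translate(HOMOGLYPHS))


def classify(address: str, legit: str = LEGIT_DOMAIN, max_distance: int = 2) -> str:
    """Return 'internal' (exact match), 'lookalike' (close but different) or 'external'."""
    domain = sender_domain(address)
    if domain == legit:
        return "internal"
    if lookalike_score(domain, legit) <= max_distance:
        return "lookalike"
    return "external"


def flag_lookalikes(addresses, legit: str = LEGIT_DOMAIN):
    """Addresses from the list that should be held for callback verification."""
    return [a for a in addresses if classify(a, legit) == "lookalike"]


# Constructed sample senders, as they might appear in a day's accounts-payable inbox.
SAMPLE_SENDERS = [
    "cfo@lcatterton.com",          # genuine
    "cfo@lcaterton.com",           # one 't' dropped
    "ap@catteron.com",             # two characters dropped
    "billing@1catterton.com",      # digit one for letter l
    "ceo@lcatterton.co",           # TLD shortened
    "noreply@vendor-supply.net",   # unrelated external domain
]

if __name__ == "__main__":
    for addr in SAMPLE_SENDERS:
        print(f"{addr:30} {classify(addr)}")
```

The comparison runs over the whole domain string, so mail from a genuine subdomain (for example a marketing platform sending as a subdomain of the real domain) would need the registrable domain extracted first; and a threshold of 2 edits will over-flag very short domains, so tune it per organisation. Cousin domains that append a word rather than change a letter are not caught by edit distance and need a separate "contains the brand name" rule.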
CONTROLS AND LIABILITY
One treasury professional in attendance questioned the controls around Fedwire. “I thought banks verified the beneficiary on a Federal Reserve Wire before posting the deposit. But now I am hearing that this is not the case,” she said. “We are doing independent callbacks, but wanted to increase controls wherever we can.”
The practitioner added that a fraudster had posed as one of her vendors, and received a wire transfer when payments went out for invoices. “We had callback verification in place before,” she said. “I thought at one point a Fedwire was more secure in the sense that the bank would look at the beneficiary, but after more discussions with one of our particular banks, they said, ‘No.’”
Rue Jenkins, former treasurer at Costco and payments group lead for the AFP 2020 Planning Task Force, responded that generally, when a Fedwire payment is sent to a beneficiary bank, it will go through unless there is some type of issue in posting the transaction to the account. However, that might depend on how the beneficiary name is coming in and whether it is close to or completely different from the account of record.
Albano added that while some banks are better than others in terms of flagging, banks tend to flag vendor payments due to transaction size more often than changes to the beneficiary. “I would say there's probably going to be more work that needs to be done on your side as opposed to relying on the bank or the Fed to prevent this because of the pure nature of how these things go about,” he said.
The treasury practitioner noted that fortunately, her company was able to recoup its funds because the bank questioned it. “But I think what they were saying is that they didn't have to check it,” she said.
She posited that in the future, perhaps it would be better to use ACH for vendor payments because it’s possible to do a reversal. However, Jenkins responded that ACH has its own challenges. “In between the time of the posting of the credit and when that reversal debit comes through, if the [beneficiary] account has had funds withdrawn and the balance is below the amount of your reversal, you may not get your funds back,” he said.
Steven Otwell, director of payments for Kyriba, noted that many treasury departments are under the impression that banks are responsible and will simply reimburse them when a fraud incident occurs. However, the truth is quite the opposite. “We've actually spoken with some of the very large banks here and from what we've heard, there really is little to no contractual obligation for the bank to reimburse you,” he said.
If your organization is a prominent enough customer, then the bank may simply eat the cost and reimburse you. But in most cases, the bank would be taking a loss, and they'll look for ways to recoup that cost, Otwell explained. “Whether it’s through a higher fee back to you or interest rates or some other model, the bank's got to get repaid to some degree,” he said.
Another treasurer in attendance noted that her company had received a change in payment instructions for one of its suppliers. About two weeks after an ACH payment had been sent, they realized that the payment had been misdirected by fraudsters. She tried to recoup the money through her banking portal, but the account had already been cleared out. However, she reached out to the receiving bank, which froze the account and has been working with her bank in an attempt to recoup some of the funds. “I feel the likelihood is quite slim at this point that we'll get anything back,” she said.
Even if there is little to no chance of getting your money back, it is still worth reporting fraud incidents to the banks involved, as it might prompt them to take action. If they don’t, it could be costly for them. “A financial institution doesn't want to be brought into transactions that could be considered fraud,” Jenkins said. “And by not taking any action once they have been notified that there is potential fraud, then there could be some liability on the financial institution side.”
For further insights, download the AFP Payments Guide, Combating Fraud in a Remote Working Environment, underwritten by MUFG.