BARCELONA -- What makes finance shared service centers (SSCs) attractive—a process-driven environment that rewards speed and volume—can create blind spots that fraudsters can exploit. During a panel session at the EuroFinance International Treasury Management Conference, experts provided insights into how practitioners can avert the risks.

Threat evolution

Tom Durkin, managing director of digital channels for Bank of America Merrill Lynch, began by stressing that cyber and fraud threats are constantly evolving. He touched on some of the most common fraud threats out there today, including business email compromise (BEC) scams and ransomware, both of which are explored in detail in AFP’s latest Treasury in Practice Guide.

Regarding BEC, the losses continue to grow, despite treasury and finance departments as a whole being aware of the methods criminals typically use. “It continues to grow, and it’s always going to be a topic that we have to address,” Durkin said.

Nico Bruno, senior treasury manager EMEA/APAC for Citrix, recounted two separate incidents in which his SSC was hit with the two classic versions of BEC scams. The first one was the “fake CEO email” method; a fraudster impersonated his CEO via email and attempted to have money transferred when the CEO was out of the office. In the second incident, the perpetrator pretended to be a routine supplier that sent new payment instructions to Citrix.

Fortunately, treasury realized what was going on before any money changed hands. However, Bruno acknowledged how easy it would be for an SSC to make a critical mistake. “Our shared service people have a lot of data that they process on a daily basis, and I’m not sure how often they would recognize that immediately, but that time we did,” he said.

While these are two examples of typical BEC scams, it is important to note that this type of fraud is evolving. By now, every treasury department should be able to identify a fake email, or at least be wary about any email request for a secret, urgent money transfer from an executive who is out of the office. However, clever fraudsters are now incorporating phone calls into the process to throw companies off.

As for ransomware, Durkin noted that the recent WannaCry attack “crippled” a number of companies’ systems. All of that could have been avoided, however, if companies kept their software up-to-date. They didn’t. “Keep up with the latest and greatest from your software provider,” he cautioned. “Ransomware continues to grow; it’s a relatively low-cost opportunities for the bad actors to also get into the space.”

Best practices

Unsurprisingly, Durkin’s advice for corporate treasury departments, whether they utilize SSCs or not, is to educate their staff members. Your banking partners should be able to help; financial institutions are under threat much more often than corporates and they should be able to provide the latest insights. Durkin noted that regulators are actually asking banks like BofA to educate their corporate clients, particularly about BEC scams.

Many SSCs today are taking the initiative and holding education sessions, automating manual controls and testing their employees as part of an effort to bring standardization to security at SSCs. “Even as an institution, at the bank, we will send test emails—fraudulent emails—to our employees to see if they are paying attention,” Durkin said. “Automating those manual controls and the testing aspect are probably the most important aspects of raising awareness for the employees. Also, continuing to evolve the dialogue as it relates to different employees who are on the front line—it’s very important to get the front line to understand.”

Durkin also recommends SSCs adopt the SWIFT Customer Security Program, a series of controls around a number of different principles to bring standardization that SWIFT implemented following the infamous Bangladesh Bank breach of 2016. “Corporate practitioners should look at those controls and make sure they are factoring into your IT processes and policies,” he said. “Most large companies have probably built that in, but certainly look at it in regards to the impacts on your SWIFT infrastructure and your SWIFT service bureau partners.”

Regarding service bureaus and cloud providers, it is important that treasury does its homework and reviews the logins, the mitigation capabilities, etc. “There are a lot of steps that go into that, and a lot of the practitioners that we spend time with didn’t envision their treasury job would encompass so much IT oversight,” he said. “But in order to create the best layer of protection, it’s certainly something we’re recommending.”

Lastly, it is incredibly important to make sure that if you are using latest version of your browser for online banking. “You wouldn’t believe how many companies lag behind in terms of upgrading different aspects of the browser,” Durkin said. “Companies like Microsoft remind us frequently about why you need to upgrade; it’s critically important. But you would see the amount of clients that we are pushing to get to the latest versions to protect themselves.”

Bottom line, the banks shouldn’t have to be reminding treasury to protect itself. Bruno added that treasury needs to be proactive, particularly in an SSC environment. “It should be treasury playing a bigger role in coordinating training and creating awareness in the different teams that have payment related access,” he said. 

Download the latest Treasury in Practice Guide, underwritten by Kyriba, Fraud in Record Numbers: Why Treasury Needs to Act Now, here.