An ongoing scourge to corporate treasury since 2014, payments fraud and business email compromise (BEC) scams are at an all-time high. According to the 2016 AFP Payments Fraud and Control Survey, wire fraud increased 27 percent from 2014 to 2015, likely due to the surge in BEC scams. In a similar study conducted by my firm, Strategic Treasurer, we learned that 77 percent of the companies that participated had experienced a fraudulent payment attempt. Yet despite FBI warnings, fraud shows no signs of stopping.
It’s time for both corporate treasurers and treasury system providers to step up and proactively protect themselves from these scams and attacks.
Recognizing the signs
In August 2015, the FBI issued a “How-To” list for corporations to avoid being victims of BEC scams. The list was part of a larger article focusing on BEC as an “emerging global threat.” In the article, FBI Special Agent Maxwell Marker warned that BEC fraudsters “know how to perpetuate a scam without raising suspicions. They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these e-mails having horrible grammar and being easily identified are largely behind us.”
So when dealing with this level of expertise and precision, what can treasurers watch for to catch a scam before it succeeds? In talking with many practitioners, these are the warning signs we uncovered:
- Undue urgency attached to a payment request
- Non-standard channels (for example, email or phone instead of the approved workflow) used to communicate funds-movement instructions
- Threats of job loss and demands for unreasonable confidentiality
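As an added illustration (not code from the article or from Strategic Treasurer), the screening below turns those three warning signs into a simple hold-or-release check that a treasury team could run on an incoming instruction before anyone acts on it; the keyword lists, the approved-channel names and the sample requests are all constructed assumptions.

```python
# Added example: screen a funds-movement instruction for the three BEC
# indicators described above (urgency, non-standard channel, confidentiality
# or job threats) and hold it for out-of-band call-back verification if any
# are present. Keyword lists, channel names and samples are constructed.
import re
from dataclasses import dataclass, field

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away|before (?:close|5 ?pm))\b", re.I)
CONFIDENTIALITY = re.compile(r"\b(confidential|do not (?:discuss|tell|mention)|keep this between|discreet)\b", re.I)
JOB_THREAT = re.compile(r"\b(your (?:job|position)|terminat|disciplinary|fired)\w*", re.I)
# Channels treasury has approved for payment instructions (assumed policy).
APPROVED_CHANNELS = {"tms_workflow", "bank_portal"}

@dataclass
class Request:
    channel: str           # where the instruction arrived
    sender: str
    text: str
    new_beneficiary: bool  # instruction adds or changes payee bank details

@dataclass
class Screening:
    flags: list = field(default_factory=list)

    @property
    def hold(self) -> bool:
        # Any indicator, or a beneficiary change, requires call-back verification.
        return bool(self.flags)

def screen(req: Request) -> Screening:
    s = Screening()
    if req.channel not in APPROVED_CHANNELS:
        s.flags.append("non-standard channel: %s" % req.channel)
    if URGENCY.search(req.text):
        s.flags.append("undue urgency")
    if CONFIDENTIALITY.search(req.text):
        s.flags.append("unreasonable confidentiality")
    if JOB_THREAT.search(req.text):
        s.flags.append("employment threat")
    if req.new_beneficiary:
        s.flags.append("beneficiary change")
    return s

SAMPLES = [  # constructed messages, not real correspondence
    Request("email", "ceo@example.com", "Need this wired today, keep it confidential until the deal closes.", True),
    Request("tms_workflow", "ap-clerk", "Scheduled vendor run for invoice 4471.", False),
]

if __name__ == "__main__":
    for r in SAMPLES:
        res = screen(r)
        print("HOLD" if res.hold else "RELEASE", res.flags)
```

The check is deliberately conservative: a hold only means a second person confirms the instruction through a channel the requester did not choose, which is the control that defeats the social engineering regardless of how polished the email reads.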
Protecting your organization against fraud is a shared responsibility between the company, the TMS, the payment hubs, and the banks. However, we are seeing many more corporate treasurers take on the lion’s share of the responsibility, and rightly so.
Treasurers’ TMS partners should provide clear guidance about the best methods of establishing connections and transferring data, providing payment capabilities with restricted access, enforcing segregation of duties, reporting on exceptions, and the relevant leading practices for ensuring effective control and compliance. True TMS partners will not be passive about issuing security and fraud prevention guidelines.
Penetration testing is another area of proactive responsibility for treasury system providers. In this high-crime environment, service providers need to establish and maintain an elevated posture. As many TMS are essentially portals for large-volume payment origination, testing for vulnerabilities must be regular, not occasional. Penetration testing should be always on: always open, so that designated third parties can continually run tests and identify any weaknesses before they are exploited.
As for banks’ responsibility, the areas of proactive focus are similar to those of the TMS provider: always-on penetration testing, plus education and guidelines around leading practices and control tactics. Additionally, with the rise of online payment and portal access, many bank providers are revamping their authentication protocols to ensure they have the right levels of user and identity authentication to prevent unsanctioned, fraudulent transactions.
However, beyond working with your TMS providers, banks and payment hubs, there are a number of key areas treasury groups can focus on as they create their treasury security framework.
- Structural: How does your bank account structure support security? What controls exist to limit opportunities for fraud? How does this support your ability to identify fraud or irregularities?
- Staff: What are the background checks performed? Are they only at the point of hire? Are they only conducted on permanent employees? How are the proper people informed and trained about controls and fraud?
- Perimeter/exterior security: Start asking questions. What types of device access do we allow? What timeframes are allowed? What types of firewalls and security do we have on the perimeter? Are hardware and software threat management integrated? How are we staying current? Do we have intrusion detection in place, and is it monitored?
- Interior security: How secure are our internal drives? Who has access to them? How are they locked down and monitored? How do we monitor not only network activity but normal versus anomalous behavior? What systems do we have in place to detect, monitor and prevent activities that fall outside the norm?
When taking a more muscular stance against fraud, treasurers must think about protection as a series of layers. You may not need every possible layer, but every layer that you have must be current, strong, controlled, and activated. If any single layer is weakened or compromised, it can impair another layer, leading to a security failure and significant or catastrophic loss. Just ask the Central Bank of Bangladesh.
Craig Jeffery, CCM, AAP is managing partner for Strategic Treasurer.