In part two of a two-part article, experts from a companion webinar to the 2023 AFP Payments Fraud and Control Survey, underwritten by J.P. Morgan, answer treasury professionals’ questions about payments fraud.
Our experts are Holly Olson, Corporate Treasurer, AFL, and Erich Kron, Security Awareness Advocate, KnowBe4.
Missed part one? Read “Far from Over, Payments Fraud Keeps Pace with Modern Tools and Methods.”
Business Email Compromise (BEC)
Q: Would charging for bulk emails slow down email fraud?
Kron: While the idea is good, there is no way to enforce a rule like that due to how the internet is designed. Anyone can run an email server if their ISP does not block the needed ports, and since much of the traffic comes from countries outside the U.S., coordinating this is not practical. In many ways, some of the bad actors are already paying to send emails through PhaaS (Phishing-as-a-Service) providers that manage the email servers and message distribution.
Deploying controls such as DMARC and DKIM on your own email servers can help filter out some of these phishing attacks though.
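To show concretely how the DMARC and DKIM controls Kron mentions let a receiving mail server discard a message that forges your domain in the From: header, here is a minimal DMARC evaluator. This is example code added for this page, not code from the webinar, AFP or KnowBe4, and all domain names, the DMARC record and the Authentication-Results header values are constructed for illustration. The organizational-domain logic is simplified (last two labels) where a production implementation would consult the Public Suffix List.

```python
"""Minimal DMARC evaluator (added example, not from the article).

It shows why publishing a DMARC record with p=reject lets a receiver drop mail
that forges your From: domain, and where DMARC stops helping (a lookalike
domain the attacker registers has no policy of yours to enforce).
All domains, records and headers below are constructed for illustration.
"""
import re
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")    # requested policy for the domain
    tags.setdefault("adkim", "r")   # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment
    return tags


def parse_auth_results(header: str) -> dict:
    """Extract SPF and DKIM results from an Authentication-Results header.

    Simplified: assumes ';' only separates clauses. Returns
    {'spf': (result, domain) or None, 'dkim': [(result, header.d domain), ...]}.
    """
    out = {"spf": None, "dkim": []}
    for clause in header.split(";")[1:]:   # clause 0 is the authserv-id
        clause = clause.strip()
        m = re.match(r"spf=(\w+).*?smtp\.mailfrom=([\w.@+-]+)", clause)
        if m:
            # smtp.mailfrom may carry a full address; keep the domain part
            out["spf"] = (m.group(1).lower(), m.group(2).split("@")[-1].lower())
            continue
        m = re.match(r"dkim=(\w+).*?header\.d=([\w.-]+)", clause)
        if m:
            out["dkim"].append((m.group(1).lower(), m.group(2).lower()))
    return out


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    a real implementation uses the Public Suffix List, e.g. for example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain: str, dmarc_record: Optional[str],
             auth_results_header: str) -> dict:
    """Return the DMARC verdict and the disposition the receiver should apply."""
    if dmarc_record is None:
        # No record published for the From: domain: nothing to enforce.
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record"}
    policy = parse_dmarc(dmarc_record)
    auth = parse_auth_results(auth_results_header)

    dkim_ok = any(r == "pass" and aligned(from_domain, d, policy["adkim"])
                  for r, d in auth["dkim"])
    spf_ok = (auth["spf"] is not None and auth["spf"][0] == "pass"
              and aligned(from_domain, auth["spf"][1], policy["aspf"]))

    if dkim_ok or spf_ok:
        return {"dmarc": "pass", "disposition": "none",
                "reason": "aligned " + ("dkim" if dkim_ok else "spf")}
    # sp= (subdomain policy) applies when From: is below the org domain.
    applied = policy["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in policy:
        applied = policy["sp"]
    return {"dmarc": "fail", "disposition": applied,
            "reason": "no aligned, authenticated identifier"}


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; adkim=s; aspf=r"
    legit = "mx.receiver.test; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com"
    forged = "mx.receiver.test; spf=pass smtp.mailfrom=mail.attacker.test; dkim=pass header.d=attacker.test"
    print("legitimate:", evaluate("example.com", record, legit))
    print("forged From:", evaluate("example.com", record, forged))
    print("lookalike domain:", evaluate("examp1e.com", None, forged))
```

Two things the example makes visible: the forged message fails even though SPF and DKIM both say "pass", because neither authenticated identifier aligns with the From: domain, and a lookalike domain the attacker registers is untouched by your policy, which is why the callback verification discussed later on this page still matters.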
Q: Our wire requests are sent by email, and we recently got hit by a fake email where the wire went out but was luckily questioned by the bank and proven to be fake. Now we are using Teams as a second verification tool to confirm that the emailed request is genuine. Can Teams be hacked too?
Kron: Most anything can be hacked, but the question is, how can we make it tougher for them, while not making it too tough on the employees? Email is the most common thing for most bad actors to try to get access to, so anything outside of that can be helpful. Simply having some extra layer of approval in place can go a long way here, but nothing will ever be “unhackable.”
Best practices for payment verification
Q: Any suggestions for verification of international payments? We are only domestic, and it has become more difficult to do these verifications as Europe has stopped accepting checks.
Olson: International bank validations present multiple challenges such as a time zone differential, a language barrier or a simple misunderstanding of the objective for the call. In these situations, we leverage our buyers who speak the local language and operate in these countries. We have also leveraged subsidiaries in the country whenever possible, and use a code that is shared with the vendor verbally and must be used when communicating with us via email.
Q: What is the best practice to verify bank account changes when you only have the vendor email?
Olson: We take the approach that all bank accounts must be validated, and we do experience challenges from time to time connecting to a live person who can validate the banking instructions. Once we exhaust our preferred channels (e.g., call the main company number, make numerous attempts, etc.), we go to procurement or the original internal associate who maintains the relationship with the vendor and ask for their known contact name and phone number. Our known contact with the vendor may not be the right person, but they can usually get us to someone who can help. In the end, if we are not able to validate banking details for a domestic supplier, we convert future payments to a check until we are able to validate the instructions.
At the end of the day, your company will need to determine how much risk it is willing to take. Obviously, zero tolerance can extend the time it takes to onboard a vendor or update their banking details and increase the effort required; therefore, it is important to assess the risk appetite within your organization. Things to consider as you develop your own procedures are:
- Available resources – Do you have the resources internally to validate banking instructions?
- Time – Is it so critical to onboard or change banking instructions immediately that it will cost dearly if you don't, or can you afford to wait a day or two?
- Exposure – What is the exposure if you were to send money to a bad actor?
Fraud protection while traveling
Q: What are some good ways for our employees to protect their credit cards when traveling?
Olson: We recommend our associates carry their cards in an RFID sleeve or wallet when traveling. Another deterrent is for travelers to load their corporate credit card into a digital wallet, such as Apple Pay or Google Pay, which is more secure than the physical card. The transaction details should still feed to an expense reporting tool. Something else to be forewarned of is business partners that have a practice of writing your credit card number on a piece of paper and storing it in an unsecured location.
AI and ChatGPT
Q: Do you know of anyone who has had to deal with AI voice copying?
Kron: I haven't seen a confirmed case of that yet; however, with the advances that we're seeing in AI and how things are exploding right now, it's definitely going to be an issue.
Q: How can we mitigate fraud involving AI voice copying? Is there something that we in the treasury department can do when we're trying to validate? Maybe ask a specific prearranged question that only the person we're talking to knows the answer to?
Kron: If you're going to ask a question or have a code word, you're going to have to change that on a regular basis. I have seen situations where people have had arrangements with their bankers where they plot out a passphrase, and every time they do something, they confirm with that. Every month it changes. Now that's a lot of effort. It depends on how much you're talking about here. I'll say on the technical side, there are controls coming into place to look at AI-generated voices because they'll often make sounds that are impossible for our own mouths to make.