BETHESDA, MD -- Greg Litster, president of SAFEChecks, provided AFP’s Treasury Advisory Group with a look at some common fraud schemes that continue to plague corporate treasury functions. Of course, no discussion on fraud threats to treasury professionals would be complete without a look at business email compromise (BEC) scams.
Litster, who met with the TAG last week, began by stressing that practitioners watch AFP’s videos on the subject, featuring Magnus Carlsson, AFP’s manager of treasury and payments. He noted that the losses from BEC scams through May of 2016 total $3.1 billion.
One key way to prevent unauthorized wire transfers, Litster explained, is to require two different computers and passwords to send money, with one of them being a computer that connects to the bank and nothing else. Multiple employees can initiate a wire or ACH transfer with their daily computers, but only the dedicated bank computer can be used to release transfers. “For the release, you don’t want to use a computer you use for email, because you don’t know if your computer’s been hacked and the keystrokes are being monitored,” he said.
Once the company adopts a two-computer policy for wire transfers, Litster advises treasury practitioners to update their electronic funds transfer (EFT) agreements with their banking partners to reflect those revised policies.
For any treasury professional who is traveling and needs to approve a wire transfer, Litster recommends carrying a small laptop that’s not used for anything else and logging onto the internet via the mobile hotspot in their smartphone. “That connection is secure, so you can log in and just release the wires,” he said.
Next, to shift liability for any cyber losses from you to your bank, practitioners must be sure to follow their banks’ internal controls and technology recommendations. “If you don’t implement what they tell you to do, and there’s a loss, they’re going to push it right back on you,” he said.
It’s also important to note that not all BEC scams result in dubious wire transfers. Sometimes, criminals will impersonate an executive or a routine supplier and request a check payment be sent to a new PO Box address that they control. However, when this happens, your company might not be on the hook for the loss, Litster explained.
“If you get hacked and you send a wire to a new bank they set up, that money is gone,” he said. “But if you get hacked and you send a check to a PO Box, all is not lost. In that scenario, you have what is called a forged endorsement. You sent a check made payable to a particular party that was intercepted by somebody who is not that party, they forged the endorsement and processed it through. That becomes the liability of the bank of first deposit. And the statute of limitations on a forged endorsement is three years past the date it was deposited, except in Florida and Georgia, where it is one year.”
Litster added that banks have a part to play here as well, especially when there has been a sudden change to the receiving bank of a repetitive wire payment. He recounted an incident in which a corporate client of a Texas bank was hit with a seven-figure BEC scam. In response, the bank changed its protocol so that it no longer allows wires to move immediately through its system if the payments are being sent to Eastern Europe or Asia and there has been a bank change. “They always stop it and call the company,” he said. “They say, ‘We see you’re sending this wire and there’s been a change of bank. Are you certain about this?’ A year after putting this into practice, they caught two wires—one going to Eastern Europe for $900,000, and one going to Asia for $1.4 million.”
Treasury professionals would be wise to carefully vet their banking partners on this issue. Ask them if they have any special procedures for sudden changes to payment instructions for repetitive wire transfers. If they don’t, then it might be time to find a bank that does.