As long as there has been currency, there has been fraud. Today’s fraudsters are technologically savvy, creative and patient. They’ll sit at your back door for some time studying and waiting. What can we as financial professionals do to protect our organizations?
In one of our most popular sessions at AFP 2022, “Fighting Fraud: The Next Frontier in Protecting Payments,” experts in payments fraud prevention and treasury spoke about their experiences with fraud and the tools they are using to fight it.
“We've been seeing a lot of executive-style fraud,” said one payments professional. “I've received a plethora of texts from someone spoofing my CEO. He is not legitimately asking me at midnight for Apple gift cards or to quickly send him some funds.” The company has also seen a lot of account takeover fraud, which they’re working diligently to mitigate.
“We're constantly getting emails, and in some cases phone calls, purporting to be an executive of the company,” said a treasury professional. “The message that we in treasury have given on a consistent basis is: Don't even think about sending us an email. Don't even think about calling us up. We have procedures in place.”
That said, the treasury professional once received a legitimate phone call from his company’s chairman during an emergency asking him to pay $50,000 for a truck to fuel emergency vehicles to restore customers’ power. “The only reason why I moved forward with it is I knew his voice,” he said, “and we wired $50,000 to a supplier, bypassing every control in the book. But those should be the rare exceptions, not the norm.”
The treasury professional explained that his company routes every payment, of any type, through its procurement system. Requests go through the normal channels and are subject to dual controls (and in some cases triple controls) to make sure that payments go out correctly.
Synthetic Identity Fraud
Synthetic identity fraud — in which fraudsters stitch together elements of several people’s identities to create a new one — is a primary focus of many organizations right now, and with good reason. Many bot-driven and hacker scams use this method to open fake accounts.
“The fraudsters are in for the long haul,” one treasury professional said. “They go through great means to establish a credit profile. By the time they apply to us, even if we validate them against known sources, they're going to look like a decent risk.”
The treasury professional explained that to combat synthetic identity risk, his team is working with the audit function to develop techniques for evaluating the data in their systems and looking for anomalies. His team has also instituted additional policies, such as document verification at onboarding: checking items such as a driver’s license and social security information against public records and other available data. Some third-party services can also perform multi-layered validation.
Multi-layered systems, along with human creativity and critical thinking, seem to be the best protection we have at the moment.
Reconstructing Org Charts
Fraudsters are also using social media to reconstruct your organizational chart. In some cases, they identify who works in the treasury department and target those people to extract information such as passwords.
A treasury professional explained that at his company, access to the bank systems requires a secondary control: a handheld device or a hardware token/dongle is needed to log in to the bank account. That way, even if an email address or password were compromised, the fraudsters still wouldn’t be able to get into the bank account. The token protects the login, not the judgment of the person holding it, which is why the payment controls described above still matter.
Back Door Attacks
Attacks don’t always come by the direct route; sometimes they come through the back door. One treasury professional explained that his company lost $80,000 at a subsidiary after a supplier’s system was hacked. The fraudsters lay dormant inside the supplier’s system for a number of weeks, studying the company’s payment patterns. Finally, when they felt comfortable, they intercepted invoices sent by email and changed the payment instructions on them.
Another way fraudsters sneak in is through the corporate website. In one case, the fraudster found the form used to change the direct deposit instructions for a retiree’s pension.
To mitigate these kinds of risks, one treasury professional advised keeping a known contact, such as a phone number already on file (not one supplied in the request itself), for someone who can validate a change in payment instructions, and, as a general rule, never accepting payment instruction changes from an email.
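The two back-door scenarios above (an intercepted invoice carrying altered payment instructions, and a payment-instruction change request that arrives by email) come down to the same control: bank details are only ever changed after a call-back to a number already on file, under dual approval, and any invoice whose remit-to account disagrees with the vendor master is held. The following is an added example written for this article, not code from the session or from any of the companies described. The vendor record, the request format, the fictitious 555 phone numbers and the `evaluate_change` / `screen_invoice` functions are all assumptions made for illustration.

```python
"""Vendor payment-instruction change control (illustrative, constructed example).

Rules modelled:
  1. A change request that arrived by email is rejected outright.
  2. The change must be confirmed by call-back to the phone number already on
     file for the vendor. A number volunteered in the request is ignored.
  3. Two distinct approvers (dual control) must sign off.
  4. Invoices whose remit-to account differs from the vendor master are held.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    name: str
    bank_account: str
    callback_phone: str  # captured and verified at onboarding; never updated from an inbound message


@dataclass
class ChangeRequest:
    vendor_id: str
    new_bank_account: str
    channel: str  # how the request arrived: "email", "vendor_portal", "signed_letter", ...
    phone_in_request: Optional[str] = None  # number the requester volunteered; deliberately not used
    callback_number_dialed: Optional[str] = None  # number treasury actually called to confirm
    approvers: List[str] = field(default_factory=list)  # people who approved in the procurement system


def _digits(phone: Optional[str]) -> str:
    """Normalise a phone number to its digits so formatting differences do not matter."""
    return "".join(ch for ch in (phone or "") if ch.isdigit())


def evaluate_change(req: ChangeRequest, master: Dict[str, VendorRecord],
                    min_approvers: int = 2) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Any reason at all blocks the change."""
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return False, ["unknown vendor"]
    reasons: List[str] = []
    if req.channel.lower() == "email":
        reasons.append("payment instruction changes are never taken from email")
    if req.new_bank_account == vendor.bank_account:
        reasons.append("requested account is already on file; nothing to change")
    if req.callback_number_dialed is None:
        reasons.append("no call-back performed")
    elif _digits(req.callback_number_dialed) != _digits(vendor.callback_phone):
        reasons.append("call-back went to a number not on file for this vendor")
    distinct = len(set(req.approvers))
    if distinct < min_approvers:
        reasons.append(f"dual control not met: {distinct} approver(s), {min_approvers} required")
    return (not reasons), reasons


def screen_invoice(vendor_id: str, remit_to_account: str,
                   master: Dict[str, VendorRecord]) -> str:
    """Hold any invoice whose remit-to account disagrees with the vendor master."""
    vendor = master.get(vendor_id)
    if vendor is None:
        return "hold: unknown vendor"
    if remit_to_account != vendor.bank_account:
        return "hold: remit-to account differs from vendor master; confirm by call-back before paying"
    return "ok"


# Constructed vendor master for the example (fictitious identifiers and 555 number).
VENDOR_MASTER: Dict[str, VendorRecord] = {
    "V-1001": VendorRecord("V-1001", "Acme Fuel Supply", "US12-3456-7890", "+1 (555) 010-0100"),
}


if __name__ == "__main__":
    # Emailed request, call-back made to the number in the email, single approver: blocked.
    emailed = ChangeRequest("V-1001", "GB99-0000-1111", channel="email",
                            phone_in_request="+1 (555) 010-9999",
                            callback_number_dialed="+1 (555) 010-9999",
                            approvers=["alice"])
    print(evaluate_change(emailed, VENDOR_MASTER))
    # Portal request, call-back to the number on file, two approvers: allowed.
    proper = ChangeRequest("V-1001", "GB99-0000-1111", channel="vendor_portal",
                           callback_number_dialed="1 555 010 0100",
                           approvers=["alice", "bob"])
    print(evaluate_change(proper, VENDOR_MASTER))
    # An intercepted invoice with altered remit-to details is held, not paid.
    print(screen_invoice("V-1001", "GB99-0000-1111", VENDOR_MASTER))
```

The point of ignoring `phone_in_request` entirely is that an attacker who controls the supplier's mailbox also controls every number and signature inside the message; only a contact captured before the message arrived is trustworthy. The `screen_invoice` check catches the intercepted-invoice case even when nobody ever submitted a change request, because the mismatch shows up at payment time.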
Educating your organization and supply chain is crucial, as is knowing your company, your customer and your supplier.
“You need to make sure that every single person in your organization understands what the fraud schemes are so they can apply that knowledge to their daily tasks,” said one treasury professional.
If your people don't truly understand how the schemes work, they're not going to understand the instructions you give them regarding validation. Too often we simply say, ‘Here's the rule,’ and we don't ever tell them why. If we start telling people why, it becomes ingrained in their minds and a natural part of the way they think.
Do you want to learn more about payments fraud along with a multitude of other interesting and timely topics? Join us this October in San Diego for AFP 2023.