Defending Corporations against Payment Fraud
January 24, 2019
Defending the organization against fraud, whether from within or outside the organization, is a huge but growing challenge for every treasurer and finance manager. The risks posed by cyberattacks have never been higher, at an expected cost of $6 trillion per year by 20211 , double the figure of 2016. Fraudsters and cyberattackers are indiscriminate and will attack any organization.
While security and control has always been a treasury priority, it now tops the leader board. According to FIS’ recent Payments and Connectivity Market report, 59 percent of respondents emphasized that reducing fraud risk is their primary objective when implementing a payments or connectivity project. While the choice and implementation of technology is one factor in the success of these projects, organizational and human elements are just as important.
Centralize wherever possible.
Targeted attacks on treasury and finance departments are frequently directed at subsidiaries and local offices where controls may be less rigorously enforced than in treasury or shared service centers. Centralizing sensitive functions, such as payments and bank communication, is one way to reduce this vulnerability by reducing the number of touchpoints. In addition, a single, cloud-based payments and bank connectivity infrastructure ensures that controls are applied and enforced consistently across all locations.
Learn and test.
People learn best by doing and seeing for themselves. In addition to providing training modules, manuals and online tutorials, simulate attacks of different types, including using social hackers. This can help to identify weaknesses and emphasize the importance of user behavior in protecting the organization. Results can inform improvements in processes, controls, alerts and education.
Look within the organization.
Fraud is not only an external phenomenon. In addition to enforcing and testing controls such as dual-level authorization, staff need to be alert to, and feel comfortable reporting suspicious behavior. This can be more difficult than uniting a team against a common external enemy; however, internal fraud is just as significant a risk as externally initiated fraud attempts and cyberattacks.
Look beyond the business.
Treasurers operate in a complex ecosystem that extends beyond the banking, supplier and customer community. It is important that this community understands and plays its part in tackling fraud. For example, make sure that banks know that only payment instructions that are transmitted through electronic channels are valid, and that suppliers are aware that only verified invoices or requests to change bank account instructions will be acted upon. Ask banks, suppliers and customers to advise of any attempts to operate outside the guidelines you have set. This is a two-way process. For example, alert your banks of emails or invoices that may contain fraudulent bank account details, so they can verify or block these accounts, potentially protecting other organizations that have been targeted.
There are signs that these efforts are proving successful. Although cybersecurity attacks continue to increase, only one in eight focused attacks got through in 2018 compared with one in three a year before . Detection is also faster today compared with a year ago: more than 40 percent are detected within seven days, compared with 10 percent a year ago.
However, only one attack or fraud attempt needs to be successful, whereas defense mechanisms need to work 100 percent of the time. The sophistication of fraud and cybersecurity attacks is also continuing to grow. Treasurers and finance managers cannot afford to be complacent, but should continue to review and refine their controls, and work with their technology providers and banks to understand, anticipate and respond to changing risks.
1 Top cybersecurity facts, figures and statistics for 2017, Cybersecurity Observatory https://www.cybersecobservatory.com/2017/06/15/top-5-cybersecurity-facts-figures-statistics-2017/