Steps to Combat Payments Fraud and Cybersecurity Threats
February 16, 2017
The continued digitization of the financial services industry has led to a boom in electronic payments technology. Even as the transition to electronic receivables and payables improves efficiencies and reduces costs across financial institutions and corporates, the switch to automation and digitization increases the speed of funds movement and may increase the risk of payments fraud and cyberattacks if financial professionals don't remain vigilant.
In fact, financial professionals and corporate treasurers identified this threat as the No. 1 challenge to their organization in 2017, according to a recent TD Bank survey of more than 350 financial professionals at the 2016 Association of Financial Professionals conference. Despite their warranted concern, not all corporate treasurers are taking proactive steps to combat it, with just 31 percent of those respondents planning to invest in cyber and fraud security protections this year. This complacency is troublesome, as the intensity and frequency of cyberattacks are rising as more companies bring their payment systems online.
Cyber criminals are growing increasingly clever and have a widening toolbox of tricks, from phishing scams and electronic payments fraud to "smart" device and computer hacking. Another rising threat is "social engineering" – the practice of posing as a trusted source to deceive people into giving out sensitive information. For example, this could involve a perpetrator posing as a known vendor, saying the vendor has updated its banking systems and needs the company to update its records to remit all future payments to a new bank or account controlled by the cyber criminal. Other times, this may involve someone posing as a CFO or corporate treasurer who sends an email to a member of the finance team directing them either to redirect an existing wire payment to a new account or to execute a one-time wire transfer related to a purported confidential transaction. Because these types of requests are commonplace for a large organization, they might not raise an immediate red flag, allowing a perpetrator to steer funds into an illegitimate account without much alarm.
The costs of these attacks add up, and can range from hundreds to hundreds of thousands of dollars in losses. Check fraud losses, for instance, average $1,000-$2,000, according to American Banking Association numbers, while wire fraud losses average over $130,000, reports the FBI. Those amounts don't even cover indirect costs to a company for investing in technology security, reimbursing affected parties or reputational costs in the event of a high-profile event.
Companies need to step up their defenses, and while there is no single guaranteed solution, every player – financial institutions, payment/wire service firms and other companies – must do its part to help prevent and minimize cyberattacks.
Here are steps companies can take now to combat the threat of payments fraud and cyberattacks:
1. Designate a computer or computers to be used exclusively for banking transactions. Keep these machines offline by restricting both Internet and email access, thereby taking away the most common entry point for cyber criminals.
2. Develop and maintain a control framework for all banking and treasury activities. Communicate this process to all staff to minimize the potential for errors or confusion.
3. Authenticate any and all payment orders issued by company executives, customers or vendors via phone or in person, instead of relying on email confirmation. Although slightly more time-consuming, this approach is more secure.
4. Conduct background checks on all new hires, including contractors and temporary workers. Many successful cyberattacks leverage someone with intimate knowledge of a company’s systems.
5. Perform a daily review and reconcilement of bank accounts to check for discrepancies. That way suspicious or missing payments or wires can be flagged almost immediately.
6. Mandate a segregation of duties between accounts payable, accounts receivable and payroll. This added layer of protection helps prevent anyone except senior executives from seeing the full financial picture.
7. Use fraud mitigation services offered by banks, including but not limited to positive pay, debit blocks/filters and alerts. While some services may be fee-based, they will likely pay for themselves in the long term, especially in the event of attempted fraud.
8. Form and maintain a risk and fraud management committee. Cyber criminals are constantly innovating their techniques, and executives need to meet the challenge head-on by staying up to date on the latest technological and security solutions.