Know all the weaknesses in your company? Fraudsters do

Ask a financial decision maker what keeps them awake at night and the answer is likely to be ‘ensuring payments are received on time and working capital is optimised.’ However, an additional worry should be how to protect cash once it is within the organisation.

A survey last year on the key trends impacting financial decision-makers highlighted the apathy surrounding financial fraud in the UK. Some 69% of financial decision-makers surveyed were confident in the robustness of the anti-fraud measures they had in place, despite the fact that, of the same group, half admitted that their own businesses had been negatively affected by fraud.

Encouragingly, the UK Business Payments Barometer 2017 report found that there is now greater concern around payment fraud, suggesting a higher level of vigilance and a significant focus on internal fraud. Those that have been impacted by payment fraud are being hit by attacks that manipulate existing processes, or fall below the radar of audit thresholds.

The Leonardo DiCaprio connection

In the film Catch Me If You Can, Leonardo DiCaprio’s character Frank carried out cheque fraud by manipulating the banking system and cashing counterfeit cheques before the banks could verify their validity – a manual process which took days in the 1960s. By continually moving around the US, DiCaprio’s character was able to avoid detection because banks and law enforcement couldn’t keep up with the scam.

This is a plot that’s similar to how fraudsters operate today, targeting weaknesses and downtime within existing systems and processes. Organisations that do not have full visibility of key records and activity throughout their lifecycle – including financial documents, such as invoices – are most at risk of being manipulated by fraudsters.

Criminals can employ a range of tactics to exploit weaknesses, from Trojan horses, altering supplier payment details and creating fake companies to sending bogus invoices for goods and services that haven’t been ordered.

This is an area of growing concern and the report found a 15% increase (39%) in the number of financial decision makers who are concerned about external exploitation of internal payment processes, compared to the year before.

Anti-fraud and compliance measures pointing in the right direction

It is important for organisations to have robust measures to prevent loss due to error and fraud, ensuring payments are being made to legitimate recipients, not fraudsters.

Bank account validation (62%) and verification (59%) appear to be the most popular measures employed to tackle the threat. The report found that only one in four organisations checked against a blacklist or used an electronic invoice portal.

It is encouraging that validation and verification measures are being used. However, it is important that organisations implement these measures against the vendor database and not at the point of submitting the payment or collection. This helps to identify errors and intentional payment frauds earlier in the process.

It is impressive to note that a quarter of corporates are using anti-money laundering sanctions blacklists to check payments. Currently, only regulated financial and payments institutions are required by law to screen their payments against such blacklists and often for due diligence. The practice of using such measures to filter payments is a new and growing trend.

Of course, threats can come from internal staff as well as external criminals. It’s tempting to focus only on protecting against external attacks, but if an external attack can be compared to a hornet’s sting, financial fraud from within is an organisational parasite.

Internal fraudsters are a growing concern

Compared with last year, the report found a dramatic shift in the level of concern around different types of payment fraud. Some 56% of respondents in this year’s survey named external cyber fraud as a concern – up from 37% in 2016.

Most astonishing is the concern over payment fraud committed by internal staff, which was listed by 31% of respondents, compared with 13% in 2016 – a significant 138% relative year-on-year increase.

Driven, perhaps, by recent news stories, such as fraud committed by a treasurer at ABB’s South Korean subsidiary, there appear to be heightened levels of apprehension amongst financial decision makers.

The salami threat

Lurid headlines aside, the challenge for financial decision makers tackling payment fraud is spotting breaches for smaller amounts, which are likely to happen more regularly under the radar of audit checks.

This year, there was a fall in the level of large scale fraud and 17% of respondents estimated that over 10% of their organisation’s revenue had been subject to attacks by fraudsters – a figure which stood at 35% in 2016.

Despite a reassuring trend, 68% feared that up to 10% of their company’s revenue had been subject to small-scale attacks by fraudsters – a 28% year-on-year increase. This suggests that while large scale payment fraud is on the decline, more businesses could be falling victim to “salami fraud”.
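One way to surface the pattern described above, as an added example that is not from the original article or the report: group the payments that each fall below an audit threshold by payee, and flag any payee whose rolling 30-day total reaches that threshold. The threshold, window, account labels and ledger rows are constructed assumptions, with amounts held in pence.

```python
from collections import defaultdict
from datetime import date, timedelta

AUDIT_THRESHOLD = 100_000     # assumed: single payments >= 1,000.00 get manual review
WINDOW = timedelta(days=30)   # assumed rolling look-back window

# Constructed sample ledger: (payment date, payee account, amount in pence)
LEDGER = [
    (date(2017, 3, 1), "ACC-001", 420_000),   # large: already seen by the audit check
    (date(2017, 3, 2), "ACC-777", 31_000),
    (date(2017, 3, 5), "ACC-200", 45_000),
    (date(2017, 3, 9), "ACC-777", 29_500),
    (date(2017, 3, 10), "ACC-300", 99_000),   # single payment, not a repeated pattern
    (date(2017, 3, 16), "ACC-777", 30_500),
    (date(2017, 3, 23), "ACC-777", 28_000),
    (date(2017, 5, 10), "ACC-200", 45_000),   # too far from the first ACC-200 payment
    (date(2017, 5, 20), "ACC-777", 30_000),
]

def find_salami_payees(ledger, threshold=AUDIT_THRESHOLD, window=WINDOW):
    """Return {payee: (peak_window_total, payment_count)} for payees whose
    sub-threshold payments add up to at least the threshold inside one window."""
    by_payee = defaultdict(list)
    for paid_on, payee, amount in ledger:
        if amount < threshold:            # only payments the audit check never sees
            by_payee[payee].append((paid_on, amount))

    flagged = {}
    for payee, payments in by_payee.items():
        payments.sort()
        start, running = 0, 0
        for end, (paid_on, amount) in enumerate(payments):
            running += amount
            # Slide the window start past payments older than the look-back period.
            while paid_on - payments[start][0] > window:
                running -= payments[start][1]
                start += 1
            count = end - start + 1
            # Require more than one payment: the signal is repetition, not size.
            if count > 1 and running >= threshold:
                if running > flagged.get(payee, (0, 0))[0]:
                    flagged[payee] = (running, count)
    return flagged

if __name__ == "__main__":
    for payee, (total, count) in find_salami_payees(LEDGER).items():
        print(f"{payee}: {count} payments totalling {total / 100:.2f} within 30 days")
```
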

Incorporating new technologies and services, such as advanced encryption, multi-factor authentication and password managers, as well as arming employees with the right education, are some of the best practices companies can use to protect themselves.

Finance Directors can’t be the forgotten siblings

In the battle against financial fraud, it is important that financial decision makers are at the heart of the planning process. Yet, one worrying trend when it comes to anti-fraud and cyber security response times is that financial decision makers are often an afterthought.

The threat of fraud can come from any angle. Financial decision makers are in a good position to identify payment processing weak spots and pain points.

Finance cannot become the forgotten siblings. Financial decision-making executives need to be fully aware of vulnerability risks and ensure these are covered in the cyber and fraud incident response plans.

Ed Adshead-Grant is general manager for payments at Bottomline Technologies.