Frauds that use emails to trick company employees into making unwarranted payments are proliferating, underscoring the importance of businesses’ having procedures in place that not only guard against such frauds but allow them to respond effectively if frauds occur.
Last month, the FBI warned of a “dramatic rise” in the frauds, known as business email compromise (BEC) scams, after previously issuing warnings last August and January. And the Association for Financial Professionals’ 2016 survey on payment frauds and controls found that 64% of the more than 600 treasury and finance practitioners surveyed had experienced actual or attempted BEC scams in 2015.
The survey noted an increase in fraud overall, with 73% of respondents having experienced fraud or attempted fraud last year, up from 62% in 2014. And there was a sharp increase in wire transfer frauds, which could be linked to the BEC scams, with 48% of respondents saying they experienced wire transfer fraud in 2015, up from 27% in 2014 and 14% in 2013.
While the scams often involve wire transfers, the AFP survey indicates that BEC perpetrators are open to other types of payments. More than half (56%) of respondents who experienced BEC fraud said the scam involved wire transfers, but 29% cited checks, 18% corporate or commercial credit cards, and 16% ACH debits.
Magnus Carlsson, manager of treasury and payments at AFP, suggested that scammers adapt to the payment method that’s typical of the company they’re trying to defraud.
“If you target smaller organizations, they may not even use wires,” he said. “So in that case, the payment method is most likely going to be checks.”
Complexity Facilitates Fraud
Paul DeCrane, global treasury services lead for Ernst & Young, said the complexity of many treasury organizations is a factor that facilitates payments fraud.
He cited companies that, perhaps as the result of global expansion or a number of acquisitions, have multiple groups around the globe that make payments while relying on mismatched systems or outdated technology. Treasury organizations may have multiple treasury management systems and general ledgers or different payment processing centers.
“The criminal organizations take advantage of those disparate communications between treasury centers across the globe,” DeCrane said.
“What we’re seeing happen is that a lot of this fraud takes place at the shared-services level,” he added. When tasks such as wire transfers and payments were always handled inside the treasury group, companies had “better background knowledge about the money movements,” DeCrane said. “Now that those responsibilities have moved out to other locations, there’s less connectivity, less transparency.”
He noted that some sizable scams are broken into multiple payments over a period of time. If a company’s welter of systems means it’s only able to reconcile on a monthly basis, those frauds can go undetected for some time. Companies should focus on achieving daily visibility into cash movements to be able to detect payment fraud, DeCrane said.
How Scammers Access Corporate Information
BEC frauds take various forms, but a common denominator is the amount of information that scammers deploy about a company and its internal workings to convince an employee to make a payment. For example, a treasury employee might get an email from the CEO or CFO asking that a wire transfer payment be made right away. Or someone in accounts payable might get an email from a vendor asking that future payments be made to a new bank account. In each case, scammers identified which employees in the company were responsible for certain tasks and produced emails that were worded correctly and appeared authentic.
“It’s very critical that companies begin to look at how they can protect their data,” said Araldo Menegon, global managing director for financial services at Fortinet, which provides cyber security solutions. “The main problem is that you’ve got a multitude of digital channels, external partners, employees that are online in the firm, employees using mobile devices, employees working externally.”
Guy Bunker, senior vice president of products at Clearswift, a U.K. information security company, said social media is a source of information for cyber criminals, as is the information hidden in a company’s PDFs and Word documents and on its website. Such metadata could include “user names, machine names, IP addresses, [and] departments,” and that information allows for the crafting of a more personal email, he said.
Cyber criminals also collect information about a target company by deploying computer viruses and by phishing—sending emails with seemingly innocent questions to gather data. Bunker noted that criminals can purchase tools to help them put together attacks.
“Viruses and phishing kits, you can now buy them off the shelf, and they get updated with the latest ways and means in which you can gather the information you need,” Bunker said. “So the tools which help you gather that information have become much more widely available and easy to use.”
Bunker cited three levels of technology used to defend against cyber criminals. Companies try to stop “bad stuff from coming in” with a whole range of technologies, including antivirus software, white-listing, and sandboxing, he said.
The second line of defense involves working within the organization to try to detect odd behavior on the network with behavioral analysis. “The last line of defense is to prevent the good stuff going out,” Bunker said, for which companies employ data loss prevention technology.
“Understanding what is your critical data is also something people need to do,” he said. “Then you can apply the appropriate defenses around that data.”
Menegon noted that large banks, and some companies, are starting to isolate their most valuable data and build additional safeguards around it. “Now they’re saying, ‘We’re going to put some firewalling and cyber tech inside the firm to segment that data,’” he said. “So even if someone breaches from the outside, they’re going to run into another wall on the inside they can’t break into.”
Educating Employees About Cyber Scams
Companies should have policies and procedures in place that are designed to thwart BEC scams, such as requiring two approvals for payments and confirming vendors’ requests for changes in payment instructions. But it takes more than policies and procedures to defeat cyber criminals, given their social engineering skills.
Bunker compared companies’ efforts to prepare for cyber scams with their fire-prevention procedures. “We know what to do in the event of a fire because we practice fire safety on a regular basis,” he said. “Organizations need to drill into people that the threat is real, the impact of falling for a scam is very real.”
In addition to reminding employees regularly about policies and procedures meant to deter cyber frauds, companies should be keeping employees up to date about the types of fraud they’re seeing and educating them about the telltale signs of a BEC scam, like an email address that differs by just one letter from the email of an executive or vendor, or a callback number that doesn’t match the phone number in the company’s files.
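The telltale signs listed above (a sender address one character off a known executive's or vendor's address, and a callback number that does not match the number on file) can be checked mechanically before a payment request reaches a human approver. The following Python is an added example and is not code from the article or from any of the companies quoted; the directory of known requesters, the sample messages, the two-edit threshold and the phrase list are all constructed for illustration.

```python
"""Screen inbound payment requests for the BEC telltales described above.

Constructed example: the directory, messages and thresholds are illustrative.
"""
import re
from typing import Optional

# Constructed directory of people who may legitimately request or redirect payments.
DIRECTORY = {
    "ceo@example.com": {"name": "Pat Jordan", "phone": "+1 555 010 0100"},
    "ap@acme-vendor.com": {"name": "Acme Vendor Billing", "phone": "+1 555 010 0200"},
}

# Language the article associates with BEC requests: urgency, secrecy, bank changes.
PRESSURE_RE = re.compile(r"\b(urgent|right away|confidential|new bank account)\b", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 is the 'one letter off' lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_phone(s: str) -> str:
    return re.sub(r"\D", "", s)


def claimed_identity(sender: str, display: str) -> Optional[str]:
    """Directory address the message appears to come from, or None if no match."""
    if sender in DIRECTORY:
        return sender
    for known, info in DIRECTORY.items():
        if display and display.lower() == info["name"].lower():
            return known
        if edit_distance(sender, known) <= 2:
            return known
    return None


def check_message(msg: dict) -> list:
    """Return human-readable findings; an empty list means no telltale was seen."""
    findings = []
    sender = msg["from_addr"].lower()
    display = msg.get("from_name", "")
    reply_to = msg.get("reply_to", sender).lower()
    claimed = claimed_identity(sender, display)

    if claimed and claimed != sender:
        d = edit_distance(sender, claimed)
        if d <= 2:
            findings.append(f"lookalike sender: {sender} is {d} edit(s) from {claimed}")
        else:
            findings.append(f"display name '{display}' matches {claimed} but address is {sender}")
    if reply_to != sender:
        findings.append(f"reply-to {reply_to} differs from sender {sender}")
    if claimed:
        on_file = normalize_phone(DIRECTORY[claimed]["phone"])
        for m in PHONE_RE.finditer(msg["body"]):
            number = normalize_phone(m.group())
            if number != on_file:
                findings.append(f"callback number {number} does not match number on file for {claimed}")
    if PRESSURE_RE.search(msg["body"]):
        findings.append("urgency, secrecy or bank-change language present")
    return findings


# Constructed sample messages, one per scenario the article describes.
SAMPLES = {
    "legit": {"from_addr": "ceo@example.com", "from_name": "Pat Jordan",
              "body": "Call me on +1 555 010 0100 if needed."},
    "lookalike": {"from_addr": "ceo@examp1e.com", "from_name": "Pat Jordan",
                  "body": "Need a wire sent right away. Call +1 555 010 0199 to confirm."},
    "display_name": {"from_addr": "pat.jordan@webmail-example.net", "from_name": "Pat Jordan",
                     "body": "Confidential project, please handle."},
    "vendor_change": {"from_addr": "ap@acme-vendor.com", "from_name": "Acme Vendor Billing",
                      "reply_to": "billing@acme-vend0r.com",
                      "body": "Please send future payments to our new bank account."},
}


def triage() -> dict:
    """Run every sample through the checks; keyed by scenario name."""
    return {name: check_message(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(name, "->", findings or "no findings")
```

The checks are deliberately simple: a lookalike within two edits of a directory entry, a display name that belongs to a known requester but arrives from another address, a reply-to that differs from the sender, and a callback number that differs from the one on file. A real deployment would route any non-empty result to the out-of-band confirmation step the article recommends rather than block on it, so that a legitimate request is delayed, not lost.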
Given fraudsters’ tactic of assuming the identities of top executives, companies should also train their employees that they can “question without recourse,” DeCrane said. “If [they] get a request from the CEO, it’s OK to question whether a $5 million or $10 million payment should go out, even if they’re told it’s a top-secret project. It’s instilling a culture that enables them to be rewarded for questioning suspicious activity.”
Bunker suggested that companies should also make it clear that employees won’t get in trouble if they open an email or click on a link that leads to trouble, in order to encourage them to report such problems as quickly as possible.
When an employee clicks on something dangerous, they “feel embarrassed they’ve done this and try to fix it themselves,” Bunker said. That’s wasting valuable time. “The sooner you tell us about it, the sooner we can sort it out. So there should be a ‘don’t shoot the messenger’ type of approach that will encourage people to say, ‘I clicked on something.’”
Certainly the tendency to click on links is hard to eradicate. Menegon noted a 2015 Verizon study showing a scammer who sends just 10 emails has a 90% chance that at least one of the recipients will click on the email. According to Verizon, almost a quarter (23%) of recipients open phishing emails and 11% click on attachments.
“That’s one of the biggest sources of concerns most companies have right now around phishing and cyber scams,” he said. “Really creating an awareness in the firm is probably step one.”