Fraud, particularly cyberfraud, remains a huge concern for corporate finance executives. A recent survey conducted by TD Bank found that treasury and finance executives expect payment fraud and cybersecurity threats to be their top challenges for 2017; these threats were cited by 34% of the survey’s respondents.
The news earlier this year that the Bangladesh central bank was hit by a cyberheist totaling $81 million illustrated the potential cost of such frauds. And in June, the FBI reported that losses from just one type of fraud, business email compromise scams, had risen by 1,300% since January 2015.
With business email compromise (BEC) scams, fraudsters gather information about a company and its executives, either on social media or by penetrating the company’s systems. Then they use that information to trick employees into sending them a payment.
For example, cybercriminals might send an email that seems to be from the company’s CFO and orders an employee in corporate treasury to wire a payment to an account controlled by the criminals. Or they might pretend to be one of the company’s suppliers and ask an accounts payable clerk to change the supplier’s bank account information so future payments go to the scammers instead of the supplier.
According to the FBI’s June report, 14,032 U.S. companies, ranging from small businesses to large corporates, were victims of BEC scams between October 2013 and May 2016, with exposed losses (attempted as well as actual) totaling more than $960 million.
BEC “is a huge problem,” said Shirley Inscoe, a senior analyst at Aite Group. “Banks are seeing lots of attacks on their customers.”
Recently Guardian Analytics, which provides financial institutions with software to detect business email compromise and other cyberfrauds, rolled out similar software for corporates. The Guardian Analytics product Sentinel uses behavioral analytics and machine learning to sniff out fraudulent activity. The software is designed for companies’ supplier portals, which suppliers use to submit invoices and maintain their contact and bank account information.
Such B2B portals are Web-based, and Guardian Analytics’s software interacts with the server operating the portal, said Luis Rojas, vice president of product management at Guardian. The server sends Guardian information about each supplier’s interactions with the portal, ranging from HTTP headers and user-agent strings to device information.
“We can see what they’re doing in the portal,” Rojas said. “All that information is shared with us in real time, and there’s a feedback loop on how the risk is escalating or mitigating in the session.”
When a supplier interacts with the portal, triggering the flow of information, “what Sentinel is doing is looking at multiple dimensions of this interaction and assessing how normal it is,” he said.
The software might pick up evidence of malware or an unauthorized location or device. For example, “they’re coming in from Russia when they normally come in from Chicago,” Rojas said. “They’re coming in in the middle of the night or from a device that has foreign characters installed.”
He said scenarios that Guardian sees with B2B portals include account takeovers, where someone uses credentials in a way that they had not previously used them; business email compromise; fake invoices; and attempts to modify wire or ACH templates. Sentinel could also be used with companies' treasury management systems or ERPs, he said.
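To make the approach described above concrete, here is an added example of per-account behavioral scoring for a supplier-portal session. It is illustration only, written for this article, not Guardian Analytics’s code or Sentinel’s actual model; the dimensions, weights, threshold, account names and session records are all constructed assumptions. The model learns what is normal for each supplier account from that account’s own history (country, time-of-day band, user-agent string, device token), charges risk once per session for each dimension that deviates, and escalates the risk further when a sensitive action such as a bank-account change is attempted inside an anomalous session:

```python
"""Per-account behavioral baseline for a supplier-portal session.

Added illustration, not Guardian Analytics' Sentinel or any of its code.
The model learns "normal" for each supplier account from that account's own
history and charges risk for every dimension of a new session that deviates.
Weights, dimensions, threshold and all sample data are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str         # supplier portal account
    country: str      # geolocation of the client IP (assumed resolved upstream)
    hour: int         # local hour of day, 0-23
    user_agent: str   # User-Agent request header
    device_id: str    # browser/device fingerprint token (assumed)
    action: str       # "login", "view_invoices", "edit_bank_account", ...


# Risk charged once per session for each context dimension that is unusual
# for this account (assumed weights; tune against real false-positive data).
WEIGHTS = {"country": 40, "hour": 15, "user_agent": 20, "device_id": 25}
# Extra risk when a sensitive action is taken in an already-anomalous session.
SENSITIVE_ACTIONS = {"edit_bank_account": 30, "edit_contact": 15, "submit_invoice": 5}
STEP_UP_THRESHOLD = 50   # at or above this, hold the action for out-of-band verification


def context(ev: Event) -> dict:
    """The dimensions we baseline; hours are bucketed into six 4-hour bands."""
    return {"country": ev.country, "hour": ev.hour // 4,
            "user_agent": ev.user_agent, "device_id": ev.device_id}


class BehaviorModel:
    """Unsupervised per-account baseline: how often each value has been seen."""

    def __init__(self, min_share: float = 0.1):
        self.min_share = min_share
        # user -> dimension -> Counter(value -> times seen)
        self.seen = defaultdict(lambda: defaultdict(Counter))

    def learn(self, ev: Event) -> None:
        for dim, val in context(ev).items():
            self.seen[ev.user][dim][val] += 1

    def is_normal(self, user: str, dim: str, val) -> bool:
        counts = self.seen[user][dim]
        total = sum(counts.values())
        if total == 0:
            return True          # no history yet: nothing to compare against
        return counts[val] / total >= self.min_share

    def score_session(self, events):
        """Walk a session in order; return (risk, reasons, held_actions).

        Context deviations are charged once; each sensitive action taken while
        the session is anomalous adds its own weight, so risk escalates as the
        actor moves from browsing toward changing payment details.
        """
        risk, reasons, held, charged = 0, [], [], set()
        for ev in events:
            for dim, val in context(ev).items():
                if dim not in charged and not self.is_normal(ev.user, dim, val):
                    charged.add(dim)
                    risk += WEIGHTS[dim]
                    reasons.append(f"unusual {dim}: {val!r}")
            if ev.action in SENSITIVE_ACTIONS and risk > 0:
                risk += SENSITIVE_ACTIONS[ev.action]
                reasons.append(f"{ev.action} in an anomalous session")
            if ev.action in SENSITIVE_ACTIONS and risk >= STEP_UP_THRESHOLD:
                held.append(ev.action)
        return risk, reasons, held


# Constructed history: one supplier's AP clerk logs in from the US during
# office hours, always from the same Windows/Chrome device.
CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/54.0"
HISTORY = [Event("acme-ap", "US", hour, CHROME_WIN, "dev-A", "view_invoices")
           for _ in range(2) for hour in range(9, 17)]


def build_model() -> BehaviorModel:
    model = BehaviorModel()
    for ev in HISTORY:
        model.learn(ev)
    return model


# Constructed sessions scored against that baseline.
NORMAL_SESSION = [
    Event("acme-ap", "US", 14, CHROME_WIN, "dev-A", "login"),
    Event("acme-ap", "US", 14, CHROME_WIN, "dev-A", "edit_bank_account"),
]
TAKEOVER_SESSION = [  # stolen credentials: wrong country, 3 a.m., new browser and device
    Event("acme-ap", "RU", 3, "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0", "dev-Z", "login"),
    Event("acme-ap", "RU", 3, "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0", "dev-Z", "edit_bank_account"),
]
NEW_DEVICE_SESSION = [  # everything familiar except the device
    Event("acme-ap", "US", 10, CHROME_WIN, "dev-B", "login"),
    Event("acme-ap", "US", 10, CHROME_WIN, "dev-B", "edit_bank_account"),
]

if __name__ == "__main__":
    model = build_model()
    for name, session in [("normal", NORMAL_SESSION), ("takeover", TAKEOVER_SESSION),
                          ("new device", NEW_DEVICE_SESSION)]:
        risk, reasons, held = model.score_session(session)
        print(f"{name}: risk={risk} held={held}")
        for r in reasons:
            print("   ", r)
```

Two practical caveats the example makes visible. First, a baseline learned from an account’s own history is only as trustworthy as that history: an attacker who is already inside the account during the learning window becomes part of “normal.” Second, a legitimate supplier who travels or replaces a laptop will also trip the device and location checks, which is why the anomalous bank-account change is held for out-of-band verification rather than silently blocked, and why a legitimate change made from the usual context passes with no friction.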
Guardian Analytics’s use of behavioral analytics and machine learning technology makes for a speedier system and avoids the false positives that can be thrown up by rules-based software, Rojas said.
“We focus on good behavior and learn that for every user,” he said. “We learn with every interaction what they do. We learn automatically without you having to train the system, and then we react. Any time the user deviates from normal, we raise the risk.
“Fraudsters, no matter how good they are, will never fully mimic a legitimate user’s behavior,” Rojas added. “There’s something they will trip up on.”
Sentinel is priced starting at $100,000, and Guardian Analytics says it is targeting Fortune 500 companies.
Rojas puts that price in context. “Some of our research indicates that each [cyberscam] can be well in excess of $100,000,” he said. “All it takes is one for the system to pay for itself.”
“The damage to your brand, that’s huge and very hard to put a price tag on that,” he added. “The loss of confidence and seeing your name splashed across the trade journals in a negative context is fairly expensive to recover from.”
Aite Group’s Inscoe noted that it’s not only companies’ money that’s at risk.
“As we go into the holidays, the thing we saw last year that I’m sure we’re going to see again is where some employee who has access gets the same kind of email, purportedly from the president or CEO of the company, asking for a report with all of the W-2 information for that firm,” she said. “They send that report and it’s obtained by bad guys, who now have a complete listing of all the employees, their Social Security numbers, and also often other personal information, like addresses.”
“It really is an insidious crime that can affect far more people than you would think of with business email compromise,” Inscoe added.
“A lot of businesses, especially small businesses, think they don’t need to worry because no one is going to target them,” she said. “But any company connected to the Internet, or that has data, is attractive to these cyberthieves.”
The BEC scams currently being perpetrated usually involve payments made via wire transfers, which fraudsters like because they’re irrevocable. But Inscoe said that now that ACH payments can be made on a same-day basis, they’re likely to attract more criminal interest.
“Anytime a system moves money in real time or in faster time, you see an uptick in fraud, because the fraudsters know that there’s less opportunity to identify suspicious activity and investigate it,” she said.
As cyberthieves work to trick employees into sending them money, companies must work to train employees to avoid being tricked.
Ed Stroz, co-president of Stroz Friedberg, a cyber risk management firm, emphasized that thieves planning business email compromise scams are at work gathering information long before they actually steal the money.
“With business email compromise, the adversary is carefully studying the target,” Stroz said. “They want to know who handles the money, where’s A/P, how do they deal with things, can I get a copy of a wire transfer form out of their system.”
Companies should guard their information by requiring two-factor authentication for access to email systems and for remote access to the company network, he said. “It’s a little bit more inconvenient to use, but it will help prevent the business email compromise that comes down the road.”
The company’s culture is another factor, Stroz said. “It’s important for companies to have an environment where people feel safe to challenge if they think something is amiss.”
One approach is for companies to try to trick their employees as a way to educate them about the possibility of being scammed. “For companies that allow a testing process where you try spear phishing, you’d be surprised how often the test is successful,” Stroz said. “It really makes an emotional impact on the individual who’s tricked and those around them.”
Inscoe emphasized educating employees about how BEC scams work. “I really do think a lot of it is about education and that education really starts with those people at the top of the company,” she said. “They need to realize this is a real threat.
“Every CEO, every CFO, they need to tell people, ‘If you get an email from me that instructs you to do something unusual, please verify; don’t take it at face value,’” Inscoe continued. “‘But don’t do that by sending me an email back, because the bad guy has infiltrated my email account.’”