Cyber Fraud: A Growing Challenge for Proactive Treasury Managers
Cyber fraud is a booming business, costing companies and consumers billions of dollars annually. Although payment fraud is but one category of cyber fraud, when cyber criminals take aim, treasury departments often are in the crosshairs: Seventy-three percent of companies in 2015 were targets of payment fraud, including check fraud, historically the largest payment fraud category, according to the 2016 AFP Payments Fraud and Control Survey, conducted by the Association for Financial Professionals (AFP). Moreover, 42% reported an increase in attempted or actual payment fraud that year.
However, there are effective ways to reduce risk and protect your company. Treasury managers can play a vital role in helping keep their organizations from sustaining potentially crippling losses. Doing so requires an understanding of how cyber thieves operate, effective countermeasures, and a systematic approach to sustaining and adapting a fraud-prevention campaign as threats and solutions evolve.
Financial institutions are allies in the war against cyber fraud, particularly since raids on corporate funds inevitably involve the target company’s banking relationships. Additionally, banks themselves are prime targets because, as suggested by the often-cited quote attributed to notorious bank robber Willie Sutton, “That’s where the money is.” Banks invest substantially in keeping themselves and their commercial and retail customers safe. They can serve as a valuable resource for treasury managers in their common defensive efforts.
Managing the threats begins with an understanding of their categories. Cyber attacks fall into three principal categories: external targeted attacks, external untargeted attacks and internal attacks.
As the category name suggests, targeted attacks focus on a specific entity, with a specific goal in mind. Of particular concern to treasury managers, of course, is the intent to steal funds. Other types of targeted attacks include theft of trade secrets and simply damaging an organization’s data infrastructure for ideological or competitive reasons.
Targeted attacks can result from a sustained effort to identify and exploit vulnerabilities. A common tool used in targeted attacks is the practice of spear phishing — sending emails to individuals within the organization, with malicious software attached or a link that, if clicked, will trigger the downloading of malware that will worm its way into the targeted system.
MASQUERADING AS THE CFO
Some cyber fraud thieves set up company manager profiles, then use altered email addresses to forward payment instructions to Accounts Payable employees that appear to be from senior executives.
In another ploy, fraudsters pose as vendors and request that their payment information be changed to conform to a non-existent change in a banking relationship. An indirect targeted attack involves an effort to penetrate your system by way of a supplier or service provider that interacts with your organization electronically.
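The two ploys above (an executive's name on an altered sender address, and a vendor asking for new bank details) can be triaged before a payment request reaches Accounts Payable. The following Python is an added example, not code from the article or the AFP; the company domain, executive list and keyword patterns are hypothetical, and the hold action reflects the article's advice to confirm by phone using contact details already on file.

```python
import re
from email.utils import parseaddr

# Constructed reference data (hypothetical): the genuine corporate domain and
# the executives whose names a fraudster might borrow on a lookalike address.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}

PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|urgent)\b", re.I)
BANK_CHANGE = re.compile(
    r"\b(bank|account|routing|remittance)\b.*\b(new|changed?|updated?)\b"
    r"|\b(new|changed?|updated?)\b.*\b(bank|account|routing|remittance)\b",
    re.I | re.S)
# Common digit-for-letter swaps seen in lookalike domains; hyphens are dropped.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})


def is_lookalike(domain: str, genuine: str) -> bool:
    """True when an unrelated domain imitates the genuine one's brand label."""
    if domain == genuine or domain.endswith("." + genuine):
        return False                      # the real domain or one of its subdomains
    brand = genuine.split(".")[0].translate(SWAPS)
    return brand in domain.translate(SWAPS)


def triage_email(from_header: str, subject: str, body: str) -> dict:
    """Flag CFO-masquerade and vendor bank-change patterns; decide routing."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name].lower():
        flags.append("executive-name-mismatch")
    if is_lookalike(domain, COMPANY_DOMAIN):
        flags.append("lookalike-domain")
    if PAYMENT_WORDS.search(subject + " " + body):
        flags.append("payment-instruction")
    if BANK_CHANGE.search(body):
        flags.append("bank-details-change")
    suspicious_sender = {"executive-name-mismatch", "lookalike-domain"} & set(flags)
    # Any bank-detail change, or a payment request from a doubtful sender, is
    # held until confirmed by calling a number already on file (never one in the email).
    if "bank-details-change" in flags or ("payment-instruction" in flags and suspicious_sender):
        action = "hold-and-verify-by-phone"
    else:
        action = "route-normally"
    return {"flags": flags, "action": action}
```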
Untargeted attacks seek opportunities for theft by casting a wide net, such as massively distributed phishing emails seeking sensitive information either directly or by luring victims to a bogus website designed to draw confidential information fraudulently. Once sufficient data is acquired to provide enough ammunition for an attack, the perpetrator will zero in on a promising target.
STAGES OF ATTACK
As summarized by the Communications-Electronics Security Group (CESG), the information security unit of the Government Communications Headquarters (GCHQ), Great Britain’s equivalent of the American FBI, the basic stages of targeted and untargeted cyberattacks are as follows:
- Survey: Investigating and analyzing information about the target to spot potential vulnerabilities
- Delivery: Reaching the point in a system where a vulnerability can be exploited
- Breach: Exploiting vulnerabilities to gain unauthorized access
- Affect: Carrying out activities within a system that achieve the attacker’s goal
Internal attacks, simply an electronic form of embezzlement, represent a greater risk than many organizations recognize. Although fraudulent ACH transactions are relatively rare, when they do occur, accomplices within an organization are often to blame. A lack of sensitivity to this threat makes it all the more dangerous.
Establishing effective countermeasures begins by taking inventory of current enterprise-wide cyber fraud defense policies and procedures, as well as those specific to treasury operations. The review should focus on how recently they were put in place, given the rapid evolution of cyber fraud threats. In addition, the review should include analyses of any breaches that have already occurred and measures that were taken in response. Performing daily reconciliations is one way to safeguard against malicious attacks.
CONVENE A TASK FORCE
If current policies and procedures appear outdated or otherwise deficient, treasury managers can seize the initiative to convene a multi-departmental task force to address the situation. In addition to treasury, essential players include the IT, legal, security, risk management and finance departments.
BEST PRACTICES CHECKLISTS
Thoughtful policies and procedures can help to minimize an organization’s vulnerability to cyber fraud on a day-to-day basis. One set of best practices includes some that, while fundamental, are sometimes neglected after a long trouble-free period:
- Never respond to a suspicious email or click on any hyperlink embedded in a suspicious email. Instead, call the purported source if you are unsure of its origin. If an email claims to be from your bank, call a client services representative before taking any action.
- Make sure all of the computers your staff members use for work-related business — at the office and at home — have the latest versions and patches of both antivirus and antispyware software.
- Install a firewall between your computers and the Internet.
- Restrict administrative rights to install programs to IT staff.
- Check your settings and select at least a medium level of security for your browsers.
- Clear the browser cache before starting an online banking session to eliminate copies of Web pages that have been stored on the hard drive.
The following treasury department procedures reduce both internal and external cyber threats:
- Dedicate and restrict one computer to online banking transactions; allow no Internet browsing or email exchange and ensure this computer is equipped with the latest versions and patches of both antivirus and antispyware software.
- Set up alerts to notify managers of payments initiated above a threshold amount.
- Use dual controls, requiring multiple users to initiate and release an online payment.
- Reconcile by carefully monitoring account activity and reviewing all transactions initiated by your company on a daily basis.
- Use separate accounts for electronic and paper transactions to simplify monitoring and tracking of any discrepancies.
- Set limits on vendors eligible for payment and dollar limits on those payments.
- Create customized alerts and security challenges.
- Encourage the safeguarding of user IDs and passwords, as well as the use of mobile tokens to reduce the risk of security credentials being left out in the open.
The following best practices are more inwardly focused:
- Segregate responsibilities among different employees by maintenance, entry and approval.
- Delete online user IDs as part of the exit procedure when employees leave your company.
- Assign dual system administrators for online cash management services.
- Periodically evaluate employee job functions and remove unnecessary access to online services.
- Establish transaction limits for employees who initiate and approve online payments.
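The treasury procedures above (threshold alerts, dual control, vendor and dollar limits, daily reconciliation) and the inwardly focused controls (segregation of duties, per-employee transaction limits) can be expressed as a single release check plus a reconciliation step. This Python is an added example, not code from the article or any bank's product; the vendor list, role assignments, limits and sample bank debits are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy data (hypothetical values).
VENDOR_LIMITS = {"V100": 25_000.00, "V200": 5_000.00}       # eligible vendors and per-payment caps
EMPLOYEE_LIMITS = {"alice": 50_000.00, "bob": 10_000.00, "carol": 100_000.00}
ROLES = {"alice": "entry", "bob": "entry", "carol": "approval", "dave": "maintenance"}
ALERT_THRESHOLD = 20_000.00                                  # notify managers at or above this


@dataclass
class Payment:
    ref: str
    vendor: str
    amount: float
    initiator: str
    approver: Optional[str] = None


def check_release(p: Payment) -> dict:
    """Apply vendor, dual-control, segregation-of-duties and limit rules before release."""
    problems, alerts = [], []
    if p.vendor not in VENDOR_LIMITS:
        problems.append("vendor-not-eligible")
    elif p.amount > VENDOR_LIMITS[p.vendor]:
        problems.append("exceeds-vendor-limit")
    if p.approver is None or p.approver == p.initiator:
        problems.append("dual-control-missing")          # two distinct users must act
    if ROLES.get(p.initiator) != "entry":
        problems.append("initiator-role")                 # only entry staff may initiate
    if p.approver is not None and ROLES.get(p.approver) != "approval":
        problems.append("approver-role")                  # only approval staff may release
    for who in (p.initiator, p.approver):
        if who is not None and p.amount > EMPLOYEE_LIMITS.get(who, 0.0):
            problems.append("exceeds-employee-limit:" + who)
    if p.amount >= ALERT_THRESHOLD:
        alerts.append("manager-alert")                    # alert even when the payment is valid
    return {"release": not problems, "problems": problems, "alerts": alerts}


def reconcile(initiated: List[Payment], bank_debits: List[Tuple[str, float]]) -> dict:
    """Daily reconciliation: a bank debit with no matching initiated payment is unexplained."""
    expected = {(p.ref, round(p.amount, 2)) for p in initiated}
    posted = {(ref, round(amt, 2)) for ref, amt in bank_debits}
    return {"unexplained_debits": sorted(posted - expected),
            "not_yet_posted": sorted(expected - posted)}
```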
FINANCIAL INSTITUTIONS: A RESOURCE AND MODEL FOR CYBER THREAT DEFENSE
Positioned on the front lines in the war against cyber fraud, financial institutions can be a helpful source of tools and guidance on security measures — both those particular to the needs of individual treasury operations, and more broadly. Basic examples of tools they can provide include ACH debit block and positive pay services, along with dual authorization for transaction initiation.
Banks use and encourage the use of a multilayered security strategy to defeat evolving security threats. That is because no single control mechanism is ultimately effective in preventing fraud.
In their own layered strategies, institutions use both overt (visible) and covert (behind the scenes) controls to combat cyber fraud. Overt controls include user name/password, pattern log-in, tokens (including new virtual tokens that can be downloaded to a mobile phone or tablet), biometrics, consumer education, alerts and notifications.
Examples of covert controls, used in combination, include:
- In-session monitoring and rules management
- Negative lists (i.e., known bad computers)
- Frequent application patching and updating
- Threat intelligence collection and sharing
- Spend/deposit limits
- Email authentication and phishing defenses
To maximize security and maintain the confidence of clients, it’s critical for banks to continually review fraud trends, participate in information-sharing forums focused on security, and review new threats to maintain the effectiveness of their risk-mitigation measures.
Given the rapid pace of the development of new and ever more sophisticated cyber threats, contingency plans, security policies and procedures can’t be allowed to gather dust. A popular declaration in the early 19th century, “Eternal vigilance is the price of liberty,” holds true today in many contexts, including the freedom from cyber fraud. Vigilance, combined with proactively implemented effective countermeasures and leadership from treasury managers, gives a company the best chance of keeping this growing threat in check.