Episode 117
Stories from the Front: Escalating Fraud Attacks
Host:
Craig Jeffery, Strategic Treasurer
Speaker:
Nithai Barzam, nsKnox
Episode Transcription - Episode 117 - Stories From the Front: Escalating Fraud Attacks
Craig Jeffery:
Welcome to The Treasury Update Podcast. This is Craig Jeffrey. And today’s session is Escalating Fraud Attacks. This is part of the Stories From the Front series. And I’m here with Nithai Barzam. Welcome to the podcast.
Nithai Barzam:
Thank you, Craig. Nice being with you.
Craig Jeffery:
Nithai is the chief operating officer of nsKnox, and he’s a corporate payments expert. I’m glad to have him here on The Treasury Update Podcast. I’m sure not everyone has heard of nsKnox, much to your marketing group’s consternation. But maybe you could just give us a quick one-minute explanation of what does nsKnox do? What problems are you solving?
Nithai Barzam:
Sure. So, we’re a bit of a hybrid between a cybersecurity company and a fintech. And our goal in life is to fight corporate payment fraud by providing cybersecurity solutions that help organizations protect themselves against multiple vectors of attack that, essentially, target their money. We were founded by Alon Cohen, which is primarily known as the founder and ex-chairman and CEO of CyberArk, one of the world’s leading cybersecurity companies, traded in NASDAQ. We’re backed by Microsoft, so we’re a Microsoft company. And our goal, at the end of the day, is to make sure that the CFO or the treasurer doesn’t wake up one morning realizing they’re $20 million short.
Craig Jeffery:
Yeah, I think the context of fraud has certainly escalated, so you’re in the right business. I mean, we knew that fraud was an issue before COVID hit and with COVID, I’ll just mention everybody that, nsKnox is also a member of the Treasury Coalition. And the monitor that we run, the survey that we run, showed that all the respondents reported a 36% increase in fraud attempts and attacks. So, this is significant context. And I’m setting up my next question is, this was significant before, now there’s non-standard processes, there’s more work from home. The technology environment is different, we might be running different situations. So, I want to get into that in a moment, but maybe you can tell us what happened during the lockdown? As part of the Stories From the Front series, what happened at nsKnox initially, and how did you relate to your customers as this occurred? And you could take it from a customer standpoint, employee standpoint, or a combination of those two.
Nithai Barzam:
First, maybe as a company. I guess, we were fortunate enough that we were set up for secured remote access to begin with. Employees have laptops, we have VPN access, multifactor authentication is set up, our data is securely stored on the cloud. So, essentially, we were work from home ready from the get-go, which made it kind of instant for us to be up and running from home. Customer support and customer success continued to support customers without interruption. Our R&D team, okay, they had a couple of days to get used to these daily stand-ups over Zoom instead of in-person, but continued to generate product releases on schedule as planned, and product presentations and demo. Once customers are happy to be available, it actually works really, really well. From the nsKnox standpoint, I’d say that was pretty instant.
Nithai Barzam:
And from a customer standpoint, I think this is more complex and interesting. I’ll split it into two, I guess. First, you could definitely tell that customers’ focus initially was really about the business continuity. Let’s first make sure we can make the day-to-day. Can I access the system? Can I process invoices? Can I actually make payments? Am I able to onboard suppliers? And so on and so forth. And so, let’s first worry about day-to-day work, and then worry about security.
Nithai Barzam:
Some companies like a global chemicals conglomerate we work with, simply put projects on hold. They were like, “Let’s focus on the day-to-day and not start new things.” But pretty quickly they realized that with the challenges they’re facing in terms of their day-to-day processes, as far as security is concerned, and with the increased rate of attack they’d rather implement this type of solutions. And maybe throughout March and into April, we’ve seen some slowdown in execution of projects. Then, the later part of April and into May, all projects got back on track.
Craig Jeffery:
Maybe you could talk through some of the specific challenges that some of your customers had when you were implementing, or beginning the onboarding process.
Nithai Barzam:
For starters, this is a pretty challenging task. The problem itself was huge even before COVID. You look at some of the reports from the ASB, four out of five companies are a target of payment fraud. And if you’re making more than a billion dollars, then you’re more likely, like 87% of these companies are a target. And there are so many ways that you can get attack. Has to do with your onboarding process, with getting requests to update details, with protecting your data, with affecting payments. It’s pretty complex to start with and statistics are pretty bad.
Nithai Barzam:
Tons of money gets stolen despite everything that companies were doing even before COVID, but once COVID hit, you could immediately tell a number of things. First, there was a spike in the rate of attack and the level of sophistication. And I guess that the main reason for that, or two reasons for that is, organizations were really struggling maintaining the day to day. And first they had real difficulties maintaining their processes. You’re typically used to get into the boss’s office and ask a question. Now you’re working from home, “Should I make the call, not make the call? Is he available? Is she available?” And then you try to maintain standard processes. Best practice process would probably be receive documents from the vendor, when you onboard a new vendor, when you get a request to update details, try to verify that the bank account is indeed theirs and then make an unsolicited call back. Try to speak with the right person to confirm the details. You’re calling the supplier and nobody’s answering because they’re not at the HQ, they’re home and you don’t have their mobile phone number necessarily. So what do you do?
Craig Jeffery:
Yeah. Some companies restrict the ability to forward phones out of their main offices. So it’s …
Nithai Barzam:
And then some of them will tell you, if you do get somebody to talk to, they’ll tell you, “leave the details and somebody will call you back,” which is exactly what fraudsters would do, right? They would call you back and confirm the fraudulent details. Take, for example, medical devices are manufacturer out of the US. They operate globally, about 50% of their suppliers are in the US and 50% are international. And they already had difficulties because of language barriers, time zone differences, not easy to get hold of people. And then COVID hits and they’re like can’t really get hold of people. And so the motivation to introduce some validation service that allows them to validate this without asking the supplier, relying on third-party data, made sense to them.
Nithai Barzam:
I had a discussion with a finance manager for a restaurant chain in the US and not only did they have to now get used to the fact that they’re only doing deliveries and the restaurants that can actually host people were very limited only in some of the States and so businesses not doing great to start with. And then they’re running into these side difficulties. And they actually decided to hold payments if they couldn’t validate. And she was pretty embarrassed. And she said, “We’re holding payments for 60 days now. And maybe I’m okay because some companies are actually holding for 90 days and I’m still doing okay, but how long can you hold with that?” So some real difficulties in maintaining day-to-day processes.
Nithai Barzam:
If that’s not enough, then there was a whole new set of challenges that came about with COVID. First, an increased demand of all the services around payments. Companies were scrambling to find those suppliers because they couldn’t work or couldn’t get what they need from certain companies. If you’re with a supplier in Italy or in Spain, for example, they were in a total mess and you couldn’t get anything. And you’d try to find alternative suppliers, say in China, or Japan, or somewhere else. And so more workload, but you’re at home, don’t really have the access and so on and so forth.
Nithai Barzam:
And then there was also more requests for changes, and some of them are okay, and some of them are fraudulent. There’s the known story of the ancient orders, where they’ve actually bombarded companies with emails asking “divert payments to the factory instead of to the headquarters because headquarters is closed, but we still want to ship your goods. Please use this bank account and pay directly to the factory.” So all this seems reasonable, all of a sudden, so a lot of pressure resulting a risk on itself. And everything is so problematic with work from home, a CSO, one of the high tech companies we work with shared with us, he’s saying, “You know, I’m concerned with the fact that employees from home have less focus on this thing. And we, as the company has less control. The mid-level managers, they don’t see the people on the floor anymore, so you’re not really sure if they’re doing what they should. And it’s really hard.”
Nithai Barzam:
Next in line is email, text messages, voice messages now become a bit of a standard way to communicate because nobody’s at the office, but this is really vulnerable to phone spoofing, to voice cloning, all the new techniques that those fraudsters are using nowadays. And if this was not enough, then a whole set of new vulnerabilities open up when you work from home to malware and to credential theft. Because, I don’t know, we were lucky at nsKnox, everybody had laptops, but I’m speaking with a lot of companies and some of their finance people, they don’t have company laptops and now you’re scrambling into providing them with laptops. Are they properly installed and configured? You’re actually shipping them directly from Dell or whoever and they’re not really up to standard and not as secured. People are using home wifi, easier to penetrate. Remote desktop apps are being hit. People are mixing personal devices. Home computers, personal devices, and work equipment. And a whole set of key loggers malware gets in there, credential theft become a huge, huge issue.
Nithai Barzam:
When discussing this with KPMG, one of our partners, they’ve actually indicated that employees are now five times more likely to click malicious links because they’re hidden as information that everybody creates so much. You want to get the map, you want to know how it’s in your area, and all of a sudden you’re infected. So a lot of bad bid stuff around why working from home was really bad.
Nithai Barzam:
I would just throw out there that insider fraud is also growing. There are a number of factors, which can definitely speak to, but this by itself was another risk or threat resulting from COVID.
Craig Jeffery:
What are the examples and the causes of insider fraud? Because it’s, is it due to the fact that there’s … People are working in a different environment, that they know that the controls are down or something else?
Nithai Barzam:
Yeah, it’s a bit of a mix of them all. Like when you look at drivers, what are the forces that will drive insider fraud? You could look at that three factors, basically. The first one is pressure, the second is opportunity, and then the last one is rationalization. How can I explain doing this thing? Talking about pressure, COVID crisis, this is really easy. People getting their salaries cut or partners lose their job. Mortgage, you still need to make good on the payments, rent, so on and so forth. you may be sick, somebody you love, and so on and so forth. So definitely no questions around increasing pressure.
Nithai Barzam:
Opportunity, this is exactly where I’m working from home, I’m using my laptop instead of the company’s, nobody’s looking at what I do, and there’s definitely more opportunity. And then rationalization, this one is tricky. But given so much for sure and greater opportunity, people start justifying this. Like, “My company is doing much better than I do. If I’m going to take 10K, 100K, maybe they don’t suffer as much and I really need it more than they do.” Type thing. And so we’re seeing a lot of incidents, and also the average size of an incident, increased as well. There was some reports indicating 31% increase in insider incident over the period and then the average insider incident. And overall, by the way, insider threat, insider fraud is as much greater than people believe. We always want to trust our employees, whether they’re in finance or in IT, but if you look at a study from PWC, 50% of the cases where more than a hundred million dollars were stolen, actually involve an insider. That’s pretty big.
Craig Jeffery:
How do we move past this? I mean, in terms of what’s needed today, and is there anything that has changed with what you’re recommending, what you’re looking at, what you’re advising your clients on?
Nithai Barzam:
First, I think what’s needed is understanding in two main things. Number one is organizations will not stay lucky for long. With the statistics of who gets impacted, of the volumes, of the sophistication of fraudsters, and so on, and so forth. I think companies are probably divided into the ones that fell victim and the ones that will fall victim.
Craig Jeffery:
Luck isn’t a strategy, right. It’s not a good strategy. Yeah. Okay.
Nithai Barzam:
My father used to say hope is not a strategy. I think he was bang on the mark here and I’ll use it now.
Nithai Barzam:
The second thing to keep in mind is work from home is here to stay. I know we at nsKnox are asking ourselves, does it make sense to keep all the office space? Because hey, we’re doing pretty good working from home. R and D is okay, customer support’s okay. You do want to maintain the sense of teamwork, working together, and so on, and so forth. But I’m speaking to many customers we’re considering this. And part of the future plans definitely involve work from home, regardless of COVID.
Nithai Barzam:
So with these two things in mind, it’s time we understand something needs to happen. And I would say first, treat this as a huge problem because it is. Collaborate, if you’re in finance, collaborate with your IT, and if you’re the CSO and you feel responsible for this, then make sure to collaborate with your finance team. Because the fraudsters always sneak between the cracks between these two teams. The people that actually know the process, understand what they do, understand what they need, and the people that understand the risk and have the means to potentially stop this. This would maybe be important collaboration. And lastly, I think there needs to be like a holistic approach. We at nsKnox call this the three layer approach, which is to say first address your infrastructure. A lot of things that you could do to secure the endpoints, make sure that the access is secure, that your communications, you’re using VPN and multifactor authentication, your email is secured, and so on, and so forth.
Nithai Barzam:
Secondly, it’s to look at people in process. It’s to educate and train, most organizations are doing it. The larger you are, the more likely you have these type programs, but they’re totally not enough. You want to centralize and standardize as far as process. Everybody talks about segregation of duties, not a lot of people do this throughout the process. Talk about interfaces. This is where your IT finance discussion really comes into play. And don’t rush. Fraudsters will always create a sense of urgency, and when you do things quickly, you regret. Some things were meant to be done quickly, some we should take our time. And then lastly, on top of that, you want to automate everything to do with manual processes that talk to, validation of accounts that talk to protecting your master data and talk about automating the validation of your payments. So there was a whole set of activities that we’d recommend you engage with.
Craig Jeffery:
You know, I guess the other item that I wanted to hear from you on is what else is not working well? I mean, we talk about the increased level of threats that change work environments, but what’s not working well? Or maybe you could say, here are some other exposures you want to highlight. Where are those gaps between systems, between people?
Nithai Barzam:
That’s a great question. First, I think it’s about the unfair fight, if you will, between manual processes and training versus state-of-the-art technology and psychology. As long as we keep this broken equation, the fraudsters are going to flourish. We need to fix this now.
Nithai Barzam:
I definitely think that the companies today have much more awareness of the problem, but oftentimes what I’m hearing is social engineering, “this only happens to dummies. A fraudster is able to trick you.” But the reality is this is far from it. This is really very sophisticated, very organized, and you should never underestimate the opponents. They’re really, really good at what they do.
Nithai Barzam:
And so, in addition to focusing on social engineering, which is really good, you should also be aware of the two other main vectors of attack, the insider threat that we talked about, and then the cyber attacks, and both of them are really growing over the past few years and post COVID in particular. Take a recent IDC survey that highlights that 64% of the organizations that are using SAP or Oracle ERP, and they were the one to question, I’m pretty sure it’s not specific to them.
Nithai Barzam:
We’re actually hacked during the past couple of years, this is crazy to think finance professionals believe the system is secured, but it’s not really the case. The Department of Homeland security issued a warning stating specific targeted model here is targeting ERP systems. And so definitely be careful around those. And then we talked about insider fraud growing. I think a lot is not working well. There was a lot that’s being done to improve the situation, but there’s still … In general, I think there’s a bit of a discrepancy between the frequency and the level of the risk and the level of investment in solutions. I actually think one of your surveys highlighted this pretty nicely because the percentage of companies actually planning to increase their spend on solutions definitely does not match the fraudsters intentions of investing more in stealing our money.
Craig Jeffery:
Yeah, the threat level, like you said, the sophistication, the threat level, the amount of automation they have, and their payouts create what you were saying is the … Well, you use the term unfair fight in a different way, but that’s part of the unfair fight is they’re continually targeting and probing everyone because they’re automated and sophisticated.
Nithai Barzam:
If I was to characterize them I’d say, fraudsters, they operate like a business. Some people still have this vision of a hooded guy in the basement trying to do some stuff. This is far from it. This is organized crime. This is nation state funded. There’s a UN report that highlights how North Korea stole $2 billion worth of money from different organizations. They’re professional, they get better over time, and they operate like a business. They prioritize, they segment the industry. They now invest in custom malware targeting different ERP systems. You may not even be a target, but you just happen to use this type ERP system, and then you’re in the game. My bottom line here would be, try to make this type of investment and security before you become a victim, because then there’s the monetary losses, there’s the reputational damage that you already suffer. And now you’re really ready to implement the solution, but it’s a bit late.
Craig Jeffery:
Nithai, thank you so much for your time today, and your thoughts, and guidance. You’ve given a lot of prescriptive advice, but maybe at the end you could wrap it up with a headline or some phrase that we could leave with in our minds.
Nithai Barzam:
I think I want to leave you with the following thought, the problem we’re trying to address here is huge. It’s almost like a pandemic on its own right. Although some people would not like the use of the term here. But the fact that this is such a huge problem doesn’t mean that we can’t fight it. And actually any of us that’s a finance professional has the responsibility to act. So go out and do something today, protect your company’s money and stay safe yourselves.
OUTRO:
You’ve reached the end of another episode of The Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only and statements made by Strategic Treasurer, LLC on this podcast are not intended as legal, business, consulting or tax advice. For more information, visit and bookmark strategictreasurer.com.
