2020 AFP Security Panel Discussion:
Protecting the Payments Process

INTRO: 

Welcome to The Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis and insights in your car at the gym or wherever you decide to tune in. On this episode of The Treasury Update Podcast, we feature our 2020 FinTech Hotseat Security Panel discussion at the AFP Virtual Conference. Moderator Doug Hartsema, managing partner of the Hartsema Group, interviews Chris Gerda, Risk and Fraud Prevention Officer of Bottomline. Scott Lambert, Treasury Managing Director of Cigna. Mohammed Al-Zraiqat, Senior Financial Crime and Fraud Manager of Bottomline and Craig Jeffery, Managing Partner of Strategic Treasurer. This discussion centers around the greatest concern today and in the future on the escalation of cyber fraud attacks, the mindset changes and activity shifts that are required, the right security roles and how they can properly collaborate and more. Listen in to this crucial conversation to find out what steps treasury must take to continually improve payments security. 

Craig Jeffery: 

I’m Craig Jeffrey, the Managing Partner of Strategic Treasurer. We’re an advisory and research firm based in Atlanta, Georgia. I’m delighted to have everyone here to talk about security and I’ll turn it over to let each of the panelists introduce themselves. 

Scott Lambert: 

Thanks Craig. My name is Scott Lambert, Managing Director of treasury for Cigna. Cigna is a global health service company. 180 million customer and patient relationships in 30 countries. We have about 70,000 employees. Our 2019 revenue was approximately $153 billion. My responsibilities are treasury operations, so I have about 44 employees located throughout the United States, and I have two employees located in Hong Kong. 

Mohammed Al-Zraiqat: 

Yeah. My name is Mohammed Al-Zraiqat. I’m working with Bottomline Technologies as a Senior Financial Crime and Fraud Manager. My responsibility is about understanding the market conditions and listening to customers and trying to come up with a solution that tailors and try to prevent fraud and financial crimes. So Bottomline is a public health company and we basically provide services and on payments and also technology on the fighting financial crimes and complying with local and international regulations. We basically, help people pay and get paid. So that’s basically what Bottomline is all about. 

Chris Gerda: 

Hi, I’m Chris Gerda and I lead the risk and fraud prevention efforts for Bottomline’s Paymode-X line of business, which is a 485,000 network members strong, processing $285 billion or so annually, to vendors in authenticated payment network to prevent against fraud. 

Craig Jeffery: 

Great. Scott, Mohammed, Chris, thank you for your introductions and I’ll introduce you to our moderator today, Doug Hartsema. Doug, maybe you just fill in a little bit more and we’ll get going. 

Doug Hartsema: 

Okay, great. Thanks. I’m Doug Hartsema. I’m the Managing Partner of the Hartsema Group. We’re a small specialized consulting practice that runs customer advisory groups, primarily in the banking and treasury space. So let’s get started. A quick overview of what we’re going to cover today. First of all, we’re going to do an inventory of the concerns around cyber security and fraud, and payment risk, and payment fraud. Then we’re going to talk about business email compromise, particularly around the crisis. Account takeover fraud, system penetration, sort of your worst nightmare. We want to talk about attack vendors, the bad guys, and then finally, a vaccine for cyber fraud. We’re going to ask the question, is this ever going to be easy? So let’s start with the concerns inventory. 

Doug Hartsema: 

Everybody watching this event has a list of concerns on the topic of fraud and cyber security. There’s certain things you’re worried about, but the folks that we have on this panel are experts. So given your expertise and your daily interaction in this space, your list might be slightly different from those that are watching this presentation. So let’s start with the one or two of the top concerns that you see in this space. We’re going to talk to the technicians and the practitioners. So in this case, let’s start with the practitioners. Let’s do that. Let’s start with the technicians here. Let’s start with Chris. 

Chris Gerda: 

Sure. Thanks, Doug and I appreciate being here and going through some of these tactics, especially in this COVID environment. So I think the top two, top three for me, one would definitely be account takeovers, which we’re going to get to. Those are really precipitated by the increased phishing attempts that are out there and why those attempts are successful. The second would be, I think it’s significant is ransomware due to the ability to deliver malware more effectively because the numbers game now has this new excuse of COVID-19 to get people to click download and to pressure them into opening new attachments. Those are probably two of the most damaging ones and the ones that become harder when you’re in a work from home environment and you can’t do callbacks the same way you usually would. 

Doug Hartsema: 

Craig, let’s go to you next, the customer view on this. 

Craig Jeffery: 

I look at it because we work with a lot of customers, a lot of companies, and I guess one of the things I would say related to our research is, because these threats are sophisticated. The criminals are both persistent and automated, the attack levels escalate. Chris mentioned a couple of great examples of why there’s an increased level of concern. So I’m taking a broader approach and saying, because the threat is escalating so dramatically, and people are spending more to provide a defense. My bigger concern is that the level of confidence people have with what they’ve done last year or two years ago, is making too many people complacent. They think they have things lined up. So I think the concern is really around the element of making sure your defenses continue to increase, to exceed the increase in the attack level. I’ll leave it at that. Chris laid out a couple of really, really key attack types that are a concern too. 

Doug Hartsema: 

Okay. Again, changing gears, Mohammed from Bottomline. 

Mohammed Al-Zraiqat: 

Yeah. So one of the really biggest challenge that we are seeing in the industry and speaking to customers and even with regulators as well is the authorized push payments fraud. So this is really significantly over the last couple of years, and 2020 with everyone working from home is really not an exception. What’s very interesting about this type of fraud is you as a person, you authorized your financial institution or corporate to make the payment yourself. So the challenge here is, it is very hard for institutions to know if it is intentional by being complicit to the fraud or being really a subject or victim for fraud. So this is really something that makes it challenging for institutions to figure out what was the real reason behind it. So authorized push payment, and there’s a huge increase even in Europe, in general about the whole crime. So this is really one of the biggest challenges I could see in the industry. 

Doug Hartsema: 

Let’s wrap up with Scott from Cigna. 

Scott Lambert: 

Yeah, I would say that my two largest concerns at the moment are, it’s still business email compromise and specifically vendors or healthcare providers that we deal with that their email’s been compromised. We’ve seen a number of attempts where fraudsters have actually hacked into a vendor’s email system and try to change instructions. We see quite a bit of that even more during COVID. Then the other one on my list it’s account takeover similar to Chris. Not only is it a concern for the Cigna accounts, but also for the client accounts that we manage, whether it be kind of our administrative services business, or kind of the health savings accounts that many of our have. 

Doug Hartsema: 

Quick follow up, for anyone. Do you think your list of top concerns is going to be different, say a year or two, three years from now? 

Mohammed Al-Zraiqat: 

As I mentioned, we noticed there is a increase over the last couple of years and the authorized push payments and the UK Finance, which is an association here based in the UK, responsible for providing some services on the financial sector. They provided actually a staggering number. There is a 29% increase from 2018, over 2019, and talking to customers, understanding the data that we have about customers, how they are using our fraud detection systems and stuff. We realize there is a huge significance of people working from home that led to people seeing these numbers increase. So I don’t see, for the upcoming at least couple of years and a decrease of the authorized push payments, given the fact people want to have transactions processed faster and also the disability and also the non anonymous concept of the fraudsters behind it. So I still believe there would be an increase over the coming years and the authorized payments as well. 

Craig Jeffery: 

I think I will jump in too, and say that as we’ve seen over the last four or five years, there’s a new combinations of attack methods, where business email compromise for example, is combined with data exfiltration, increasing their yield by about 11 fold for financial returns. We expect to see more combinations of that and just like we also saw earlier, where phishing emails were written so horribly, everyone kind of laughed at them, and then they’ve been able to escalate what’s going on. We expect increased sophistication across all areas, which necessarily means something’s going to change with that. The one thing we see happening is, I expect to see some improvements and I don’t want to give too many clues to those who are criminals, who are trying to take advantage of different payment systems or attack methods. 

Craig Jeffery: 

They don’t always understand how the payment systems work very well. They continue to find out more each month, each quarter, but sometimes they’ve made some very, what we would consider foolish mistakes, but they’re learning and fixing those. So I think there’s going to be bigger issues in payment systems, but I don’t want to be more specific about that. I think we could all relate to some examples where they were caught by luck, by not knowing a piece of information. 

Chris Gerda: 

I think that’s a great point, Craig. The criminals are always going to gravitate to the weakest link in the chain of technology or the policies within an individual organization that they’re targeting. So when you look at, in the recent two year fold, they started finding that two factor authentication was the blockade of stopping them to getting into account takeover. So they moved to, how can I take over two factor authentication, and now SIM port fraud has become a much more prevalent fraud tactic so that they could get that big payday. So how do we stop SIM port fraud and what’s the next step there? We’ll talk about that. I’m sure an account takeover in upcoming questions, but always being, what is the weakest link? The scheme doesn’t really change, the overall business email account compromise, account takeover. Those remain the top concerns, I think for me in the next two years, but the tactic by which they perpetrate those frauds, changes. 

Scott Lambert: 

Chris, maybe just to add onto that, to your point, the fraudsters are always looking for the weakest link. I think it’s important for companies to understand what their potential vulnerabilities are and to your point, I think a lot of companies have really spent a lot of time building up their defenses around business email compromise, looking at account takeover. I guess what concerns me is what’s next? What’s out there that I don’t know about now that I might have to worry about two years from now? 

Doug Hartsema: 

Let’s dig a little deeper into the business email compromise and how that’s changed. One of my favorite quotes, is never waste a good crisis. That quote didn’t come from a criminal, at least not that I know of, but unfortunately the criminals really are trying to capitalize on this current crisis. So specific to business email compromise, what are you seeing that wasn’t happening pre crisis? Let’s start with the technologists this time. Let’s do Chris and Mohammed, and then the practitioner view from Craig and Scott. So Chris. 

Chris Gerda: 

Largely the business email account compromise scam has remained the same. It’s the social engineering angle that changes. So fraudsters are using COVID-19 and the empathy that everyone has for one another, as their ability to put pressure on organizations they’re targeting to not do a call back because they’re not at their desk, because they’re working from home. So they’ve been able to not only do that, but they’ve actually been able to deliver more successful phishing emails. One of the most successful ones was the John Hopkins COVID-19 heat map. So people, when they’re under pressure, they want knowledge and COVID-19 is putting that on us, and so fraudsters are sending links out that are the best clickbait they could possibly have because of the pandemic. 

Chris Gerda: 

That gives people the click, and then they’re going to give up their Microsoft credentials to their Outlook, to access said document. Then all of a sudden they’re phished and the fraudster can enter into their email. So COVID-19 in short has been the social engineering hotbed that has been the difference in how BEC scams are being conducted right now. 

Mohammed Al-Zraiqat: 

Here at the Bottomline, for example, we have almost 3000 customers, primarily corporates using our fraud detection systems that we provide. We clearly noticed from the data that we have and the statistics, plays a huge rise in the cases that’s flagged as unusual for our customers basically to look into this and review of this kind of type of activities. This in my opinion, really ties the two aspects, mainly because from technology standpoint, the technology that relies really heavily on how the customer’s ultimate customers are spending behavior is and how they are using their payments or financial systems into this, slightly changed during the pandemic. Usually you spend normally before that, then you suddenly start to spend and your spending behavior has changed. That naturally leads to a system to digest this information. 

Mohammed Al-Zraiqat: 

Because it’s based on the profile, there’ll be change in the customer profile and the system will need some time to adjust and quickly try to adjust to that kind of change and shift to that. This comes off obviously with some sort of high level of false positive rates. As a result of that, and again, this is not true because systems rely on the behavior profiling of customers, and if there is any deviation of that, these will get flagged. The second aspect of it is basically customers start to use more of the remote payment channels, such as cards or online payments, faster payments. They rely on the information that they receive from their customers. If this information has been compromised, for example if you take the CEO fraud type, and that’s basically, you pretend that you are the person who was behind that email, but you turned out not to be. 

Mohammed Al-Zraiqat: 

Unfortunately, it opens the door so wide for fraudsters and to thrive and also to use that as vulnerability for some victims due to the lack of their awareness or maybe knowledge. That really causes some losses for customers, victims, and also financial institutions as well. 

Doug Hartsema: 

Let’s transition to the customer piece. Scott and then Craig. 

Scott Lambert: 

I guess from a business email compromise perspective, we’re not seeing as much, well, I’ll call it the emails from… Kind of the fraudulent emails, apparently from an executive asking to transfer money associated with a big deal that stopped. We saw a number of those a couple of years back, but I think companies have done a pretty good job and the fact that when emails are received by the company, you can usually tell if it comes from the outside or not. We’ve done enough training internally to tell all our employees that they won’t receive emails from an executive asking them to transfer money. We’re pretty good about doing mandatory training every year and treasury also. We take a lead and also help our business partners with fraud training. 

Scott Lambert: 

What we are seeing in increase though, is on emails from vendors or healthcare providers asking to change banking instructions. In the past, we were always trained to kind of look for anomalies within the email address that it’s not quite from the vendor. It sort of looks like it comes from the vendor, but there might be some slight difference in the email address from where you’re receiving the email that would tell you that it’s not from them. What we are seeing more of is that the vendor’s email systems are being hacked and it really is coming from the vendor’s email system and it is a legitimate email address. Those are the ones that are a little scarier, but we have certainly implemented fraud control prevention practices within the company that we’re not going to act on an email, we’re going to call back somebody within the company. I know the relationship contact. 

Scott Lambert: 

The other thing that we’ve been doing too, is we’ve been implementing account validation software too, where we could type in an account number and an account name, and we’ll get feedback fairly immediately as to whether there’s a match or not. So those are a few of the things that we’re working on. 

Craig Jeffery: 

Following on some of the discussion that, what’s effective with the lie, I guess. Part of the lie of a business email compromise is if you seed in more truth that exists there. Some of the examples are someone receives an email, it says our main headquarter offices are closed. Everyone’s working from home, we need to change payment instructions, so that it can be received and seen by the factory, here’s the information. So you’re like, Oh, the fact the headquarters is closed. Finance is closed, they’re working from home. So there’s a number of things that marks you in that direction. In addition to the clickbait, like Chris had mentioned, there’s this more believable storyline that you’re nodding your head three times, and then the fourth one is where it’s shifted. 

Doug Hartsema: 

Let’s go into account takeover fraud, the second most popular concern. Obviously there’s a risk in today’s environment. On this topic though, rather than what’s happening out there, I want to shift the question away from what’s happening to what can we do about it? What can we actually do about account takeover fraud? Again, I want to start with a technologist. So how about Mohammed first, then Chris? 

Mohammed Al-Zraiqat: 

Yeah. One of the greatest examples I always refer to is what the UK has come up with the initiative, which is the confirmation of payee. This is really a good example of how you can eliminate at least as much as possible of this. So as I mentioned earlier about the significant increase in the count to, sorry, the authorized push payments, it’s really reaching about in 2019 about equivalent to the $600 million last year of the fraud subject related money that has been basic subject for this type of fraud. This is significant. So UK financial regulators mandated the largest six banks in the UK to come up with a significant or a specific initiative to help minimize this type of fraud. Basically, and it’s really depends on the sharing of the information between these financial institutions. 

Mohammed Al-Zraiqat: 

That ties up to the share of liability with the end customer as well, make the customers also liable of this kind of fraud as well as the financial institution. So this is also on the other hand, also increases the customer experience. If you give the customer the option to make sure that they know where the payment is going to, this is a significant increase in the satisfaction. The confirmation of payee basically is live now in the UK and somewhat where the data sharing, as I mentioned, it’s basically a name matching service. If you think about this, in which when you set up a new payee, you have to make sure this is the account number, this is a source code, which you use it specifically, and also it matches the name on the account within the institution. 

Mohammed Al-Zraiqat: 

This is significant because it makes sure that the payment is going to the ultimate person that you know this person is behind it and whatever it is, the account take over, or even authorize payment, you make sure the payment is going to the right people. One good example is Lloyd’s bank basically shared statistics after the participating in the confirmation of payee protocol here. They had shared, actually they got 51% reduction in the authorized push payments for what they currently have. This is a huge, significant amount of saving for the financial institution and also remove a lot of burden from the ultimate end customers. 

Doug Hartsema: 

Chris, anything to add to that? 

Chris Gerda: 

Yeah, absolutely. So confirmation of payee, we have similar type of services in the United States that financial institutions utilize. It’s not stemming from the regulatory body where it does in the United Kingdom, but I see that as falling kind of in the middle of a defense strategy to prevent this. The first thing to prevent account takeover is to enable two factor authentication on everything you have. Email, your computers at home, your bank accounts, and if you have the ability to use an authenticator app, use that over a text message because it’s more secure. Also, I talked about SIM port fraud earlier, make sure that your cell phone account has a pin number that a fraudster would need to have in order to move your SIM card, which is essentially your cell phone number to another phone, so that you have another blockade for them. 

Chris Gerda: 

That kind of controls the moat around the castle, and that comes before you even have to worry about authenticating an account. Those are extremely important. Do it both on your personal and your business life, because as we’ve seen, they’ve just collided and we have to make sure that everything we have is secure to make our companies secure. Then I also see after that payee confirmation, bank validation type of process, we see a lot of people moving larger corporates to in-house payment monitoring. Not relying on the banks as much to detect a fraudulent payment, but actually taking control themselves because they know their business better than anyone else. 

Chris Gerda: 

So what keeps strategic leaders up at night is payments to new payees that didn’t actually maybe follow the validation process as well as they needed it to be done and they can put flags and interdict payments before they even go to the bank for processing. So they can have a level of oversight. Today’s environment, you have to assume you’re going to be breached and figuring out how to block those things proactively rather than reactively is really the method you want to take. 

Doug Hartsema: 

Perfect segue into my next question for Scott and Craig. So for you guys, the question is slightly different. Fraud detection, prevention requires a partnership with the banks, your technology providers, their technology providers, and their customers. So from your perspective, what’s the current state of that fraud partnership and what could be done to improve it? 

Craig Jeffery: 

So that’s a really good question. How are the three elements working together? I’ll give some examples that might be the best way to look at it. So some technology firms offer a range of additional services, same thing with banks, they offer validation, confirmation, checking and it always seems to some people that they’re offering these items for sale, for profit and their attitudes sometimes has been, why are they trying to make a profit on all this? Aren’t they liable as it is. I think banks have gotten a lot better about educating what’s going on and they’re really trying to protect their clients. They’re trying to protect them with these services, but they’re also doing quite a bit in the education front. 

Craig Jeffery: 

So whether it’s providing training to their corporate clients, firms like Bottomline or banks are offering different types of training or courses or seminars to make sure people can detect those. That’s really a key part of this idea of a partnership, where they’re sharing what they know. Banks, technology, firms, payment providers, like Bottomline are ones that can easily share the knowledge of dozens and hundreds of customers and share that to companies who may experience a few things or have a small network that they’re gaining information. So I think the knowledge is a real key element of the partnership. Knowledge sharing and training. 

Scott Lambert: 

Yeah. Again, and Craig, I’ll add onto that. So we worked very closely with our banks and our technology partners to kind of get a better understanding of here’s what we have in place, what could we be doing better? Kind of having that collaboration I think is very important. To Chris’s point, we ensure that all of our payment platforms do have multi-factor authentication and for our SAS platforms, we even go a step further. So not only does it have multi-factor authentication, but we also work with the vendor to have IP address restrictions. So if a transaction is initiated and it doesn’t come from the specific IP address, then we have certain restrictions around it, and plus you can’t even get into our system if it doesn’t come from that particular IP address. Other things that we’re dealing with are banking partners and technology vendors, I know that there was discussion around account validation. 

Scott Lambert: 

We’re starting to, I mean, we’re using that more and more. I will say it’s not a perfect solution, so it’s only as good as the information that the banks contribute into that large, very large database. We’re still finding that a number of our global banks I think are fairly represented within the database, but a lot of the smaller banks and credit unions aren’t potentially contributing information into that account validation database. So it’s only as good as the information that’s there, but it is getting better. The other thing, some of our banks are doing now is they’ve put artificial intelligence around their payments databases. So we noticed that a few of our large disbursement banks are contacting us now and saying, hey, we’ve noticed that this is the first time you’ve made a payment to this payee, is it valid or not? Initially it was kind of driving me crazy to do doing all these acknowledgements, but I’ve grown to really appreciate it. 

Mohammed Al-Zraiqat: 

If I may add also, I can’t really agree more on the training and raising awareness to the customers and the ultimate users actually of the system. So, Bottomline, what we use actually, we set up what we call advisory board in which we actually sit with each customers across the regions and we designate different teams across different regions, because they know exactly what the market conditions are, what kind of type frauds that increasing in a specific region and this advisor role basically is sitting with the customers, try to help them try to fine tune the system that works the best for them, and try to make sure that they get the value out of the systems. Increasing the awareness as well and making sure that everyone is aware of what the current challenge is. So this is really something that ties into the partnership between the two parties. 

Doug Hartsema: 

Let’s transition to system penetration. Has to be the nightmare scenario for all of us, but of course we know that system penetration only happens in another country with someone else’s customers or another company, right? Can’t happen to us. Today’s audience are primarily bankers and corporate practitioners, probably about half and half. So what advice do you have to bankers and or corporate practitioners about how to address and or prevent this nightmare scenario of a full-on system penetration? Again, let’s start with the technologists. Let’s go, Chris first. 

Chris Gerda: 

If I think system penetration, I’m going to take the example of ransomware. It’s the one we hear the most often. It shuts down and lately has been just snarling hospitals to a halt or if you’re central corporate to business and you need to maintain your operations. The first thing I’d recommend is get cozy with your IT department as a business leader. Understand how your data is encrypted. Is it encrypted at rest? Is it encrypted at transit? Have a flow chart, understand where your weak links are and make a plan to always be moving forward and closing any loopholes that you see and be really blunt about it. Don’t kind of beat around the bush, so to speak about the possibility of something happening. With that, establish that incident response plan. It doesn’t have to be a book and it shouldn’t be something that’s too stringent to follow. 

Chris Gerda: 

It needs to be flexible and give you an ability to work within some sort of common framework. So when something happens, you’re not scrambling right off the bat, and then finally partner with, if you’re large enough, your third party firms that you may use, you may already be looking at them to come in and if there’s a cyber incident, how will they help you? Or proactively speak with them about how those services work, so that maybe they’re slightly familiar with your systems already. They know you, maybe you have an arrangement with them set up, so when something happens, the people that are coming in to set you back up, to get you running and get your customers online, know you and know your systems to some extent. 

Mohammed Al-Zraiqat: 

Yeah. When you think about all of the data that Chris mentioned, there’s a huge amount of data that lies within the firewall and the IT department. So this is data that comes in and out and being monitored on traffic. If you apply some sort of analytics of how usually your data traffic looks like, and if there is any deviation or any increase or any anomalies, and these kinds of traffic, you can basically use or you record and play and analyse anything that’s suspicious enough for this traffic data that comes in. Huge amount of data every department has their own IT department, which all this traffic comes into through the network. It’s very important to build some sort of analytics of how usually it looks like even during the peak time, during the ease time. You can analyze this and build a profile, even on the network itself, as much as you are building profiles over customers behavior and spending behavior or stuff like that. 

Mohammed Al-Zraiqat: 

Regardless if its financial institution or corporate, it is really… There is a treasure there in which you can build up analytics and try to profile the network flow and the traffic and build any anomalies that could really stem out of this from practicality standpoint. 

Doug Hartsema: 

Great, thanks Mohammed. So from a corporate standpoint, system penetration, Scott. 

Scott Lambert: 

Yeah. It’s certainly not my area of expertise, but I do have meetings and I do meet periodically with our data security team, and I know that we have a large group that’s continually monitoring our networks for data intrusion. I know that they utilize third-party companies that attempt to hack into our network and have groups that kind of monitor. They do these red team, blue team exercises also, continually throughout the year and are always evaluating potential vulnerabilities to our networks, et cetera. I will say that training is also key. We go through training every year or two. Train all of our employees not to click on any links that are sent in emails and we actually do phishing training exercises where an email will be sent to an individual, and if you click on the link, it says, okay, you failed. 

Scott Lambert: 

If you fail a couple of times, you have to go through training again. That’s done throughout our company as well. Then, kind of getting back to multifactor authentication, I know Chris had brought that up earlier, but having multi-factor authentication on all of our treasury systems has been important for us as well. 

Craig Jeffery: 

Scott, great points and Mohammed, I love some of the things that you were saying. I think one of the elements of advice that you’re asking for Doug, one is on perspective and the other will be just more tactical pieces of advice. I think the perspective is the difference between being paranoid about the defense and being derelict in your duties can be two months to two years. So what’s considered that’s way overkill today may not even be enough in a few years, and that’s just the general issue of what’s taking place. So in Mohammed’s point about using technology to find and detect problems, I think is brilliant because to defeat the automated sophisticated hackers that are using technology tools, we need tools in our defense. That’s probably the only way that can occur. 

Craig Jeffery: 

Scott mentioned training. That’s a good point. Training with testing is vital. A couple other ways of protecting against this, I think is this idea of vulnerability scanning and penetration testing. Those seem like those are check the box, we’ve already done those. We work with large companies, small companies, our company is under 50 people, and the amount of attacks and attempts that we get, it seems unbelievable to me, despite the fact that we do surveys and see how persistent, prevalent, and automated these types of attacks are. Any given day, we were realizing 750 to 1100 attack attempts. We had to outsource some of the defense just because the number of attacks and attempts was outrageous. I can only imagine what’s going on at Cigna and other companies, if we’re experiencing that. 

Craig Jeffery: 

So we’ve had to leverage outsourcing tools and techniques, and we run vulnerability scans constantly that requires immediate fixing, and then we have the red and blue team of the… You pay people to try to break into your system. You share more information than you share on the web so that they have the ability to probe your system. I think that’s true. The technology pros need to know that, but also treasury and payables professionals, we need to know how do you make sure you’re attuned to that and this other last concept is how are you benchmarking yourself against practices that others are doing? Where do you fall in there and then what should you be doing from what your technologist, your bankers and the industry’s saying? 

Doug Hartsema: 

Let’s change the subject a little bit. Let’s talk a little bit about the crooks themselves, what we’re calling attack vectors. Another of my favorite quotes, if you want to understand a frog, don’t study the frog, study the pond. So how much do we know about these criminals and what’s really their motivation, and what does their playbook look like? In short, what does pond look like? Let’s again start with the technologists. Mohammed this time. What do we know about these crooks? 

Mohammed Al-Zraiqat: 

Yeah. In general, throughout my career, when I was in the… Well, I’m still in the financial crime and fraud detection technology as a practitioner, we always used to know, and this is a fact that always criminals are one step ahead of us. They will absolutely find ways to find venues, how to defraud the public. They are just like one of the examples I can say, just like the water. They run through the streams where it’s least resistance. So the more we have any vulnerability, they absolutely will latch on it, and we’ll absolutely take advantage of it. So what that is, we understanding the pond is really just like understanding the ecosystem we are operating within and make sure that we set the right controls and we mitigate as much of problem as we can. Think about the whole COVID thing, nobody knew that’s going to happen. 

Mohammed Al-Zraiqat: 

When it happened, they found an opportunity for it because they will take a step forward, a step ahead of us. What we try to do actually as a practitioner, or even as a technologist, we try to mitigate as much as possible to stop that from bleeding. We build the profiles, we built the controls and risk management to mitigate that from happening again. What I can tell, the way I understood it throughout the career, it’s always hard for us to be ahead of the curve. We just try to minimize as much as possible and learn from what we have. As we learn topologies, we learn trends, and this ties up to the whole ecosystem and how we can understand the vulnerabilities within the ecosystem. 

Chris Gerda: 

I think that you find most of the criminals today are definitely within organizations. Organized crime, international, overseas. They want to remain anonymous, but they need to have a touch point where they can actually receive funds either through a mule account or a smurf account, and they’re trying to hide. So looking for the things that if they’re swimming in the pond and they’re hunting, they’re using proxy IP addresses to mask their location, and we can see that, and when in business it’s very odd to use a proxy of a certain type, so you can stay out ahead of them. I think too, they’re playing a numbers game. So they’re swimming through, and eventually they’re going to find someone that is going to fall victim, rather that is an elder financial exploitation situation or a loophole in the email security at a corporate. 

Chris Gerda: 

They can do that because of, as Craig often puts it, the automation of their attacks can be widespread, and then as soon as they have a phish on, so to speak with the pond analogy, that’s where they start targeting and focusing. 

Doug Hartsema: 

Craig or Scott, any insights on what corporates know about the crooks? 

Scott Lambert: 

I guess I’ll just add on to what the Bottomline team has said, is that quite honestly, I really didn’t know much about the profile of crooks until I started having conversations with our data privacy, data security team. I think somebody from the Bottomline team had previously brought up incident response, and we do that within Cigna between our data security, our IT group and our businesses. We go through various scenarios and thankfully it hasn’t happened, but we do some scenario planning. One of those scenarios was around ransomware. So if we get hit with a ransomware attack, what do we do? Do we pay the ransom and being a finance guy, my first question is, well, if you pay it, how do you know you’re going to get your data back? 

Scott Lambert: 

Our data security guy said, well, these crooks have a reputation to uphold, right? So if they don’t give you your data back and they implement ransomware somewhere else, people are going to be less apt to pay it. They almost have a brand, which is a little scary. That’s when it really hit home for me that this really is a business and it’s not some high school kid sitting in his parents basement trying to hack into a corporation. 

Craig Jeffery: 

Yeah, I like that. There’s no honor among thieves, right? They have a brand to protect. Yet some of those ransomware payoffs, they end up not being able to unencrypt them. It’s not a huge percentage, but sometimes that’s happening. I think some of the other elements of the attack vectors that come in and perspectives on the pond, if you will, is that they’re playing the long game. Their payoffs are huge, and so they’re much more patient than the check fraud criminals of the past, right? It was much easier to do it and you get $1500, $1,800 and you move on to the next one. All you have to do is buy checks and do that. Well, the payoffs are ten, a hundred, a thousand fold. Multiple orders of magnitude higher. They can stay and wait and nation state actors are doing these things as well. 

Craig Jeffery: 

So this long game is important. They can invest more, so their tech is more sophisticated. They’re also leveraging what’s going on in the business, not only leveraging tech, but they’re leveraging multilevel marketing, if you will. Ransomware as a service, as an example where they put tools out and then someone else who’s an expert at writing good emails or crafting things for clickbait can then leverage those tools to attack what’s going on. So they’re trying to steal data, convince you to send money, gets you to send money or lock up your data, and then they’re also trying to increase the sense of urgency if they’ve compromised, any element. I think the last piece that may or may not make as much sense to finance people if they’re not into the tech of fraud, is this idea, they’re trying to penetrate and remove any layer that you have. 

Craig Jeffery: 

Once they penetrate a layer, compromise a layer, they will use that to either move laterally or to find the next layers. They’ll just keep working and remove. You have four layers, Okay, I’ve got your multi-factor compromise. Now you haven’t made a change at the bank system, so I’m going to start up a conversation with the next layer of your security. They’re sophisticated, they’re persistent and they’ll learn piece by piece to wear you down. Not unlike the Borg, if you’re a Syfy fan. They’re just going to continue to compromise the next system. We have to have a defense that matches and cycles accordingly. 

Mohammed Al-Zraiqat: 

Yeah, just the last thought about this, is they also leverage the same technology that we also use to prevent the same crime that they commit. So it’s very interesting to see that we work from the both spectrums. We’re fighting over the same thing to prevent what they’re doing. They’re also gathered, the same way we do here to try to prevent. They gather using the dark web or somewhere. They chat, they figure out what ways, how to basically better the systems and stuff. 

Doug Hartsema: 

Okay. The final topic. I’m going to call coasting. So surely somewhere there’s a vaccine out there for all of this, and so surely one day this entire issue is just going to be something that the IT department takes care of, but seriously, will there ever be a time when we can just kind of coast on this topic? 

Scott Lambert: 

I don’t think that will ever be the case. I think there’s too much money out there to be made, unfortunately. I think what you have for defense today, what’s considered state-of-the-art today might not even meet minimal viable requirements, even a couple of years from now. I think it’s important that you understand what your potential vulnerabilities are. I think Chris brought up earlier that the fraudsters are always looking for the weakest link, so understand what your vulnerabilities are and have a plan to address them. Continually work with your technologists and your banks to understand what the latest fraud out there is and what trainings available that you should be providing to your staff. Then you can kind of work with your internal IT team to ensure that you’re addressing any potential concerns. 

Doug Hartsema: 

Okay. All right. Craig, are we ever going to coast on this? 

Craig Jeffery: 

I think you know the answer is a big no, but I would phrase it this way too. I was thinking about this because you gave us a little bit of heads up on what you would ask about. It’s like the question about, will we have peace? There was, I don’t know if it was Twilight Zone where someone founded a genie bottle rubbed it, and his first wish was world peace and everybody was gone and he was the only person there. So obviously he had to use a second wish to bring people back, but the point there is, as long as we have people and money, we’re going to have a problem and it’s not going to go away as long as those two things exist. 

Mohammed Al-Zraiqat: 

I totally agree with the concept. I cannot see this as going to coast, at least for the time being, or at least for the foreseeable future, as I can see. I don’t know what’s in five, 10 years, what could happen, but at the time I don’t see that is going to go away. We think of it like, I encourage the IT department team as well as risk managers or treasury or account payables or all the fraud prevention and cyber attack specialists, just try not to tune your risk appetite or minimize your risk controls, to compromise the higher volume of workload that you might get because of what will cause this to happen. For example, if you increase your system threshold might expose you to become a victim. So this is really something quite important for everyone to understand. 

Mohammed Al-Zraiqat: 

Leveraging the technology. In my opinion, the technology is here to help and think about also the automation of the process. If you have a lot of repetitive work that you have to do in order to help preventing those kinds of attacks, use those technologies, think about the robotic process automation, is there to help. Ask your provider, ask your partner or vendor of what is it that you can do, maybe what together you can leverage some areas in which you can enhance more on your controls instead of just minimizing it for the sake of minimizing the fraud or the cyber attacks. 

Doug Hartsema: 

Okay. Chris, please tell me that these guys are wrong and this isn’t going to be a problem. 

Chris Gerda: 

Well, I think, we have to maintain security. To maintain security, you have to maintain your strength. To do that, you need discipline and every day you have to put calluses on your hands. You can get into a good culture that is not afraid of doing that every day. That’s the only way you can feel like you’re coasting, but you’re coasting ahead of the fraud. You’re never going to coast behind the fraud because you’re either ahead or behind it. So you can coast, but you can coast by doing the hard work and feel good about the culture that you’re in. Culture is very important, and to Mohammed’s point about workflow and workload, you have to absolutely be ready to take that on, and you can do that in a good culture, and you can do that with good technology partners that can bring the ease that allows you to scale your business. 

Chris Gerda: 

So I think that puts it all together. If you’re going to coast, coast ahead with hard work and that’ll help you sleep at night, but there’s no actual coasting going on here. 

Doug Hartsema: 

I love it. That’s a perfect close. So let me thank the participants. Thoroughly enjoyed the discussion today. I will turn it over to Craig to close this out. 

Craig Jeffery: 

Thanks, Doug. Great job moderating. This is our first remote FinTech Hotseat due to COVID. You did a fantastic job, really appreciated the dialogue and just the learning that went on. Mohammed and Chris and Scott, thank you so much for participating. Fraud and protecting against fraud is such a core responsibility. We’re very thankful for each of you for sharing this information and for those watching, thanks for joining us. 

OUTRO: 

You’ve reached the end of another episode of The Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn, just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer, LLC, on this podcast are not intended as legal, business, consulting or tax advice. For more information, visit and bookmark strategictreasurer.com.