Episode 307
Learning from Financial Fraud Series Episode 11: Control Removal – The Criminals’ Backdoor
Welcome to another episode of our Learning from Financial Fraud Series. In this eleventh episode, we’ll look at what can be learned from a recent scam involving an unauthorized debit. Craig Jeffery provides his insights on the situation, the attack method, the loss, and the key takeaways.
Host:
Jonathan Jeffery, Strategic Treasurer
Speaker:
Craig Jeffery, Strategic Treasurer
Episode Transcription - Episode # 307: Learning from Financial Fraud Series Episode 11: Control Removal - The Criminals' Backdoor
Announcer 00:04
Welcome to the Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune in.
Jonathan Jeffery 00:19
Welcome back to the Learning from Financial Fraud Series on the Treasury Update Podcast. In this series, we explore multiple major financial fraud cases. We discuss how each one occurred and was kept hidden for a period of time, and we'll dissect how it was eventually discovered and get insight and guidance on how to prevent this type of situation from happening to you and your organization. I'm Jonathan, media production specialist here at Strategic Treasurer, and I'm here again with Craig Jeffery, Managing Partner. Welcome back to the show, Craig.
Craig Jeffery 00:47
Hey. I like talking about fraud, but I like talking about controls a little bit more.
Jonathan Jeffery 00:53
Well, it’s our 11th episode in this series, so I’m excited to keep this series rolling with control removal. Do you want to talk a little bit about what the situation was, who was involved?
Craig Jeffery 01:05
The idea that criminals remove or compromise layers of security should be particularly instructive and concerning for those that are, you know, in the risk management business, those that oversee funds transfer, because if you have a layer of protection, you're expecting that to provide protection. And so people are trying to remove it, like eliminate it, or compromise it, you know, so that they can enact some type of fraud, remove money from the organization. So a multinational company had their account debited in an unauthorized manner. And so think of an ACH transaction. It was debited. The company contacted the bank and said, Why was my electronic filtering, my electronic pre-authorization? Why didn't that work? Or they didn't start off with that. They were asking the bank, you know, hey, here's a fraud. And the bank had come back and said, we've talked to you about electronic pre-authorization. These are standard, good, commercially reasonable procedures to have in place, services that make great sense to have in place. You know, you should have had those on there. And they're like, We did. We did put those on there. We did sign up for that. And then the bank's like, oh, the bank goes and pulls the information, sees the instructions to remove the security, so they show the company and ask, is this your signature? And the company's like, yeah, this is our signature. We didn't send you that. So somebody had gotten the signature, applied it to the forms and the documents that remove that type of security. The criminals had found, hey, here's an account. I can't get money out of the account because there's a security feature. How can I get around that security feature? I can't get around it, but maybe I can remove it. How do I remove it? Well, the bank can be helpful. Maybe I can get information about that. And so once they got that, they applied fake signatures, shared that with the bank.
The bank removed it, and then they were able to execute their fraud by debiting the account, because the security service is not there, and the company is checking on that, maybe not as frequently, because it's got the controls in place. I don't have to check on it every day or every moment, there's controls in place. So yeah, once the control's removed, the debits came through, and that was a pretty significant situation for both the bank and for the company.
Jonathan Jeffery 03:30
It’s amazing how much reconnaissance they would have to do for this compared to the last couple types of fraud we’ve looked at. You got what signatures look like to match them. You’ve got the banking information. You got all these details that they have to gather and put together to make this happen.
Craig Jeffery 03:46
Some things are harder. Some things are easier. The idea that you may not be able to get signatures: if you have access to someone's email, you may see signed documents, or even some manual reports that are signed by the CEO or by someone else. And so now you just scan it, you clean it up, and then you apply it to a document. So it looks like, Hey, here's a signature, here's an authorized method of doing that, and then getting the documents. It does take more steps and more knowledge. It's like, how can I get the instruction from the bank? Who do I need to send it to? Who's the relationship manager? I need these forms to add and remove this function. Now it's, I need to create the documents, right? I need to send it to the people who can take it out. You confirm it's done, or you keep testing it, and then when it's done, now you can target, and you're going to target at the right time, the time which has the most leeway before it would be discovered, like on a Friday before a long weekend, or something like that, where people are not paying as much attention, so you have the longest amount of time to get money out of the banking system.
Jonathan Jeffery 04:54
It’s a good thing to remember, as we come up to a Friday before a long weekend. Anything else on the attack you want to share?
Craig Jeffery 05:01
The loss was under two and a half million. The things that we should do, what are some action things that companies should do? When we think about criminals trying to remove a layer of security or compromise a layer of security, have an ongoing, regular review or audit of what controls you have in place. Secondly, and probably more importantly, as you set up your banking structure and you expect transactions to come in through different accounts, have them focused so they're not buried, and have a regular review of activity, even if the controls are in place, just being able to see, is anything anomalous? Is this right? Is this unexpected? A number of companies will also do daily reconciliation, oftentimes leveraging technology to run through all the transactions, compare them to what's expected. So what's on your cash book compared to what came through the bank? Does it match? Does it contain some of the other information? And are you looking at that? If you're suspicious, be suspicious quickly. Do immediate follow-up. We have other examples that we'll cover in this series, where people are sending information through that matches confirmation numbers, setup numbers, company IDs, that are part of the security process. So that's really part of the removing a layer or compromising a layer. You know, it's like when I knock on the door, I'm going to knock a certain way, I'm going to say Open Sesame, or I'm going to say 1234. Well, if someone knows that you say 1234 after you knock, then they're able to compromise that layer. So we just have to be careful across the board. So confirming that the security methods are in place, checking them, designing your structure. Those are all valid ways of going.
And I think the key learning thing is, just because you put in commercially reasonable procedures, think about the entire control framework of what you need to do, and know that whatever is good today won't be as good tomorrow, because the criminals will find new ways of doing things, but criminals are already removing and compromising layers of security that you have. That doesn't mean don't have layers. It might mean have more layers, but it also means checking and confirming the layers that you have. You've got locks on your doors. Before you go to bed, you probably walk around and check to make sure that they're locked, make sure that the lock's there and make sure that they're locked. That matters. That matters in this risk environment that we live in.
Jonathan Jeffery 07:29
As we look at layers of security being compromised, what are some other layers that are frequently compromised?
Craig Jeffery 07:36
Well, some of the things that are compromised, maybe not frequently, but we're starting to see this now, and it's disconcerting, but it's logical. I mean, if the criminals are trying to find new ways of attacking and people are putting up certain defenses, removing those layers of security is logical. So think about, you know, you don't have to think about how to be a criminal for too long to realize, how does this lock work? How does this security service work? How does debit filtering work? How does electronic pre-authorization work? How do we ensure these things flow in a particular way? To imagine how you can remove those, I'll give you an example. This has happened quite a few times, and I expect to see it happen more. I'm trying to convince you to change your payments to one of your vendors to an account that I control. So I try to go after AP about that. Well, after that's happened a few times, and people are yelled at, and they're trained, they're like, Okay, we've got to call and get confirmation. So they have an out-of-band confirmation process, an out-of-band validation process. They're calling the number that exists in their database. They're following up with the person that they have in their list. They've already been burned when they followed up with the phone number that's on the fake email they had, because they called the criminal. And so if you call the person that's committing the fraud, they're going to confirm the information. So now you go back to your database, and the criminals will know this and say, who's in the record for that? So what's going to be easier, trying to intercept phone calls, compromise, let's say, a corporate phone system, or maybe I can get the customer who's going to be paying the vendor. Maybe I can get the customer to change who the contact person is.
If I gain access to the vendor's email system, I could send emails saying, Hey, Chris Young is no longer managing AP or AR. Rather, this is being managed by me or by this other person. And then the information is provided. Please update your records. And then the other person, with whatever the fake email or the email they control, sends communication over time, maybe two weeks later, four weeks later. You know, a recent example was, you know, two weeks later, after they had changed the contact person, then they say, Hey, we're moving to a new bank. Here's the account, Acme Widgets, Inc., at this bank, this account number, please change that for future payments. Please confirm that you've made the change. They make the change. Payments go out, and the company's like, we didn't tell you to do that. And then they're like, Yeah, you did. We can, and we confirmed it. It's like, you confirmed it, and then they find out they confirmed it with the criminal, because the criminal had compromised that point of contact, which was part of that layer of security, and because criminals are very careful and patient, you can think about the fact that they are willing to wait a while to go and say, I need to compromise this channel. I need to change this layer of security. So when they call back to confirm, they're calling me. Yeah, that's one other example of how people are removing or compromising the different layers of security. One interesting thing on that is liability, if the criminals made the changes and have taken off with the money. The company sending the payment might think that the other company is liable because they told them to change the payments, and it might take a while to come to a conclusion there. And there's a lot of issues there, right?
If you got your email system hacked, that's probably different than if someone sent a spoof email, put in an extra L or whatever removed to now, or a zero and a one, you know, as they set up some kind of domain. Where does the responsibility lie? That usually gets, you know, battled out, settled, you know, before it goes to court. But there certainly can be court cases for that.
Jonathan Jeffery 11:35
Yeah, and regardless of whoever ends up taking the brunt of the payment, both sides have pain and want to get it resolved for any future cases. Do you have any final thoughts you want to share on control removal, this type of fraud?
Craig Jeffery 11:49
The only final thought I have on control removal is that this is an area that people are not paying much attention to. On the fraud side, they're paying attention to a lot of the frauds that have been around a while, and while we've seen some of these control removal or security layer removal actions happen, it seems to me that this really, you know, really started somewhere around four or five years ago, and it's expanded quite a bit of late. So this is an area to be really careful on: having your payment process assessed, ensuring your controls are in place, and you're looking to see how would a criminal attack your weakest link, and identifying your weakest links and putting in the right compensating controls, is to do now. That needs to be done now. It's not something, hey, this will develop over the next two, three, four years. I've got time. You need to do that now.
Jonathan Jeffery 12:42
Great. Well, thanks for sharing. To all our listeners, we have a great lineup of guest speakers for the summer of 2024, so stay tuned. Subscribe on Apple, Spotify, any podcast channels, or you can even find us on YouTube. So thanks.
Craig Jeffery 12:59
Sounds good. Thanks, Jon.
Announcer 13:01
You've reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.