Fraud attempts are happening on a daily basis in businesses across the United States and the world. This was shown clearly in our 2017 Treasury Fraud & Controls Survey (underwritten by Bottomline Technologies), where we found that 86% of respondents had experienced either payment fraud, cyber fraud, BEC/imposter fraud, or ransomware attacks within the past two years. Fraud attempts are not harmless either, and many have resulted in financial losses, either from time spent on reacting to an attempt or from money being sent out of the organization. The fact that 86% of the respondents were affected by it just goes to show that measures need to be taken to prevent payment fraud.
As we consider the prevalence of fraud, it is interesting to note that only 13% of organizations surveyed (approximately one in seven) had a formal, current, and well-understood treasury fraud and controls framework. Perhaps organizations had an IT framework or PCI, but a very small number had a framework that was formal and current. This certainly creates a challenge for organizations.
It is helpful to also understand the sources of fraud. 81% of fraud was from an external non-employee and one in five attempts reflected an unknown source. What is the breakdown of fraud experience? About seven per cent have experienced ransomware (note: in 2017). Up to 76% have experienced BEC fraud.
Here we will discuss six of twelve security principles that any company can put into place in order to have a more secure framework. The first six principles can be remembered by the mnemonic S.E.C.U.R.E. They are:
- Speed Matters
- Encryption and Control of Keys
- Challenge / Verify
- Update Continuously
- Readiness and Response
- Exact and Specific Accountability Management
1. Speed Matters
The first principle is “speed matters.” The concept of speed matters reflects the idea that how fast you respond to a fraud attempt makes a significant difference on how significant a loss your company will face and how fast you can shut it down. Of course, it is more desirable not to be hacked, but when it happens, your ability to respond quickly and appropriately makes a tremendous difference.
If you can try to understand the mind of the criminal, you can understand why speed matters. The criminals intent is to steal money, putting it into accounts they control. This can happen when someone pretends to be a vendor, and tries to convince you to send out money. Another technique is to steal your data and sell it. Finally, they may add some software that can encrypt your servers and then encourage you to pay with bitcoin in order to get it back. You can read this article to learn how to keep your bitcoin safe by putting it in a cold storage wallet.
With any of these fraud techniques, the criminals aim is to hide the evidence so that you do not notice that your money has been stolen. Therefore, the speed with which you respond to matters. One way that you can use speed to your advantage is to reconcile accounts regularly, on an automated and daily basis. There should be a process in place that identifies small changes and researches those irregularities. How you reconcile accounts and knowing what to look for is key.
If a criminal succeeds in removing money from your account, they still have to get it out of the banking system. Here is a quick overview of two banks to show us how this works. Here is a quick overview of two banks to show us how this works.
In February of 2016, The Central Bank of Bangladesh had a very major hack. $951 million USD worth of messages were sent through the SWIFT system. The banks defense was weak and had lots of holes, making it easy for the hackers to remove the money without being noticed. $101 million USD was actually moved, with the rest being blocked by the New York Fed when anti-money laundering triggers went off. $20 million USD was recovered only because someone spelled “foundation” wrong, and in total the bank lost $81 million USD. The criminals blocked how the bank would get notified and the bank was therefore fairly oblivious to these transactions. This enabled the criminals to filtrate the money out. This breach raised a lot of awareness in the industry about fraud and even led SWIFT to implement their new attestation program.
An example of a bank that followed the principle of “speed matters” well is the International Bank in Taiwan. In October of 2017, $60 million USD was sent out from their account. They had quite a similar situation to the Central Bank of Bangladesh, but they were able to respond more quickly, noticing that unwarranted transactions were happening. They responded quickly and froze assets in the banking system. Funds were returned and they lost less than $1 million USD.
2. Encryption and Control of Keys
The second security principle is “the encryption and control of keys.” The goal here is to encrypt data so that if someone enters the system it does not have readable significance. This is a second layer of security that is very important for companies to consider. If you are familiar with the Automated Clearing House (ACH), they have a tremendous amount of payments, and there has been significant amount of discussion about tokenization in order to add another level of encryption. This is an example of the principle, as companies seek to keep data from being readable and useable.
There are two types of encryption, and in both the keys must be secured.
The goal of encryption and control of keys is to keep all information secure. This is done in part by not doing foolish things. Access to passwords and keys must be controlled. Do not put passwords on the bottom of keyboards, on a screen, or buried in the back of a notebook. These are all way too easy ways for a criminal to find your password, and actions such as these defeat the purpose of a digital key. Similarly, if someone sticks a piece of wood or a book in the door so that it does not lock and then they forget about it, this can thwart security. Finally, companies should enforce the length and strength of passwords, ensuring that they are changed on a regular basis.
3. Challenge / Verify
If you bar entry through the third principle of “challenge/verify,” the goal is to not let criminals gain access to your data. For example, in your office if someone leaves their computer, are you able to get past their screensaver? From physical location access to system access, companies need to challenge and verify all points of entry. By barring entry, you safeguard information. The ultimate objective is to stop intruders at the door, denying them the opportunity to access any information or data.
There are a few more examples of how to apply this principle. One tactic is out-of-band authentication. This means not using the same channel that may have been compromised to confirm the message you have been sent. Your due diligence is to make sure you are validating certain transfers if they are coming through channels that are not particularly secure, such as email.
As far as the physical network, ID and password should be required for access. Sometimes a third level of authentication is also required, which can be useful in treasury. Certainly, system administrators should have multi-factor authentication. There was recently a large four consulting firm that had system administrators without multi-factor authentication. They were breached and the criminals gained access to the keys. The physical network needs to be challenged and tested. The idea of vulnerability assessments and penetration testing is essential.
For the office or plant, challenge those you dont recognize that are trying to gain entry to your building. Think of all of the people that are coming into the office (those who water plants or fix machinery) and challenge and verify systems and requests. Locking doors and file cabinets is important as well.
4. Update Continuously
The fourth principle is to “update continuously.” This means staying current. Your IT team should enforce that the server is updated with patches and fixed regularly. Computers should have antivirus and security software such as Zonealarm maintained and enforced. Companies should use current and modern software that is updated and pays attention to security. There are also messages and locations from the government standpoint where IT can participate in updates. If there are hacks, make sure to update the broader community. Your staff should also be trained regularly on compliance.
5. Readiness and Response
The next security principle is “readiness and response.” How is your organization ready to respond? In terms of speed of detection and response, being ready means the understanding behind the action. Good questions to ask include, what do you do when there is a problem? Who do you call? What is your course of action if your computer is compromised? If you have a disaster recovery plan, is that sufficient for high level cyberattacks? Is your plan of action defined? If you have an action plan book then you are well prepared. If you have something more informal, then you probably have some work to do.
6. Exact and Specific Accountability Management
Finally, the sixth security principle is “exact and specific accountability management.” This is the concept of who has access and who holds certain functions of monitoring. Is there a specific audit trail and accountability for accessing files and data? Specify who holds responsibility in the organization for monitoring and responding to fraud attempts.
One important aspect of this is payment files. With an audit trail, a system will track activities by unique userID. The system logs or tracking should not be able to be altered or deleted as that could hide fraud or data breaches. Specific accountability includes controlling physical keys and key cards.
Conclusion
Fraud is significant. Criminals are adapting, and they are using technology against you.
Treasurers must be proactive in strengthening defenses against fraud. Internally educate your employees and have a defined fraud and controls framework. Clarify who is responsible for the proactive and reactive defenses in your organization. Stay aware of threats and do not underestimate how fraud can impact you.
To learn more about this, you can view a webinar replay on this topic here.
Meredith Carpenter
Content Copywriter, Treasury Analyst
Meredith Carpenter works as a content analyst and copywriter in the market intelligence division of Strategic Treasurer, a top tier treasury consultancy headquartered in Atlanta, Georgia.