Treasury Fraud & Controls, Part 1:
Increased Success Rates and Sophistication Raise Threat Level
Much as we all wish they would, cyber criminals are not sitting on their hands. While these groups and individuals are anything but admirable, we could stand to learn a few things from them in terms of creative innovation, adaptability, persistence, and patient commitment to goals. Our posture, while defensive, must be no less active and intentional than theirs, or we will inevitably fall behind and leave our organizations open to attack.
For five years, Strategic Treasurer has partnered with Bottomline Technologies in performing research on Treasury Fraud & Controls. Our annual surveys continue to show a steady rise in fraudulent activity. The data from the 2020 survey confirms that cyber-attacks are increasingly numerous, both in terms of type and of sheer number of attacks: from 2017 to 2020, for example, the percentage of corporate respondents answering that they had experienced fraud in the previous 12 months steadily rose by a total of 7% (46% in 2017 to 53% in 2020).
Clearly, criminals are not giving up, and their reasoning is relatively obvious: they are seeing a distressingly sharp increase in success. Business Email Compromise (BEC) creates a striking example. Not only does it represent the most attempted type of fraud, with 67% of corporates having experienced unsuccessful attempts, but another 15% of corporate respondents experienced loss at the hands of BEC. This number is almost doubled from the previous year, when only 8% indicated a loss. Meanwhile, the total attempts (including both successful and unsuccessful) rose from 79% to 82%.
- Business Email Compromise (Attempts & Losses) – 2019 79% 79%
- Business Email Compromise (Attempts & Losses) – 2020 82% 82%
In other words, the data suggests that with some types of fraud, the criminals are attacking somewhat more often and much more effectively. The number of attacks is increasing steadily over the years, which is concerning enough in its own right, but the sophistication of those attacks is increasing significantly, and between these two concerning trends, fraud poses an ever greater threat. The alarm bells in treasury should be ringing loudly.
Grounded Confidence or Complacency?
Those alarm bells for fraud have been ringing for a long time, and when alarms have gone off for so long, it can become tempting to simply block them out. For treasurers, as managers of risk and protectors of our organizations, it is imperative to resist that temptation and take the time to hear the bells out, but it can be especially tempting for those who think they already have the situation under control.
Currently, the data points to corporates continuing to direct funding towards fraud. More than half of respondents indicate spending the same as previously, and approximately 20% indicate spending more or significantly more than in the year prior. Whether because of that or not, corporate respondents also indicate feeling increasingly confident in their stance against fraud.
More than half of corporate respondents, when asked to rate their position “with regard to the threat level associated with fraud and considering [their] current security posture” indicated that they felt somewhat or significantly better about their position than in the year prior. While it’s encouraging to see attention and funding directed toward security and steps taken to combat fraud, the problem is simple: fraud is not declining.
Since the reality is quite the contrary, with the success rate of fraud on the rise, the confidence of corporate treasury is more concerning than reassuring. While many treasury departments may have made significant improvements in the past year, and that is commendable, it cannot be allowed to induce a false confidence. If the criminals don’t give up when we spend more money on security, neither can we.