Tuesday, April 4, 2023
11:00 AM – 12:00 PM EDT
This is an online event
Omri Kletter, Bottomline
Chris Gerda, Bottomline
Craig Jeffery, Strategic Treasurer
Description: The Treasury Fraud and Controls Survey studies the current state of fraud experience, security measures, and plans for the future. The 2023 results provide valuable data on multiple elements impacting corporate fraud and security, including most commonly experienced fraud types, trends in control measures and training policies, investment plans for prevention and detection technology, and more. This webinar will highlight and discuss some of the key findings from this year’s research, covering topics such as the following:
• Views of the fraud threat level and corporate security position
• Fraud types and rates of loss and attack
• Security practices and controls employed
• Types of cyber security technology currently employed
• Expected investments in security & fraud prevention technology
Okay, well, welcome everyone to today’s webinar on the 2023 Treasury Fraud and Controls Survey results. This is Brian from Strategic Treasurer, and we’re pleased you could join us as we evaluate the survey results and discuss the implications for organizations in 2023 and beyond. But before I introduce today’s speakers, I have just a few quick announcements. Zoom offers several different ways for us to interact today. If you would like to post comments or questions viewable by all attendees, please use the chat icon in the toolbar. If you would like to ask your question to just the presenters, please use the Q&A icon in the toolbar. You can ask your questions at any time during the presentation and we’ll try to get to as many as we can. But if we don’t get to your question, someone from our team will gladly follow up with you. There will also be a few polling questions throughout today’s webinar, where you’ll be able to select your response from a list of multiple choices. You will need to click the submit button on the polling questions to have your response recorded. If you are here for CPE credits, you will need to answer at least three polls today. And last, please ensure that your Zoom display name includes both your first and last name, so we’ll know to whom we should send the credits. Our speakers for today are Omri Kletter, global vice president of fraud and risk management at Bottomline, Chris Gerda, risk and fraud prevention officer with Bottomline, and Craig Jeffery, Founder and Managing Partner of Strategic Treasurer. Welcome Omri, Chris, and Craig. And I’ll now turn the presentation over to you.
Craig Jeffery 02:18
Thank you, Brian. It’s good to be with you, Omri and Chris, again, on this eighth installment of the Treasury Fraud and Controls Survey. Welcome, everyone. I’ll add my welcome to Brian’s from Bottomline and Strategic Treasurer. So glad you’re here to spend a little bit of your time to discuss treasury fraud and controls, the status and the situation. But let’s begin with our overview. Our overview is today’s agenda. So about the survey, just a couple of highlights: there were over 300 respondents, I already said it was the eighth year, longtime partners, Bottomline Technologies and Strategic Treasurer. We’re excited about that. Then we’ll move to the fraud situation. When we think about the fraud situation, of course it is bad, but how is it bad? What’s changing? What things are getting better? What do we need to be mindful of? Then we’re going to shift into remote work. Many, many people like working remotely or in a hybrid environment. That’s very clear. But there are some changes in the risk portfolio that happen with this remote work, some concerns. So things like business email compromise and data theft are key concerns. Then we look at payments, the process, what’s going on with payments: the process needs to be inventoried, needs to be examined, and it needs to be protected. We’ll spend a little bit of time on fraud prevention: what’s going on? What are your peers doing in terms of spending? What’s their motivation for fraud prevention protection? And how are they going about gathering information on this? So some really good information about what’s changing over time. And then finally, we have four takeaways to fuel your response to the current fraud situation. So with that, let’s take a quick jump into the survey stats. So as we look at the survey stats, I already mentioned over 300 respondents, eight years of research, good participation globally; global organizations have taken part in this, you can see the timeline.
You know, one of the items here that I think you’ll find interesting is the fraud threat level over the years. This is whether it’s increased or significantly increased from the prior year. So when you look at this, you just see 76, 87, 84, 78; things are getting better. And I would say not so fast. This has increased over the prior year. So this is compounding significantly: well over three quarters of companies on a year over year basis say the threat level has increased each year, so it’s compounding year over year. Thankfully, it’s not, you know, it’s not 100% year over year, but it is still compounding year over year. So that’s some of the information about the survey. The survey report and infographics are available for download. That information will be shared in the chat box, and also towards the end of our webinar, but let’s get into some content. So the first one, and we’ll start with Chris here. You know, Chris, this threat level of fraud, I’ve already given you the lead-up of year over year. So this is high levels of increase or significant increase on a year over year basis. Essentially, no one thinks the threat level has decreased. What are some of your thoughts here on how to be concerned about this? Of course, this is a fraud seminar. So, you know, there’s got to be some level of threat that we’re concerned about.
Chris Gerda 05:56
Yeah, absolutely. Correct. I think you see each year, right, it’s different types of attacks. So the attacks are becoming more sophisticated, more automated, as you always say, right? And the increase is continuous, right. So we’re always seeing an increase in combating the increase. So it’s kind of a whack-a-mole game. I don’t know if you’re gonna see, you’ll see decreases when organizations also answer, I see a decrease in fraud in my organization. It’s often because they’ve integrated with some threat provider to actually decrease their threat, right? Whether it’s email monitoring, a payment network, or some sort of anti-fraud solution, and that helps a lot with a decrease. 1% here said it decreased in the question, probably a lot about feeling. But if you think about your particular organization, and when you partner with someone to decrease your threat, that’s another great KPI for everyone to look at. How successful were your partnerships for security?
Craig Jeffery 07:04
Yeah, very good. Now, we’ll shift slides and bring Omri into the mix. What have people been experiencing with fraud? We’ve experienced fraud or suspected fraud. So we’re at 73% of people have either had it, or there was suspected fraud in the organization. So a significant minority are experiencing fraud. And when you combine those two together, we’re pretty close to three quarters having experienced it or suspected it in a year. Thoughts on this issue?
Omri Kletter
So first, obviously, to essentially get the slides on or disconnected. Right. And before I go deep, so first of all, you know, I start the discussion by thanking vocalign, so many thank you, and the team. And thank the audience, and obviously thank the people who took the time to, you know, answer these questions and to be piled in. Yes, we’re doing it for many years; we see great value in the industry coming together. And I think this event, obviously, for people who are attending and people that will later engage with that in the virtual arena, I think it’s very important. And I think it’s an opportunity for us, I know that we are all extremely busy, but to take almost an hour out of our schedule to really reflect and to think together and see what you see and to learn and to observe. And I think it’s important, I think that by doing that, certainly it is one of the things that we hope, you know, will help us as a society and organization, as industry experts, right? To come up with burden. I may also say, as I’ve seen throughout the chats that people are saying hello from so many different places, I may say also hello from London, United Kingdom, because to a certain degree, I’m based in London, but it’s very important that we understand this as a global phenomenon.
If we tie these two points together of, you know, the higher concern and also obviously, related to the fact that, you know, Chris said correctly, there is a feeling, but this is also the data, right? Three quarters of the people really experienced either confirmed fraud or something that really had to change their processes or they had to invest time in fraud. And we ask ourselves, I think many people around this virtual roundtable, why, right? To a certain degree, you know, we are seeing here data, and us as a group trying to provide commentary and ask why. I think the first question we should ask ourselves is why not? Why not? Well, why shouldn’t it go up? As we’re seeing the actual numbers go up. And we know that the geopolitical environment, I would say the things that are around us, around the payment industry, around the treasury that really impact us, are not necessarily improving, right. We know that organized crime, and sometimes at a big level, are actually involved in these activities, from both internal to external. We know that there is still a very big push to push digitalization around the world, not necessarily with having the solutions ready from a fraud perspective. So there is a push on one end to do lots of change that makes life easy and allows us to do things in a speedier manner, and we’ll say throughout the session, but not necessarily provided the remedies before. And I think Chris alluded to the fact that, you know, where technology can help, where people can help, workforces is part of the elements. So I’m not surprised, unfortunately, to see these results. I think we should all, you know, ascertain the takeaway that the individual feeling that we have is actually backed by data, and to a certain degree, definitely also a call to action.
Craig Jeffery
Excellent. Thanks, Omri. And thanks for joining us from the UK. All right, so we move to our first poll question. So this is a, you answer this as a single choice.
This is: what do you perceive as your greatest fraud risk over the coming one to two years, 12 to 24 months? And you can read the list, it goes all the way down; the last one is system-level fraud, system takeover. If you don’t see it, you may have to, you know, Alt-Tab or follow some instructions in the webinar chat as to how to find the poll question. So once you select it, and you’re good with it, hit submit, and you’ll be in good shape, it’ll be submitted. In the chat box, there’s a link for following Bottomline on LinkedIn; I encourage you to click it and follow Bottomline if you’re not already doing so, it’s a good way to stay in touch. And we’ll also provide a link for Strategic Treasurer at some point. And for those who want to see the results of the poll questions, we’ll ask if you could type the word poll, or TFC for Treasury Fraud and Controls, that would be awesome. Look at that. Yeah, great. Great question. Yeah, question: occurrence or impact? So yeah, we could calibrate that question next time. Tom, thanks for the information. So Chris, maybe we’ll turn it on to you to start here. This is, business email compromise has been a big issue for some time. That’s number one. Number two is data theft, malware, viruses, then we tail off, everything seems to be under 10%, if I can see the rest of it.
Chris Gerda 12:56
Yeah, looks like under 10. I think that this says the group knows the greatest threats that are targeting them. Business email compromise fraud, or possible fraud, that’s your payments that are going to a fraudster, right, when they trick you to change bank account information. It’s probably what each of us, if we look at our emails over the past month, we probably have one of those sitting in there from a vendor or in payables. Cyber fraud, really the ransomware piece of that. The data theft, depending on your industry, really important, right, data theft of account numbers and logins and passwords. Keeping those encrypted, or definitely a huge shift towards pseudonyms in ERP systems rather than holding banking information. And finally, social engineering by phone, email, text, that is the precursor to business email compromise fraud that leads to the next level. So it’s a great way to look at it as in, if you’re going to prevent BEC fraud, you need to prevent the social engineering by phone, email, text in most organizations.
Craig Jeffery 13:59
That sounds good. Yeah, let’s continue on. And I’ll try to make sure I call on the right person for the slides that they’re looking at. So thanks for flexing on this. So as we look at the top fraud attempts, business email compromise, imposter fraud, you know, CEO, Chief Executive Officer fraud tops the list at over three quarters; social engineering, the same type of thing, right, by phone, email, or text, instead of just using, you know, one method, there’s some other methods there, two thirds; and then half, cyber fraud, information, data theft, malware; payment diversion dips just below that. And then ransomware is only hitting about one out of five, and there’s been some solid improvements there. Omri, I believe you’ll start this off and then Chris, maybe you can pick which one you’d like. And then we’ll dive it off to Chris.
Omri Kletter
No worries, and we all are, Craig, flexible, I think, don’t worry about me and Chris hoping to. But just on reflecting what we’re seeing here, I think, again, definitely aligned with what we’re seeing, just for people who are less familiar with Bottomline. And you have here an interesting representation, because on one hand, we are a solution provider. So we provide tools for organizations, both corporates, banks, and even government agencies, to detect fraud, but we also operate our own payment networks and use our tools to protect ourselves. And Chris, too, if you don’t know, is the master; he really is like a chief financial officer for the organization, for our organization. So obviously, what I’m trying to say is that the different data points that we’re seeing are definitely aligned with that, and, you know, for good and bad, we need to use our own tools to protect ourselves too. And we see the same challenges, by the way, globally.
And maybe that’s also important to mention. I think what we’re seeing to a certain degree here is a realization of the fact that the weakest link is actually the people, to a certain degree. I think we’ve seen a shift where, through malware or device takeover, there are things that obviously have an impact, but practically really leverage, if you like, technology to attack the endpoint devices; we’re seeing a shift for attacks targeting our lack of ability, many times, to differentiate, right? Between genuine and fraud activities that are being imposed on us. And again, demonstrating we haven’t done enough to differentiate between these activities. We are leveraging, as we all know, the digital channels; the digital channels themselves have weaknesses, right. Your email would be a perfect example of something that is brilliant in many ways to communicate, but hasn’t been integrated with security and verification properly. And that’s true of the other elements too. I want also to make a comment around the Disable for the elements. And in the combination, sometimes, it is not well articulated between cyber and fraud. And I think to a certain degree, we see this as increased risk also because we are very focused to understand what’s happening on maybe the different transactions, but we’re not monitoring the junctions where things are happening, right? And how it looks like from, if you like, a DLP perspective as a whole, and to detect the types of fraud. So absolutely not surprising. We should all translate it into better action around education on one hand, but also a better view, not just on devices and having authentication tools, as we’ve been extremely focused in the last few years, but also to bring more, so I would call it soft detection, that analyzes behavioral change that can help us to understand that internally there is a leak because someone was acting, you know, wrongly, or was just negligent.
So I think that’s maybe a starting point to understand that, yes, this data supports where we should look after, what we should look like after, all people that either internally or externally are communicating this.
Craig Jeffery
Yeah, well put, Omri. Chris, what do you have to add here to the discussion?
Chris Gerda 18:32
So, Omri put a really great point out there, right, cyber and fraud, they’re two sides of the same coin. And you have to address both of them. So oftentimes, cyber gets confused with fraud, and you end up overlapping terms, and everyone gets off the same page. But when you look at fraud attempts, if you just speak, within your organizations, in the simplest ways: someone’s trying to steal money from us by updating bank information via email. You don’t have to call it BEC fraud, it’s just exactly what it is. And that helps you understand what the attack is and how it’s targeting you. So if we think about cyber, that can be attacks on endpoints to exfiltrate data, right, to hack in and install ransomware or steal account information; there’s behaviors there, there’s behaviors that occur within a system that you can put monitoring on. And then on the fraud side of that, there’s behaviors of people: dual controls in a payables department that don’t take bank instructions via email. So there’s that people part of it too, and oftentimes fraud deals with people and cyber deals with systems. And so you have to just differentiate that within your organization. That’ll help you reverse engineer these fraud attempts, and then use them to teach.
Craig Jeffery 19:52
Right, so both of them are part of the same process, other sides of the coin, if you will. Great point. Let’s move to the next poll question. They’ll pop up on your screen. So fraud controls experience, there’s two questions here, you may need to expand your window, so make sure you can see that. The top one is multiple choice: which of the following controls do you use to prevent fraud? So this is a quick scan of who uses which types of solutions, or who on the webinar, in total, what’s the percentage using those. And then at the bottom, there’s a question about when you think about the vendors you use, particularly vendors related to payments: you know, have you seen them experience any of the following, email takeover, phone takeover, both, or not? This is important because, you know, we leverage vendors and central areas and networks, and those become increasingly the targets for criminals, but they’re definitely hardened targets. So we’re going to capture where that goes. So as you complete those, I’ll just say I never said how many people we wanted to type the word poll or the letters TFC in the box. But we were at, I think we’re over 100 now, but let’s go to 150 TFC or poll in the chat box. We’ll send all of the poll results out after; we’ll embed them into this deck, so they’re on the slides where we took them, you get to see everything. So we appreciate your insight and information there. If you can’t submit it, and you drag the box down to the side, there’s no submit after you’ve selected both questions, then I’m not sure what to say; Brian may be able to help in the chat box. We see people submitting a lot of things to the hosts and the panelists, some to everyone. So Brian, let us know how many we have. So we really appreciate that; as soon as we’re ready, we’ll go on. Yeah, so Omri, I’m going to start with you here first. Fraud controls: account payment validation looks to be the top one.
Any thoughts here? If that is one of the elements to protect payments? And then the other side, as Chris was saying, was the human element; 50% are doing that. Is that good news or bad news?
Omri Kletter
A bit of both. I think it’s good news, because it definitely is investment in areas that we know will help. You know, again, going back to my point around the inherent flaws in the system. So these types of verifications help us to detect, differently, many of the cases. That’s the good news. The bad news, but obviously, there is no silver bullet. And I think we tend to think, oh, we have fraud concern, we will buy A, or we will introduce process A. And I think a multi-dimensional approach is needed. So I think it’s definitely moving in the right direction. But we need to boost it with, for example, behavioral detection on the monitored behavior, not just the hand side, right? And we need to understand what are the additional controls that we’re putting, a four-eyes view? So by the way, and ultimately, it’s not our point of view that technology is here to fix all the problems out there, right? Absolutely not. You need to combine these types of tools with the right processes, and with the right people in charge of it. So definitely moving in the right direction. And I think if we combine how we started it with the increased risk, I think no one around this virtual roundtable of north of 300 people thinks this is, you know, a silver bullet sufficient for the problem.
Craig Jeffery
Yeah, thanks. Sorry. You know, that saying, that principle of least privilege, coming in at 15%. I think when we first started asking about that, that’s the idea of people and IDs only having access to the information they need to see. They only have the rights and privileges for what’s necessary. I’ve seen that grow from around 5 or 6% the first time we started asking for that. I think I’ll be a lot happier when that gets up over 50%.
But that’s my concern there. Chris, anything on the vendors and email takeover, phone takeover? Any thoughts on that?
Chris Gerda 24:26
Let’s see here. So, vendors experiencing that, emails and phone takeovers: the phone takeover is going to be increasing, right? That’s, I call 2023, it’s going to be the year of the phone takeover. It’s becoming more of a weaker link in the chain because it’s used to approve payments. It’s used to obtain multi-factor authentication, and that’s a critical piece. The email takeovers are the things we’re seeing in our boxes. But you can see the weakness of how many emails are taken; you know, we’re not having multi-factor authentication on emails and logins from new devices, oftentimes you have to go in and set that up manually. Both at 15%, that’s when you have your really sophisticated attempts at BEC fraud. So to defend against when an email and a phone have been taken over, it takes a level of sophistication past what a lot of payables departments can deploy; it needs partnership to be able to detect some of those sophisticated scenarios. Scary at 15% both. You guys probably have some good stories, those 36 folks.
Craig Jeffery 25:37
Yeah, those would be good to hear; we try to have a little compendium about those, put some document together. So if you’re interested in doing that, you can send a private message over, we can keep it anonymous; I think those are great. You know, the email takeover, one thing we see with, we use a monitoring service that scores and tracks everything; we’ve noticed how they’ve upped the percentage of weighting for email security. So things like SPF records, DKIM records, all of this activity that provides assurance that emails are coming from the right place, they’re not adjusted, they’re not being spoofed, is one aspect of that, not just controlling the email side. But let’s continue on. So we’ll close this off. And Brian could tell us if we hit our 150 respondents; that’s a low percentage of those that are on, so I’m really kind, I’m not mean. But let’s move on to the next topic. And this is, we love working from home. But you can see there’s pretty significant concern for those who are concerned about fraud and controls: top concern, two thirds, business email compromise; data theft, two out of five; about the same for external fraud; you go all the way down to payroll fraud, about, you know, 3%. So, and we’re over the poll number. So Omri, why is everybody hating on remote work?
Omri Kletter
I, you know, obviously, I love working from home. But I also must say I love working from the office. And I think there is definitely a trend into hybrid when possible. I think what’s interesting to see here is a trend, a few things that I think, as, again, a virtual roundtable, we can brainstorm and reflect on. The first one can say, wait a minute, this is not new, we had it a few years ago, we had it three years since, or two and a half years since the COVID outbreak. But I’ll tell you what I think is changing, and why, guessing, with time: it’s actually the different hiring mechanisms.
So when we started to move, or, you know, when we moved to be working from home, the majority of the industry, we actually had a setup; we knew the people, who knew, continued, or we moved them into a different setup. Now we are hiring remotely many of our employees. And I think it has a lot of impact on our ability to have greater control also. We are missing, and I chaired last week a roundtable with internal threat leaders with many of the global banks in London, and I heard two interesting things that I think we should all be reflecting on. One was really, not I wouldn’t say shocking me, but reframed a concern I had: we’re starting to see, it’s part of, you know, the geopolitical and organized crime moving to fraud as a vehicle, and payments fraud; we’re starting to see organized crime trying to hire into financial institutions and key positions in treasury, especially in big corporations, because they know that actually hiring in is easier today. And it’s a big thing that we should all be aware of. That’s why we’re seeing, by the way, a higher demand for solutions for internal threat, as, I would say, one of the biggest trends, if you like, from an acquiring and procurement perspective. The second thing that I’ve heard around remote work from these leaders in the different banks, and I honestly agree, is that one of the main things that have changed is the ability for managers to detect either bad behavior, intentionally or negligently, meaning not following a payment approval process. So it’s not a fraud case, but obviously they are more vulnerable to be victims of business email compromise because they don’t follow the practice; they, you know, it’s easier to do data theft because they are not necessarily installing the latest updates. And what many of these senior guys in banks said: you know, you’re missing the managers on the floor, on the trading floor, in the treasury room, in whatever, to detect and analyze these situations.
And hence there is a shift, if you like: we need systems to be able to detect things that humans sitting next to, or walking next to, were able to detect before. So some food for thought. And I think, again, this data shows it practically: either when we say internal fraud, that’s intentional. We know from actual data that many of the things that actually we call, quote unquote, external fraud, like business email compromise, data theft, while they are not intentional internal fraud, better monitoring of our internal team would be able to see not following certain protocols that is making you more vulnerable to fraud.
Craig Jeffery
Now, they’re all getting hired in; that’s not too scary, Omri. But that’s part of a fraud and controls webinar thing, right, to keep people on their toes. Well, let’s move forward to our next image about fraudulent payments. Chris, I’m gonna invite you to comment on that. This is about fraud monitoring. And this is really interesting to us because it’s like, hey, do we put the proper defenses in there, the right types of detection and prevention? The right hand side says, have you had a low value, high value, so those in the US think ACH and wire, for example, for low value and high value. You can see, you know, 29% had it leave the building, 11% are unsure. When you look on the left hand side, do you have a payment monitoring solution that will detect something fraudulent or something anomalous before it leaves the building? We have a quarter, 27%. And to me, that seems like, that’s probably, you know, people that are taking a fraud survey are probably from companies that are a little bit more attuned to it. But we don’t know. So there’s a lot of room for improvement, for sure, here. Chris, your thoughts?
Chris Gerda 31:55
This is a big slide to unpack. There’s a lot here. So let’s start on the, have you had a fraudulent payment leave the building? So no, that’s great. 29% yes, that’s one out of three, more or less, that have had a significant event at the organization, and 11% unsure. For those, so I would say, if you’re unsure, ask. And if you have one, if you’re in that 29%, you need to ensure that you’re sharing what happened; it makes it real. It was an email and a dual control issue, and we didn’t revisit our policies and procedures with a work from home environment. And a lot of the times this right side causes that left side to occur. We go from a, no, I don’t have a monitoring solution, to, I need one overnight. And you don’t want to be reactive, you want to be proactive. So partnering with your banks, and the banks are now partnering with a lot of providers like Bottomline to secure corporate payments within their infrastructure. This puts you ahead, right; it could be as simple as, it’s a new payment to a new vendor over $50,000. Right. It could be whatever you set. But it’s important that you protect yourself, because no one knows your business like you do. A bank is going to have a variety of controls in place to block payments, but they don’t know what’s suspicious for your organization. Their monitoring has to blanket a lot of different types of corporates. So there’s a lot of shift to empowering the corporates to take control of their own monitoring within corporate bank applications. But, you know, I’m gonna hang on to our poll question. One of the responses was, how many people have an incident response plan or recovery plan, and it was about 30%. And that’s something that we can just make 100% in the next two weeks, right? It’s understanding how do we react when a payment goes out, and a vendor says I didn’t get that payment, or we just see that we made a bank update.
And the email that sent it had, you know, two hours combined to make an hour, and we didn’t notice at 4pm on Friday; we were trying to get out of the office and we updated banking information. So that incident response plan, if you have a pencil, take this note. In the United States, you want to use IC3.gov, IC3.gov. That’s the Internet Crime Complaint Center. They have what they call a recovery asset team, or the RAT team. This is the FBI that has links to banks within the United States, and they have a great reputation for immediately freezing funds; most fraudulent payments, ACH, digital, wire, whatever it may be, in the US usually hop to a US based bank account before it goes overseas. So it’s important to have that recovery plan. You go and you fill out a little form. If you have a large value payment, that team is going to be involved. In 2021, they published stats: they had about $443 million in BEC fraud reported to that team through that portal. They put under a freeze $300.9 million of it. So that’s an extremely good recovery rate. But you need to be very fast; you have to have a response plan that’s devoid of red tape, that calls a duck a duck, per se, right? You need to be able to say this is fraud, we have to recall it now. We can’t dance around it. Get to both your bank and that website. That’s part of your response plan, it’s going to help you. And then start talking to partners: your banks, the first place to start, how can I implement some monitoring solutions? Start talking to your ERP provider: how can I do some more controls? Am I leveraging everything that I need to, or that I have available to me, what I pay for?
Craig Jeffery 35:46
Excellent, Chris. Yeah, well, we’ll move on. I think I’ll always remember the RAT. Just about, you know, what Chris said, it’s so easy to suddenly get to it: too many of us are driving a car without insurance, right? So. And the relationship between two pages, and again, the combination between technology and people, so 29% is not a good enough number. And I would say some of these cases, because we know, because they flagged and go to our bank customers, and they tried to find if they can pay back, and in some cases we need to introduce the concept for us of catastrophic loss, which is exactly connected to what Chris said around the processes of recovery. Some of these fraud cases could be not just part and parcel of running business, in the same way that some will become, you know, not usable, or whatever. Some of these fraud cases could be catastrophic to the business. And hence we need to take it into account when calculating it. So obviously we didn’t have here the breakdown between low value and high value, and what was the critical, what was the post effect of these fraud cases. We know it’s north of 10 to 15% that some of these cases are actually catastrophic, or very, very, very challenging to the business. Yeah, very good. So as we look at another area, you know, this is the idea of network directories. Why do we have a slide on network directories, if we’re talking about treasury fraud controls? Well, think about payment processes. Some payment processes, many payment processes, create some type of payment file that’s put on a network directory; sometimes it’s taken there from a file management system or SFTP process and then loaded to the bank. Sometimes it’s downloaded to a desktop and then copied into a bank portal or some other portal. So if we think about protecting payments from beginning to end, some of the questions begin with, well, what’s the inventory of all the payment flows you have?
How is that payment information custodied or cared for from start to finish? We sometimes think about, hey, just at the point of change, when someone’s changing a master data record. Well, here are some questions here: network directories that store payment files, what’s going on? Less than two out of five have an audit file that can show access and changes to a network directory; that’s not particularly good. We look at the purple line, 36%. So, you know, just the lower third actively monitor and review access rights to this directory with sensitive information. We think about the principle of least privilege: how do we only allow people access to what goes on? And how do we detect when there are more rights granted, or fewer rights granted? That’s an area to watch. This is an area where maybe not the company’s crown jewels, but certainly its payment instructions, which can be changed and sent out, cash, is an area that should have a higher level of focus. So just over a third, and then if you look at the bottom, administrators who can assign rights do not have the ability to cover their tracks by editing or deleting log files; that’s 1/3. Now, you may say our IT administrators or system administrators, their motivations and character are above reproach. The motivations are as pure as the driven snow. But the issue is, if you have an ID that has these rights, has the ability to do that, and a criminal gains access to it, they have too many rights. And so this is the principle of least privilege as well. You shouldn’t be able to wipe away your trail, your tracks, or an ID shouldn’t have that ability in case someone gains that access. This is an area that’s very, very infrequently looked at. The other area that always surprises us is the issue of, you know, how many payment processes do you have? I don’t know. How can you protect what you don’t know about?
In our practice, we oftentimes find 60% to 100% more payment processes in an organization than is expected by, you know, payables, treasury, IT. As you go through the process, you find more; that, I think, is a big wake-up call. It’s a point of exposure. And this is just good to see where this is. I hope this number moves forward; this is probably an action item for others. And I’m going to jump forward unless, Omri or Chris, you jump in here.
Chris Gerda 40:40
I see an increased use of pseudonyms. So within PaymodeX, we only provide pseudonyms; we mask banking information, so your ERP will no longer have banking information in it. Therefore, nothing can be changed that would route to another bank account. That’s one way. You also see a lot of larger banks now shifting to some pseudonyms, particularly with digital bank authentication; they provide pseudonyms and it just puts fewer bank accounts on the ecosystem. That’s a trend that’s going to increase.
Craig Jeffery 41:08
You use the term pseudonyms, just like some people use tokens, you’re replacing that information with a substitute, right?
Chris Gerda 41:16
That’s right, a string of letters and numbers that actually equals your account number, but your account number is held in a safe encrypted environment in one single location.
Craig Jeffery 41:25
Excellent. I just want to comment, so obviously I completely agree with Chris, super connected to what we said before around monitoring the junctions, not just the payments in flight. So to a certain degree, what we’re saying is, well, the question in front of us was, are we protecting the junctions, right? Where things are, the places where fraud can take place? One food for thought: sometimes when you actually zoom into these statistics and say, okay, only 1/3, or a bit north of 1/3, are actually utilizing it, you realize the difference is not necessarily by the intent of the organization, but actually the technology itself. So we can monitor several of the stuff, but do we have the ability to monitor? And we got it more and more from our customers who are very focused on finding solutions to legacy mainframe solutions, right? So I think it’s also a question: how do you have the ability to monitor in the network, even in some legacy places or places where you have, let’s say, less built-in control to see these changes, especially the legacy mainframes. Excellent. So we’re going to move forward to payment network protection. Chris, I’m going to ask you to weigh in on this. And this is the idea of, you know, SWIFT put up a program for everybody on the SWIFT network to protect the network; they set up the SWIFT CSP. A much longer time period ago, the payment card industry got together and created the Payment Card Industry Data Security Standards. And we also see, you know, NACHA account information security coming up, where there’s, you know, high-volume users have requirements about protecting data. So here are three, I’ll just say three payment networks, that have all created a set of regulations, or self-attestation, or requirements for external review to protect the networks that they operate on. Is this going to continue to grow and hit more payment networks? And why are they doing this? What’s the reason for this? And what can we learn from that?
Chris Gerda 43:31
So think of the three on screen: PCI, NACHA, CSP, data protection, right? They’re saying, if you want to participate in our payment network, you have to have certain cybersecurity standards. And we’re going to make sure that you have those in place. And there are huge businesses that pop up to make sure you get up to standard so you can use those networks. There’s a wholly different type. Again, remember that coin: there’s a cyber side and a fraud side. So there’s another, fraud side of this network protection. And so to answer, for both sides of the coin, yes, this is going to increase, especially in the United States, as we ramp up the real-time payment networks that are coming out: same day ACH, immediate payment, all types of immediate payments, FedNow, etc. Participation in those networks precludes that you’re safe, secure from a cyber perspective. But from a fraud perspective, network, it’s a very common term to have these large networks. That means, as Omri had said earlier, a great point about organizations making an impact on a better society with the people that are part of them. And so PaymodeX, Bottomline, is one example of that, so every single network that has a ton of data, so big data equals big fraud protection, so we can use data from one customer to protect another, to know when a bank account is updated and that’s not actually normal, because a lot of other people pay it at a different account number. The same with email monitoring. So a lot of us use solutions, and Craig, you mentioned it earlier, for detecting malware or viruses being sent in. Those companies that provide those services are garnering threat information from thousands, tens of thousands of corporates and banks, and all over their customers they go, that click, oh, that’s a phish, right, in their email box, or oh, that’s weird, that’s malware, I don’t like that, report it. And then if that’s sent out to a bunch of other places, they can go in and proactively pull that out of
inboxes, overwrite the bad link, make sure that you’re safe. So there’s a continued approach to network protection. You see it in the United States with companies like Proofpoint, or Early Warning, Plaid, to validate banks or protect emails. You see it in PaymodeX; it’s a lot of network threat protection. We could tell when a vendor is an imposter, because the real customers are already with our business. And in the UK, I would say you see it a lot as well, in the legislation of the Confirmation of Payee, bank-sharing information to form a network of verified accounts. It’s a continued trend. The battle against privacy, though, there’s always a little scale of that.
Craig Jeffery 46:20
Excellent, Chris. All right. So we’ll move forward on this: Faster Payments create a significant number of concerns; 53% see this as an issue on the faster payment side. Your thoughts? What follows speed? Make it, you know, a speedy comment to that. I think the majority, I think I’d be interested to see, if we had a way, the 47%, and ask them why not? I’d be interested to see, because fraud follows speed, I think, to a certain degree. It’s not the increasing... I would say maybe there are bigger risks for increasing fraud than just the speed of payment. I think maybe that explains the 47%. I’m definitely part of the majority. We just saw it in action in the UK when the UK moved to Faster Payments, and the numbers rocketed. I think the question in front of us, and I agree with Craig, it’s very interesting and relevant to follow the UK here, is how things like Confirmation of Payee and the ability to pay back victims, even if, you know, under cases of abysmal compromise, in case they haven’t, you know, complied with some of the activities, will be interesting to follow. But you know, to make it a spin, the answer: fraud follows speed. We should always remember that and make sure we have the processes and technology in place to detect it. Quick question on that. So fraud follows speed: is that defense means we need to be quick to stop a fraud? I think Chris gave an example earlier, like follow up immediately, you might catch it before it leaves the US banking system. Is it that fraud tries to go to the fastest, most irrevocable processes? Is that what you’re saying? Absolutely. And I will say also that many of the things that we need to change, detection, cyber, we have here around the virtual roundtable people that are responsible for that in the organization, and ask themselves, do we have...? You know, okay, let’s assume that people will be more safe, more risky.
Fair enough, then I’ll ask them, have you updated your processes and technologies to support the change? I think there is definitely a call for action on that front. Okay. All right, we’re going to jump to our final poll slide, which is a multi-part one, I believe. So this first one is select one. And the second one is multiple choice; you can select multiple ones in the bottom. So we have enough people who’ve responded “TFC” or “poll,” so we are well over the 150. So thank you, and Brian, no need to count anymore. So that’s awesome. So go ahead and answer those in the chat box. Brian, if you want to put up some connections for LinkedIn, that would be excellent. No need to type poll or TFC; everyone will get it because of the 160, 170 already typed it in, so just say thank you to them when you meet them at a conference. All right. So we’re doing just about right on time. Tell us or show us, Brian, when we have enough answers so we can see what the results are. No, but nobody needs to type poll or TFC, we’re good. Alright, so just really quickly, um, spending more, spending significantly more: we’ve got 29% planning to do that. Keep that in mind, keep that 29% in mind for some additional data that we’ll show in a minute. And then if we slide down to where do you plan to spend more: number one, business email compromise, system access, and then bank transaction fraud, transaction controls, and bank rec are a third and a fifth of the total list there. So we’re going to let you mull that over on your own. We’re going to move to our next slide. Thanks for answering these poll questions. We appreciate both your participation and eagerness for the data. Now this one, we’re going to start with you, Omri, and then go over to Chris. But spending more, so spending more, this number was 30%, pretty close to our group; 55% the same.
So for the most part, there’s a general increase: a net 25 to 28% of firms are increasing their spending on treasury fraud controls. And why are they doing it? Number one, management is concerned about the threat level. And number two, the horse has escaped the barn, so they can put a lock on the barn door. So they have a recent incident that occurred. So let’s start with you, Omri. Very, very briefly, to comment on that. First, I think it’s even more impressive if you put it in the context of, I wouldn’t call it recession, but definitely a different view of spending at many organizations. So if you think about that, and I’m sure the virtual roundtable group, you’ll feel it very clearly, we need to fight maybe harder for budget, and we’re successful because I think we were able to do a good job in the last few years to articulate the risk for the business as a whole. It puts actually more, I think, responsibility on us to make sure, as an industry, that we have a comprehensive view on how we spend, by the way, both on people and on technology. But if you think about that, many of the organizations are generally spending less on many things, and they see the need to spend on security, cyber, fraud, more than before. So if you really put that in context, it really puts on us a greater responsibility to ensure the investment is done properly, comprehensively, and I would say something that proves both internal and external elements of risks throughout time. And you, Chris.
Chris Gerda 52:53
The management level of concern is something I hear about particularly often when I speak with governments; that is one of their top levels of concern, protecting taxpayer dollars. Oftentimes, there’s a recent security incident. In the United States particularly, following the government legislation coming out on cybersecurity and spending and infrastructure, cyber infrastructure development, you hear the word cyber; that’s the one side of the coin. The other side is a lot of that has to do with identity, particularly digital identity. And that’s the validation of who a person is, or who a business is, and partnering with providers that can secure your payments. That’s a critical part of that spending bill coming out. It’s going to add new threat networks; it’s going to add funding for governments globally, the ability for corporates and certain NGOs to get access to beef up their plans. But interestingly, when we think about fraud prevention spending, a lot of the time you can digitize your payments while increasing your security in parallel. So you’re actually helping reduce costs with digitization of payments, but you’re also in parallel increasing your security. When you compare two things that often are dichotomous, which is like more digitization and more security, one usually weighs on the other. But when we’re switching to ACH and virtual card, we’re actually securing our payments more with threat networks and the ability to validate who a vendor is, rather than having the checks out there. One of the questions that came in earlier was around the increase of fraudulent check activity in the United States, particularly with mail theft. So what we’re seeing is fraudsters have the ability to intercept checks in the mail. It’s a huge check and you have positive pay on it.
They’re able to defeat positive pay now by adding a new fictitious business or DBA name from a state website to an existing business account, adding the name of the business whose check they intercepted to that account, and then it passes positive pay. So there’s always a weak link, and getting away from checks and more digitalization increases your security, increases your reconciliation time, which is a huge piece of figuring out if a vendor got paid or didn’t get paid, and it can really help with a spending plan and your budget. So if you’re having trouble getting budget, you can pair security budget with automation: not make it a cost center, but actually a cost benefit. That’s a way to really sell some of these.
Craig Jeffery 55:36
Great, well, we’ll jump onto the next slide. And, Chris, you can start us off there. But this is, you know, what do we do with centralized fraud management, you know, a group, as well as some type of anonymous line, particularly for internal fraud.
Chris Gerda 55:56
Yeah, I’ll be very brief on this; I want to make sure we get some takeaways here. Make sure you have just a centralized big red button on everyone’s desk, where they’re comfortable slowing down a payment, where it could be of any type, any urgency. When you think of how we as humans get into that business email compromise scenario and send out a fraudulent payment, it’s often because of pressure, opportunity. And we just need to make sure that our cultures have that ability for anyone to say, I feel uncomfortable with this payment, and hit a button. Right? And then it goes to a group to investigate. And everyone’s going to be okay with that; the vendor that you’re going to pay is also going to be like, oh yeah, I could see why that was an issue. That’s really important. Centralized hotline, that’s a great place, right? You can contract with places to get some of that. It helps with insider fraud particularly. And a lot of the time insider fraud is detected via anonymous call lines; it’s a little piece of the puzzle. It’s taboo to worry about a co-worker, like, doing something, but if you have a way to say, I see something, I want to say something anonymously, that is helpful. That’s what I have there. Omri?
Craig Jeffery 57:14
Agreed. See something, say something, and, again, that’s where the combination of technology and processes and people can help. Especially, I think, we’ve seen it, I’ve mentioned before, high adoption of internal risking solutions for mitigating these elements. Excellent. So we’ll jump to the next one. So these are the key takeaways. And I think we’re going to go Omri, Chris, Omri, Chris, just to keep you guys on your toes. Omri, go ahead. I think lots on us, as an industry, lots on us as a group of experts. I think we are getting better; we need to say technically we are getting better against the threat that is increasing. My point of view is that if we have the right people in place, the processes, like some of the processes you mentioned before, and the technology to detect it, we’ll be better off. I think what we’ve seen throughout the day to day is in some places we have the right people, but obviously their processes are not the technology. And I think having one different judge almost to create a map and to do it, obviously. And I would say maybe as a summary of my perspective, this is not the end of the discussion. This is the beginning of the discussion. And I know that with many of you we will continue exploring together how we find solutions to this problem, how we work together to detect fraud and keep organizations safe.
Chris Gerda 58:50
Validation of vendors, that’s a way to say control the moat around your castle. Essentially, we don’t have to worry so much about the payment if we absolutely know where we’re sending the money first. Using large networks for email protection: critical. Using networks that help you validate in those sophisticated scams where you have the email taken over, the phone taken over, right? We catch a lot of frauds for customers where the business’s email is taken over, but we can see that from a mile away because we have a large network using a large amount of data to protect everyone. Stay on top of those policies and procedures you have. Start looking at IP addresses. Make sure you know how old a domain is if you get a new vendor asking for an update to banking information. Throw that thing into whois.com and see if they created it yesterday; brand new email domains are the number one red flag for fraud. Simple tips to keep you safe.
Craig Jeffery 59:51
Chris, cover multifactor authentication in two sentences, and then Omri, do “look on both sides” right after.
Chris Gerda 59:57
Put multifactor authentication everywhere in your business and personal lives: emails, phone logins. Particularly your internet phones, you need to go in and manually put your multifactor on. This should be a critical protection required of anyone, especially if they’re using a cell phone for business purposes. They spill over; we see it all the time. All right, to you, Omri.
Craig Jeffery 1:00:23
Again, that’s connected to the fact that we need to look on things from both the external and internal perspective, meaning that we pour five different elements in and we could provide a risk rating going into that, and some of that can trigger, for example, the multifactor authentication and then get the feedback. But we need to remember, when we talk about multifactor, it will not necessarily help us with intentional, internal risk, and it can actually mislead us if we are very focused on business email compromise and these types of risks. Because, again, we know that the authorized customer will do the transaction. So again, combine risk from internal and external risk, and utilize whatever is out there and keep evolving. Thank you, Omri. Thank you, Chris. Thank you, everyone, for joining us. In the chat box, you’ll have the link, and we’ll turn it back over to you, Brian.
Well, thank you, everyone, for joining us today. The CTP and FP&A credits, today’s webinar slides, and a recording of today’s webinar will be sent to you within five business days. And as Craig mentioned, be sure to download the infographic and request the Treasury Fraud and Controls Survey Report by clicking the link in the chat box. Thank you, and we hope you have a good rest of the day.