The Democratization of Anarchy in Payments


Date

Tuesday, July 25, 2023

Time

2:00 PM – 3:00 PM EDT

Where

This is an online event

Speakers

Chris Wyatt, Finexio
Craig Jeffery, Strategic Treasurer

Sponsored By

Corpay

Hosted By

Strategic Treasurer

Description:

The ongoing attack methods targeting companies’ information and payments have scaled heavily over time. The uses of technology, including generative AI to help create deep fakes, spoofing, and compromising, have been challenging AP and treasury groups heavily, and this technology is enhancing the criminal playbook. This discussion will dig into some payment channel differences, including checks, virtual cards, ACH, and wires, and the steps you can take to make your payments more secure.

If you encounter any issues with this webinar replay, please contact our team.

Transcript

Announcer  00:38

Well, welcome everyone to today’s webinar titled, The Democratization of Anarchy in Payments. This is Brian from Strategic Treasurer. And we’re pleased you could join us as we take a look at how technology has aided the scaling of payment fraud attacks, and how technology can be leveraged to scale security against these attempts. But before I introduce today’s speakers, I have just a few quick announcements. Zoom offers several different ways for us to interact today. If you would like to post comments or questions viewable by all attendees, please use the chat icon in the toolbar. If you would like to ask your question to just the presenters, please use the Q&A icon in the toolbar. You can ask your questions at any time during the presentation and we’ll try to get to as many as we can. But if we don’t get to your question, someone from our team will gladly follow up with you. There will also be a few polling questions throughout today’s webinar, where you’ll be able to select your response from a list of multiple choices. You will need to click the submit button on the polling questions to have your response recorded. If you are here for CPE credits, you will need to answer at least three polls today. And last, please ensure that your Zoom display name includes both your first and last name, so we’ll know to whom we should send the credits. Our speakers for today are Chris Wyatt, Chief Strategy Officer at Finexio, and Craig Jeffery, Founder and Managing Partner of Strategic Treasurer. Welcome Chris and Craig. And I’ll now turn the presentation over to you.

 

Craig Jeffery  02:19

Brian, thanks so much for getting everything queued up, Chris, it’s good to be on this webinar with you.

 

Chris Wyatt  02:24

Yeah, likewise, appreciate you having us.  Looking forward to it.

 

Craig Jeffery  02:28

And everybody, thank you for taking some time out of your day to talk about this topic. I know we’ve put a couple fancy words in there, the democratization of anarchy in payments. And hopefully you’re here for the content, not because we use some funny words there to get our point across. But let me explain a little bit about that and what we’re going to cover today. So the idea that fraud is escalating is where the phrase anarchy comes in. It’s escalating, and it’s a lawless, governless society, it seems, in how much fraud is occurring and how that’s escalating. So that’s the anarchy part. The democratization part is how much technology has become available to more and more criminals, allowing for a sophisticated attack by a broader range of our adversaries. So that’s where we come up with the democratization of anarchy in payments. Let’s go through what we’re going to cover here. That’s the broader theme of what’s happening. Let’s talk about the idea that tech is best used for confronting the criminal threat. We’ll start off with why crime pays. Fraud is both common, it’s lucrative, it’s more automated. And so the return on investment by the criminals is higher. We’ll spend a little bit of time talking about the criminal labor, the criminal playbook, which is fairly simple; how they enact their crimes can vary a bit. This includes they can steal data and sell it. If they can get you to send money, they’ll do it. If they can steal data, lock down data and cause you to have to pay a ransom for it, they’ll do that as well. And to the extent and when they can either pull you to send money to different places, or can gain control of the payment processes or payment files and payment instructions, they’ll do that as well. They’ll steal money directly or through some type of spoofing. So we’ll talk about the criminal playbook and cover that in some depth. As we look at the implications of tech advancement.
I’ve already explained what that is: the idea that the acceleration of technology is becoming more widespread. It’s more democratized. And so this is creating the greater threat. And so the implications of the tech advancement on the defense, on the security side, are increasingly important to stop and to parry the attackers. Then we’ll move on to improvements in fraud attempts, explaining in some detail. We’ll do this primarily by looking at some stories, how the escalation of fraud has occurred. We’ll see if we get through four examples, we’ll do that. We’ve all observed it. There’s more happening, and much more to be prepared from, especially when you look at some of the new technology developments, generative AI, for example, or the improvements of tech that helps us move or provide a method of creating some kind of compromise at a company. Then, what are the points to consider? We’ll have everybody scared by that point. But when we think about the points to consider, what do we need to protect? And how do we respond to it? We’ll cover a few areas, things like the surface areas, the surface areas of attack where we can be exposed. We’ll look at sophisticated attacks, and what that means, because that requires a sophisticated defense. And then finally, the other concept here is, it’s not just looking at what are the areas and the sophistication of attack and defense, but this idea, this concept that we need to continually scale our defenses, as this is not an end game. It is a continual process to meet the new and current standards. Finally, if I can ever finish this intro, we’ll talk about the takeaways, we’ll wrap up the discussion with that. Chris will talk about technology, and partners. And I’ll finish up a few points about applying our security principles. So that’s what you’re going to hear in the next 54 minutes. Some details on that. And we’re excited. Thank you for spending some time with us.
Chris, here’s a chart that I’d love you to introduce to the crowd. Fraud losses, as we said, are scary, they’re growing. You can’t have a discussion about fraud without having some stuff that gets people concerned. Here’s a slide. What do we need to be concerned about?

 

Chris Wyatt  07:14

Sure, thanks. Well, I think, you know, the, you know, the concern is, it’s sort of ever present and growing. And I know, we’ll touch on, you know, some of the technology that’s, you know, really helping push some of the fraudsters, making them more sophisticated, or giving them an ability to really sort of operate at scale. But I think, you know, you can look at these numbers, there’s other, you know, studies that come out of the FTC, that show, you know, unfortunately, you know, as we look for rapid payments, speed, there also comes some dangers associated with that. And I think it’s sort of, to a degree, inevitable that the fraudsters are going to continue to try to push, and they’re getting ever better at it, because, I think as was mentioned at the very beginning, it does pay. And so, you know, with the tools that are available to them, now, it is going to become, you know, just more and more, really incumbent upon all of us, you know, I think as you mentioned, you know, this idea of security is really a journey, it’s nothing you’re going to be done with. And I think with generative AI, you know, technology that’s, you know, looks very cool, from, you know, from a good guy standpoint can be very productive. It’s equally productive for, you know, the bad guys that are out there, and we’ll touch on that. But, you know, all the studies that, you know, we’ve looked at in the past, you know, just suggest that the attempts are only going to increase, and I think we will continue to see additional attempts, you know, not even done by humans anymore, you know, it’s gonna be more the robots that really help, so, unfortunately, drive that 10 billion probably, you know, upwards of, you know, 15, 20. Again, you know, the FTC report that came out, you know, not too long ago, really showed a huge spike in ACH fraud.
That’s where a lot of the money is, I think, as we all know, especially with, you know, the advent of RTP and FedNow, where, you know, payments can be sent very quickly, very efficiently. There’s just going to be, you know, continued emphasis, you know, I know, from our perspective on the fraudster side of the house, you know, looking to find ways to sort of get in the middle and divert those funds to a bank account of their choice and then disappear. So it’s frightening times, but I think there is a lot of capability as well, to help get after these, you know, the fraudsters as we continue on this journey.

 

Craig Jeffery  09:37

You know, when you said the bank account of their choice, there’s a lot behind that. It’s not just to accounts that they own, but accounts that they can control. They need to use that to move it to a place to get out of it. Just one, maybe a couple of comments, Chris, as we look at this chart. If you look at from 2021 to 2022, the green bar, that’s about a 50% increase in one year. If you go back from 2018, and you fast forward four years, it’s about a fourfold increase. That’s why, that’s my base. And that’s what’s reported. Those are scary, scary numbers. And so this threat, it’s not just in the numbers that FBI shows, but what people are experiencing, attempts and real losses, Chris?

 

Chris Wyatt  10:28

Yeah, absolutely. I think this really spans all corporates, you know, from large to small. Of course, it’s, you know, exciting to grab for the big guys, but SMBs are no, you know, no stranger to potential fraud, right. And that can be anything, you know, this is 73% of corporates experienced, you know, suspected fraud. Those are just, you know, the likely suspects. I think, you know, the number’s probably actually higher in terms of bad guys are attempting to perpetrate fraud, and or a lot of these corporates may not even know it, oftentimes, that’s what happens. And we’ll touch on a few examples here of very prominent, very well known tech companies that you’d think, you know, if anybody’s going to have their act together, and, you know, be buttoned up and have the latest technology, I think it’d be them, and they’re victims. And so, you know, I think it’s everything from, you know, synthetic identity fraud. Of course, you know, we touch on, so, deep fake, that’s quickly becoming a very real thing. But, you know, even the good old business email compromise is still widely used. And so it’s not surprising to see that 70 to 73% of corporates experienced some type of fraud. I would actually sort of, you know, place a bet that that number is actually quite a bit higher. Whether or not it was observed, I think, is really the question. And, you know, are you even, you know, really trying to measure this, you know, effectively? I think that’s another question that a lot of corporates should be asking themselves, you know, as they start to look at what is their security posture? How do they know if it’s good, because oftentimes, that I think, is indicative of how good of a program you may have to, you know, prevent fraud, sort of, you know, within your industry, and certainly within your business.

 

Craig Jeffery  12:12

You brought up a couple of good points there. One was, you know, if you look at attempted fraud, like how many companies have been targeted for attempted fraud, maybe it’s not super sophisticated, maybe it’s moderately sophisticated. If you get a chance to spend some time with your IT or CISO group to see how many phishing emails they blocked or changed or tracked per day, it scares you to death because you see how much is coming through. Sometimes it’s making it through whatever you use for the inbound side and data loss prevention. It’s a significant, significant challenge. Yeah, thanks for your comments on that, Chris. That brings us to poll question number one. This is a double stacked poll question. Because our audience is so advanced, you can answer two poll questions at once. Both of these are single choice, you can select one from our concern about payment fraud. And over the past year, our concern about fraud has changed: has increased, stayed the same or decreased. Select both and submit it. Now I want you to listen before you type anything in the chat box. I’d like you to, if you follow Finexio on LinkedIn, or you will click the button and follow Finexio or CTMfile fresh today or Strategic Treasurer fresh today, go ahead and type Finexio, CTMfile, or Strategic Treasurer. You follow all three, that’s a trifecta, make everyone happy. CTMfile is our news media arm and just feel free to follow all of them. That’s a really great way for us to all stay connected. And Finexio is a good one too. And so I’m gonna ask, we gotta get some Finexios up there. Don’t leave Chris hanging, too. And that’s a great way to stay connected through social media, you can connect and see what’s going on. This is really a good way to go. So Chris, I’m gonna put you on the spot as people type those in. And if we get enough people typing a message in, I’m gonna say, I’m gonna say 125.
Today 125 people typing one of those messages in while we’re doing the polling question. So then we’ll send out the responses to all of these poll questions to the audience. We’ll embed it right in the deck, which you will receive. So, Chris, number one, our concern is very high or high, 85%. Nobody’s low, or I think there’s one response that’s low, but it doesn’t benefit there. Their concerns are elevated, they’re attending the webinar about fraud and security. So that might be a little bit biased there. Any comments on that? Or on the second one, increased is about, you know, yeah, 60, almost 60%. Very few thought it decreased in the past year, or their concern decreased.

 

Chris Wyatt  15:27

Yeah, you know, I’d say, you know, for the first one, good. It’s, I think it’s important, of course, to, you know, be concerned about fraud. Yes, this may be a slightly biased audience, but I think that’s okay. I think it’s great, you know, the folks are showing up and, you know, cognizant of this. I think, you know, looking at a broader sort of world of the corporate world, I don’t know that it would be significantly lower. But I think that’s on everybody’s radar. I think it’s, you know, again, it’s almost mandatory, because, again, you know, someone from a last set of stats that, you know, again, 75 or more are having suspected fraud. And I think, to your point, Craig, you know, again, emails coming in, you know, people trying to, you know, constantly hack you every single day, Finexio’s no different: the number of, you know, spam and deflected emails that, you know, we get from our email blockers is significant. And, again, we’re not an enormous company, like a lot of those out there. So, not surprising, good to see that the concern is increasing. I think it should, and I know, you know, we’ll talk about this because I do think the threat vector is increasing, or there’s just new ones that are out there that have never been seen before. Then I think, you know, again, this is going to be like generative AI, you know, the GPT style models that you can basically infinitely scale, and they don’t get tired, they don’t get, you know, discouraged, they’re more than happy to sort of keep at it. So I do think it’s good to, you know, to see this increased vigilance. And I think it’s really, again, on this journey, just going to be that much more important that everybody stays abreast of the latest technology, making sure they’re using proper technology and processes to really sort of mitigate and manage, you know, any potential fraud. So it’s encouraging, because, I’ll leave it there.

 

Craig Jeffery  17:13

Great, well, thanks. And just for those who are keeping track, we need 47 more Finexios or one of the other names that we have in there. Let’s put some more follows on for Finexio. Be nice to our guest. So thank you for doing that. Thanks for those comments. It’s really, really pretty interesting. Chris, I’ll start us off in the criminal playbook. These are the four common areas, the plant things. Take money directly: system-level fraud. I’ll give a story of people getting control of systems and being able to send money out directly. That’s ideal, right? You don’t have to fool somebody, you don’t necessarily have to wait for a long weekend to try to convince people of some issue. You do it at the time and place of your choosing. The upper right-hand section, convince you to send money: social engineering, phishing, all of that activity, we’re getting very used to it. But the attackers have gotten better, right? I convince you to send money, you have the controls to do it. I can’t maybe break all of your controls and send the money on my own, but I might be able to convince people with authority to do that. Steal your data and sell it is cyber theft: can I steal it, I can sell it. And then ransomware is I lock up your data, and charge you to unlock it, or they use encryption. And now you’re stuck, your servers, your desktops are stuck, including your backups sometimes. And sometimes the bottom two are a combination of those. Right? I stole some data and lock it up, I publish a little bit and say I’ll publish a whole bunch more data. And unless you pay, and the longer you wait to pay faster, that’s going to go up. So those are some of the most common criminal approaches that they have in their playbook. Chris, I wanted you to weigh in, either dive in on more of these or share some of your thoughts on how criminals approach our companies.

 

Chris Wyatt  19:28

Yeah, sure. I mean, it’s always unfortunate to hear, you know, I’ve spent quite a bit of time in the healthcare space, and you know, where ransomware happened with multiple, you know, with some of our customers and literally, you know, holding a hospital hostage, you know, not a great story, but also really shows, you know, there’s no morals, there’s no ethics here. And so I think, again, you just have to be incredibly vigilant in terms of how you’re protecting your systems, and really your company. And I think, you know, the other important point here is we’ve got, so, four sort of key areas of fraud, but I think it’s important to remember, like, these aren’t mutually exclusive, one can lead to another. So I can socially engineer and really, you know, get into your system, you know, compromise your email, and then I can go steal all your data, go and sell it, I can also then lock down your system, you know, sort of hold you ransom. So I think it’s important to understand that, you know, it’s potentially just one, but one could lead to another. And, you know, sort of getting out multiple ways that, you know, again, potential fraudsters can impact your business, which, of course, is nothing anybody wants, but I think it’s, again, just why we need to be so vigilant in terms of how we’re looking for fraudsters internal and external, too. I think it’s important to realize that, you know, as good as we hope most of our employees are, internal fraud does happen quite frequently. There’s a lot of temptation there, especially if you’re moving large sums of money, or dealing with large sums of money. It’s, you know, you can think it’s easy to, you know, take a little bit. So I think the more we can, you know, again, just focus on these core areas. What do you do to help mitigate and manage, you know, potential fraudsters is, again, it’s really incumbent upon all of us.

 

Craig Jeffery  21:17

Yeah, some good points. I see we got some questions popping up in the Q&A box. But you know, as you’re talking, Chris, one of the things in mind, you know, we’ve always heard the phrase land and expand that is sometimes used in sales or marketing, we get a key customer and you can sell to others. But this idea of compromising one system, or one point, and then moving laterally throughout the organization, once I’ve got one system compromised, I use that to gin up more credentials, and more access in a company. So that’s another method or tactic they use. Once they gain access, they try to expand and do more damage. Chris, I didn’t know if you wanted to start to answer this now or later, I’m happy to jump into it. It says, with all the protections in place to prevent fraud, what more can be done to reduce the amount of fraud? I’ve got a real answer, I got a silly answer too.

 

Chris Wyatt  22:16

No, go for it. Yeah, go for it. I’ll chime in. But go ahead.

 

Craig Jeffery  22:19

Well, one of those answers was, you know, there was a, I can’t remember what show it was, it’s probably like Twilight Zone, and some guy found a genie, I think they refer to him as a geny. And he had three wishes. And his first wish is that it stop all conflict or war. And so the genie granted him the wish, and then he was the only person on the earth, there was no people left. And so he of course had to use a second wish to bring everybody back. And as you would expect from that, then granted the genie his freedom. So I don’t think we get rid of fraud entirely without getting rid of all people. That way, think about that, what more can be done to reduce the amount of fraud? I think a couple of the points that we talked about, you know, there’s technology, which is viable. There’s the human element. Both of those areas, the tech that we use, and the people that we have, we need to make sure they’re being upgraded constantly. So that’s training on the humans, that’s making sure we have the best tech and multiple layers of that tech. There’s not, that there’s only a single silver bullet for everything. But it’s that mindset of: the threat is escalating, I’m going to make sure I’m upgrading and stay in front of it, upgrading my people, upgrading my tech, leveraging the power of networks, leveraging tech that can detect anomalies. Chris, I’ll bring it over there before I use up the rest of the time.

 

Chris Wyatt  23:49

Yeah, no, I think that’s good. And I think certainly, too, you know, so there are a lot of different protections you can put in place. Right. And I think, to your point, some of it’s technology, some of it’s people, and then you have process. And I think it’s important that you may have the best, you know, people and technology, but if you’re not following the process, if it’s not auditable, you know, things can start to fall through the cracks relatively quickly. Right? Because I mean, one, you know, one payment could be, you know, that gets lost or you know, fraudster gets, it could be, you know, six figures, seven figures, eight figures, who knows. So I think it’s important to make sure, too, as you’re, you know, continually evolving this, you know, your strategy, you know, using technology, people and process, really making sure that you’re sort of adhering to, you know, what outcome you’re really driving towards, which would be, you know, ideally zero fraud, because, you know, the bad guys, to your point, are not going to stop but they’re continually going to look for different ways to go after you. So making sure again, you’re on this journey, you’re not done. And then I think, too, benchmarking yourself, like really making sure that you know the protections you have in place. How do you know that that’s sort of industry-leading, industry standard, like there really is nothing more you can do? I think it’s important to always sort of self reflect and make sure that you in fact are doing as much as you reasonably can for your business.

 

Craig Jeffery  25:09

Yeah, thanks for the question. Thanks for the answers, Chris. Now, Chris, you know, this kind of is a slide that we land on that we have to set up questions, what can we do to prevent fraud? And this is a, this is a progression slide, how do we progress and understand our response methods?

 

Chris Wyatt  25:30

Sure, sure, I think we can all sort of remember the early days when just, you know, sort of fraud via email sort of was almost humorous, right, we get the guys in Nigeria, you know, telling you you win the lottery, or they’ve got a bunch of money they want to send you if you just did this, you know, fairly basic, in terms of, you know, the level of sophistication. But I think it’s important to remember, too, especially in a B2B context, again, these payments can be very large. So just one, you know, if fraud hits you one time, that can be, you know, a very significant hit to your business, cause massive disruption, certainly, you know, impact insurance, impact your relationship with your vendors, you know, even really the financial viability of your company. So I think it’s important to understand that, you know, the criminals that are out there understand that, they know there’s a lot of money to be had. And so they will make investments just like you do, you know, if you’re doing R&D or product development, whatever it is, they are making significant investments to capture that from you. You know, they’re not shy to go spend a significant amount to, you know, test, iterate, and, you know, find the best methods to sort of go after you along with all the other sort of corporates that are out there. And, you know, with things like GPT, and, you know, the large language models that we’re hearing about, I’m sure we’ll touch on this more, but the attempts are going to get more and more sophisticated. It’s not going to be sort of a clunky written email, you know, that if you actually look at it, this is clearly not written by anybody that, you know, knows English. The fraudsters are going to get very sophisticated, and emails will be perfectly written, not only in terms of just spelling, but the intonation, the messaging is all going to be very salient and shouldn’t, is going to resonate way too much, it’s going to feel real.
And so I think, again, it’s about evolving your processes, evolving your technology stack to make sure you’re able to really look at these. And in the past, you know, so speaking of resources, a lot of it was human driven, you know, you’d have farms of people, you know, in various countries attempting to perpetrate fraud. Whereas now, you can easily spin up servers, many, many servers or instances where they can continually look to attack you, and the tools are cheap, they’re getting cheaper and cheaper every day. And even for those folks that are into OpenAI and ChatGPT, the prices are coming down. It’s just getting cheaper. And that will continue to be a trend, certainly as there’s more and more sort of proliferation of that type of technology. And then I think the last one, you know, when we look at demands a high sort of level of technical acumen, that’s really becoming less and less the case. I’m sure a lot of you’ve heard about low code, no code environments, but it’s becoming increasingly easy for, you know, folks like me, who, you know, know a little something to become very sophisticated very quickly, with the help of a lot of these new tools that are out there. Like I don’t write a lot of code. But guess what, I can now, you know, leveraging somebody like a ChatGPT if I need to. And so I think it’s important to really understand that. This is, you know, again, back to the democratization of this, is becoming that much more easy to, you know, act like a coder, leverage the capabilities that, you know, typically were reserved for sort of very specialized and highly trained, particular set of people.

 

Craig Jeffery  28:58

Alright, that brings us to our second poll question slide, we’ve got one on this particular slide. So our AP process is: highly automated, mostly automated, some heavy manual aspect to our AP process, it’s mostly manual, or I’m unsure. So pick the one that is closest. And so you know, we are 33 away from our total required responses to send you all of the poll results. That’s how it’s going to be. So we need a few more. Glad to see many of you guys are following Finexio. Hopefully, you’re not just typing Finexio. You’re following Finexio or CTMfile. That’s just our hope. Yeah.

 

Chris Wyatt  29:44

We try to put out relevant content to us, you know, specifically around this. So if you are interested, we do quite a bit of blog posting, etc, that you know, sort of hones in on particular aspects, you know, things that we’re sort of covering broadly here. So, we’d love to have you guys be involved.

 

Craig Jeffery  30:02

So on the AP process, so we’ve drilled down, there’s a number of payment processing companies from payroll, AP, treasury, different operating areas. So here it is, kind of a mix of mostly automated, highly automated is a pretty good group here. But we still got about 20, 27% said no, it’s mostly manual or some heavy manual aspect. Any comments before we slide on to some of the developments in fraud?

 

Chris Wyatt  30:33

Yeah, interesting to see, you know, I think this is always sort of an interesting topic of debate, you know, certainly something that, you know, Finexio, we think about, right, because traditionally, when, you know, a lot of companies we talked, we think about sort of AP automation tends to be a lot of like, what’s happening on the front end: am I automatically ingesting invoices, you know, do I have an automatic approval process, matching to POs, versus, you know, sort of later, sort of downstream, when you’re not somebody will make payments, you know, actually pay the bills. And getting maybe a follow up for another, you know, session, Craig, at some point would be, alright, well, now, when you’re actually making the payments, how automated is that? Is it that you’re clicking a button? Are you still printing checks? We’ve worked with a lot of businesses that are 100% check still, you know, they’re printing tens of thousands of checks, you know, on a Friday, trying to get those in the mail. But it is good to see, you know, a lot of the companies out there embracing automation. I think it’s important, you know, certainly in the realm of being able to better manage fraud, technology is really gonna be your friend. And it’s almost, you know, it’s not a nice to have at this point, it’s really a necessity. So great to see that most of the companies there, and you know, at least we got 65 ish percent, really embracing technology and looking to automate things, because that’s really going to reduce the workload and the cognitive load on your team, especially if you think about how do we manage fraud?

 

Craig Jeffery  32:00

Excellent. All right, that brings us to developments in fraud. We have a couple slides that Chris is going to take us through the content. So fraudulent emails, the first one, Chris.

 

Chris Wyatt  32:14

Yeah, fragile. I mean, I think a lot of us have seen this, you know, business email compromise is really not a new concept, unfortunately. But the sort of evolution has gotten significantly better. And so I think when you think about the content, you know, again, we sort of harken back to, you know, the Nigerians or there’s sloppy content, you know, from potential fraudsters who maybe English isn’t the first language. I think what you’re seeing what you’re going to be continuing to see is ever increasing sophistication, not only just in, hey, I’m spelling everything correctly, but the grammar is correct. But then even the messaging is correct. And it’s not like not only is it just correct, but it’s going to have context. And so I think, you know, as we start to think about some of the technology that’s, you know, continuing to evolve, it’s not only Hey, can I just send an email that looks, you know, good, and is asking people for some money, but it’s going to have context to say, Hey, this is I know, this business is working with this business, and it’s Bob or sue over there, that, you know, we need to get in touch with. And so I think that’s where, again, hyper vigilance, no, you know, understand that this is coming, is going to be incredibly, incredibly important. And so the believability, I think, you know, sort of what are the effectiveness slide is only increasing. So, you know, it’s really, it’s going to increase across the board. So I think, again, making sure you’re, you’re really prepared for that, where it’s likely bots that are coming after you, I don’t know if any of you’ve heard of worm GPT, sort of the latest and greatest for the bad guys. What it’s capable of, it’s training itself to be bad. So I think if you’ve looked at some of these generative AI models, right, they’re trying out a bunch of, you know, let’s say Good, good information, good data. 
But the bad guys are also now able to go train, you know, things like WormGPT, which are, let’s call them bad bots on specific data to hack your system compromised, you become much better at spear phishing. So I think again, it’s just incredibly important that you watch out for continual evolution of email fraud. It’s gonna be it’s gonna be interesting times for sure.

 

Craig Jeffery  34:33

Yeah, and as we move to the next developments in fraud, Roman numeral two, you know, there was a question. Is there any research that identifies whether fraud is more prevalent in a decentralized or centralized organization? If so, which or environments the organization created a risk? I guess I would say just a couple of things to this to answer this in round I think we have enough time to answer it. Yeah. So generally, it’s Say I’m not sure if the research but the data supports the fact that the centralized is riskier environment. I know from an intellectual argument it is there’s more points of exposure. And so that lends itself to the surface area of attack is bigger, and not everything is looked after. I know that anecdotally, I’m just wondering if we have, we can manage our survey results and cut our U ‘s treasure in AP, decentralized or not, and then track that down to the experiences that would be a really, really good thing to, to look at. But it’s, it’s, it’s certainly not better being decentralized. In terms of like, multiple systems, multiple processes. Yeah, there’s, there’s more things about bots, but I’ll let you cover this. This next slide about content creation and social engineering.

 

Chris Wyatt  36:01

Yeah, so I again, I think it’s, it’s this blessing and curse. I think, you know, especially if you’ve dealt with any of your sort of marketing team or sales team, it’s very easy now to create high quality content. And, you know, again, the fraudsters are aware of this. So again, if you think about, you know, creating very relevant, again, emails to folks that, you know, again, think about this have have context, have the appropriate imagery. They can spoof videos. I mean, just quick, quick, quick aside, Mike. My kids over the weekend sent me this video of Tucker Carlson talking about the latest Call of Duty patch that came out. Nobody was happy with it. Evidently, it was a it was a it was a bad patch. And initially I’m looking at it’s like, I’m like, why is Tucker Carlson talking about Call of Duty, and it wasn’t Tucker Carlson. It was a deep fake, but it was remarkably good. And this was put together by, you know, basically kids, the voice was perfect. Even the video was good.  Lips weren’t quite there. But again, I think it goes back to, you know, if kids are able to do this in a matter of minutes or hours, imagine what the bad guys, you know, that have a lot of resources can do, and will continue to do as the technology evolves. It’s really remarkable. And so I think that’s why it’s important, you know, certainly from a b2b standpoint, from an AP standpoint, making sure you really know who you’re talking to, you know, is it truly, you know, Bob, on the other line, did you really get that email from ABC company that wants to update their banking information. So you know, you send the funds here, there’s a lot of just novel technology that’s coming out that we’ve never seen before. And so that the more you know, again, vigilant, it’s a word that we keep using here, you can be and staying abreast of what’s happening, right, because all of us, everything that you see, that’s really cool. 
Um, so the AI, you know, deep fakes, that is great for society, and will be super beneficial. There’s always that dark side to that you have to at least be aware of. And so in the back of your mind, be thinking about, wow, what if I wanted to be a bad guy? Because there’s now specific language models to the degree that you guys are into this that will go and just create content, and you won’t know where it’s coming from? And it’s, you know, it’s, it’s happening today. So, you know, spread things like fake news, right. So I’ll take the Tucker Carlson example. Well, you could do that industry specific. It could be about a company you work with, it could be about a supplier or a vendor, you’re paying it can invent fake news. And it can, the bots can reference this fake news. And it becomes very believable very quickly. Unless you’re, you know, really fine tuned. So it’s, it’s frightening. It’s daunting. It’s, you know, it’s fascinating, but I think it’s again, just stay vigilant, stay abreast of what’s happening, because the world is changing extremely quickly.

 

Craig Jeffery  38:52

Yeah, if you want to continue, like, what do we do to response to the deep fakes this progression? And we think about payments to these areas, have I set up a vendor, I make a change to vendor information or, or counterparty information, and then I execute payments. Yeah.

 

Chris Wyatt  39:09

And I think this goes back to what we sort of mentioned earlier, which is, yes, there’s the technology, there’s the people, and then of course, the process. And so there is a lot of great technology that’s out there, you know, from validating bank account information. I think a lot of us has you have used something like plaid. You know, a lot of us don’t like the intrusiveness, but there are some significant benefits to that, you know, you as a business. There’s lots of other services out there that will help validate, you know, accurate banking information tied to a specific business, versus you just sending payments out in the blind. I think it’s, you know, really important that really almost any company is doing that. You know, the space we’re in, we see invoices, all you know, all day every day, and it’s amazing how many still just have something on the bottom that says, hey, send the money, send the money here. Here’s bank account. Here’s the routing information and the number of our customers that we deal with that but are actually validating that is very few. So, you know, that’s one of the things we take very seriously. out of band validation. These are things like, you know, knowledge based authentication, you know, What car did you have 10 years ago, there’s a lot of tools out there that, you know, you can leverage, you know, and basically ask you over your vendor to help validate them validate the business relationship, you know, that you have with them. And then, of course, you know, making sure you know, if you are sending money to a bank account via ACH, making sure it’s going to the right place, you know, that bank account is actually associated with the person who intend to pay the segregation of duties. 
Again, super important, again, that prevents sort of man in the middle type attacks or potential internal bad actors, where when one person is sort of vetting the information, but it’s another person that’s actually making the change, and are double checking, I think that’s, you know, that’s really important. And then, you know, other there’s other of course, there’s lots of different types of validation, you can do any internal data you have. And I think we’ve got it here in terms of confirmation, like, what what was the last two payments, you know, that we sent to you think things have become very difficult for a vendor or even, you know, very sophisticated chatbot to know, I think are very important. Of course, things like encryption, you know, if suddenly from email, to how you’re sending your data, all your traffic is certainly incumbent upon all customers, to, you know, vendors, etc, to make sure you’re managing that. So there is a lot of good there, there is a lot of good technology. But I think too, it’s like, if you’re not using it in the right way, you’re not managing a process effectively. You know, things can fall apart very quickly. And again, they just just need to get through the door, they just need a crack. And so I think it’s important to make sure you are really reevaluating frequently, what are we doing? How do we know what’s working? And how do we make sure we’re staying abreast and you know, evolving? You know, as this landscape continues to evolve.

 

Craig Jeffery  41:53

There’s so much there to cover. And there’s so many questions we want to ask you. This is another double stack, we started with two, then we went to one that we did to the double stack. These are both select all, but apply the top one select all apply the bottom one, please select no more than three, you may need to expand the poll question boxes, make sure you can see that there’s 368. In the second question. The first one is our payables process has automated payment generation of following types. And then the second one is we’re going to StrategicTreasurer.com doing a flash survey on timely topics. We’ve done these a number of times, what topics would be most interesting or helpful to you now, so please pick up the three that will, the lead will factor in what what research is done. And just so you know, on the, as you answer those questions, after you’re done, there still is the ability to follow one of the entities for Nexio CTM files strategic treasure, we have eight other people to put in there. While people are answering that, Chris, there’s a couple of questions. I’ll try to go through them quickly. Feel free to jump in at the end. It’s question is, do you think that ACH debit blockers and check blockers help against payment fraud? Absolutely. When your bankers make suggestions about technology that prevents fraud, you need to listen to them, they don’t get rich on those, but they can protect you significantly for a very, very small charge, it’s really wise to listen to your bankers, they are your friends, they have aligned interest for that against the criminals. There’s a while there’s a bunch of other questions that I’m gonna have to let that slide to another time. But I know we’re over the top four responses, which is awesome. Thank you, thank you for following our different entities and resources on LinkedIn. So thanks for that. Let’s go ahead and submit the responses. We’ll see where they are. 
I’m gonna just say a few things on this one, Chris, because I know we’re gonna we’re gonna move to stories, since we’re sharing this with everybody. automated payment process, pretty interested in ACH is the number one method and then something like other rapid payments and virtual card are in the 12 and 26% range. Pretty interesting to see that manual manual processes for wire transfers. What’s the top survey that they want? Number one, generative AI and Treasury finance. So across the board number two, looks like it’s payments security. Of course that’s this crowd right payment security, AI and then forecasting forecasting such a big one. So thank you everyone for answering those. We will be putting out some some research shortly. So thanks for doing that. Chris, this turns into some stories. Um, I’m gonna, I’ll just, I’ll start really quick on the cheque side, I know we’ve got to get through a lot in a short period of time. Checks are easy to create fraud, they tend not to be very large dollars, they’re extremely high volume, the highest volume for fraud. We’ve criminals about this forever, it tends to be more lowbrow, or less sophisticated. I remember the first fraud case when it’s working in a company that I saw, I remember the forger and spelled the person’s name wrong, they put two extra letters in their first name, you got to be a little more careful than I was scraping $1,100. And I remember that’s when I really learned about older and due course. And it was pretty easy to say the check cashing companies exhibit good care, because how could they have checked the ID when the person added two letters to their first name, especially for a large amount? So that’s one one story, you have to follow the traditional and new methods of protecting checks. And they’re just a mess checks are a mess, Chris, go ahead.

 

Chris Wyatt  46:10

Yeah, on the ACH side, you know, the one that really stood out to me, you know, last March was Google and Facebook, got hit for over $100 million in fraud, so basically phony invoices. And then they were asked to send money to a fictitious company, over in Taiwan, like nothing was a Taiwan, Taiwanese electronics company. And they, again, if you think about these two major, major companies like leading the way in AI, et cetera, et cetera, probably have all the security, maybe a lot of your data is actually sitting in a Google Cloud or, you know, something akin to that. And they got hit for $100 million, and didn’t find out. And this wasn’t like a one time hit happen over and over and over. So I think it just goes to show that, you know, putting, you know, better policies, procedures, practices, technology in place, isn’t just for the little guys. It’s, it’s for the big guys as well. And that was one that really struck struck me, which then says, Wow, okay, if Google and Facebook that have endless resources are getting hit, what’s happening, you know, everybody else that you know, does not have the same type of sort of resources and capabilities that they have. So I’ll give it back to you.

 

Craig Jeffery  47:24

Yeah. So on the wire side, many of you have probably heard the example of the Central Bank of Bangladesh. There’s a lot of other cases that have happened that are not that didn’t hit the news, quite so, so heavily. So this was where the criminals gain control of the payment system, not only use the principle of AI, gain control, and so I can send payments out when it benefits us. In other words, we need the most amount of time to get funds out of the regular banking system. They also created a process, they understood the controls that they would get confirmations back for payments. So they built a program to delete confirmations. If it had been if they had sentence, they put a code in there. And they built some code to take any returned message that had information that they had sent the wire and it would delete that. So it wouldn’t send the confirmation through the through the process. So it provided them more time to prevent the discovery. Sure, it was under a billion dollars worth of requested transfers. Certain certain methods stopped it. So only $101 million was sent out $20 million was recovered due to good security now due to someone typing, making errors in their typing, typing foundation to Foundation, a person caught that and returned $20 million. So as an $81 million net loss for the Central Bank of Bangladesh. Now virtual cards are newer on the scene, Chris?

 

Chris Wyatt  49:03

Yeah, they you know, maybe just, you know, sort of quick, you know, reprieve prepare, not not so much a story about AFP recently came out with their annual sort of report on fraud. I think JP Morgan helped sponsor that. But I think it’s freely available to anybody that wants to go search it, but one of the things that really struck me, you know, looking at that is, you know, basically the payment methodologies and, you know, what, where’s fraud being perpetrated? I think we talked a little bit earlier that, you know, ACH fraud, in terms of dollar value is really increasing. It’s basically like skyrocketing, which, which is alarming. I think we’ve all heard about check fraud. I think that continues to be like 60 plus percent, sort of all the attempted fraud that’s out there, you know, quickly followed by ACH, you know, both credits and debits. That you know, again, pretty common. The good news, for those of you that do leverage virtual cards, significantly less we’re talking to single digit fraud. You know, and again, multiple reasons, because of that you’ve got the card networks that are there, you know, again, there’s a lot of fraud security tools that are there. And the unique nature of virtual cards tend to be single use, you know, right. So it’s not like I steal a credit card and keep running it up, you know, to a particular balance, tend to be for fixed dollar amount wants to use, it’s gone. So I think that’s, that was very striking, you know, especially given the last survey poll, but we saw a lot of folks using wire checks, ACH, you’re not nearly as many using virtual cards. But, you know, as the data goes in from a security standpoint, there’s significant controls, makes it very difficult for fraudsters to leverage and use virtual cards. And exposure is also very limited, because again, there is a finite dollar amount along with an expiration. So just just food for thought for you now.
So all those corporates out there, if you think about your sort of AP payments, you know, how you address those, but because the fraud vectors are very different, in terms of you know, the exposure that you’re potentially putting on yourself, and even potentially, your suppliers and vendors.

 

Craig Jeffery  51:09

Right, so what are some of the things we need to be mindful of? What are some of the strategies? Chris wanted to start us off with the first two? I’ll, I’ll cover the last one. Yeah,

 

Chris Wyatt  51:18

I’ll try to be try to be quick. So your surface area of attack again. So this is, again, which payment channels are using? Again, we just touched on it. But I think it’s very important to consider how are you visually vetting for those folks that are using ACH and wire. Again, those tend to be once the money is gone, it’s gone, you may have security, meaning you can try to work with your bank. But typically, once the fraudsters have your money, it’s gone. If they put it in an account, and then they immediately remove it, they shut down shop, and you know, the odds of you finding it are, you know, slim to none. So, then you’re calling your cybersecurity insurance. Guy and, you know, try to work try to work something out. So I think it’s important to understand sort of where you’re potentially exposed. And then your defenses, right, so this goes back to the technology process, people, the services, really making sure that, you know, you’re if you’re handling this, that you have a good handle on it, you have a proper thing, but as a program, you’re managing this program to not only be sophisticated and strong today, but again, evolve towards the future. So knowing what’s coming, right, it’s good that I think a lot of you want to get into Hey, what’s what’s a I mean, for sort of my team or Office of the CEO, AP teams, etc? You know, how does that you know, impact treasury? Those are great questions asked, it was super interesting, interesting to see what, uh, you know, Greg, you guys come up with, because, again, it’s, it’s constantly evolving, it’s, and it’s happening at a very rapid rate right now. So I think it’s, again, just important to make sure you’ve, you’ve got a good handle on that. And if you don’t ask, you know, go look for help, you know, there’s, again, there’s a lot of tools out there, a lot of vendors out there that are, you know, are there to help, you know, protect you make it make you stronger, make you more safe.

 

Craig Jeffery  52:57

Yeah, part of that looking for help with tools, is also this this mindset of how do we defend against continually, are increasingly sophisticated, in an increasing number of attacks, because all these attacks are automated and leveraging tech, it’s this mindset of how do I continually improve my physical defenses? My technology defenses? What do I do for structure? What kind of bank services do I use? How do I have and review what goes on very, very, very important to take that type of mindset. And with that, that brings us to a few final thoughts. So this is summation. So what we said maybe a little bit in there, but a few things to leave you with, as you go back to your, the rest of your day, what you might need to do to protect your payment processes.

 

Chris Wyatt  53:53

Yeah, I can kick it off real quick, just you know, on the technology side, but I think as we’ve been talking about, things are happening extremely, extremely quickly, like, like, like never before. So, you know, really staying abreast of what what is occurring, because again, it’s becoming easier and easier for fraudsters who maybe aren’t sophisticated to act very sophisticated very quickly, and to do things that they’ve never been able to do before. Right. So again, think spear phishing, you know, where they’re trying to get your information or one of your employees information. In these chat bots, remember, they will remember all the conversations that can have a very innocuous conversation with one of your employees and start to learn who they you know who they are, and go Google them, right? Figure out everything on LinkedIn, who’s you know, who are their friends, you know, what are they what are they into? So just be prepared for, you know, increasingly sophisticated attacks upon the company, and, you know, bring the right technology to bear right, it’s, it’s, I don’t think we need to be frightened, you just need to be on top of it. Because there’s equivalent technologies that can help prevent and mitigate the risk. So I think just being open and honest with yourself about what this potentially means, Will is really the first step and how you address it effectively, over time.

 

Craig Jeffery  55:09

Yeah, and this as we talked about technology and then partnering with with people who, who can help, you know, assess the environment, the structure, getting training, payments, specific security training. On a regular basis, recurring basis, these are foundational, important elements of a company and their care, and stewardship of the most liquid resources. And then, when we think about security principles, all of us think about them to some extent, some something more or less than others, we have, we do have a, an ebook, as well as a physical book on some of the 12 security principles, and why those matters. But just to be quick, on a few points, the principle of least privilege reduces the total exposure. This is you don’t grant IDs or people access to more data or systems than is necessary. And this is really, this really ties into the surface area of attack. And how criminals use if they if they come into a system and land, they gain access to someone’s credentials, and they have way more power than they should have or may have way more access, they can use that lever that to the detriment of the company is a good principle generally, but this one is sometimes not thought about in the same way. So reducing the reducing your surface area of attack is one element of following principle of least privilege. Layers matter. So one, one Id one system, one protection is compromised, you have others to protect, because your individual layers of protection will be compromised. At some point or there’s a there’s a potential for at least one of them to be compromised. Multiple layers, they can work quite well. And so So update your list of what are you doing? Here’s the principles we have, where are we doing well, what do we need to do have an assessment about what needs to be done from a technology partnering security principles standard. If you’re involved in payments, you have a really challenging job. 
And it’s not getting easier because of the democratization of anarchy in payments through technology. With that, I want to turn it over to Brian with my thanks to you, Chris, for your great input. everybody for listening, participate in the chatbox really good discussion there. It’s fun to see news articles pop in, and other content there. So thanks for making the community effort. Really good here. So thank you so much. And back to you, Brian.

 

Announcer  57:59

Thank you, Craig. Thank you, Chris. And thank you, everyone for joining us today. The CTP credits, today’s webinar slides, and a recording of today’s webinar will be sent to you within five business days. And for more on the democratization of anarchy in payments, be sure to listen to our episode of the Treasury Update Podcast just released with Finexio by clicking the link in the chat box. Thank you and we hope you have a good rest of the day.
