Fraud and cybercrime: how corporations should protect themselves
The recent COVID-19 health crisis forced companies to instruct their employees to work from home, which was both an operational challenge and a challenge for the company's financial management. Álvaro Bárez, BBVA Head of Global Transaction Banking in Europe, and Julio López, Chief Information Security Officer (CISO) at BBVA Corporate & Investment Banking, explain in an op-ed piece published in Spain's El Economista newspaper some of the cybersecurity risks that are particularly relevant in the COVID-19 context. They also stress why it is so important that businesses have robust payment processes to contend with these threats.
Until a couple of months ago, telecommuting was viewed as a growing trend in response to new and changing times. Overnight it became a necessity in response to the quarantine measures adopted worldwide. Companies had to close their premises, and employees had to carry out remotely the tasks they had previously done from a physical office. This applies not only to the operational side of a business's activity but also to everything related to its financial management.
It seems clear that we have successfully overcome the technical aspects of this challenge. Specifically, corporate treasury departments have been able to maintain a reasonable level of continuity. And why shouldn't we admit it: banking has played an important role in this context.
But what might seem normal on the face of it is in fact quite extraordinary. Telecommuting increases operational risk in business activities, especially for the departments responsible for paying the company's vendors. In the current landscape, these departments are more exposed than ever to fraud attempts and cyberattacks.
In fact, supplier payment fraud is a kind of attack that has been on the rise for quite a while and that, with the current crisis, has become even more significant because of the risk it represents. It is increasingly common for large companies to process supplier payment instructions through their payment systems with little scrutiny: in short, whatever instruction comes in gets executed. This is equally likely to happen whether the payments team sits close to the business that requested the payment or has been moved away from it through organizational centralization. The latter is the case of centralized payment factories, where payments are made "on behalf of" the company's subsidiaries.
An attack can target either non-recurring or recurring payment instructions. In the former case, the scam closely resembles what is known as CEO fraud. An email arrives addressed to general management containing a request for an urgent payment for an important purchase, for example of medical supplies. During the recent crisis, this kind of fraud attempt rose significantly. Once again, crises bring out the best and the worst in people. Urgent payments, no questions asked, to a far-away country, for health and humanitarian purposes. Hurry! How can you refuse?
A similar situation may occur with recurring payments. Cybercriminals can take advantage of the start of a new supplier relationship or, even more commonly, of the moment when a long-standing supplier changes banks and communicates new account details. Here the fraudsters rely on subtle deception: using intercepted email, they impersonate the vendor by reusing the familiar names and habitual expressions exchanged between the parties, so that the small differences in the address the mail comes from go unnoticed.
Example: "We have decided to change bank accounts, so I would kindly ask that the next payment (which, incidentally, a detailed investigation shows to be the highest amount due to the vendor in recent months) be made to this new account." Cybercriminals open accounts, or pay third parties a commission to open accounts on their behalf (known as mule accounts), with all the documentation in order. Their sole purpose is to receive the money intended for a vendor and disappear, never to be heard from again.
The banking industry has made a huge effort to shore up controls that detect this type of fraud, investing both in people and in technology so that banks can warn companies of suspicious activity and, when a payment has already been sent, work cooperatively to stop it from reaching its fraudulent destination. But, if you will allow us the metaphor: just as the spread of the virus is drastically reduced when two people talking both wear face masks, if companies join efforts with their banks, the success rate of this kind of fraud will fall sharply. Companies can defend themselves on several fronts:
1.- Employee awareness and training.
- Train employees so that they are fully aware of the procedures related to their job.
- Employees should know that they must not cut corners under internal pressure, however urgent the request.
- The sender address of every email containing a payment request should be verified.
- Never disclose passwords or sensitive information in response to an email or online request.
- Educate employees about the risks of publishing information about their professional lives on the Internet and how they can protect themselves.
2.- Defining the supplier onboarding process and payment processes.
- Vendor onboarding processes should be complete, with a validated mailing address and contact telephone number for the supplier on record.
- Document each step of the payment process, both for recurring payments and one-offs, and especially how to handle urgent situations in which the usual approvers are unavailable.
- Without exception, large payments should require at least double authorization. The amount threshold can be adjusted according to the destination country.
- If a supplier changes its bank account or a new supplier relationship is established, confirm the change directly with the supplier through the contact details validated during onboarding, not through the contact details given in the notification itself.
3.- Setting up a robust payment system.
- Use mail scanning tools to detect and block emails that come from unknown domains or that contain malicious content.
- Consider disabling the HTML view for critical email accounts so that the real link targets and sender addresses are visible.
- Set up an alert that fires whenever a payment is addressed to a beneficiary account that has never been paid before; this acts as an automatic second verification.
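The following is an added example, not code from BBVA or from the op-ed, of how a payments team could screen each instruction against the controls listed above: a sender domain that differs only slightly from the vendor's registered domain (the look-alike addresses described earlier), a beneficiary account the vendor has never been paid on before, and an amount above the dual-authorization threshold for the destination country. The vendor master, the thresholds, the alert codes and the two sample instructions are constructed for the example; the IBAN check is the standard ISO 13616 mod-97 test.

```python
"""Screening of supplier payment instructions.

Added example (not BBVA code). Implements the controls described in the
text: look-alike sender domain, new beneficiary account, dual-authorization
threshold by destination country, plus an IBAN checksum sanity check.
Vendor master, thresholds, alert codes and sample instructions are
constructed for illustration.
"""
from dataclasses import dataclass

# Vendor master data as captured at onboarding (constructed sample).
VENDORS = {
    "V001": {
        "name": "Acme Supplies",
        "domain": "acme-supplies.com",            # validated sender domain
        "accounts": {"GB82WEST12345698765432"},   # IBANs paid before
    },
}

# Dual-authorization thresholds by destination country (hypothetical values).
DUAL_AUTH_THRESHOLD = {"default": 10_000.0, "HK": 2_500.0}


@dataclass(frozen=True)
class PaymentInstruction:
    vendor_id: str
    sender_email: str          # From: address of the e-mail carrying the request
    beneficiary_iban: str
    amount: float
    destination_country: str


def normalize_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters by 10..35; the resulting integer must be 1 mod 97."""
    s = normalize_iban(iban)
    if len(s) < 15 or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].strip().lower()


def screen(instr, vendors=VENDORS, thresholds=DUAL_AUTH_THRESHOLD):
    """Return the alert codes raised for one instruction; an empty list means
    the payment matches the vendor record on every check."""
    vendor = vendors.get(instr.vendor_id)
    if vendor is None:
        return ["UNKNOWN_VENDOR"]
    alerts = []

    domain = sender_domain(instr.sender_email)
    if domain != vendor["domain"]:
        # One or two edits away from the real domain is the classic look-alike.
        if levenshtein(domain, vendor["domain"]) <= 2:
            alerts.append("LOOKALIKE_SENDER_DOMAIN")
        else:
            alerts.append("SENDER_DOMAIN_MISMATCH")

    iban = normalize_iban(instr.beneficiary_iban)
    if not iban_is_valid(iban):
        alerts.append("INVALID_IBAN")
    elif iban not in vendor["accounts"]:
        alerts.append("NEW_BENEFICIARY_ACCOUNT")   # call the vendor back first

    limit = thresholds.get(instr.destination_country, thresholds["default"])
    if instr.amount >= limit:
        alerts.append("DUAL_AUTHORIZATION_REQUIRED")
    return alerts


# Constructed sample instructions: a routine payment and a suspect one.
ROUTINE = PaymentInstruction("V001", "billing@acme-supplies.com",
                             "GB82 WEST 1234 5698 7654 32", 4_800.0, "GB")
SUSPECT = PaymentInstruction("V001", "billing@acme-supp1ies.com",
                             "DE89 3704 0044 0532 0130 00", 48_000.0, "DE")

if __name__ == "__main__":
    for label, instr in (("routine", ROUTINE), ("suspect", SUSPECT)):
        print(label, screen(instr) or "OK")
```

The routine instruction produces no alerts, while the suspect one trips all three controls at once. Any alert on a vendor-initiated account change should route the instruction to a human who calls the vendor back on the number recorded at onboarding, never on a number taken from the email.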
The joint effort of banks and businesses is critical for stopping the fraud attempts we see every day. And, given that telecommuting is here to stay, it is all the more pressing that these measures are put into effect.