Treasurers must strengthen controls and processes to deal with more sophisticated payment fraud

Covid-19 and homeworking created more opportunities for Business Email Compromise attacks

Date published: October 19, 2021

The outbreak of Covid-19 in 2020 brought treasury activities, and payments in particular, under the spotlight for companies globally.

With working from home on the rise, treasurers were called to place an increased focus on their company’s Business Continuity Plans (BCPs), as face-to-face communication and sign-off approvals were no longer the norm.

Despite firms’ efforts to step up safety arrangements around remote working, the pandemic created more opportunities for fraudsters. A recent survey by the Association for Financial Professionals (AFP) found that 65 percent of treasury executives attributed increased incidences of fraud in 2020 to the pandemic.

“Fraudsters attempted to expose the cracks in these well laid-out BCPs, exploiting deficiencies in communication to extract financial gains via Business Email Compromise (BEC) and by attempting fraudulent bank account changes for vendors,” claims the AFP.

The survey also found that nearly 74 percent of organisations were targeted by payment fraud attacks in 2020. The most prominent attacks were BEC – fraudsters impersonating legitimate executives and organisations in emails, geared at extracting money from companies.

Accounts payable departments proved the most vulnerable to BEC attacks (61 per cent), followed directly by the treasury department itself (13 per cent).

“There was a general increase in fraudulent activities during the pandemic and as a result we were much more stringent with the processes we have in place to guard against this,” says Pasi Kyckling, group treasurer of international pulp, paper and wood products company Stora Enso.

Stora Enso’s treasury department pursued ongoing pressure-testing of its data processing controls and processes, while sending invoices to customers and avoiding making manual payments, to deal with a potential increase in fraud.

“This was an important topic for us prior to the pandemic and all the basics have been in place for a long time. We now want to make sure that no matter where people work – if they are at home or working remotely elsewhere – that we remain very focused on applying and strengthening these processes,” adds Kyckling.

BEC on the rise

According to the recent AFP survey, the most prevalent BEC attacks experienced during the pandemic included emails from third parties requesting changes to banks and payment instructions and emails from fraudsters – posing as senior executives – requesting funds transfer to their own bank accounts.

Educating staff in BEC and training them to identify phishing attempts should now be viewed as critical, says the AFP.

This is followed by increased identity verification when changes are requested to existing invoice or bank deposit information; making call-backs on authorised contact numbers to confirm fund transfer requests; and requiring authorized sign-off from senior management for transactions over a certain threshold.

“We also have strict verification processes in place to deal with requests from suppliers. When changes are requested to any payment details, there is a standard procedure followed to get these details confirmed,” says Kyckling.

However, he also notes that there was a marked increase in fraudulent attempts on Stora Enso’s own customers by criminals impersonating Stora Enso during the pandemic. Fraudsters with ‘a good insight’ into Stora Enso’s business – even the names of the company’s salespeople – approached customers asking them to make payments due to the company into their own bank accounts.

He adds that only one or two letters were switched in the email domains that the fraudsters used, but the treasury team addressed this by blocking out these look-alike domains.
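A mail-filtering check for the look-alike domains described above, as an added example that is not from the article or from Stora Enso. The trusted domain, the sample senders and the function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample data: the trusted domain and senders are placeholders.
TRUSTED = {"acme-paper.example"}
SAMPLE_SENDERS = [
    "Anna <anna@acme-paper.example>",
    "Anna <anna@acme-papre.example>",   # two adjacent letters swapped
    "anna@acne-paper.example",          # one letter substituted
    "billing@othervendor.example",
]

def osa_distance(a, b):
    """Edits (insert, delete, substitute, adjacent swap) needed to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]

def sender_domain(address):
    """Lower-cased domain of a From value, or '' if it has no address."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def classify_sender(address, trusted=TRUSTED, max_edits=2):
    """Return (verdict, matched trusted domain or None)."""
    domain = sender_domain(address)
    if not domain:
        return ("invalid", None)
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        # Within max_edits of a trusted domain but not equal to it: block or quarantine.
        if osa_distance(domain, good) <= max_edits:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(sender, "->", classify_sender(sender))
```

Edit distance does not catch look-alikes built from visually similar Unicode characters, and for short trusted domains a threshold of two edits will flag unrelated senders, so `max_edits=1` is the safer setting there.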

Technology is key

Kyckling points out that technology remains a major part of the solution when it comes to identity management, particularly when dealing with suppliers and customers.

“We are seeing more electronic connections put in place between stakeholders to submit invoices instead of using for example email or post service,” he says, pointing out that banks, when processing payments, have played a major role in safeguarding against fraudulent transactions.

The recent AFP survey found that more than half of organisations are adopting at least two-factor authentication or other added layers of security for payments initiation (57 percent).

Kyckling notes that biometric technology, in which human characteristics such as fingerprints, voices, and facial characteristics are used for online identification, is commonly used in personal banking, and could be expanded into business payments.

Meanwhile, at financial and technology insights group Aite-Novarica, Julie Conroy, head of risk insights and advisory, points out that there is now a move to biometrics in corporate banking.

“We found that a couple of banks are already enabling physical biometrics as an authentication factor in corporate banking, while over half are enabling this in small business banking,” she says.

“In corporate banking, however, there is still a heavier reliance on tokens (generators of a unique code for use in two-factor authentication for transactions).”
