Cybersecurity and Fraud Protection
How a Treasury Management Officer's Call Saved Almost $200,000
After cybercriminals used a fraudulent payment request to collect a sizable sum from a client, Kelly Jean Lomberk, a treasury management officer (TMO) for JPMorgan Chase, jumped into action to alert the client’s corporate treasury director and prevent a costly loss.
This article was originally published in Commercial Banking’s magazine, Cybersecurity: Making Security Personal.
It seemed like a regular Monday morning for Kelly Jean Lomberk, a treasury management officer (TMO) for JPMorgan Chase in Iselin, N.J. Her day had started as usual—she’d had her coffee and was in the office planning her schedule for the week.
When she received an email from May Guerrero, one of Commercial Banking’s fraud investigators, asking her to call a client to validate a transaction, she didn’t think too much of it. She’d performed these validations before, and out-of-pattern transactions can happen. Guerrero had called the client and spoken with the initiator of the transaction, who confirmed she was “confident” it had been properly validated, but Guerrero wasn’t comfortable and escalated to Lomberk, the client’s TMO.
Going the Extra Mile to Validate
Lomberk picked up the phone and called Steve (full name omitted for privacy considerations), the client’s corporate treasury director. She described the transaction, a payment for almost $200,000 to a new vendor, and asked if it was valid.
The client uses robust internal validation processes. These include in-person validations for new relationships and a callback process for existing relationships that requires calling a contact using a known telephone number. Still, Steve instinctively felt something wasn’t right.
“Steve instantly focused on our concerns and took action,” Lomberk said when asked about the fraud attempt. “He cancelled the payment immediately and began researching it internally.”
The payment recipient was a new vendor for the client and had been validated in person, but the payment instructions were sent via email following the in-person meeting. Unfortunately, the vendor’s emails had been hacked and were being surveilled by cybercriminals.
By exploiting a software vulnerability, the hackers were sending and receiving emails undetected through the vendor’s legitimate email account and were covering their tracks using rarely opened subfolders. The cybercriminals knew when the meeting would take place and timed a fake email, which looked like a follow-up from the new vendor, with payment instructions that would direct funds to the cybercriminal’s bank accounts. Later, the cybercriminals sent another email to the client, this time with a payment request, which the client had processed and submitted.
Implementing New Processes
“JPMorgan Chase uses sophisticated algorithms to detect and escalate out-of-pattern payments,” Guerrero said. “Clients who act quickly—before the payment is released—are more likely to prevent a fraud attempt.”
After cancelling the fraudulent payment and saving his organization almost $200,000, Steve closed the gap in his organization’s validation processes. Within minutes of the call from Lomberk, he added a new validation form to be completed during an in-person review for any new vendor relationship. The form includes a field for contact details to use during verbal confirmations of account instructions.
Lomberk insists Steve is the hero for stopping this fraud attempt. “Not every client is receptive to our validation calls, but Steve not only listened to our concerns about the transaction, he also strengthened his organization’s processes to prevent it from happening again.”