Cybersecurity and Fraud Protection

How to Stay Ahead of Fraudsters and Help Protect Your Organization

No matter the size of your organization, you can use back-end fraud prevention tools to spot suspicious fraud activity and help stop a payment loss.



Alec Grant, Head of Client Fraud Prevention for Commercial Banking, is responsible for designing and delivering strategies to protect the firm and our clients from losses. By using artificial intelligence and data analytics to detect fraud, the team seeks to enhance the client experience and increase recovery rates across all products and channels—including client education, electronic payments, check and card fraud. 

Q&A with Alec Grant

 

Q: You’ve spent more than 15 years working in the financial crime world. What is the biggest evolution you’ve seen in fraud schemes and the ways cybercriminals target organizations?

A: We are seeing an alarming increase in the number of fraud attempts against organizations. When the Association for Financial Professionals (AFP) Payments Fraud and Control Survey Report started tracking cybercrimes, 68% of organizations reported being targets of attempted or actual payments fraud attacks in 2005. Last year, 81% of organizations reported that they experienced payments fraud, according to the 2020 AFP survey report. That is the second-highest percentage reported in the past decade. While attacks on large organizations get the headlines, it’s much more likely that smaller firms with fewer resources are the most vulnerable.

Criminals are capitalizing on the changing business environment to launch new attacks against employees in the office and working remotely. During COVID-19, we saw fraudsters overwhelm smaller companies with business email compromise schemes and phishing attacks. We also saw a spike in check fraud schemes as payments employees within smaller organizations worked remotely and sent checks to pay staff and third-party vendors. Criminals are devoting significant time to finding and exploiting vulnerabilities within an organization and use the weakest link—employees—as a gateway to gain access to computer systems.

 

Q: What are some of the red flags to identify a potential fraud scheme, and what should clients do?

A: Criminals use a variety of tactics involving email, phone or texting to reach as many people as they can within an organization. They will also search social media profiles to find executives or employees who may have access to technology or payment systems and use that information to friend them.

Threat actors may also attempt to call employees to try and gain information on other employees, perhaps using the pretext of COVID-19 and a person’s well-being. You should never accept a call from an unknown number or reveal personal information to any caller.

In a business email compromise scheme, criminals try to trick an employee into sending authorized payments to an account the fraudsters control. Follow your organization’s best practices to validate any changes in payment instructions or account numbers. Never email the payee to authenticate the request, as you may be communicating directly with the fraudster and not the intended recipient. Too many clients email the payee to validate the request and don’t realize the fraudster has already compromised the email account and is the person responding.

It’s important for Commercial Banking clients to remember that not using the appropriate fraud prevention tools and internal controls may increase their risk of losses. Clients are liable for all losses incurred for payments originating using any authorized users’ security credentials or the credentials of others who have designated transaction authority.

If your financial institution calls to verify a transaction, take the time to validate again with your payee directly, even if you believe the process has been done. By investing just a few minutes to authenticate the request, you could help prevent payments fraud.

 

Q: Fraud prevention education is necessary for all organizations, but smaller companies may have limited resources or may not know where to start. What steps can these organizations take?

A: No organization can afford to be complacent about fraud protection. The AFP survey reported that only 60% of companies have a fraud policy in place, which means that many firms learn fraud responses only after an attempt has happened.

There are back-end controls that already exist within your organization that you can implement today. Always use callback controls, back up your data and follow the principle of least privilege for payments processing to help stop fraud.

Your fraud prevention strategy should also:

  • Require dual payment authorization before processing any transactions
  • Conduct a daily spot check of less than 10% of payments to ensure that they went to the correct payee
  • Define and enforce your organization’s escalation process for any suspicious payments requests or changes in banking instructions
  • Require at least two signers to approve changes to your banking accounts

Prevention is the key to avoiding fraud attempts. All employees, including C-suite executives, should follow the same controls and procedures to help maintain a strong fortress. Invest in and require regular fraud scenario training to increase awareness of fraud trends. Ensure all employees take the time to validate and raise concerns, no matter how urgent the request. It only takes one individual to give a criminal access to your computer systems.

Cyber Magazine Fall 2020 Cybersecurity and Fraud Protection