Treasury Insights

How treasury and payments  organizations can stay vigilant against cyberattacks

The global shift to working remotely has created real cybersecurity vulnerabilities and that has been compounded by other pandemic-related factors such as supply chain disruptions. Here we cover how organizations can fend off rising threats like financial malware, business compromise email and social engineering.


The global pandemic has set the stage for bad actors looking to exploit the vulnerabilities of remote access, according to David Leach, Head of Cybersecurity and Technology Controls, Asia Pacific, J.P. Morgan.

“Many who are working from home may not have  network security that is as robust as their workplace which makes them potential targets for cyberattacks,” says Leach. “The supply chain disruptions coming as a result of lockdowns have also provided opportunities for these bad actors.”

In fact cybersecurity professionals have observed a 63% increase in cyberattacks related to the pandemic,1 while 54% of employees believe their organizations are more likely to experience a serious cyberattack during the pandemic than they would before the outbreak.2

Much of the increase in activity comes from criminals increasingly exploiting work-from-home situations to attack businesses. For instance, some companies are seeing an increase in fraudulent payments for suppliers or supplies that never arrive.

What are the steps treasury and payments organizations can take against cyberattacks?

Taking action: how to protect your business

  • Ensure vendors are following the same stringent standards in their own environments.
  • Examine controls that are in place to protect money movement, such as controlling access to banking relationships and establishing multiple approval levels in areas such as accounts payable. consider setting payment limits at account and employee levels.
  • Don’t allow multiple users to log in from the same computer to initiate or release payments.
  • Perform daily reconciliation of all payment activity.
  • Consider establishing a program to detect anomalous payments, such as identifying irregularities, and tracking and tracing where a payment is in the environment point to-point, and if altered at any time.

 

Install security programs on mobile devices

Even before the current health crisis, the use of email to deliver financial malware was a dominant attack method with 65 percent of threat groups using spear-phishing to compromise their corporate networks.3 The 2019 AFP Payments Fraud and Control Survey Report found that payments fraud from third-parties continues to increase with 44 percent of business email compromise (BEC) being perpetrated by criminal impersonating vendors.4

Increasingly, cyber attackers are taking advantage of the COVID-19 situation to target individuals and organizations using advanced social engineering, which is the psychological manipulation of people into performing actions or divulging confidential information.

“For example, more recently, we’ve seen a number of mobile applications being pushed out to mobile app stores that are malicious, but claim to be focused on helping individuals navigate the risk of infection,” stated Leach. “Some have taken on an authoritarian approach, demanding that users install the applications in order to comply with government mandates to track their activities. Of course, once individuals install and open the app, their data is then stolen or compromised.” 

“To protect themselves, users are advised to leverage reputable anti-malware and anti-virus programs for their mobile devices and update them regularly, as they would for their home and office computers. Mobile security app such as Lookout or MyPermissions that can scan your device and tell you which apps are accessing your information are helpful as well,” Leach added. “In general, when downloading apps, ensure permissions are restricted to only those capabilities required to operate them.”

 

Encourage employees to report suspicious activities

While these problems are widespread, so too is awareness. In response to growing threats, more than 75 percent of companies have indicated they are adopting stronger internal controls that prohibit initiation of payments based on emails or other less secure messaging systems5.

A recent poll by J.P. Morgan of more than 200 corporate and financial institution clients in Asia Pacific revealed that nearly 92 percent of respondents believe the best method for preventing social engineering and phishing attempts is to train and educate employees against clicking on phishing links and navigating to untrusted websites. In the same poll, nearly 96 percent believed encouraging employees to actively report phishing and vishing attempts, or suspicious activity to the security operations center is vital.

 

Best cybersecurity practices to combat risk

Having strong controls in place to deal with cyber threats is key. It’s important to remind treasury and finance employees of cybersecurity best practices when working remotely. These include securing home Wi-Fi networks, only using company approved communications tools, never sending work documents to personal email accounts, and keeping personal device operating systems and applications up-to-date with the latest versions.

Best practices should also include establishing procedures for authenticating callers, reporting suspicious activity, approving changes to account details or transactions, and being familiar with all procedures necessary for maintaining effective controls that protect the organization.

“Companies need to put strong mechanisms in place to authenticate the party they are communicating with, particularly as it pertains to transactions and business assets,” said Leach. “Employees are increasingly migrating to text messaging applications to communicate. This in turn circumvents traditional call-back procedures, thus creating a vulnerability that bad actors can exploit to spoof a legitimate transaction request.” In short, verify payment requests; don’t move money based solely on a text, email or telephone instruction, even from a trusted vendor.

Treasury and finance organizations would be well served to conduct regular resiliency tests and training exercises to build increased preparedness among staff and ensure technology can effectively support contingency situations. Once employees have been trained, actively test them. For example, send employees targeted phishing emails, then require those who clicked on the compromised messages to take additional training.

This pandemic has set the stage for bad actors looking to exploit the vulnerabilities of remote access

David Leach, Head of Cybersecurity and Technology Controls, Asia Pacific, J.P. Morgan

Vigilance is paramount

Fending off cyberattacks and fraud is a never-ending battle. In the context of the current global business climate, with so many working from home, the need for vigilance is as high as it has ever been.  

“It is critically important for organizations to update and test cyber and fraud response plans to ensure they can meet both internal and external challenges,” said Leach. “It’s also vital that employees be educated and aware of the different schemes and threats to prevent them from being duped. Lastly, organizations should look to implement automated controls, which eliminate human vulnerability. Such controls and straight-through processing better position organizations to mitigate threats that more often than not target people rather than technology.” 

 

J.P. Morgan’s Multi-Layer Cybersecurity Approach in Payments

When it comes to mitigating cybersecurity threats, all points along the payments continuum must to be protected. Banking partners are a vital part of that continuum. J.P. Morgan utilizes the most advanced, cutting-edge technology to detect fraud across high and low value payment types. The bank takes a multi-layer approach to protect client’s invaluable assets:

  • The first security layer utilizes advanced capabilities and partnerships, protecting the perimeter, leveraging industry intelligence, and sophisticated malware and brand protection methodologies.
  • The second layer focuses on cash management, relying on J.P. Morgan’s secure, state-of-the-art access portal, partner banks and Line-of-Business direct links.

In the next phase of this approach, the bank maintains the integrity and availability of payment transactions through robust internal platforms:

  • The third layer involves leading-edge payment controls, which covers back-office payment system controls.
  • The fourth layer focuses on internal technologies, such as innovative behavioral analytics, fraud detection and email control systems.

The bank completes cybersecurity protocols leveraging strong industry partnerships to build resiliency across the payments ecosystem:

  • The fifth layer involves verification, creating a secure and seamless client verification experience.
  • The sixth and final layer is geared around recovery, focusing on investigations practices and recovery capabilities.

When combined, this comprehensive approach allows J.P. Morgan to offer clients reassurance that it has a committed banking partner protecting payments at every step along the way. 



To learn more, please contact your J.P. Morgan representative


1. The Impact of the COVID-19 Pandemic on Cybersecurity, Information Systems Security Association, July 2020. 
3. Symantec Internet Security Threat Report, 2019.

Navigate Disruption With A Treasury Resiliency Strategy

In times of crisis, adequate liquidity is critical to maintaining business continuity. Here are four key focus areas for treasurers to navigate operational disruption.

Read Navigate Disruption With A Treasury Resiliency Strategy 

Disclaimer

This material was prepared exclusively for the benefit and internal use of the JPMorgan client to whom it is directly addressed (including such client’s subsidiaries, the “Company”) in order to assist the Company in evaluating a possible transaction(s) and does not carry any right of disclosure to any other party.  In preparing this material, we have relied upon and assumed, without independent verification, the accuracy and completeness of all information available from public sources or which was provided to us by or on behalf of the Company or which was otherwise reviewed by us.  This material is for discussion purposes only and is incomplete without reference to the other briefings provided by JPMorgan.  Neither this material nor any of its contents may be disclosed or used for any other purpose without the prior written consent of JPMorgan.

J.P. Morgan, JPMorgan, JPMorgan Chase and Chase are marketing names for certain businesses of JPMorgan Chase & Co. and its subsidiaries worldwide (collectively, “JPMC”). Products or services may be marketed and/or provided by commercial banks such as JPMorgan Chase Bank, N.A., securities or other non-banking affiliates or other JPMC entities.  JPMC contact persons may be employees or officers of any of the foregoing entities and the terms  “J.P. Morgan”, “JPMorgan”,  “JPMorgan Chase” and “Chase”  if and as used herein include as applicable all such employees or officers and/or entities irrespective of marketing name(s) used.  Nothing in this material is a solicitation by JPMC of any product or service which would be unlawful under applicable laws or regulations.

JPMorgan Chase Bank, N.A. Member FDIC.  

JPMorgan Chase Bank, N.A., organized under the laws of U.S.A. with limited liability.

© 2020 JPMorgan Chase & Co.  All Rights Reserved.

Cybersecurity