Treasury Strategies shows how proper planning and protocols can stop business email compromise in its tracks.
As described in a recent webinar arranged by Treasury Strategies and treasury management systems provider Kyriba, a treasury executive at Rockefeller received an email purportedly claiming the company’s CEO was involved in confidential negotiations to acquire a company in the UK and requested an $8 million wire transfer. Sam Pallotta, the treasurer, explained that the request was meticulously constructed and appeared to be coming from the CEO’s email account, even mimicking his writing style and targeting an assistant treasurer on a day when Mr. Pallotta was on vacation. What’s more, the company had a history of acquisitions in the UK.
Noting the importance of the discretion of the deal, the email specifically instructed the executive to tell no one else of the request. Mr. Pallotta said it is uncertain how the fraudster knew he was out of the office, but he suspects his Outlook calendar was hacked. “The fraudulent payment may have been made were it not for the payment protocols that our organization has in place to ensure all wires are legitimate and accurate,” Mr. Pallotta said.
He then provided a lengthy list of protocols, noting the primary one leading to the discovery of the scam required signoffs on every payment by four employees on physical and electronic forms; and when a wire transfer is over $1 million, the CEO must sign for it. “Knowing the CEO would eventually have to sign the physical payment form, the executive walked down to the CEO’s office to discuss the payment with him directly, and at that time we realized this was a fraud attempt,” Mr. Pallotta said.
Requiring the segregation of duties, for instance so that wire payments cannot be released by just one employee, was also key, as was the authorization limit requiring the CEO’s signature. The Rockefeller Group’s Kyriba treasury workstation, which has built-in limits requiring specified employees to input and release wires, also limits the amount an individual can release. No one, for example, can release wires over $25 million, and such a wire requires an exception approved by Mr. Pallotta, and it must be executed by the IT department’s security administrator.
The company also takes advantage of bank controls such as positive pay and ACH debit block, and top management has expressed full support for programs to train employees across the company and widely communicated written policies. RB Erickson, director, global sales management at Kyriba, and also a member of the webinar’s panel, noted that check fraud remains the most common form of payment fraud, but wire fraud is quickly gaining. In 2013, 14% of organizations reported being the target of attempted or actual wire fraud, and by 2015, it was 48%, while check fraud fell to 71% from 82%. Much of the wire fraud is conducted via BEC scams. Mr. Erickson noted that the FBI recorded 17,000 victims of BEC scams between October 2013 and early this year, resulting in $2.3 billion in losses.
In terms of reviewing payment fraud protocol, said Jeff Diorio, managing director at Treasury Strategies, a first step is looking at the components of the company’s payment process and the procedures currently in place.
Also important is putting together a team to respond to instances of payment fraud that comprises a range of executives, such as those from treasury and the controller’s office. And companies should evaluate the potential avenues to attack, whether by perpetrators inside or outside the company. Mr. Diorio recalled talking to the head of cyber security at a large package-delivery company who flat out acknowledged that fraud attempts aimed at treasury simply weren’t a concern, particularly when an attack bringing down the company’s core systems could render it unable to track packages and threaten its overall business.
He added that a BEC attack that succeeds in prompting a treasury executive to wire $10 million to the fraudster was up to treasury to deal with.
“You have to put risks in perspective,” Mr. Diorio said. “In this case, [every treasury department] I’ve worked with has taken on the responsibility themselves [to guard against payment fraud] and brought appropriate parties in to help.”