Kyriba: Four musts to protect against cyberthreats.
You’re a corporate treasurer and you get a call from the CEO, who’s about to board a plane, requesting you to bypass controls and make a payment to a certain supplier’s account. It definitely sounded like him and his itinerary shows he should now be boarding a flight to Hong Kong. What further steps can you take to confirm the CEO’s identity?
Trick question. The correct answer is never bypass treasury’s payment controls. Bob Stark, vice president of strategy at cloud treasury software company Kyriba, warned members of The NeuGroup’s Group of Thirty (T30) at their meeting in late November that fraudsters have gone so far as to find someone able to mimic top executives’ voices, then coordinate the call to immediately precede a period when the executive will be difficult to contact, such as when he’s boarding a plane.
“These sorts of fraud happen—and they do happen—generally because there’s a weakness in applying the controls,” Mr. Stark said, adding that treasury executives must assume that fraudsters will try to figure out a company’s payment process in order to get a fraudulent payment through without its being flagged.
One member said that he’s been more concerned about supplier email spoofs, which seek to persuade corporate finance staff to send payments to a different account controlled by the fraudster. Mr. Stark responded that so far there’s no perfect technology solution to verify suppliers’ bank accounts, although progress is being made. Another member said his firm verifies all such payments with a callback, and Mr. Stark cautioned that the callback number on file may not be the correct one.
“The fraudster could have compromised your company’s system, gotten into the [enterprise resource planning] system, and changed the bank account and the number you would call,” he said.
Mr. Stark provided the group with several suggestions to prevent payment fraud. The first is protecting access to systems and data, for example by requiring two-factor authentication for access to banking services. Another is single sign-on, where the IT group controls the login process, and a third is IP filtering, also used by banks, to flag unrecognized computers and ask for additional information before granting access.
Especially important for corporates is making sure data is encrypted, whether it is in transit, at rest within the company’s own firewalls, or stored in the cloud. Mr. Stark noted that many of the publicized corporate data heists simply wouldn’t have mattered had the companies encrypted their data. He added that treasury management systems (TMSs) typically encrypt data using a key, and banks will have their own keys. Those keys could potentially be stolen, he added, but they’re typically very well-protected, and the keys tend to be too complicated for algorithms to figure out.
Mr. Stark recommended outsourcing the encryption of data to third parties, noting that Dropbox and Google Drive both encrypt data exchanged over their websites. “Kyriba staff use Dropbox, which supports single sign-on and data encryption, to share information with counterparties,” he said.
A fairly obvious component of cybersecurity is payment controls, and most companies probably have them in place. The issue, Mr. Stark said, is the consistency with which those controls are applied, because often companies will have multiple systems making payments and even different technologies within treasury, plus each bank likely has a different system to connect to. Some companies employ a so-called payment factory, which collects payments company-wide to standardize before sending them to the banks. Others may require applying the same control policies across the different technologies in use. Either way, the key to preventing spoofs such as the CEO impersonation is standardizing how payments are initiated, approved and transmitted to the bank, across all payments, all geographies and all people, Mr. Stark said.
A fourth precaution is screening payments, which Mr. Stark said is as much about compliance with internal policies as it is about preventing fraud. Screening against lists provided by the Office of Foreign Assets Control (OFAC), the European Anti-Fraud Office and others is important but only the tip of the iceberg, Mr. Stark said, adding that companies really need to develop the ability to screen against custom scenarios. Such scenarios may include a domestic transfer whose beneficiary’s bank account is in another country, or a first payment to a new or newly updated bank account, or an international payment to a country where there is no known supplier.
“Those are the types of scenarios you want to build into your payment processes,” Mr. Stark said. “It’s important to have algorithms that look at the scenarios and recognize when something has changed, for example, a payment going to North Korea when it should be going to the US. In my view, machine learning will be absolutely key to doing this.”
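The custom screening scenarios described above (a "domestic" payment whose beneficiary account is abroad, a first payment to a new or changed account, and a cross-border payment to a country with no known supplier) are simple enough to express as rules. The following is an added example, not Kyriba's or any TMS vendor's code; the sanctions list, supplier master data, payment history and sample payments are all constructed for illustration, and a hit is meant to route the payment to a second approver rather than block it silently.

```python
"""Rule-based payment screening for the custom scenarios discussed above.
Added example; all reference data and payments below are constructed."""
from dataclasses import dataclass

# Constructed sanctions screening list (stands in for an OFAC-style feed).
SANCTIONED_NAMES = {"blocked trading ltd"}
# Constructed supplier master: supplier -> countries where it is known to bank.
KNOWN_SUPPLIER_COUNTRIES = {"acme gmbh": {"DE"}, "widgetco": {"US", "CA"}}
# Constructed history of (supplier, account) pairs already paid at least once.
PAID_ACCOUNTS = {("acme gmbh", "DE-ACCT-0001")}

@dataclass
class Payment:
    supplier: str
    beneficiary_name: str
    account: str
    originating_country: str   # country the payment is sent from
    beneficiary_country: str   # country of the beneficiary's bank account
    domestic: bool             # how the initiator labelled the payment

def screen_payment(p: Payment) -> list:
    """Return the scenario flags that fire for one payment (empty = clean)."""
    flags = []
    key = p.supplier.lower()
    if p.beneficiary_name.lower() in SANCTIONED_NAMES:
        flags.append("SANCTIONS_LIST_HIT")
    # Scenario 1: labelled domestic, but the beneficiary account sits abroad.
    if p.domestic and p.beneficiary_country != p.originating_country:
        flags.append("DOMESTIC_TO_FOREIGN_ACCOUNT")
    # Scenario 2: first payment to a new or newly updated bank account.
    if (key, p.account) not in PAID_ACCOUNTS:
        flags.append("FIRST_PAYMENT_TO_ACCOUNT")
    # Scenario 3: cross-border payment to a country with no known supplier.
    known = KNOWN_SUPPLIER_COUNTRIES.get(key, set())
    if not p.domestic and p.beneficiary_country not in known:
        flags.append("NO_KNOWN_SUPPLIER_IN_COUNTRY")
    return flags

# Constructed samples: a routine payment, a changed-account "domestic" payment
# whose new account is abroad, and a cross-border payment to an unknown country.
ROUTINE = Payment("Acme GmbH", "Acme GmbH", "DE-ACCT-0001", "DE", "DE", True)
CHANGED = Payment("Acme GmbH", "Acme GmbH", "HK-ACCT-9999", "DE", "HK", True)
UNKNOWN = Payment("WidgetCo", "WidgetCo", "GB-ACCT-4242", "US", "GB", False)

if __name__ == "__main__":
    for pay in (ROUTINE, CHANGED, UNKNOWN):
        print(pay.account, screen_payment(pay) or "clean")
```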