You’re a corporate treasurer and you get a call from the CEO, about to board a plane, asking you to bypass controls and make a payment to a certain supplier’s account. It sounds exactly like him, and his itinerary shows he should now be boarding a flight to Hong Kong. What further steps can you take to confirm the CEO’s identity?
Trick question. The correct answer is never bypass treasury’s payment controls. Bob Stark, vice president of strategy at cloud treasury software company Kyriba, warned members of The NeuGroup’s Group of Thirty (T30) at their meeting in late November that fraudsters have gone so far as to find someone able to mimic a top executive’s voice, then time the call to immediately precede a period, such as boarding a plane, when the executive will be difficult to reach for confirmation.
“These sorts of fraud happen—and they do happen—generally because there’s a weakness in applying the controls,” Mr. Stark said, adding that treasury executives must assume that fraudsters will try to figure out a company’s payment process in order to get a fraudulent payment through without it being flagged.
One member said that he has been more concerned about supplier email spoofs, which seek to persuade corporate finance staff to send payments to a different account controlled by the fraudster. Mr. Stark responded that so far there’s no perfect technology solution to verify suppliers’ bank accounts, although progress is being made. Another member said his firm verifies all such payments with a call back, and Mr. Stark cautioned that the call-back number itself may not be the correct one if it is taken from the same record the fraudster altered.
“The fraudster could have compromised your company’s system, gotten into the ERP (enterprise resource planning) system, and changed the bank account and the number you would call,” Mr. Stark said.
Mr. Stark provided the group with several suggestions to prevent payment fraud. The first is protecting access to systems and data: two-factor authentication for access to banking services; single sign-on, so that the IT group controls the log-in process; and IP filtering, also used by banks, to flag unrecognized computers and ask for additional information before granting access.
A second, especially important for corporates, is making sure data is encrypted, whether it is in transit, at rest behind the company’s own firewalls, or stored in the cloud. Mr. Stark noted that many of the publicized corporate data heists simply wouldn’t have mattered had the companies encrypted their data. He added that treasury management systems (TMSs) typically encrypt data using a key, and banks will have their own keys. Those keys could potentially be stolen, he added, but they are typically very well protected, and are long enough that recovering them by computation is not feasible.
Mr. Stark recommended outsourcing the encryption of data to third parties, noting that Dropbox and Google Drive both encrypt data exchanged with their websites. “Kyriba staff use Dropbox, which supports single sign-on and data encryption, to share information with counterparties,” he said.
A third, fairly obvious component of cybersecurity is payment controls, and most companies probably have them in place. The issue, Mr. Stark said, is the consistency with which those controls are applied, because companies often have multiple systems making payments and even different technologies within treasury, and each bank likely has a different system to connect to. Some companies employ a so-called payment factory, which collects payments company-wide and standardizes them before sending them to the banks. Others may require applying the same control policies across the different technologies in use. Either way, the key to preventing spoofs such as the CEO impersonation is standardizing how payments are initiated, approved and transmitted to the bank, across all payments, all geographies and all people, Mr. Stark said. The more exceptions to those policies, he added, the more opportunity for fraudsters.
A fourth precaution is screening payments, which Mr. Stark said is as much about compliance with internal policies as it is about preventing fraud. Screening against lists provided by the Office of Foreign Assets Control (OFAC), the European Anti-Fraud Office and others is important but only the tip of the iceberg, Mr. Stark said, adding that companies really need to develop the ability to screen against custom scenarios. Such scenarios may include a domestic transfer whose beneficiary’s bank account is in another country, or a first payment to a new or newly updated bank account, or an international payment to a country where there is no known supplier.
“Those are the types of scenarios you want to build into your payment processes,” Mr. Stark said. “It’s important to have algorithms that look at the scenarios and recognize when something has changed, for example, a payment going to North Korea when it should be going to the US. In my view, machine learning will be absolutely key to doing this.”
Ultimately, companies must align payment workflows with payment policies, so if a policy says payments should only go to approved suppliers in approved countries, then all payments to non-approved countries must be stopped. Or if the policy is for treasury to approve or reject payments initiated by accounts payable within the ERP, then any payments modified after import must be stopped.
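The custom screening scenarios and the two workflow rules above can be expressed as a small rule engine. The following is an added example, not Kyriba’s software or anything presented at the meeting; the approved-country set, the supplier master data, the denylist and the sample payments are all constructed for illustration (a real deployment would screen against the OFAC SDN list and the company’s own supplier master). The rules assumed here are: a payment edited after import from the ERP, a beneficiary bank in a non-approved country, an unknown supplier, or a denylisted beneficiary name is a hard stop; a domestic supplier paid to a foreign bank account, a first payment to a new or changed account, or an international payment to a country with no known supplier is routed to human review.

```python
"""Payment screening rules as an added example (not Kyriba's code).
All master data, lists and payments below are constructed for illustration."""
from dataclasses import dataclass
import hashlib
import json

# --- constructed master data (assumptions, not real reference data) ---
APPROVED_COUNTRIES = {"US", "DE", "GB", "NL"}
# A tiny constructed denylist stands in for the OFAC SDN list and similar sources.
DENYLIST_NAMES = {"blocked trading co"}
# supplier_id -> registered country and bank accounts already paid in the past
KNOWN_SUPPLIERS = {
    "S100": {"country": "US", "paid_ibans": {"US12345678901234567890"}},
    "S200": {"country": "DE", "paid_ibans": {"DE89370400440532013000"}},
}


@dataclass(frozen=True)
class Payment:
    payment_id: str
    originator_country: str  # country of the paying legal entity
    supplier_id: str
    beneficiary_name: str
    beneficiary_iban: str
    amount: float
    currency: str


def record_hash(p: Payment) -> str:
    """Stable hash of the payment fields, computed once at import from the ERP
    and again at approval time; any edit in between changes the digest."""
    canon = json.dumps(p.__dict__, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def iban_country(iban: str) -> str:
    """The first two characters of an IBAN are the ISO country code of the bank."""
    return iban.replace(" ", "")[:2].upper()


def screen(p: Payment, imported_hash: str) -> dict:
    """Return {'action': 'BLOCK'|'REVIEW'|'PASS', 'reasons': [...]}.
    Hard stops (policy breaches) block; soft flags route to human review."""
    stops, flags = [], []
    bank_cc = iban_country(p.beneficiary_iban)
    supplier = KNOWN_SUPPLIERS.get(p.supplier_id)

    if record_hash(p) != imported_hash:
        stops.append("modified after import")
    if bank_cc not in APPROVED_COUNTRIES:
        stops.append(f"beneficiary bank in non-approved country {bank_cc}")
    if p.beneficiary_name.strip().lower() in DENYLIST_NAMES:
        stops.append("beneficiary name matches denylist")
    if supplier is None:
        stops.append(f"unknown supplier {p.supplier_id}")
    else:
        # Domestic supplier, but the money would leave the country.
        if supplier["country"] == p.originator_country and bank_cc != p.originator_country:
            flags.append(f"domestic supplier paid to {bank_cc} bank account")
        # Never paid this account before: possible changed bank details.
        if p.beneficiary_iban not in supplier["paid_ibans"]:
            flags.append("first payment to new or changed bank account")
    # International payment to a country where the company has no supplier at all.
    if bank_cc != p.originator_country and not any(
            s["country"] == bank_cc for s in KNOWN_SUPPLIERS.values()):
        flags.append(f"international payment to {bank_cc}, no known supplier there")

    if stops:
        return {"action": "BLOCK", "reasons": stops + flags}
    if flags:
        return {"action": "REVIEW", "reasons": flags}
    return {"action": "PASS", "reasons": []}


# Constructed sample batch: a routine payment, the same supplier with bank
# details switched to a UK account, and a beneficiary bank in a non-approved country.
P_OK = Payment("P1", "US", "S100", "Acme Parts", "US12345678901234567890", 1000.0, "USD")
P_CHANGED = Payment("P2", "US", "S100", "Acme Parts", "GB29NWBK60161331926819", 1000.0, "USD")
P_NK = Payment("P3", "US", "S100", "Acme Parts", "KP00000000000000000000", 1000.0, "USD")


def demo() -> dict:
    """Screen the batch; imported hashes come from the records as they arrived
    from the ERP, before the tampering of the last case."""
    imported = {p.payment_id: record_hash(p) for p in (P_OK, P_CHANGED, P_NK)}
    edited = Payment(**{**P_OK.__dict__, "amount": 91000.0})  # edited after import
    return {
        "routine": screen(P_OK, imported["P1"]),
        "new_foreign_account": screen(P_CHANGED, imported["P2"]),
        "non_approved_country": screen(P_NK, imported["P3"]),
        "edited_after_import": screen(edited, imported["P1"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result['action']} {result['reasons']}")
```

The import-time digest is what enforces the “treasury approves what AP initiated” rule: treasury compares the record it is approving against the digest captured when the batch left the ERP, so an amount or account changed in between fails closed instead of relying on someone noticing the edit. The soft flags are deliberately cumulative, so a changed account that is also foreign and in a country with no supplier surfaces three independent reasons to the reviewer rather than one.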
Mr. Stark concluded his presentation by noting that:
–The threat of fraud has raised the bar for CFOs to ensure internal controls achieve compliance with internal risk policies and external regulations.
–Treasury controls and procedures need to be applied across the whole organization as the rule, not the exception.
–Standardized payment controls are critical to combat fraud.
–Payment policies must exist within the workflow, automatically screened in real-time.