In this “new normal” (or “new abnormal”) that we find ourselves in as a result of the pandemic, the number of cyber and fraud attacks has been on the rise, as has their level of sophistication, as “bad actors” seek to take advantage of the situation. As the owners of remittance and payments processes, treasury and finance are right in the center of this issue.
In this month’s blog, our theme is on mitigating cyber and fraud risk in treasury and finance. To that end, APQC recently spoke with Subject Matter Expert Jeff Diorio (Director, Treasury Strategies) to glean his insights about some of the most common forms of cyber-attacks on treasury and Accounts Payable (AP), techniques bad players are incorporating, examples of the tools and technologies that organizations are using to mitigate cyber-risks, and practices/recommendations organizations can utilize to help minimize risk in treasury and finance. Diorio has more than 30 years of experience working with financial technology, global treasury operations, disaster recovery and redundancy planning, and cyber-risk and fraud mitigation. Diorio co-heads the Treasury Advisory practice at Treasury Strategies, working with corporate treasury departments, treasury technology vendors, and financial institutions.
Below are highlights from the discussion.
APQC: What are some of the most common cyber-attacks you see in your work with clients? How do these attacks work?
Diorio: One common type of cyber-attack is known as Business E-mail Compromise (BEC). An example of this is an instance where somebody purporting to be the CEO or another internal senior executive reaches out to someone authorized to make payments on behalf of an organization via email and requests a large wire transfer for an urgent business purpose. It’s reasonable to believe that a company could be in the middle of an acquisition and need a large transfer, but typically this is done through a more formal process with appropriate approvals. These kinds of attacks often seem credible and are sophisticated in their construction. The emails appear to be coming from the executive’s account and are written in a style that effectively mimics them. Attackers might even use recordings of the executive’s voice to give the requests more credibility.
APQC: What are some of the pitfalls or mistakes that make organizations more vulnerable to these kinds of attacks?
Diorio: BEC attacks succeed typically when someone in the organization sends the requested money without following proper payment workflows and obtaining proper approvals, often in violation of their own payment policy. Not having dual-factor authentication in place also makes organizations more vulnerable to this kind of attack. Organizations make themselves vulnerable to payment fraud when they don’t properly validate requested changes for vendor payment instructions. I’ve had people tell me things like, “We received something on bank letterhead,” and I chuckle and say, “You know, my kids can do that.” Just because it’s on bank letterhead doesn’t mean anything.
APQC: How can organizations mitigate cyber risk and payment fraud?
Diorio: One important step to prevent cyber-attacks is putting a really good workflow in place that routes a payment request, gets it authorized properly, and doesn’t transmit payment to the bank until it’s gone through all the proper steps. Companies are putting a lot of these workflow systems in place (a majority are incorporated into their ERP systems) and they work very well. They require dual authentication to get into the system so you can be certain the requests and approvals are coming from the right people.
Another important step is making your processes as efficient as possible so you don’t have an army of people processing requests. Make sure that you minimize the number of people that have access to bank accounts and have rights to open bank accounts. By reducing the number of people, the number of accounts, and the number of banks you use, you will shrink the footprint of what you have to control and the risk will become exponentially smaller as a result.
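To make the payment workflow Diorio describes concrete, here is an added example (not from the interview, APQC, or Treasury Strategies) of a minimal payment-release control in Python: a request is released only after approval by authorized users distinct from the requester, two of them at or above a threshold, and only to vendors whose latest bank-detail change was verified out of band. The vendor names, user names and threshold are constructed sample values.

```python
from dataclasses import dataclass, field

class WorkflowError(Exception):
    """Raised when a payment step violates the control policy."""

@dataclass
class PaymentRequest:
    request_id: str
    requester: str
    vendor: str
    amount: float
    approvals: list = field(default_factory=list)

class PaymentWorkflow:
    """Route -> approve -> release; nothing reaches the bank until every step has passed."""
    def __init__(self, vendors, approvers, dual_threshold):
        # vendors: name -> True if its latest bank-detail change was verified out of band
        self.vendors = dict(vendors)
        self.approvers = set(approvers)        # the only users allowed to approve
        self.dual_threshold = dual_threshold   # amounts at/above this need two approvers
        self.requests = {}
    def submit(self, req):
        if req.vendor not in self.vendors:
            raise WorkflowError("vendor not in vendor master")
        if not self.vendors[req.vendor]:
            raise WorkflowError("vendor bank details changed but not verified out of band")
        self.requests[req.request_id] = req
        return req
    def approve(self, request_id, approver):
        req = self.requests[request_id]
        if approver not in self.approvers:
            raise WorkflowError(f"{approver} is not an authorized approver")
        if approver == req.requester or approver in req.approvals:
            raise WorkflowError("segregation of duties: distinct requester and approvers required")
        req.approvals.append(approver)
        return len(req.approvals)
    def release(self, request_id):
        req = self.requests[request_id]
        needed = 2 if req.amount >= self.dual_threshold else 1
        if len(req.approvals) < needed:
            raise WorkflowError(f"needs {needed} approval(s), has {len(req.approvals)}")
        return True  # only now would the payment file go to the bank

def denied(step, *args):
    """True if the control policy blocks this step; used to show the rejected paths."""
    try:
        step(*args)
    except WorkflowError:
        return True
    return False
```

An "urgent wire" requested by e-mail never enters `release` without passing `submit` and `approve`, which is the point of routing every payment through the same workflow.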
APQC: How can companies partner with their banks to prevent payment fraud?
Diorio: One of the easiest things a treasurer or controller can do is talk to their banks and ask what tools they have in place to protect against payment fraud. The banks are the entities that are sending the money and processing the payment, and they have very good tools that act as another layer on top of the organization’s preventative measures.
Lastly, I would emphasize that fraud prevention and cyber risk protections are a “C”-level issue. You have to build a culture that takes these things seriously from the top down.
View the entire Q&A interview with Jeff Diorio, including a list of practices to help minimize cyber risk and payment fraud from Treasury Strategies, online.