How Well Do You Sleep at Night? Are Your Global Cash Flows Safe From Cybercrime and Fraud?
Updated June 2017
Many of us have read and witnessed how cybercrime and fraud have become one of the most significant risk management topics for corporates. However, despite all the hype and talk, I find it surprising how many corporates are still unaware of the risks, or strikingly unprepared to mitigate these risks.
Conducting cybercrime does not necessarily require sophisticated IT or programming skills. Of course, there are many sophisticated methods, such as viruses, worms and ransomware. But business e-mail compromise (BEC) attacks, for example, may require only limited technical skills, since the attacker doesn’t necessarily even need to break into your e-mail or intranet.
In a business e-mail compromise attack, or “CFO/CEO attack”, the attacker finds a way to present himself as an important person inside your company, usually via a fake e-mail identity. The e-mail account might be hijacked in sophisticated cases, but sometimes it is enough to send fake e-mails and disguise them well, which requires only limited IT skills. Armed with the false identity, the attacker then asks the ledger team or treasury to initiate fake payment orders. It should not be a surprise to anyone that faking an identity has become much easier since we started to share everything about ourselves on the internet. When the scam is professionally personalized to find the weak spots of your company, and then applied over and over again to other corporates as well, criminals increase their chances of success.
The other side of the coin is internal fraud. Any corporate can reduce internal risks related to payment processes to an acceptable level just by following a few basic principles, but surprisingly many fail here. As an example, I have witnessed too many payment processes, even at stock-listed corporates, where batch files are manually loaded into internet banking portals. Although file and folder sharing policies can be applied to minimize the risk of someone changing the payment data on its way, that process is fundamentally wrong. Any professional risk policy should recognize such processes and seek ways to eliminate them completely.
How to start minimizing payment-related risks?
I would state that corporates whose financial back office is decentralized are in general more exposed to cybercrime and fraud, since, as a consequence of decentralization, implementing preventive tools and processes is much more time-consuming and, of course, costs more money. And unfortunately, in a decentralized company, it is easier to say that it is none of my business how the others are doing this. A centralized payment factory can be a surprisingly powerful way of mitigating both external and internal payment-related risks. And of course, the most obvious reason is that with the payment factory you are creating a single hub to connect to your banks.
Let’s focus on business e-mail compromise first. At first, there seems to be no clear link between the payment factory and the attack. But in fact, these attacks can be mitigated considerably by implementing best-practice payment processes: processes where only payments to registered creditors are accepted from A/P (with the four-eye principle), or where manual ad hoc payments in particular are filtered and, in suspicious cases, stopped before execution by various filtering and prevention techniques. When these techniques are in use, the attacker can be stopped by the payment factory.
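A sketch of the screening step described above, as an added example that is not OpusCapita's code: the creditor register, the review limit, the field names and the sample IBANs are all constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple

# Constructed creditor register: creditor id -> IBAN approved at onboarding.
REGISTERED_CREDITORS = {
    "V-1001": "FI2112345600000785",
    "V-1002": "DE89370400440532013000",
}
AD_HOC_REVIEW_LIMIT = Decimal("10000.00")  # hypothetical threshold


@dataclass(frozen=True)
class PaymentOrder:
    creditor_id: str
    iban: str
    amount: Decimal
    created_by: str
    approved_by: Optional[str]
    source: str  # "AP" for accounts-payable runs, "MANUAL" for ad hoc orders


def screen(order: PaymentOrder) -> Tuple[str, List[str]]:
    """Return a decision ("RELEASE", "HOLD" or "REJECT") and the reasons."""
    registered_iban = REGISTERED_CREDITORS.get(order.creditor_id)
    if registered_iban is None:
        return "REJECT", ["creditor not in register"]
    # A BEC request typically names a known creditor with a new account,
    # so the account is compared with the one approved at onboarding.
    if order.iban.replace(" ", "").upper() != registered_iban:
        return "REJECT", ["IBAN differs from registered account"]

    reasons = []
    # Four-eye principle: a second, different person must have approved.
    if not order.approved_by or order.approved_by == order.created_by:
        reasons.append("four-eye approval missing")
    # Manual ad hoc payments above the limit are held for review.
    if order.source == "MANUAL" and order.amount >= AD_HOC_REVIEW_LIMIT:
        reasons.append("large ad hoc payment")
    return ("HOLD", reasons) if reasons else ("RELEASE", reasons)
```

An order that passes both register checks is still held when the creator approved it alone, which is the case that matters when a single employee has been persuaded by a forged e-mail.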
A payment factory will also eliminate the weakness of manual file transfers. The safest way is to implement interfaces directly from ERP systems to your payment factory, and secure the material all the way. Of course, automated file transfers or messaging solutions cost some money, but can you really afford to take the risk of not being compliant with standard security levels? Especially since modern tools have brought almost every bank within your reach via SWIFT and other means.
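One way to secure a batch between the ERP system and the payment factory, as an added example rather than anything the article specifies: the CSV layout, the trailer with control totals and the shared HMAC key are assumptions, and the data is constructed. It shows why control totals alone do not catch a changed account number.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed batch in a hypothetical layout: creditor;IBAN;amount,
# followed by a trailer holding the record count and control sum.
SAMPLE_BATCH = (
    "V-1001;FI2112345600000785;1250.00\n"
    "V-1002;DE89370400440532013000;980.50\n"
    "TRAILER;2;2230.50\n"
)


def control_totals_ok(batch: str) -> bool:
    """Check the trailer's record count and control sum against the rows."""
    *rows, trailer = batch.strip().split("\n")
    _, count, total = trailer.split(";")
    amounts = [Decimal(row.split(";")[2]) for row in rows]
    return len(rows) == int(count) and sum(amounts) == Decimal(total)


def seal(batch: str, key: bytes) -> str:
    """ERP side: compute a keyed tag over the exact bytes of the batch."""
    return hmac.new(key, batch.encode("utf-8"), hashlib.sha256).hexdigest()


def accept(batch: str, tag: str, key: bytes) -> bool:
    """Payment factory side: accept only an unmodified, consistent batch."""
    return hmac.compare_digest(seal(batch, key), tag) and control_totals_ok(batch)


def demo() -> dict:
    key = b"constructed-demo-key"  # assumption: key known only to both systems
    tag = seal(SAMPLE_BATCH, key)
    # Someone with access to the shared folder swaps one beneficiary account.
    tampered = SAMPLE_BATCH.replace("FI2112345600000785", "GB29NWBK60161331926819")
    return {
        "original_accepted": accept(SAMPLE_BATCH, tag, key),
        "tampered_totals_ok": control_totals_ok(tampered),
        "tampered_accepted": accept(tampered, tag, key),
    }
```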
What comes after the minimum level is reached?
Once you have taken the first critical steps of securing your cash flows with industry-standard processes and automated interfaces through a payment factory, it should be time to consider more. As processes and systems will never be 100% bulletproof, it is equally important to detect fraud that has already happened. For instance, the automatic reconciliation offered by a payment factory will help you catch exceptions rapidly, since your bank account will always be fully processed against your G/L account at the end of the day. And going forward, the advanced on-behalf-of functionalities of the in-house banking concept can make banks almost invisible to your subsidiaries, which will further strengthen the group’s control over and transparency into cash and cash flow processes.
Taking the first steps in mitigating payment-related fraud and cybercrime is relatively simple. The above-mentioned risks are only the tip of the iceberg. Therefore, I would encourage every corporate to take the step and decide not to allow bad internal processes or inadequate tools that cannot support industry-standard financial processes.
Jukka Sallinen / OpusCapita
Jukka Sallinen is a cash management domain expert with a strong hands-on background in international and complex payment factory and SWIFT projects. Previously, Jukka worked in various R&D roles, focusing on bank and ERP integrations and security topics. Jukka holds a Master of Science degree in software engineering and data security.