Fraud is an ever-present risk for any business, regardless of geography. One of the biggest threats to businesses of all sizes is cybercrime. Manipulation of business-to-business payment channels has resulted in an increasingly challenging environment for business owners and controllers alike. Consider the following case study as an illustration of the threat:
Widget Manufacturing does business with a variety of international vendors, and frequently initiates wires online through their bank’s information reporting platform. The vendor relationships are handled by the President of the company. Widget Manufacturing uses a secure online platform with their bank, authentication that requires a token device and dual approval for outgoing wires above $25,000.
One Tuesday morning, the Controller at Widget Manufacturing receives an e-mail from the President introducing her to a new contact at their long-time vendor, Substrate Supply. The President’s e-mail appears to have been sent from his BlackBerry, as it contains a few misspellings, but is otherwise unremarkable. The Controller follows up on the introduction and enters the new contact into the vendor database.
Two weeks later, the Controller receives an e-mail from the new contact at Substrate Supply including updated wire instructions. With the next invoice (for $30,000), the accounting manager initiates the wire payment, and the Controller approves it. Because the wire is going to a new destination, the bank calls the Controller for verification and the Controller approves again.
The following month, the old contact at Substrate Supply contacts the Controller inquiring about a late payment. It’s quickly surmised that the $30,000 wire was fraudulent, and the chance of recovering those funds is very low.
Fraud on the Rise
This type of “masquerading” fraud is increasingly common, and prevention requires a keen eye and diligent adherence to processes. Masquerading fraud is far from the only type perpetrated against small and middle-market businesses. In the last two years, there have been many high-profile crimes committed by cyber-fraudsters, including the rise of ransomware attacks and executive or vendor impersonation.
- Ransomware – The most common type of attack is ransomware, in which attackers lock the files on a computer system and demand payment to release them. The most notable of these attacks was the WannaCry attack in May 2017, which infected more than 230,000 computers in over 150 countries.
- Business Email Compromise – The most expensive attacks in recent years are business e-mail compromise attacks, which trick a financial officer of a company into wiring funds to a fraudulent recipient. One of the most public attacks was on Bangladesh Bank in May 2016, with a heist of $81 million.
- Distributed Denial of Service (DDoS) attacks – Attackers incapacitate companies by sending so much traffic to their websites or systems that the servers are overwhelmed. These attacks are frequent and disruptive.
Special Considerations for Cross-Border Companies
Payments that cross international borders are especially susceptible, as accounting staff can be separated geographically, and there are often silos of country-specific financial information. Additionally, criminals may target a company that operates in another geographic jurisdiction to complicate intervention by law enforcement.
Prudent steps to take
Though the threat can be daunting, there are experts available to advise you and simple steps you can take to mitigate your risk. Your banker should be able to offer guidance on all the steps below.
- Educate all employees on current payments fraud practices
- Institute company-wide internal processes to prevent fraud
- Migrate check payments to electronic payments where possible
- Use more secure check stock, including watermarks and dual signatures
- Reconcile accounts daily and segregate accounts to limit potential losses
- Institute the use of chip-enabled corporate cards and merchant processing machines
- Be skeptical of unusual phrasing, spelling or formatting anomalies in e-mails
- Always use out-of-channel verification for changes to payment instructions (if the change arrives by e-mail, confirm it by phone, and vice versa)
- Implement fraud protection services such as Positive Pay and ACH Monitoring
- Adopt a multi-layer authentication for access to bank services and payment initiation
- Restrict company network access for payments to only company-issued PCs
- Dedicate a PC for payment origination (with no links to e-mail/web browsing/social networks)
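The two controls that would have stopped the Widget Manufacturing wire are out-of-channel verification of changed payment instructions and dual approval above the wire threshold. The following Python model shows how those rules look when they are enforced in an accounts-payable workflow rather than left to memory. It is an added illustration, not code from M&T Bank or the article; the vendor names, account identifiers and phone numbers are constructed, and the $25,000 dual-approval threshold is taken from the case study. The key point it encodes is that a confirmation only counts if it uses a contact method that was already on file before the change request arrived, not one supplied in the request itself.

```python
"""Vendor payment-instruction change control (added example, constructed data).

Rules modeled, from the article's recommendations:
  1. Wires above DUAL_APPROVAL_THRESHOLD need two distinct approvers.
  2. A wire to an account other than the one on file is released only if the
     change was confirmed on a different channel than the one it arrived on,
     using the contact details that were on file before the request.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List, Dict

DUAL_APPROVAL_THRESHOLD = 25_000  # figure used by Widget Manufacturing in the article


@dataclass
class Vendor:
    name: str
    account: str            # bank instructions currently on file
    verified_phone: str     # contact method on file BEFORE any change request


@dataclass
class InstructionChange:
    vendor: str
    new_account: str
    received_via: str                    # channel the request arrived on, e.g. "email"
    confirmed_via: Optional[str] = None  # channel used to confirm, if any
    confirmed_with: Optional[str] = None  # contact detail actually used to confirm


def verify_change(vendor: Vendor, change: InstructionChange) -> Tuple[bool, str]:
    """Out-of-channel verification: a different channel AND the pre-existing contact."""
    if change.vendor != vendor.name:
        return False, "change does not refer to this vendor"
    if change.confirmed_via is None:
        return False, "change has not been confirmed"
    if change.confirmed_via == change.received_via:
        return False, "confirmation used the same channel as the request"
    if change.confirmed_with != vendor.verified_phone:
        # Calling a number that arrived with the request only confirms with the requester.
        return False, "confirmation did not use the contact details already on file"
    return True, "change verified out of channel"


def release_wire(vendor: Vendor, destination: str, amount: int, approvers: List[str],
                 change: Optional[InstructionChange] = None) -> Tuple[bool, str]:
    """Decide whether a wire may be released; returns (released, reason)."""
    if amount > DUAL_APPROVAL_THRESHOLD and len(set(approvers)) < 2:
        return False, "dual approval required above threshold"
    if destination == vendor.account:
        return True, "released to account on file"
    if change is None or change.new_account != destination:
        return False, "destination matches no recorded instruction change"
    ok, why = verify_change(vendor, change)
    if not ok:
        return False, "blocked: " + why
    return True, "released to verified new account"


def case_study() -> Dict[str, Tuple[bool, str]]:
    """Replays the article's scenario with constructed identifiers."""
    substrate = Vendor("Substrate Supply", "ACCT-ON-FILE-001", "+1-555-0100")
    # E-mailed change, "confirmed" by phoning the number given in that same e-mail.
    confirmed_with_requester = InstructionChange(
        "Substrate Supply", "ACCT-NEW-999", "email", "phone", "+1-555-0199")
    # Same change, confirmed by calling the number that was already on file.
    confirmed_on_file = InstructionChange(
        "Substrate Supply", "ACCT-NEW-999", "email", "phone", "+1-555-0100")
    two = ["controller", "accounting_manager"]
    return {
        "as_in_case_study": release_wire(substrate, "ACCT-NEW-999", 30_000, two, confirmed_with_requester),
        "single_approver": release_wire(substrate, "ACCT-NEW-999", 30_000, ["controller"], confirmed_on_file),
        "properly_verified": release_wire(substrate, "ACCT-NEW-999", 30_000, two, confirmed_on_file),
        "unchanged_account": release_wire(substrate, "ACCT-ON-FILE-001", 5_000, ["accounting_manager"]),
    }


if __name__ == "__main__":
    for label, (released, reason) in case_study().items():
        print(f"{label:18s} released={released!s:5s} {reason}")
```

In the article's scenario the bank did call the Controller before sending the wire, but that call verified the payment with the customer, not the new instructions with the vendor; the model above blocks the wire because the only confirmation traced back to contact details supplied in the suspicious e-mail.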
For more information on this topic please contact Lauren Schellinger, Vice President, M&T Bank, Commercial Banking, Relationship Manager. Lauren can be reached at: 716-848-7398 or Lschellinger@mtb.com