“The move to digital has been a wonderful thing,” JPMorgan Head of Client Fraud Prevention for Commercial Banking Alec Grant told Karen Webster.
“The shift has opened up avenues and payment vehicles for treasurers that make them much more efficient and gives them new business opportunities,” he added.
But there’s a flip side too, said Grant, a challenge in the midst of it all.
As simple and great as the experience can be for businesses, well, things get equally as great and simple for the bad guys.
In the age of remote, work-from-home scenarios, business email compromises (BECs) are on the rise, and fraudsters are preying on the weak links within the corporate chain — the unsuspecting, unwitting employees who click on a link in an email and put everyone at risk. Ransomware has seen explosive growth over the past three years as well.
Industry-wide, the safeguards and the face-to-face interactions — the controls, in other words — that were in place pre-pandemic simply are harder to come by. No one can just walk down the proverbial hall to make sure that everyone’s on the same page about suspicious emails and fraud prevention.
That comes against a backdrop in which treasury departments and their staff can receive hundreds, even thousands of emails a day. The old, telltale signs — errors in syntax, misspellings — are not there anymore. The BEC scams look letter-perfect.
But the enterprises are not at a total loss, not really, with the advanced tech at companies’ disposal, said Grant.
“The fact so many people are working remotely should not in fact make a difference to the controls in place,” said Grant.
There’s real recognition that system-wide controls do indeed need to be instituted company-wide, no matter the firm and no matter the vertical. PYMNTS’ own data underscore that sentiment. Surveys of hundreds of executives revealed that fraud prevention is top of mind and at the top of technology initiatives.
Looking to Pressure Test
At a high level, said Grant, treasury departments and firms should constantly be testing their fraud policies — in fact, should be pressure testing them.
There’s a silver lining to be found, noted Grant, in the fact that even as fraudsters use data to attack firms, those same would-be targets can leverage data to protect themselves.
That same data can be used to educate employees, to “score” them before they ever are allowed access to internal systems. This helps eliminate the risk inherent in the fact that every new person in a firm can cause unintentional damage unless they are properly educated.
“Fraudsters will always attack you in the place where you are the most vulnerable,” said Grant. “You need to build protocols so that staff — when they see something — they hit the button and it goes to the IT department, which isolates the email so that no one can click on it.”
In other instances, companies can set up simulated attacks to see how employees might respond, and how product teams should design new services and offerings with security in mind. Treasury teams can be reinforced to make sure that they never change recipients’ bank account information by any electronic means without independent verification, such as a callback validation procedure.
“If you’d move to validate with a person using some old-fashioned channels like telephone, you could stop 90% of business compromises,” he said.
And there’s value in not plastering your personal details all over the internet, which is catnip to fraudsters seeking to impersonate a CEO who is on holiday (and sends that odd text message directing employees to send money to certain accounts). These are the simple things that people can do to protect themselves and their organizations. Checking emails and websites can help guard against lookalike domains that can be subtle conduits toward misdirecting funds from victims.
Above all, treasurers and chief financial officers must check and recheck their fraud policies with regularity, girding against the attacks that are ever evolving.
As Grant told Webster: “Fraud prevention should be part of your DNA.”
