2016 was a great year for the cyber fraudster and 2017 could be just as rewarding - unless, of course, organisations start doing more to protect themselves from attacks, both internally and externally.
The past 12 months have been big in terms of fraud headlines, starting with the Bangladesh Bank heist last February and, more recently, the ABB internal fraud. Less sensational – but no less impactful – stories prior to that include Yodel’s payroll fraud, the payment diversion fraud in the States of Guernsey, and BMW’s insider fraud.
Regardless of whether they were external threats, internal threats or manual errors, these headline-grabbing incidents are a wake-up call for organisations of all sizes and across all industries. They are a real reminder to take payment security more seriously, whether you’re protecting your own money or somebody else’s. Encouragingly, Bottomline’s latest research report found that there is greater concern about payment fraud, suggesting a higher level of vigilance and a significant focus on internal fraud.
So how bad is it? In a 2016 survey of finance professionals, 84% admitted that fraud controls were so lax within their organisations that they could easily commit a fraud if they were inclined to do so. ACFE confirmed that 70% of fraud committed is due to weak internal controls. These are truly shocking facts that are worthy of a few sleepless nights.
Even more alarming? Consider who’s most likely to attack you and how long it will take you to detect and investigate potential fraud.
According to KPMG, a typical fraudster is never someone you would suspect. In fact, it’s probably the guy sitting a few desks away from you with the #1Dad mug on his desk. Most fraud is perpetrated by males, most likely 30-46 years old, working in finance, employed for 6+ years and in a position of authority. And the fraud he’s perpetrating is not the sensational kind you see in the headlines, either. Instead, it’s patient and boring (although no less devastating), involving multiple transactions over a long period of time.
What’s even worse is that it is likely to take 270 days, on average, to detect fraud and an additional 105 days to investigate it. By the time that’s done you’re 12 months down the line. And if luck’s on your side, you’re likely to recover only 10% of the losses incurred. Consider that the median loss caused by a single case of occupational fraud is £120,000 (ACFE) – this means you’d only recover a measly £1,200.
To add insult to injury, gaps are expected to be closed quickly, damage mitigated and business continued. The Tesco Bank fraud in November illustrates the pressure that organisations are under to resume Business as Usual following such incidents.
With finance fraud on the rise, corporates need to think like canny fraudsters in order to improve their defences and tighten controls. But where does one start? Here are four tips to get you on your way:
Undertake regular fraud risk reviews, including an assessment of potential data-driven indicators. Review each step of the payment process in turn – looking for gaps, loopholes, and collusion opportunities. Ensure that cyber security and fraud prevention reviews and improvements are regular exercises that help maintain your organisation’s basic cyber-hygiene.
People: What training do your teams have around general cyber hygiene? Are they able to easily identify suspicious requests and behaviour, and are you encouraging whistleblowing? Check whether security credentials and devices are being shared amongst employees. Consider roles that have too much end-to-end responsibility and implement segregation of duties.
Process: How easy is it to set up fictitious suppliers, customers or employees in your systems, or to modify beneficiary details? Ensure your payments process is fully automated and the opportunity for manual interception and data manipulation is minimal.
Technology: Do you have systems in place that monitor and can easily detect transactional anomalies such as new payments, duplicate amounts and/or beneficiary accounts, and matches against blacklists? Encrypt payment files moving across your network. Carry out automated bank validation and verification further up the process rather than at the point of submission.
Whilst this list is by no means exhaustive, it’s a start.
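To make the Technology and People tips concrete, here is an added example (written for this page, not Bottomline’s product code) of the kind of pre-release screening a payments team can run over a batch of instructions. It raises a flag for a beneficiary that appears on a blacklist, a beneficiary never paid before, a repeat of the same amount to the same account within a short window, and a payment created and approved by the same user (the segregation-of-duties gap from the People tip). All payment records, account strings and the blacklist are constructed sample data; the seven-day duplicate window and the flag names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Payment:
    ref: str
    when: datetime
    beneficiary: str      # sort code and account number as one string (constructed)
    amount_pence: int     # integer pence avoids floating-point rounding on money
    created_by: str
    approved_by: str


# Constructed sample data: previously released payments, a blacklist and today's batch.
HISTORY = [
    Payment("P-1001", datetime(2017, 1, 3), "12-34-56 11111111", 250_000, "alice", "bob"),
    Payment("P-1002", datetime(2017, 1, 10), "12-34-56 22222222", 120_000, "alice", "bob"),
]
BLACKLIST = {"99-99-99 66666666"}
BATCH = [
    Payment("P-2001", datetime(2017, 1, 16), "12-34-56 11111111", 250_000, "alice", "bob"),
    Payment("P-2002", datetime(2017, 1, 16), "12-34-56 33333333", 480_000, "alice", "bob"),
    Payment("P-2003", datetime(2017, 1, 17), "12-34-56 11111111", 250_000, "carol", "carol"),
    Payment("P-2004", datetime(2017, 1, 17), "99-99-99 66666666", 50_000, "alice", "bob"),
]


def screen(payment, history, blacklist, window=timedelta(days=7)):
    """Return the anomaly flags raised for one payment (an empty list means clean)."""
    flags = []
    # Hard stop: the destination account is on the blacklist.
    if payment.beneficiary in blacklist:
        flags.append("BLACKLISTED_BENEFICIARY")
    # First-time beneficiary: nothing in the release history went to this account.
    if payment.beneficiary not in {p.beneficiary for p in history}:
        flags.append("NEW_BENEFICIARY")
    # Duplicate: same account and same amount as an earlier payment inside the window.
    for prior in history:
        same_target = prior.beneficiary == payment.beneficiary
        same_amount = prior.amount_pence == payment.amount_pence
        if same_target and same_amount and abs(payment.when - prior.when) <= window:
            flags.append(f"DUPLICATE_OF_{prior.ref}")
            break
    # Segregation of duties: one person must not both create and approve a payment.
    if payment.created_by == payment.approved_by:
        flags.append("SAME_USER_CREATED_AND_APPROVED")
    return flags


def screen_batch(batch, history, blacklist):
    """Screen a batch in submission order and return {ref: flags}.

    Every screened payment is added to the working history, flagged or not,
    so a second copy of the same instruction later in the batch is caught too.
    """
    seen = list(history)
    results = {}
    for payment in batch:
        results[payment.ref] = screen(payment, seen, blacklist)
        seen.append(payment)
    return results


if __name__ == "__main__":
    for ref, flags in screen_batch(BATCH, HISTORY, BLACKLIST).items():
        print(ref, "HOLD" if flags else "release", flags)
```

Flagged payments are held for a second pair of eyes rather than silently dropped; the point is to stop suspicious instructions before they leave the building, as the closing section puts it, while leaving an audit trail of why each one was held.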
The time to face up to fraud is now. Keep one step ahead: implement a fraud strategy on your terms and start to monitor transactions, user behaviour and workflow with real-time alerts and reports. Make a concerted effort across the business to plug potential gaps and block suspicious payments before they leave the building, rather than investigating them after the fact.
Avoid becoming a headline-hitting fraud statistic by safeguarding your company and doing all you can to make 2017 a really tough year for the cyber fraudster.
About Bottomline Technologies
Bottomline Technologies (NASDAQ: EPAY) helps businesses pay and get paid. We help our customers to make complex business payments simple, secure and seamless.