To prevent and detect digital payments fraud, today’s finance and treasury teams can use security tools like multifactor authentication (MFA), dual approval controls, user auditing software, and transaction blocklists and safelists. These features should be combined with standard security components like IP whitelisting, VPNs, corporate firewalls, and antivirus software to ensure complete protection. Finally, regularly training employees on how each security component works is essential for ensuring company-wide adherence to your selected protocols.
Physical Payments Fraud Gives Way to Digital Payments Fraud
Although preventing payments fraud has always been a top priority for treasury and finance teams, the level of sophistication and sheer number of fraud attacks carried out against organizations in recent years has caught even the most seasoned financial professionals by surprise.
Because whether it’s a ransomware-style takeover of a company’s payment systems or the subversive use of a terminated employee’s credentials to extract funds, the modern era of corporate fraud is being perpetrated almost exclusively through digital channels.
As identified in studies like this annual treasury fraud and controls survey, the rise of BEC fraud, malware, ransomware, imposter fraud, and other types of cyber-fraud has grown exponentially in the past decade. This is worrisome because these attacks are more sophisticated than the check fraud or petty cash fraud that organizations have dealt with in the past, and they are also resulting in much greater losses than before. In fact, a 2016 study of hundreds of U.S. treasury groups found that the average loss from a single instance of check fraud was only $1,500, compared to roughly $130,000 for BEC fraud and $1-10 million for system takeover fraud.
Clearly, the potential for larger payouts is helping drive this increase in criminal sophistication, but there are other factors behind the shift as well.
For instance, the widespread digitalization of B2B payments and the shift to electronic payment solutions has created new opportunities for tech-savvy criminals to target companies. Physical cash and checks are no longer the primary target for fraudsters because corporates have substantially reduced their usage of these payment types. Instead, they are now using ACHs, wires, and cards. A limited number have even started accepting cryptocurrency; every fraudster’s dream. And now, with widespread use of mobile payment apps and cloud-based banking software, criminals know that there are billions of dollars tied up in digital corporate payment systems.
As a result, underground organizations, rogue employees, and even nefarious state actors are intensively leveraging expensive software and technology to exploit gaps in these digital infrastructures.
In recent years, their efforts have often proven successful.
From global fraud attacks like the infamous WannaCry outbreak to isolated, “localized” attacks on corporate firewalls, the most dangerous and costly breaches for modern organizations are happening online. And as corporates across the globe increasingly allow their workforces to operate remotely, the opportunities for criminals to perpetrate digital payments fraud continue to grow.
However, even with today’s heightened criminal sophistication and the rising prominence of remote work, our analysis finds that most of the losses sustained by corporates are caused by a combination of preventable security gaps, and a lack of employee familiarity or training with their company’s digital security systems. In reality, if companies are addressing payment and system security the right way, most breaches can be prevented.
A Structured & Multifaceted Approach to Payments Security is the Best Way to Fight Fraud
Thankfully, just as criminals introduce new methods to perpetrate fraud, cybersecurity firms and global payments experts are developing safer and more robust security tools that, when implemented alongside one another, can prevent and detect the vast majority of corporate fraud attempts. Today, most corporates leverage a broad variety of digital security tools that range from IP whitelisting and multifactor authentication (MFA) tokens to user monitoring software and Virtual Private Networks (VPNs). Standard network firewalls and antivirus software are both essential components of digital security as well, provided that companies are proactive in maintaining the latest upgrades and patches.
However, given the complexity of digital payments fraud, there is no single “layer” of security that can block every fraudulent attempt. Instead, it is essential that corporates adopt a multifaceted approach to fighting fraud. In other words, implementing numerous layers of security that balance and check one another is the only way to ensure complete protection. Furthermore, it is vital that a company’s employees are properly trained on how these security tools are used, as the improper or ineffective deployment of a specific security layer by any single user can still result in a costly breach.
So, what are the most advanced security tools and techniques that can help prevent digital corporate payments fraud in 2021?
Here are five crucial elements that we suggest.
Five Ways Corporates Can Protect Against Digital Payments Fraud
1. Regular & Intensive Employee Security Training. Although the technological components of security that we will highlight below are incredibly effective at detecting and preventing payments fraud, they only work as long as the personnel that leverage them are aware of what to look for and how to use them. For instance, if an employee forgets to install multifactor authentication to their account or forgets to delete an old employee’s credentials from the payment system after they resign, the company can be exposed to significant risk. And if multiple employees are negligent in following the company’s security policies, the threat of an actual loss is quite real.
For this reason, corporates must develop an intentional strategy to routinely educate their employees about fraud and cybercrime, especially those that have access and authority over payment systems and data platforms. This education should cover information about the latest threats from fraudulent actors, as well as best practices for utilizing the security systems the corporate has in place to prevent and detect attacks.
2. Multifactor Authentication (MFA). MFA is one of the most popular forms of digital security in use today because it is incredibly effective at preventing the fraudulent takeover of user credentials. This is important because if criminals are able to exploit the credentials of employees with authorization for generating and approving electronic payments, they may be able to use those credentials to initiate fraudulent payments under the guise of a legitimate employee, thus making it much harder to detect their actions.
MFA helps prevent the theft and exploitation of user credentials by requiring multiple forms of authentication during the login process. This could include something a user knows (such as a password), something the user has (such as a security token or fob), or something the user is (i.e. biometric thumbprint or retinal scans). In practice, this means that instead of only entering a username and password, employees may also be required to submit a fingerprint scan using a digital key fob, or enter a randomly generated passcode that is sent via SMS (text) whenever a login attempt is executed.
By leveraging these layers of unique identifiers, companies help ensure that even if an employee’s username and password are stolen, criminals will still not be able to thwart the additional security measures needed to access their account.
MFA is a tool that has gained widespread adoption for payment systems in both consumer and business environments. Where corporate finance is concerned, any TMS, ERP, or other payment solution used to manage transactions should have MFA enabled for every user. Although simple text message codes work well, more sophisticated retinal or fingerprint scans are the best way to ensure system access is only granted to the specific employee for whom each account was intended.
3. Dual or Multi-User Payment Controls. Should a fraudster or rogue employee successfully exploit user credentials to access a payment solution, there are still a variety of preventative measures that can be deployed to stop them from extracting funds. One of the most common involves the use of dual controls.
The concept of dual controls is likely not a new one for treasury and finance professionals. In the realm of payments, dual or multi-user controls split the authority to execute a transaction between multiple employees. This is so that a single user cannot manage the entire payments lifecycle on their own. By requiring 2-3 employees to review and approve each payment before it is executed, the risk of a single actor being able to fraudulently withdraw funds is eliminated.
To ensure maximum protection, segregation of duties is key. Corporates can assign specific users to initiate, review, and approve transactions in their payment system(s). Unique users can also be assigned to manage payments from different regions, banks, or departments. This way, no employee has authority over the entire process, and if a rogue actor tries to initiate a fraudulent payment, the personnel that review each transaction will spot the inconsistency and can halt the payment before it is executed.
4. User Auditing Software. While the use of dual controls is intended to prevent fraud from occurring, one of the leading methods used to detect fraud is through the use of system-wide user monitoring and auditing software.
User auditing software has become a core component of many corporate payment systems because it keeps a complete log of every action carried out by each specific user on the platform. This includes what information they enter or what screens and dashboards they visit. This way, administrators, auditors, and compliance teams have complete transparency into evaluating potential fraudulent actions that occur through any specific user account.
In instances where fraud has occurred or where when administrators are alerted to suspicious activity, having these user audit logs can prove crucial in tracing activity and determining whether someone’s account credentials have been jeopardized, or if a rogue employee is attempting to misappropriate funds.
5. Payment Safelists & Blocklists. One way to prevent payments from ever being delivered to suspicious or unknown that are not associated with the business is by implementing payment “safelist” and “blocklist” controls. These controls can be configured directly within the various payment platforms that offer them, and they work by placing parameters over which internal bank accounts can be used to send payments, and which 3rd party individuals and businesses are approved to have payments sent to them.
Payment safelists and blocklists are advantageous because they give companies total control over which beneficiaries, individuals, and entities can engage with the business. In practice, any payment that is initiated to a party that is not on the safelists will be flagged for inspection, and any payment going to an individual or business on the blocklist will be immediately halted.
Find a Payments Solution That Gives You a Multifaceted Security Architecture
When combined with other recommended security features like the use of VPNs, firewalls, and IP whitelisting, the above security tools are very successful at preventing fraudulent attacks. Of course, much will rely on the ability of your staff to properly utilize the tools at their disposal, so training is vitally important.
However, once the proper solutions are installed and in use across the company, you will be able to monitor all of your system’s user actions, transaction activity, and data transmission globally. You’ll also be able to identify fraudulent threats in real-time, halt and review suspicious payments at the touch of a button, and review all of the transaction details for every payment initiated through your systems. Ultimately, this multifaceted approach to security will create an environment where criminals must obtain multiple forms of code and identification in order to infiltrate your systems, rather than just a single exposed username or password. This will make it exponentially harder for them to target your firm.
Although the adoption of these next-gen security features is rising fast, many organizations are still stuck with archaic security systems that expose their technology stack to significant risk. In a world where the majority of treasury and finance workflows now occur online, an outdated digital security architecture is simply no longer acceptable. In the modern era, corporates must implement cutting-edge digital security to keep their assets safe. And if you feel your company is lagging behind, it is vital that you act swiftly.