Treasury departments are settling into the reality that the current environment can’t be described as “post-pandemic.” While it’s impossible to say if or when that will change, it’s clear that we haven’t seen the end of workplace disruption. Every new variant appears to be marching us toward a new normal for treasurers where, however begrudgingly, COVID-19 is a fact of life.
Remote treasury has become a crucial tool for treasurers after navigating an abrupt shift at the onset of the pandemic and high turnover amid the Great Resignation. Now that remote and hybrid work appear to be here to stay, however, another force is adjusting to the new normal as well: cybercriminals.
How can treasurers prepare? By aiming to repeat recent history. In the early days of the pandemic, treasurers took proactive steps to fortify newly remote operations with enhanced security measures like multi-factor authentication, third-party reviews, and dual-approval payments flows. It paid off: The Association for Financial Professionals (AFP) 2022 Payments and Fraud Control Report found that the share of firms reporting fraud attacks and attempts actually declined in 2021.
Now that remote and hybrid work appear to be here to stay, another force is adjusting to the new normal as well: cybercriminals.
However, malicious actors are bound to do what malicious actors always do: counter with new tactics designed to bypass these controls and exploit new systems and work styles. In an era of fast-paced and continual change, it’s critically important that treasurers keep up with the latest fraud tactics and security best practices to maintain their hard-fought gains.
Understanding the Risks of Remote
The leap to remote work in 2020 catapulted treasury departments deep into digital transformation. There’s reason to believe it may have triggered something of a virtuous cycle of modernization. Digitization and automation remain high priorities among treasurers.
Remote-compatible operations are a hedge against the looming threat of more pandemic-induced dislocation, but there are secondary upsides beyond even added efficiencies. Treasurers can use digital systems to access a wider array of real-time insights into cash flow and payment activity, for example, which helps them make faster and more informed decisions. And digitization is helping treasurers accommodate flexible work, which could increase employee retention.
But even as the case for digitization solidifies, PwC reports that companies frequently overlook risks and change management processes as they digitize. Many employees access remote desktops with file-sharing tools and applications that could put corporate systems at risk, for example. And considering the relatively new phenomenon of remote treasury, it’s no surprise that remote employees are often left with unclear or ineffective security policies and training.
Despite the risks, the latest AFP data shows that treasurers have been successful at keeping threats at bay amid the upheaval of the last few years. Nearly half of respondents to AFP’s 2021 survey said that remote work had no impact on fraud, compared to less than a third who said it did.
Guarding Against Payments Fraud
More than 70 percent of companies surveyed by AFP were payments fraud targets in 2021. That’s down from the 2018 peak of 81 percent, but it still represents the vast majority. Two-thirds said checks were the payment method most often subject to actual and attempted fraud, followed by ACH debits (37 percent) and wire transfers (32 percent).
Verizon’s 2022 Data Breach Investigations Report found that fraudsters rely mostly on phishing, hacking, and malware to penetrate systems in the financial services sector. One category of fraud, “mis-delivery”—literally emailing sensitive data to the wrong person on accident—stands out as a threat because it’s three times more common in financial services than in other industries.
While mis-delivery is a particularly egregious example, more often than not, fraud is carried out unwittingly through employees. In fact, more than 60 percent of cyber incidents can be traced back to employees, according to Willis Towers Watson, through social engineering scams, accidental disclosures, or inadvertent ransomware infections. All the more reason to double down on employee training and education.
Treasurers may want to take a closer look at their safeguards and training in three areas in particular: email, checks, and ACH payments.
Business Email Compromise
One of fraudsters’ preferred techniques, business email compromise (BEC), stands out as especially common and insidious. Common because nearly 70 percent of respondents to the AFP survey said they’d been targeted in 2021. Insidious because the technique often preys on employees by exploiting their position in the corporate hierarchy.
A typical BEC scam might unfold like this:
– A criminal creates a fake email address and poses as a CFO. (BEC scammers often “spoof” known email addresses by creating lookalikes off by one character, for instance.)
– The CFO imposter emails a subordinate of the real CFO, asking them to approve a time-sensitive transfer with an air of urgency and authority.
– The subordinate approves the transfer, unaware they did so for an imposter.
If they’re not posing as executives, fraudsters might spoof vendors requesting payment or third parties requesting bank changes or payment instructions. They’ve been known to use malware to spy on email threads containing sensitive billing information, and then they exploit the knowledge to disguise fraudulent payment requests as normal. Recently, the FBI says criminals have even taken to using virtual meeting platforms for BEC activity.
BEC emails are difficult but not impossible to detect if the right precautions are in place. Treasurers can train employees to spot red flags common to email attacks, such as by verifying hyperlinks and email addresses and using a secondary channel to authenticate the requestor. And according to Deloitte, basic IT controls such as multi-factor authentication, virtual private networks, and encryption can go a long way toward prevention. Incidences of BEC have been trending down from a peak in 2018, according to the AFP, suggesting mitigation tactics like these are working.
While the pandemic sparked a sharp decline in paper transactions and B2B check usage, 66 percent of companies were targets of check fraud in 2021, according to AFP.
Inside the office, checks typically follow routine, secure paths to/around/from the office. But outside, they’re prone to criminal interception as employees could, say, accidentally leave them behind on the seat of their car. Or drop them in postal deposit boxes that aren’t secure.
The good news is that there are ways to protect account information when it’s circulated outside the office. Sending check-print instructions to a bank can ensure they’re printed and mailed in a secure environment, while banks’ positive pay services, which match the amount issued for payment with the amount presented for payment, can also serve as a safeguard against altered payee or check amount fields.
A growing number of organizations are using the automated clearing house (ACH) for payment transfers, but many lack the right formula of security controls and processes to keep those transactions secure.
That’s concerning because fraudsters have started shifting away from targeting checks and wires to targeting ACH and other payment methods that users don’t consider high-risk. Proof: In 2021, incidences of ACH debit fraud and ACH credit fraud were up three and five percentage points, respectively, according to AFP.
Treasury managers who access systems from their homes or their own connections could put corporate systems at risk of a breach, but there are ways to identify fraud and safeguard operations. One is to reconcile accounts regularly and increase oversight and security of ACH. Another is to have remote employees adopt their bank’s positive pay service for ACH payments to ensure amounts and recipients have not been altered. Finally, ACH blocks and filters can go a long way toward eliminating unauthorized payments.
Managing Risk in the New Normal
When treasury departments went remote in 2020 to stave off COVID-19, by and large, they did the right thing: They doubled down on security so fraudsters couldn’t exploit the changes. But security is never a set-it-and-forget-it endeavor. In fact, securing treasury operations in this new normal of remote and hybrid work requires heightened vigilance to stay on top of the ways people, systems, and processes yet be exploited.
Security is never a set-it-and-forget-it endeavor.
At minimum, treasures can limit the exposure of account information, secure sensitive documents, and eliminate paper statements. In addition to monitoring and reconciling accounts daily, they can also set transaction limits and email alerts.
To go a step further, introduce strict validation controls, such as third-party check-printing and positive pay services, and, to reduce the risk of credit card fraud specifically, pay with single-use virtual card numbers (VCNs). A dual-approval process to authorize transactions can also serve as an additional backstop, while fraud monitoring services can analyze banking information for suspicious activity around the clock.
Of course, there’s always a chance that even the most secure systems can be infiltrated. Should that occur, separating accounts by purpose, payment type, or department can isolate losses when an account is breached. Adding fraud-related riders to your business insurance policy also reduces out-of-pocket costs in the event of an attack.
But hopefully, it never gets there. As long as treasurers aren’t lulled into a false sense of security after recent successes, they have a shot at forging yet another new normal—one where fraud declines and new digital tools act as safeguards rather than vulnerabilities against crime.
Strike Up a Conversation With a Relationship Manager and Discover Our Differences