[Editor’s Note: Today’s article is a guest publication from Philip Flores Jr., Senior Vice President at BMO Harris Bank N.A. Ardent Partners is happy to review and feature guest publications from authors across the accounts payable and supply management industry. If you or someone you know would like to become a guest contributor, please contact us at editor at cporising dot com. Thanks!]
In today’s hyper-connected, digital world, companies are more vulnerable to fraud than ever before. In fact, your organization has likely been exposed to a fraud scam first-hand. Have you or a colleague ever received an email that looks legitimate, but asks for an unusual amount of personal information or account credential verification? Emails like these seem odd, and should make you stop and think: Is this a scam? Attempted phishing attacks happen every day, but they aren’t the only forms of fraud. From lookalike sites and data breaches to false invoices and intercepted emails, the fraud landscape is wide and complex. In fact, 74 percent of companies were affected by payments fraud last year alone, according to AFP’s most recent survey.
Whether an individual employee falls victim to a phishing scam or there’s an organization-wide data breach, the negative consequences can affect the entire company: financial loss, reputational damage, lost identity information, intellectual property theft and overall service disruption. While no business is immune from fraud risk, there are various tools and strategies, such as malware protection and education on common schemes, that employees can lean on to protect their organizations from scams. On an enterprise level, executive management needs to be able to identify the business areas most prone to risk, implement concrete measures to mitigate fraud exposure before a breach happens, and have a feasible, well-thought-out recovery plan that everyone within the organization can carry out. To be effective, these tools and strategies should be visibly championed by executive leadership.
Beware of red flags
To combat both internal and external fraud threats, organizations need to know the warning signs. While it’s natural to picture a fraudster as a hardened criminal lurking in the shadows, the reality is most perpetrators have no criminal history and are long-term employees who are well-liked by their co-workers. The majority are at the employee or manager level, and have been at the company for one to five years. Red flags that organizations should be on the lookout for include employees who have: budget discrepancies, insider knowledge of contracts or bids, a gambling problem or gratuitous spending habits. These characteristics could be indicative of an employee with suspicious intentions and should serve as warning signs for a potential internal threat.
For outside threats, such as breaches from customers or vendors, there are various red flags that could help you identify potential threats before they turn into problems. When looking to partner with outside sources, it’s important to check for:
- Commercial address rather than a home
- Business line rather than a cell phone number
- Mutual connections
Most of these checks are simple, provide credibility and authenticity, and can save a company from unknowingly falling subject to a scam.
Don’t judge a book by its cover: Seeing beyond the scam
With many sophisticated schemes out there – including phishing, business email compromise (BEC) scams, and online session takeovers – how can organizations know what to be on the lookout for? Phishing is especially difficult to identify because it involves emails and websites that appear credible. Employees who do not know what to look for are especially vulnerable to these scams.
A popular phishing attack is the BEC scam. These occur when a cybercriminal impersonates an executive, such as the CEO, through email and asks the unsuspecting victim to transfer funds, often by wire transfer. Businesses that work with foreign suppliers or regularly make wire transfer payments are especially susceptible to these scams. To be prepared, organizations need to have strong oversight practices in place. Organizations should train their employees to double-check URLs to ensure legitimacy, analyze subject lines for anything suspicious, refrain from opening attachments from an unknown source, and make sure the sender domain is accurate. To further combat phishing and BEC scams, practices built on dual control are key: this includes tactics like implementing a mandatory callback policy and ensuring a secondary wire reviewer approves every wire request. Most importantly, warn employees to authenticate any email that requests confirmation of credentials or asks for large sums of money. By simply picking up the phone and calling the sender to verify the request, employees can easily avoid falling victim to a phishing scam.
Similarly, online session takeovers are incredibly prevalent and dangerous because they appear credible. These occur when an attacker impersonates a legitimate website. The target then unintentionally connects to the rogue site controlled by the attacker. The unsuspecting victim – unaware that the website is fake – logs in with his credentials, which are then captured by the attacker. The attacker can use these credentials to log into the real website and access the victim’s account. Proper training for employees on how to recognize a legitimate website can help combat these types of scams. Further, warn employees to confirm that the website they’re accessing is the genuine one and that the connection is secure before logging in.
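The sender-domain and URL checks, the callback policy and the secondary wire reviewer described in the two paragraphs above can be turned into concrete detection and dual-control logic. The following Python is an added example, not code from the article or from BMO Harris Bank; the trusted domains, executive names, email messages and wire requests are constructed, and the homoglyph table and the "urgent" keyword are assumptions added here to catch the common lookalike tricks rather than anything the article lists. The same lookalike check is applied to the sender domain of an email (the BEC case) and to the host of any link in its body (the rogue-website case).

```python
import re
from urllib.parse import urlparse

# Constructed data for a hypothetical organization (assumption, not from the article).
TRUSTED_DOMAINS = {"example-corp.com", "acme-supply.com"}
EXECUTIVES = {"jane doe"}                       # names a BEC message is likely to borrow
PRESSURE_TERMS = ("urgent", "wire", "confirm your credentials")  # "urgent" is an added assumption

# Characters and digraphs commonly substituted in lookalike domains (assumed table).
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def _canonical(label):
    """Fold homoglyph substitutions so 'examp1e-c0rp' compares equal to 'example-corp'."""
    label = label.lower()
    for bad, good in _CONFUSABLES:
        label = label.replace(bad, good)
    return label


def _edit_distance(a, b):
    """Plain Levenshtein distance; the labels are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_trusted(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates, or None if trusted or unrelated."""
    host = host.lower().rstrip(".")
    if _is_trusted(host, trusted):
        return None
    labels = host.split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]   # registrable label, e.g. 'example-corp'
    for t in trusted:
        t_name = t.split(".")[0]
        if name == t_name:                                   # same name, other TLD: example-corp.co
            return t
        if _canonical(name) == _canonical(t_name):           # homoglyphs: examp1e-c0rp.com
            return t
        if t_name in host:                                   # padded: example-corp.com.evil.net
            return t
        if _edit_distance(name, t_name) <= 2:                # typo-squat: exmaple-corp.com
            return t
    return None


def flag_email(msg):
    """Return the red flags raised by a parsed message (a constructed dict, see below)."""
    flags = []
    from_name, from_addr = msg["from"]
    from_dom = from_addr.split("@")[-1].lower()
    reply_dom = msg.get("reply_to", from_addr).split("@")[-1].lower()
    if from_name.lower() in EXECUTIVES and not _is_trusted(from_dom, TRUSTED_DOMAINS):
        flags.append("display name '%s' is an executive but sender domain %s is not ours" % (from_name, from_dom))
    if reply_dom != from_dom:
        flags.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))
    imitated = lookalike_of(from_dom)
    if imitated:
        flags.append("sender domain %s looks like %s" % (from_dom, imitated))
    hits = [t for t in PRESSURE_TERMS if t in msg["body"].lower()]
    if hits:
        flags.append("body contains pressure or payment language: " + ", ".join(hits))
    for url in re.findall(r"https?://\S+", msg["body"]):
        host = urlparse(url).hostname or ""
        imitated = lookalike_of(host)
        if imitated:
            flags.append("link host %s looks like %s" % (host, imitated))
    return flags


def wire_release_allowed(request):
    """Dual control for a wire: callback to the number on file plus an independent second reviewer."""
    problems = []
    if not request.get("callback_verified"):
        problems.append("requester not verified by callback")
    if request.get("callback_number") != request.get("number_on_file"):
        problems.append("callback used a number taken from the email, not the number on file")
    people = {request.get("requester"), request.get("first_approver"), request.get("second_reviewer")}
    if None in people or len(people) < 3:
        problems.append("second reviewer must be a distinct person from requester and first approver")
    return (not problems, problems)


# Constructed sample messages (not real mail).
SUSPICIOUS = {
    "from": ("Jane Doe", "jane.doe@examp1e-c0rp.com"),
    "reply_to": "jane.doe@mail-relay.net",
    "body": "Urgent: please wire $48,000 today. Confirm at https://example-corp.co/login",
}
LEGIT = {"from": ("Jane Doe", "jane.doe@example-corp.com"), "body": "See attached agenda for Monday."}
```

Run `flag_email(SUSPICIOUS)` to see all five red flags fire at once (impersonated executive, mismatched Reply-To, homoglyph sender domain, payment pressure, and a link to a lookalike host), while `flag_email(LEGIT)` returns an empty list. `wire_release_allowed` refuses a release whenever the callback did not go to the number on file or the "second reviewer" is the same person who requested or first approved the wire.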
Steps to recovery: Plan of action for fighting fraud risks
Every organization can take steps to reduce the risk of fraud before it occurs. From detection to recovery, understanding today’s fraud landscape and how to spot the various schemes out there is pivotal in mitigating the risk of fraud. To detect fraud, companies need to understand where vulnerabilities lie within their organizations and recognize any potential security gaps. The sooner fraud is detected, the quicker it can be mitigated. Here are four simple actions organizations can take to reduce the risk of fraud:
- Enforce a workplace fraud mitigation policy
- Employ ongoing monitoring to establish norms and spot anomalies
- Implement employee training and controls
- Adopt fraud control tools and practices and incorporate them into daily business practices
However, even with detection and prevention tools in place, fraud can still occur. Once a case of fraud is suspected, organizations should spend the time and resources to investigate and make sure they understand the cause; there may be gaps in the detection and prevention stages that weren’t previously known, such as an undetected data breach, a suspicious email exchange, or a fraudster preying on an unsuspecting employee. Once this is understood, a timely response will maximize recovery and minimize damage. Having tools in place to stop fraud as quickly as possible will pay off in the long run. Further, organizations should take the time to analyze the situation to identify areas for improvement for the future.
As the payments world becomes more mobile and digital, the fraud landscape will continue to evolve: criminals continue to get smarter and scams are becoming increasingly advanced and difficult to spot. With both financial and reputation loss on the line, organizations need to stay vigilant in knowing the warning signs and implementing strategies to mitigate fraud.
About the Author
Philip Flores is the Senior Vice President and Managing Director of Treasury and Payments Solutions at BMO Harris Bank. Flores has over 20 years of experience as a banking professional, with expertise in cash flow management, disbursement and collection of funds, risk and fraud mitigation, and integrated business banking.