Q&A: Bottomline’s Christopher Gerda talks technology and the power of networks

The business payments world finds itself in a bit of a conundrum right now in the context of fraud. On the one hand, payment networks and associated technologies enable more efficient digitized operations for banks and businesses and create better customer experiences in the process. But, at the same time, fraudsters are keeping pace, pushing various types of payment fraud and new vectors like insider fraud to new levels. However, even with these new threats, mitigating fraud is possible. How? For some answers, we turned to Christopher Gerda, the Head of Risk and Fraud prevention overseeing the Paymode-X B2B payment network for Bottomline. 

Q: Chris, we’re living through a time when technology like AI, developed initially for better data analytics, is being used for “deep fakes” where electronically manipulated images and voices are taken as the real thing. How has this made life more difficult for business payment networks? Is there a direct connection? 

A: Yes, there is. Technology advances often come with an angle for their functional purpose to be manipulated for criminal activity. They have unintended vulnerabilities, or they unknowingly create new loopholes for fraudsters to compromise. Deep fakes for example are becoming a broad term now encompassing voices, images, and even email conversations. Examples include fake CEO voices used to convince someone to send an impromptu payment or even Chat GPT creating long email conversations using the right lingo and tone to make the appearance of a bank update request more legitimate.   

Q: In this accelerated fraud environment, is there anything banks should do differently? Anything corporates should be doing differently?

A: Let’s address the banks first. To compete in commercial banking, financial institutions must offer security solutions to their corporate accounts. That trend is becoming more and more prevalent. The way I see it, banks that are investing in providing technology and cybersecurity services as part of their corporate banking system offering are the ones that are winning deals. For corporates, keeping your eye on emerging technologies that fraudsters can compromise is very important. Look at SIM card fraud, in which a fraudster gets control of a legit mobile account and uses it to pass Multi-Factor Authentication to reset passwords, gain access to financial accounts and steal the funds in them.  Let’s not forget the bad guy would be on the other end of the phone line even if you did a callback confirmation for a bank account update in your ERP. Across three entire years spanning January 2018 to December 2020, the FBI Internet Crime Complaint Center received 320 complaints related to SIM swapping incidents. In 2021, they received 1,611 SIM swapping complaints.  Paymode-X has been tracking and blocked a marked increase in these attacked. However, fraudsters have pivoted to unsecure online VoIP phone portals as well to takeover business phone systems. 

Q: It seems daunting to have to fight against all these threats. What are some immediate actions companies can take having read this?  

A: I’ve seen threat consortium networks work very well and become critical protections. Paymode-X, for example, is a business payments network that enables AP automation, but it’s also serving a critical fraud protection for customers because it consists of 100%authenticated businesses and bank accounts. As such, it serves as a threat consortium network that protects more and more payers and vendors as the network expands; its size becomes a powerful blocker against fraud. We maintain and secure our network by understanding a business is who they say they from a digital identity perspective both when they first come to us to accept payments and each time they use our product. If there’s an aberration within the network, or some suspicious activity, we see it very quickly. Another example of a threat consortium networks in action would be Proofpoint, which identifies and blocks malicious emails, or Early Warning, which allows for passive account ownership authentication for some of the largest banks in the US.  

Q: Do you think we'll see more companies trying to hop onto those sorts of consortiums?

A: Yes. In fact, I think threat consortium networks will start connecting with each other. Networks will expand, partly because companies know they need to stop fraud but need more data and more partners to do it. Paymode-X utilizes several different strategies to enrich data to identify fraud activity and protects our own infrastructure using threat consortium network products.  Corporates and banks alike can benefit from Paymode-X’s capability to stop fraud and automate payments, but at the same time enhance their own email and cyber protections as well., 

Q: This dynamic that technology is a positive for business as well as an enabler for fraudsters has undoubtedly been a factor in the rise of insider fraud.  What’s your take on how companies can mitigate insider fraud? 

A: Every company should have dual controls on critical functions such as bank updates and money movement and if I could say something fifteen times it would be put multi-factor Authentication on all your account logins to include your phones, both mobile and VoIP.  

Insider fraud comes in several forms. Let’s hit three real fast with a corresponding control: 

One: Ghost employee/vendors schemes run by accounts payable. Here you want to ensure that the principle of least privilege is deployed, no one should have the keys to the kingdom.

Two: Insiders at mobile phone providers issuing SIM Cards to fraudsters to take over phones. Protect against this by going online and adding a PIN number only you know to port your SIM Card

Three: Bank employees accessing and selling customer information to fraudulent third parties to target with check fraud or account takeover. Here you want to have internal monitoring technology for aberrant behavior such as accessing to many accounts in a day or exporting account information.