If you think that the effort to fight fraud and financial crime is limited to banks, think again. One of the things that struck me about Bottomline and Strategic Treasurer’s recently released 2022 Treasury Fraud & Controls survey is that corporates are becoming just as important as banks in the fraud equation. Evidence: Business email compromise is raging, insider fraud is going up and that should concern corporates as the work-from-home environment persists. The data in the report shows me that corporates are improving their anti-fraud efforts, but could profit from a few lessons from their financial service partners.
But first, the data. Although there are some bright spots, the fraud threat landscape is still treacherous. Eighty-four percent of all respondents believed the threat from fraud has increased over the past four years, and 78% have experienced fraud attacks. And when it comes to comparing banks and corporates, according to the report, “banks seem to have been more diligent in their defenses since they appear to be performing better at preventing and detecting fraud than their corporate peers.” For example, 75% of all corporates have been attacked by social engineering-related fraud, compared to 70% for banks. However, “virtually no banks indicated that they had suffered losses where employee termination was a consequence from BEC, social engineering, etc, suggesting possibly that education within these highly regulated, compliance-driven organizations have had an effect in stopping damage from forms of fraud that their corporate customers still suffer.”
Why is this the case? Are there strategies banks are deploying that corporates are not? I don’t think so. I think the reason can be found more in business dynamics than any one anti-fraud technology. For example, I think it's long been the expectation that banks would be willing to take the risk on fraud, and in turn protect their corporate clients. That is not the case anymore. We know that banks are asking corporations to do more to prevent fraud. Another example: regulations. Banks are highly regulated when it comes to fraud prevention. This can be seen in the November 2021 mandate that required UK banks to publish data on their performance in relation to APP scams as well as on reimbursement levels for victims.
Now corporates are under the microscope as well. In the UK, look no further than the March 14 implementation of strong customer authentication (SCA) requirements that were part of the original PSD2 package. It will affect retail companies that now must route transactions through the 3D Secure protocol to guard against fraudulent transactions. And it goes beyond the UK. Consumers will continue to put more pressure on businesses to put processes in place to protect employees and customers from fraud.
As stated earlier, corporates can learn from their banking partners. According to the report, one of the tactics to co-opt can be found in the bank category's prioritization of employee awareness and education, which 23% of banks are adding to their fraud defenses. According to Thomson Reuters, organizations with fraud awareness training are 20 percent more likely to receive tips through formal reporting mechanisms. So it’s a good start, especially for internal employee fraud, which was found by 18% of respondents to the survey.
But it’s not as simple as employee awareness for corporates. There’s a technology aspect as well. Corporates now have to utilize bank-grade technology against fraud and I think we have made massive strides as an industry in being able to empower corporations to deal with fraud in a better way. And we have a good base to start with. The Treasury Fraud & Controls survey showed that both banks and corporates report a higher severity from fraud attacks (29%), but 59% believe they’re better prepared to handle them. The way I see it, it’s very significant that corporations are more optimistic about their defenses because it means more of them have the tools in place to help them deal with it.
Now, back to employee training. Very important, in my view, but it comes with a caveat. At the end of the day, there is no silver bullet for fraud prevention and detection. Training the workforce is just one solution. It’s not enough because fraudsters will always look for the biggest, most vulnerable opportunity. For this reason, corporates need to constantly evolve their fraud prevention strategies. Fraudsters don’t stand still. Corporates shouldn’t either. Any employee training program should keep that constant evolution in mind and focus on empowering employees to be able to react to fraud when it happens and slow it down when detecting it.
The Bottomline: Corporates need to make sure employees are empowered to fight against fraud and at the same time embrace technological solutions that can help us deal with the onslaught of rising fraud vectors like business email compromise, which was an urgent concern for 73% of corporate respondents. They need technology that is readily available which looks for unusual behavior every hour of every day. They need technology like record-and-replay to fight insider fraud. And they need to integrate payment monitoring solutions that detect potential fraud before it leaves the building. Corporates have the ways and means to stage a stronger fight against fraud.