The Podcast Transcript

John: Hello and welcome to the Payments Podcast. My name is John Gaffney, I will have the privilege of hosting today’s episode titled ‘Cracking the case on AP fraud and business email compromise’. You know, not many types of business-related fraud grab the attention of the FBI or Interpol, but business email compromise is dangerous enough to warrant their attention, as well as other enforcement agencies, as I have mentioned.

It is one of the high-profile examples of accounts payable fraud which continues to demand vigilance for banks and corporates across the globe. Today I am joined by Bottomline Chief Security Officer Chris Gerda, who will address the rise in BEC, as well as other types of accounts payable fraud, and he will recommend some strategies to make sure it doesn’t happen to your company. Chris, welcome.

Chris: Thanks John. Happy to be here. Great topic.

John: So, let me give some background before you start. If you are not familiar with business email compromise, it is defined by the FBI’s IC3 division as, ‘A sophisticated scam targeting businesses that perform electronic payments, such as wire, or ACH transfers.’ I am going to guess that includes all our listeners today. ‘In addition to diverting funds, BEC perpetrators may also target personally identifiable information, W2s, and this could be exploited, resold, or both. This type of fraud can range from quick one-time hits to sophisticated infiltration schemes that unfold over months or even years.’

So, Chris, let’s start at the top and kick off with a little bit of drama here. A recent report called business email compromise a cybercrime pandemic with a 64% increase in attacks over the last year. Is that too dramatic?

Chris: I think that it is like the flu, or the common cold. It is not too dramatic, but this is something that has been here for a long time. Business email compromise is not going away; year over year, you can see statistically that it is the most damaging fraud to businesses in the United States, far outweighing other frauds on the website as far as damage.

So, we will talk about pandemics because we are in the midst of one. I think that you are definitely seeing attacks up though, specifically the past two years. Why? A lot of the communication has changed. We have moved from in-office to at home. We have migrated the ways we communicate, maybe from a desk phone to a voice over internet phone. We have had to do more things through email, less things face-to-face and any time you see that, you see surges in attacks.

Everybody in the United States saw phishing emails, specific to COVID. Consumer to business, that is where it starts. It just really started hitting home, and we started to see behaviour changes in how companies or organisations are thinking about protecting themselves.

John: Does the shift to digitisation, whether it is real-time payments, or P2P, we use more Venmo and Zelle than ever. I mean these new products, does the adoption of them make us more vulnerable to fraud?

Chris: Any time there is a new product, or even not just a new product, but something that makes something easier to use. I have a saying, “Ease of use equals ease of fraud.” Right, so it might be a great user experience, but if you haven’t thought through all the layers, and you are not taking a security-first, design-centric approach, you will have massive influxes in fraud, and you can see those stories as the peer-to-peer payment networks rolled out in the United States as well as in the UK without validation methodologies.

Without an understanding of how that flood was going to affect them. We have to apply that same type of logic to business payments which have an extremely large single payment value perspective, versus a consumer payment, and make sure that we have a ton of layers to block those out, that is really what we are here to talk about today.

John: Chris, if you could characterise the context of how business email compromise fits within the more general issue of AP fraud, is it dominant?

Chris: Yes, I would say so. Business email account compromise is accounts payable’s nemesis, arch enemy. It sits right next to your brand-new vendor that you are going to pay, and a fraudster is going to impersonate them. Right, so it is like a business identity theft for that first payment, and then business email account compromise fraud is when you have that really hard-to-detect email hack or fake email that looks really close to the real email.

The conundrum here is that business email account compromise fraud exists and hides in the same place that accounts payable does business, which is within emails and phone calls. We have seen a lot of sophisticated attempts on the rise particularly over the last 2 to 3 years around phone takeovers, and those things being the keys to the kingdom now as we all get multi-factor authentication codes sent to us. That is really where the easy fraud is living today, in those phones, and in those emails.

John: Chris, talk about MFA a little bit, multi-factor authentication, excuse me, but how much does that help, and do you see businesses pivoting to more usage of that?

Chris: It helps a great deal. It is probably the number one way that a business, or a consumer, right, in your personal lives, you really have to think about this too. It spills over into our business lives, so adding multi-factor authentication to every platform you use, particularly your emails, your log-in to your phones. So, your log-in to your Verizon, or T-Mobile, or AT&T sites, you have got to put that extra layer of security on there. If you are using the internet phone and you are going online and logging in to have that access, multi-factor layer is really critical.

This is blocking out the majority of the frauds. The fraudsters really go for those MFA codes though when it comes to businesses; they are going to actually try and socially engineer those by calling you, trying to get you to give them the code over the phone, things like that. Those are really hard-to-detect pieces and that is why you need a lot of layers.

I will talk about that throughout, but within Paymode-X specifically we have been doing vendor authentication as a service to stop business email account compromise fraud for quite a while. We had a lot of pivots and changes into our methodologies to detect those types of sophisticated fraud, and they have had to be updated, and by updating and changing with the different patterns, we have had a good track record.

Over 3 years, over a trillion dollars in payments processed with no fraudulent payments in our authenticated network for businesses. But it is really important that we are adding, changing, updating layers, because some of these situations are almost like no-can defence in a sense, so you have to have a lot of controls in place.

John: Yes, there have also been some high-profile cases here of business email compromise. There is a town in New England, which we will leave unnamed, that apparently got hit for about $2m from AP fraud. Could you tell us if there is a common thread as to what organisations might do in regard to BEC, and other types of fraud? What is common about what they do wrong?

Chris: The common thread is human error in conjunction with taking changes for banking information via email. So, you have to have other pieces of authentication so that you understand who you are talking to, is it the real business? Is it the real person? That is really critical, and those are the massive common failures that occur. Any time you have a manual process that is also a place where that human element can fail.

So, specifically, right, because this is a town that had an issue, if you even look at some of the government infrastructure plans that are going through the legislature now, looking specifically at budgeting for cyber security spending for cities, towns, governments, that type of cyber security spending is not just for, “I need to create a firewall.” Right, it is for, “I need to partner with someone to secure my payments that I am making in a digital environment.”

Those are key partnerships that will help cities, towns, governments, stay ahead of fraud in a digital payment space.

John: Is it fair to ask this question, Chris: if you had a room full of banks and government officials, and corporates, a big room, and they are going to ask you what are the two things I can do when I go home, what would they be?

Chris: The first one, I say the same every single time I talk, put multi-factor authentication on everything. I said it earlier, I will say it again, you have to set it up sometimes. Organisations may not actually have that on as a standard. They may make it optional. You have to go in and put it on. Emails, phone plans, phone updates, payment approvals, all your voice-over-internet phones, layer it everywhere. That is going to protect you significantly.

The second thing, you know, bank updates can never be done through an email. We have heard that before, right? So, thinking of an organisation, you may have a small footprint, you might have a small AP department, you are doing a lot of other things, you are wearing a lot of hats, “What can I do to somehow check and balance my small organisation against an accidental human error? Letting something through, thinking someone else did it when they actually didn’t make the call back.”

Make a Google form, something that simple that requires someone to put their initials right next to, “I performed a call back on this phone number, and I know this is the business phone number because I have verified it in my ERP and there haven’t been any updates.” Right? Just a simple sign-off on that. That goes to the next person who is going to approve the payment to the new bank account to see, yes, they did this, they did this, they did this, and that is critical.

I will add something even further that we see very often when a fraudster compromises a vendor’s email, the real email, they are going to email you, and they are going to put their phone number in the signature line. Never ever take the phone number from the signature line unless you validate that off of a source that you validate yourself.

We have to think about flipping the script on the way the fraudster wants to communicate with us. We communicate the way we want to communicate with the vendors that we are going to pay.

John: I like flipping the script, that is good. That is cool. So, when we talked earlier, we talked about defence strategies which you have just reinforced, but we have also talked about BEC creating an identity gap. Could you talk about that a little bit?

Chris: Yes, we are talking about some tips and now we are talking about strategy. Long-term thinking. “How do I protect my organisation that may be processing multi-million-dollar payments every single month?” So, business email compromise, let’s break it down real simple.

It is creating an identity gap that exists because of a lack of visibility that an AP department will have. Fraudsters are trying to convince you that there is no identity gap that exists. What is an identity gap? It is anything that is missing that would confirm someone is who they say they are.

So digital fraud prevention strategies, Paymode-X as an example, bridge that gap for you in a way you can actually trust, by identifying the vendor through correlating physical, digital, and banking information together. We are talking dozens upon dozens of correlating things. Then we get to know that vendor, and over time, as your vendor is submitting more invoices to you, and you are making more payments, and they are drawing those payments down, for instance in the case of maybe a virtual card, we are getting to understand that vendor’s behaviour more, and more, and more, right.

So, because of that the bad guys don’t have any dark corners to hide away in when they are forced through all of these digital gates. The real vendors pass through, and the fake ones get snared very quickly because they come in with spotlights of aberrations in their behaviour.

John: Interesting identity gap. Let’s look into the future, I mean, we talked about dark places, they can’t hide but the whole theme of darkness runs through this here, but is there any evidence that AP fraud will be effectively countered? Are you optimistic about that?

Chris: Yes, I am quite optimistic about it. You see internationally you can look over to the UK, and you see they have confirmation of payee. Confirmation of payee is banks being able to ping other banks to validate account ownership and that works pretty good, right, but it is still not largely, broadly, done so you have to use all of these other correlating pieces.

What we are really looking for, what makes me feel warm and fuzzy about countering this more, and more, and more, is I think that authenticated networks like Paymode-X, that create trust, will end up ruling the payments world because you have to have security before you can have automation. Authenticated networks where vendors can come in, prove they are who they say they are, and then payers can trust who they are paying. Then everyone participating contributes to the overall size of the network, but trust in a network.

Really what happens is email becomes a thing of the past. Phone conversations become a thing of the past, and you are not just securing a payment, you are securing all the communication that has to do with the business interaction, from the invoice to maybe some communication, some chat back and forth about what could be going on, and the payment itself. It is all business communication.

Take it out of email, take it out of phone calls from phone numbers you don’t know, from people who sound like the person you talked to last time, and you put it in a trusted platform, where all of that can take place, that is Paymode. So, it all goes down away from where the fraudster doesn’t like to be, right. It is in a place that they can’t convince you because they have too many gates to get through. It removes all of the low-hanging fruit from their potential targets.

John: So, automation and authentication would be the two things to take away here?

Chris: Authentication and then automation.

John: Okay. Got it. I want to thank everybody for listening. Chris, I would like to thank you very much for the insight, and the optimism; we are going to end on a positive note. So, thank you very much.

Chris: Thanks John, it has been a pleasure being here. I hope everyone can take away some good tips; it is a great topic.

John: Yes, we think they will. This episode again was ‘Cracking the case on AP fraud and business email compromise’, once again with Bottomline Chief Security Officer Chris Gerda, thanks to him again. Thanks for listening, and we will see you next time.
