Just stopping payment fraud attempts won't cut it in today's digital payments landscape. Organisations need to be aware of any attempt and be able to track the process it would take. With one in five enterprises loosing over one million pound to payment fraud, processes aren't beating the sophistication of cyber attackers. In this episode we're talking to Jack Gianella about steps organisations can take to better protect themselves.
Rich Williams: We reported earlier this year that for one in five enterprise businesses the financial losses suffered due to fraud totaled over £1m. Now, why would we ask the question, “Fraud; Is ignorance really bliss?”? Well, today we’re going to discuss that.
I'm Rich Williams, host of The Payments Podcast, and today I’ll be chatting about how organisations should be preparing to spot and stop fraud. To explain this topic in more detail I'm joined by Jack Gianella, Market Development Executive for Risk & Fraud at Bottomline.
Jack Gianella: Hello, Rich.
Rich Williams: Jack, thanks for joining us today. Now this episode has quite a bold title, doesn’t it? Now what do we mean by, “Is ignorance really bliss?”?
Jack Gianella: Ultimately, Rich, what we mean here is that even if you're not noticing fraud that doesn’t mean to say that it’s not happening, unfortunately. The point being that it’s not just about losing money from an attack but being able to stop it when something does happen.
So you need to be aware of an attempt that’s taking place, because if you don’t see anything you need to be asking yourself the question, “Is something going under the radar that I'm not noticing?”
Something that came out of Bottomline’s Business Payments Barometer recently was more of a certainty that fraud is actually taking place for corporates.
Back in 2018, of the corporates that we asked questions to in our barometer, 15% said that they had been a victim of fraud in the past. However, 41% of people actually didn’t know whether they had been or not.
However, that statistic completely flipped during 2019 in the latest version of the barometer, where it was 45% of corporates said that they had been a victim of fraud. That’s nearly one in two corporates that we asked had been a victim. However, just 16% said that they didn’t know.
This is a good statistic, in the sense that the reduction in those that hadn’t been sure has completely reduced. Which I see as a really good thing, because you either know or you don’t know, and that’s a good thing. However, obviously quite bad to say that one in two had been a victim of fraud.
The point is just that that, “Yes,” explains that if you don’t know about fraud there is a chance that you're going to be a victim at some point.
Rich Williams: It’s interesting that that dynamic has flipped on its head in the most recent study that was done.
What about those organisations that are adamant they haven’t been affected by fraud? How confident can they be that this is actually the case?
Jack Gianella: I think what we’re being told, and certainly what we’re hearing from our customers at the moment, is that without the right technology in place you just cannot be sure in any way.
The right technology should be able to allow you to track your payments and track your behaviours, in order to see whether you're a victim of fraud or not. Just manual spot checks and manual process just aren’t good enough in this day and age, effectively.
There are real-life examples and quite a few real-life examples out there at the moment. We often see countless stories within the news about fraud. The most interesting ones for me, with this in mind, are those examples that track fraud over a long period of time that are just not being picked up by a business.
There’s a perfect example, I think, from a company that we all know, BMW, that came out in 2015, where an accountant within that business stole money over a three-year period. It was quite staggering actually. Three years of undetected fraud that was not picked up. I think that suggests that technology must be in place in order to try and track these things.
Rich Williams: You mentioned a couple of times there about organisations having the right technology in place. What do you mean by this, Jack? And what’s an example of the right technology?
Jack Gianella: There’s a number of different things that I’d quite like to mention, but ultimately there’s an abundance of different pieces of technology out in the market today in order to safeguard businesses against fraud.
The aim of obviously using such technology is to ensure that you have sufficient processes in place, just so that fraudsters cannot exploit your systems, I think. And obviously that is both internally and externally, the people that can exploit your systems.
The first example that I like to talk about when I talk about technology within processes and systems is Multi-Factor Authentication.
We should probably use you for an example here, Rich. Do you use online banking?
Rich Williams: I do, yes.
Jack Gianella: How do you log in to your online banking? And I don’t just mean a username a password there.
Rich Williams: Sure. (Laughter) I do have a username and password, obviously. Then there’s a card reader as well that I use my current account card in.
Jack Gianella: Great. That is a perfect example. That card reader that you use in order to log in to online banking is an example of Multi-Factor Authentication.
Multi-Factor Authentication is something that as a consumer and user of technology we all come into contact with every single day. This Multi-Factor Authentication is literally just an additional step that users can take in order to secure their account.
Your username and password is your first level, and that is something that you know. So you know your username. You know your password.
The second layer is something which you have. Like you say, Rich, you use a card reader, which is great in terms of an MFA – Multi-Factor Authentication – piece. This can often be your mobile device. It can be a key fob that offers a token and a code. But it’s something which you have as well as the bit of information that you know.
Like I say, it seems a simple thing, but actually it’s just adding more and more steps in order when you're logging in to secure your processes.
Rich Williams: I log in to my personal online banking, as we mentioned there, very quickly, conveniently, using some form of Multi-Factor Authentication, along with my password of course. Now is this the same experience that an organisation might expect from a payment system, for example?
Jack Gianella: Yes, absolutely. We’re talking about one extra layer. So the user experience is normally seamless and just adds seconds onto your login process.
I've just mentioned a couple of the examples that lots of companies use. Those token providers, the pieces that offer you a code to enter, they just add a simple step. So you're using an extra security level but your user experience is still very good and very quick, in terms of doing that.
Rich Williams: Great. So that’s one really simple example of using the right technology, Jack. What’s another example?
Jack Gianella: Another great example of additional security could be using technology to segregate duties within any sort of process, a payment process, whatever. This is all about separating user access and functions within a process. Effectively meaning that one individual cannot perform all of the actions across a process.
If we’re talking about a payment, for example, I cannot log in to my payment process, submit, upload, and create the same payment. I can’t just complete that action in one go. It needs a second pair of eyes and a second user in order to do this.
I've mentioned the BMW fraud example earlier on today. It’s a really good example of this. This one accountant that I mentioned stole money over three years.
First of all made one payment. Changed the bank account details. One payment worth £30,000. And was able to do it successfully. Following that he made 58 different payments over that course of time, eventually stealing over £6m from BMW.
The point here is if he had segregation of duty he would not have been able to perform that change of bank details to his own bank details without somebody else having to approve that.
Again, this feels like quite a simple step, just adding somebody else into the process, just to approve any changes, any different payments that have been made, but it really helps to secure the solution and the process, I suppose.
Rich Williams: That seems like another simple and logical precaution for an organisation to take.
What about any automated checks that someone could put into place? Obviously, that second step of approval needs a second or more pairs of eyes, but presumably there are going to be things that finance professionals won’t spot, like if an account is blacklisted, for example.
Jack Gianella: Another really important factor of a proper secure payment process would be the transaction monitoring that happens within the payment process.
I think I made the point earlier that manual spot checks just aren’t good enough in today’s society. It doesn’t matter whether you're making small payments, and a few of them, up to a lot of payments and large amounts. You cannot rely on a human getting things 100% right anymore. Just in general. We’re all human. We make mistakes. We all do every day.
The point here is having something technically that can perform 100% transaction monitoring for every little check really. This is just as much for anti-money-laundering as it is for error as well.
What you're looking for here is technology to check common types of fraud and error. So you want something to check the file and the payment just as soon as it goes out… Well, before it goes out of the door effectively.
You're looking for the likes of duplicate payments, for example, from an error point of view, but also things like private blacklists from an AML point of view.
We always recommend that our customers check the likes of first-time payments, for example, because if a fraudulent activity encounters somebody changing details that might be to somebody that has never been paid by the business before. Therefore, a first-time payment check is an ideal check to carry out.
Again, you mentioned blacklists when you asked me the question, Rich, and a blacklist is something that a company can populate for account details that they do not want to pay.
For example, during a supplier payment, Rich, you would never want your own employees’ bank details to be involved with that supplier payment. So adding a blacklist that corresponds to said supplier payment full of employees’ bank details would really help secure that payment.
Again, going back to the BMW example, if BMW had a blacklist that incorporated their employees’ bank details those fraudulent payments would never have been made.
Again, it’s just something that a business can provide and add extra checks in order to make their processes that bit more secure.
Rich Williams: And it would be configurable, I assume. You would screen employees against a supplier run and suppliers against a payment run for staff, for example.
Jack Gianella: In an ideal world, absolutely, yes. You would want them to be completely configurable to the different payments that you’re making.
You would want to maintain said blacklists. Even for your payroll payments, for example. You wouldn’t want somebody being paid that’s left the business. Like you say, being able to configure them and maintain them on a constant basis really helps.
Rich Williams: That sounds like another simple and effective measure to take into consideration.
Let’s talk about the data itself now. Data’s a very hot topic and certainly has been for the last few years.
Now, with particular reference to GDPR, there are significant fines that can be levied against a company for a breach of this. What can be done to mitigate that risk?
Jack Gianella: Absolutely, Rich. A really, really important topic as far as fraud goes.
It’s really important to realise that fraud’s not just about stealing money. It’s obviously a large part. But data is such a key part of fraud. And what damage can be done if data gets into the wrong hands.
Protecting personal data while it’s at rest within a business’ network is vitally important, and we would always encourage our customers to encrypt that data.
When we say, “Protect that data,” encryption normally would render the data completely unintelligible. So it would make an open payment file into something that if it got into the wrong hands just cannot be worked out as what the personal data is.
This has obviously got a couple of really key benefits. The fact that that data cannot be viewed means that the personal data within the file is protected.
As you say, this is a huge thing when it comes to GDPR. A business can be fined up to 4% of their global turnover over GDPR if personal data is breached.
We’ve read recently about the likes of British Airways and Capital One that have been exposed to huge data breaches, and encrypting this data is a really, really important process.
Encrypting the data as well obviously locks the file down. So as well as protecting the personal data it also protects a fraudster being able to edit any of that data within the file. If they wanted to change their own bank details and make a fraudulent payment, they would be unable to do that if the data was encrypted.
Rich Williams: In my head I'm picturing one file unencrypted being a list of names and account numbers, for example, and the encrypted file being like an opening scene to the matrix, just uninterpretable code. Would that be a fair example for a layman?
Jack Gianella: Without a doubt, yes. It’s complete gobbledygook, if you like, for want of a better term. That’s exactly right.
So when you say, “What can be done to mitigate the risk of both data breaches and fraud?” It’s really important to be able to lock files down using encryption, I would say.
Then when you do that, securing the transfer of that data into a payment system for example, really does firm the process up.
Rich Williams: You mentioned there about that secure data transfer. Could you explain a little bit more about how that’s beneficial?
Jack Gianella: Yes, absolutely. What I mean here is how data is transported around a company’s business system. From where payment files might be created, for example, into their business payment process and their solution to do that for them.
Secure data transfer effectively ensures that that process of transportation is completely automated. So it completely removes the need for a human to interact with a payment file at any point. Obviously securing the process, in the sense that if there’s no ability to hack that file at any point all the better for the company.
Not only that, but it also would save the business a little bit of time. The file would come out of a business application or wherever it’s processed, and it would be uploaded automatically into their payment solution. Like I say, saving the business some time and completely securing that bit of the process.
Rich Williams: So it’s a combination of security and efficiency as well?
Jack Gianella: Absolutely, yes. Exactly that.
Rich Williams: To summarise then, Jack, we’ve looked at a more secure login process for the system itself, segregation of duties within the system, securing data at rest and at transfer.
What else can be done?
Jack Gianella: Yes, absolutely. My final bit of advice would be based around people, really, and monitoring the behaviour of employees that have access to data and the payment process.
I might use you as an example here, if that’s okay.
Rich Williams: Sure. Go ahead. (Laughter)
Jack Gianella: Obviously, we must promote trust in our own employees, and it’s quite a contentious issue this, but 80% to 90% of a typical fraudster would actually be somebody that’s been employed by a business for a little while. Which is why I say yourself, Rich, because you’ve been with Bottomline for a little while now, I think. Making you somebody that fits the bill for this.
There’s something called the fraud triangle. The fraud triangle has three pillars, obviously.
The first is the opportunity to be able to execute a fraudulent transaction.
The second is their pressure and their own personal situation that allows them a little bit of a, “Ooh, am I able to commit a bit of fraud here?”
Then the third is the rationalisation, so their justification of being able to perform something quite bad, in the sense of performing a fraudulent transaction.
I suppose the point being that you don’t ever know somebody’s personal situation. It’s obviously awful to insinuate that somebody could perform this sort of act, but there’s never a reason to not be too careful here with the people that have access to your own personal systems, the data that we previously discussed, and just that they would have the opportunity to perform something like this.
So regular checks on the likes of things that we’ve already discussed. Segregation of duty, for example. Just making sure that a certain person cannot gain access to performing something that could have a detrimental impact on any business really.
Rich Williams: That’s really interesting.
A disclaimer for our internal auditors. My bank account is entirely clean. Please do help yourself and take a look. (Laughter)
Jack Gianella: Glad to hear it.
Rich Williams: That’s quite a bombshell to finish on, Jack.
Unfortunately, that is all we’ve got time for today, but it’s been a real pleasure talking with you. Thanks again for coming and speaking with us.
Jack Gianella: Absolutely, Rich. Thanks very much for having me.
Rich Williams: Well, we’ll be back with some more content very soon. In the meantime, you can listen to more episodes and all things payments at the touch of a button using your preferred provider. We’ll see you all next time.
Research ReportBusiness Payments Barometer 2019
The 2019 Business Payments Barometer analyses the latest trends and most burning payment initiatives set to impact organisations of all sizes. Now in its fourth year this annual index surveys over 400 financial decision makers across Great Britain.
PodcastThe Bangladeshi Bank Fraud: How did it happen?
Cyber-attacks are common news in this era, you’re more likely to take a hit online than be mugged in the street. What makes this story interesting is the lengths and preparation that were put into this heist (like any good film) and how it uncovered a weakness in a payment system that moves millions of payments around every day.
For Customer Support and Services click here.