In 2020 the threat of fraud is continuing to rise despite increased spending, why?

In this episode on the Payments Podcast we’re reviewing the results from this years 2020 Treasury Fraud & Controls survey to understand why fraud is still having a huge impact on us globally, and whether organisations are focusing on the right areas of defence.

 

Transcript

Rich Williams: Earlier this year, we saw the release of the ‘Treasury Fraud & Controls Survey Research Report’ for 2020, which questioned 350 corporate practitioners and bankers as to where their organisation stands in the fight against fraud. Completed with strategic treasurer, we previously went through the findings in depth on a webinar, which is now available on demand on the Bottomline website.

But, today, we're asking the question, why? Namely, why do 76% of corporates believe the threat of fraud has increased in the past year?

Hello, I'm Rich Williams host of the ‘Payments Podcast’ and today I'm joined once again by Julian Laurent, market development manager for risk and fraud at Bottomline.

Hi Julian.

Julian Laurent: Hello. How are you?

Rich Williams: I'm well, I hope you're keeping safe and well yourself.

Julian Laurent: Yes. Yes. Trying.

Rich Williams: So let's start, then, with the finding that most respondents believe that the threat level associated with fraud had escalated in the past year, growing 50% over a three year period, in fact. This was a notably lower figure in EMEA at 36%.

Now, what do you think explains this discrepancy, Julian? Is there less of an issue with fraud in EMEA or are they just doing more to curtail it?

Julian Laurent: I think, you know, it's like every statistic, you have to take it with a pinch of salt. There could be many variables in there, in terms of the means of reporting figures, what is qualified as a fraud or not. So, you know, we're going to go with those numbers, but it's not a judgment on other areas outside of EMEA, just what the numbers are saying here, with the room for error that comes with these sorts of statistics, but I think it's fair to say that EMEA has put a big focus on this and trying to tackle it with many different issues.

So you have a big push in terms of technical advance for validating the client, validating the name, that helps reduce fraud. There is a big push, as well, on the regulatory side to help identify fraud and reducing a lot of the new payment scheme… comes with a compulsory element of fraud detection.

So there's clearly a lot of awareness in EMEA. I think, the regulators are doing a good job to force the communication around this. So, yes, it's probably a case that EMEA might be better. The gap here is huge. So that's why I'm putting a bit of a caveat on the start. There might be different factors, but there is definitely a good wave of information, a good awareness across EMEA.

Rich Williams: Yes, it's really interesting to see that the perception of threat differs so much based on the geography. And I wonder whether training could be a factor in this? So you mentioned a moment ago that fraud is better documented and invested in, in the EMEA region and there's certainly a bit more awareness. So does this mean that employers and employees are trained better to identify, report and avoid fraud in this area?

Julian Laurent: Yes, it’s certainly a regulatory aspect that we have to provide training to staff in the EMEA region, it's part of any FinTech company - has to provide those trainings.

So that for sure influences this quite a lot. I think it's also, again, since there's so much more publicity around it and a consumer protection group, that are standing up and making a very clear statement about what the FinTech organisation and financial institution need to do to protect the customers, are very strong in EMEA.

So, all of that put together is really helping registering that and obviously there’s some very public instances where fraud has been rampant in some large businesses, which, also have a collateral damage to the business, not just to the customer. So I think businesses are very aware and looking for improving this aspect.

Rich Williams: So awareness and an appreciation for the seriousness of anti-fraud measures is one thing. But if we're seeing the importance of training increase, does this mean that organisations are actively implementing controls to prevent fraud, Julian?

Julian Laurent: Yes. There are quite a few controls that we see on a regular basis. Interestingly, though, I'm not always sure that it's at the right level. And this is why we see stats like 32% on the system monitoring or user monitoring, compared to 54% in a wider audience, which is an interesting number.

And I think with that, in my opinion, we tend in EMEA to focus maybe a bit too much on endpoints. Endpoints, in the lingo of cyber fraud and cyber security, is the point of entry to your network. So where actors can try to get access to your organisation. But I think sometimes, which is a bit neglected, is the point of exit and where things get out of your control. And, therefore, if you didn't catch it then, it's too late. They managed to perpetrate whatever they wanted to do.

I think sometimes we need to be… It’s easy to get lost in a number of end points because nowadays with technology evolving, there are so many end points, you know, the mobile phone application, online banking, the remote workers; it's almost becoming headless. But it's good sometimes to just slow down a moment and think, “Right, what are these actors after?” They’re usually after three things; your money, your data or your resources, such as, for example, mining Bitcoin, using your power, computers and so on.

But if you look at your business and assess what is the most value commodity that I have that is free for them? What are they more likely to attack? And if it's money, well, you surely do need to do a lot of things to protect the end point as well, but you need to make sure that the escape door to which they might try to run out with your money is also monitored. So it will be a bit like guarding the front door of the bank and assuming that nobody gets in, therefore, there's no need to survey the backdoor.

Well, in this case, this is where there is sometimes a bit of a discrepancy in terms of the strategy around what you protect and how you go about it. In my way, I think you need to protect both doors and then move inward until the measures you set are meeting in the middle and you have protected everything.

Rich Williams: Do you think that, perhaps, businesses or rather the community in general is a bit too blasé, a bit too casual about this? What do you think is the catalyst for the reason why there's such a discrepancy between different geographies?

Julian Laurent: I don't know if it’s blasé. I think… you face sometimes different threats, depending of the behaviour of your customers.

So if you are in a region which is very much, very high tech, very mobile based, very… different means of payment, for example, taking to our ways, and in some other geography, they might be a bit more old-fashioned with it. So your focus has to be slightly different. So it is a succession of factors.

But I think it came with this dangerous world because hackers don't have borders. So if they realise that because your main market is mostly focused on maybe more conservative ways of banking, for example, that wouldn't stop them to try to use tricks that are based on another market and have been proven successful elsewhere.

So in this, it’s really to recognise for the fraudster doesn’t have any borders, they will use techniques that they've developed elsewhere against you as well.

Rich Williams: That's really interesting. So let's move away from the geographical differences now and look at size. So I presume there's a different approach between smaller and larger businesses and we'd naturally presume that larger organisations have got more funds and more resources to invest in advanced anti-fraud controls.

But are they truly more likely to have taken action against fraud, Julian?

Julian Laurent: Again, it's difficult. I think when you look at the stats, it depends on where the businesses are in terms of other aspects of investment that we need to do, like continue to plan, a reaction plan to things like today, the crisis we're facing with COVID-19.

So I'm sure that everybody intends to invest, but they have to set priorities. Interestingly with this, when you tend to do this, you tend to look at it from yesterday's data. So if you have not yet been a victim of fraud, you tend to think to yourself, “Well, okay. We're not a primary target. But we have higher issues with this.”

So the logic will dictate that you then prioritise other things that have been more damaging to your business, historically, before you invest on something, which theoretically damaging. The issue with that approach, obviously, is once you get compromised, and someone does an incredibly, massive damage to your organisation, well, it's too late to do something about it.

So it's a very difficult balance for the companies out there to decide the right mix between what could happen and what has happened and make their decision.

Rich Williams: That's really interesting, as well. So there's obviously a difference between acting before the fact and taking measures after the fact.

And this might seem like an obvious question, but I think it's one that’s important to ask you anyway. Do organisations that have a payment fraud detection solution in place already encounter and see fewer losses?

Julian Laurent: Yes, well, it sounds obvious, but it's not, funnily enough. So, yes, there are 75% fewer losses, when companies install fraud detection, in place, depending on the configuration as well, because like everything, the system can bring great results if you invest in it. You need to spend the right time to set it up properly and to use the machine learning features to their best.

But at least we've seen 75% fewer losses. But what we also see is that not everybody is putting those in place, although this seems so obvious. But they've not always been implemented and that sometimes leaves the door open for a criminal to manage to steal funds still.

So it’s a mixed bag. Are they working? Yes, very well, but you also need to invest in them because the criminals are very sophisticated. They will try to blend within your normal flow. They will try to understand how your flows are working before triggering an attack. They can sometimes infect systems for quite a few months, and really trying to understand what your flows are.

So you need to apply very sophisticated solutions that looks at multi angles, multi dimensions of your payments in order to make sure you can stop them.

Rich Williams: So that's looking at, I suppose, a software angle there, Julian. So how do we stay ahead of these increasingly sophisticated attempts by these fraudsters and hackers and so on? But jumping back to training, what effect does this have on the prevalence and the recurrence of fraud?

Julian Laurent: Well, it's a very good point. I mean, at the end of the day, you heard me mention that before. We call it the human firewall here at Bottomline and the human firewall needs to be updated.

Sadly right now, there is a huge increase in phishing scams, which rely on the human factor and human concern around COVID-19. So there is a huge increase of website registrations, which is closely monitored because some of them don't have very helpful purposes, here, actually to hack into, to attack systems. Emails that are supposedly being helpful information, which are in fact malware.

Now, they are relying on the fact that people are not as focused at the moment. They're concerned. They need more information and there is now cutting a break when it comes to that from the fraudster. They will exploit this situation to their advantage. So the more training you can give on a most regular basis, finding ways to make it efficient, such as e-learning platforms, that allow you to edit content and make it available to your staff on a regular basis, is critically important.

Rich Williams: So how about ransomware or cyber fraud or malware solutions? How can they help businesses stay a step ahead or stay as protected as they can be?

Julian Laurent: Well, again, it's a mix between technology and the human firewall. So often, what I've witnessed, talking to some of our customers and their employees, so not talking about the security department because they are very well aware, but when you talk to employees, they tend to think, “Well, my company is taking all the steps to keep us safe. So I don't have to worry so much when I'm looking at my work email or so on.”

To a certain extent, it's true. Of course your company will have full firewalls in place, anti-malware, anti-viruses. But what people need to understand and I think today is a good day to make the correlation, is that they work exactly like vaccines. Your organisation software are relying on a database of known viruses, the definition of known viruses.

So when data comes in, they are looking at the code which is coming in, and if it's similar to a known virus, they will then block it. However, it doesn't work when it's a brand new one. So a little bit like if you did get your NHS shot earlier this year for the common flu, it won't protect you against what we're facing today because they are different

And so the antibodies that you have can't stop it. It's exactly the same when it comes to malware, ransomware. So there, again, education, knowing not to click on certain links, to really understand that overall, you have everything in place, there's such a thing called Zero-Day Exploit when it's a virus that’s been used for the first time. No one knows what it looks like. Therefore, we can’t defend ourselves against it.

And so that's important to understand that and that people need to be very careful when they click on anything.

Rich Williams: That comparison of a firewall or as an antivirus solution of being a bit like a vaccine is quite terrifying and certainly extremely topical.

And I think we have to, accept the fact that whilst the majority of communities and businesses will try and strengthen and support each other, malicious individuals and malicious parties will definitely try and exploit people, and more often than not, people are the weak link. We like to help, we like to be responsive. So that's a trifecta of people processing technology. It's often people that are the fallible ones.

So, if we look at how bank mandate fraud or business email compromise can affect a company, these are techniques that can catch out even very well-educated employees if they're trained on fraud. So can you give us a bit of an explanation of how that can be mitigated?

Julian Laurent: Yes. And you’re really right on a comment you made before, that they’re relying on our willingness to act fast and to be helpful and to support. And they're relying on people being busy, multitasking, and that’s very human trained.

Now, when it comes to the fraud mandate, again, training makes a big difference. We see that in companies that have a strong training, there is a fourfold of lower frequency of fraud. But it's also, be aware of other factors such as your supply chain, for example. So I think we talked before in another podcast about the island hopping. This is when a fraudster realises that you have quite strong defences.

So they are going to try to understand what's your supply chain. So, for example, if you have an office with a coffee shop in front, they can sit here and after a couple of days, they will find out who comes and fix your electricity, your plumbing, your coffee machines. Those suppliers might not have invested sufficiently in cyber protection. And, when you receive an invoice from them, you will have been well-trained not to open attachments from unknown sources, but these people are a known source.

So there is an element of, we need to look at our supply chain, evaluate what the capabilities are, and then make a decision on how we accept their billing. In some extreme cases, you might want to revert to letters and paper invoice only, if you know that one of your suppliers has done zero investment into cyber protection. So there are complicated factors to review but we need to understand not only who is it that is sending me something, but also who are they in terms of their technology awareness and how much protection they have in place.

Rich Williams: I suppose the underlying factor of all this is that there is no end game. There's no final boss you can complete and sit back. You need to constantly adapt and constantly be vigilant, perhaps even more so at times like this, when people will exploit the vulnerable, whether it's the vulnerable person, the vulnerable process or the vulnerable technology.

Julian Laurent: Absolutely. Yes.

Rich Williams: So as we start drawing to a close now, Julian, let's finish by looking at sanctions screening. It’s a topic that organisations are slowly increasing their understanding of and placing more importance in. Now, originally, this was the responsibility of the banks themselves, and we're seeing this shift into the hands of companies now.

So how are sanctioned entities and countries prevented from being passed through a payment process?

Julian Laurent: So that was very staggering data there when we saw that 1 in 12 companies have paid a sanction company. That’s 8%. This is huge. it doesn't seem like it, but that's monumental. And when you see… if you put that in perspective on how much money there could be and what it could finance, it's quite a scary thought.

I think that the perception that sanction is a bank job is probably the issue here. Sanctioning is everybody's job. Yes, the bank are more equipped because it's a bigger part of their daily business. But as a business owner, you are responsible to whom you are doing business with, whether you are buying from or paying. It’s anytime you are selling, even, your product, you have to be conscious that you are selling something of value that could be re-sold in exchange of cash that can then be used for other reasons.

So what we found is that a lot of corporates get caught up by thinking that this is a banking job. It isn't. As a matter of fact, depending on your jurisdiction, if you are attempting to trigger a payment to a sanctioned entity using your bank, they might have a duty to report. Well, in most instances they do, to report this to the regulator to make an incident report.

So even if you block the payment, they still need to report the fact that this was attempted and you have to make sure that you have your own sanction programme in place so you do not submit payment to a sanction entity or accept payment from a sanctioned entity Depending on your jurisdiction, you’re not allowed to sell. So for example, US technology, even if it's a technology, it’s not allowed to be sold in a certain region and for corporations, that's a huge amount of work.

I'm not even going to get started on dual-use goods because then we need another podcast for that.

Rich Williams: (Laughter) Any closing remarks, Julian?

Julian Laurent: No, I think, you know, it's, difficult times for sure, but there are people here to help. By all means, we always invite our customer to come to us. We’re taking steps to raise education when we can, we're keeping a close eye… but just take the time. People need to take time to evaluate what's happening overall. The fact that things are a bit stressful and people are loaded, it's always best to just take a breath, check again and be sure to do the right thing.

Rich Williams: Julian, thanks very much for joining me today and I'm sure we'll welcome you back onto the podcast again, in the very near future.

Julian Laurent: Thank you.

Rich Williams: For those of you that would like to delve into the Treasury Fraud & Controls Report in more detail, you can download it for free from the Bottomline website, and you can also check out the on-demand webinar, discussing the numbers, with our partner who compiled the report, strategic treasurer.

On behalf of Bottomline Technologies, we hope that all our listeners are taking appropriate measures to stay safe and well during these difficult times and would encourage anyone who is concerned with their business continuity, best practices, general support, or even would just like to chat to please speak with us.

Unfortunately, that's all we have time for today. We'll be back with some more podcasts very soon. And in the meantime, you can listen to more episodes and all things payments at the touch of a button, using your preferred provider, and we'll see you all next time.

Want to learn more about Bottomline's fraud and financial crime management?

Give us a call.

Our solution experts are here to help.

+44 118 925 8250

Chat with us.

Chat with one of our solution experts. We'll recommend the right product to fit your needs.

Please note, you'll need to accept analytics cookies to use our chat function.

See how we can protect your business.

Tell us a bit about you and your business and we’ll get back to you with all the information you need.

footer curve