How to counter fraud in a digital world.
By Phillip M. Perry
Businesses of all sizes face a growing risk of financial loss from fraudulent internet transactions. Here’s just one example: When the controller of a California business received an email from the CEO requesting an immediate wire transfer to a vendor, the transaction seemed routine. Only after the money was sent was it discovered that the vendor was not due such a payment. And worse, the funds had not been received by the vendor.
An investigation revealed that the sender of the request was a thief using an email address misleadingly similar to the targeted company’s top executive. The supplied banking credentials were actually those of the crook’s account in China. Acting quickly, the controller called the overseas bank to see if the payment could be canceled. What he heard allowed him to breathe a sigh of relief: Because the funds had arrived on a Chinese bank holiday, they had not yet been credited to the thief’s account. The company was able to recover its funds.
Costly Fraud
While our opening story has a happy ending, most businesses targeted by so-called “Business Email Compromise” (BEC) fraud are not so lucky. Of the 11 percent of respondents reporting losing money to such fraud in a recent survey by AP Now, a source of accounts-payable information for the business and finance community based in Newark, Del., only 3.2 percent recovered all the stolen funds. The fraud is increasing rapidly as thieves have learned to cleverly disguise C-level executives’ identities. “Crooks know it’s very, very easy for people to miss slight changes in email addresses,” says Mary S. Schaeffer, AP Now’s president.
The urgent need for effective security procedures was brought home recently by an upsurge in news reports about an especially insidious form of electronic theft: ransomware attacks (more on this later). And reports from the FBI, the IRS and other agencies show that cyber fraud of all kinds poses a growing threat to companies, including small businesses such as florists. Many thieves are after money, but others want data such as company marketing plans or customer information for identity theft.
“Criminals often target smaller businesses because their protections are typically not as strong,” Schaeffer points out. “They are likely to have older, unsafe technology and lack the security personnel to keep software updated.”
Fueling the rise in cyber fraud is the growing digitalization of business transactions, a long-term trend given further impetus by a greater reliance on electronic communications during the COVID-19 pandemic. “Flaws in firewalls and Virtual Private Networks (VPNs), as well as in videoconferencing systems, have exposed more businesses to incursions,” says Robert M. Travisano, an attorney in the litigation practice of Epstein Becker Green in New Jersey and New York. The rapid expansion of devices on the typical employer’s computer network has given cyber actors still more opportunities.
The pandemic has increased risk in another way: “More people are working at home, sharing business computers with family members,” says Eric Jackson, a consulting member of the Cybersecurity team at Withum, a business advisory firm based in Princeton, N.J. “This has created some serious security breaches.” Users not only log onto malware-infested sites they would not access at work but family members also may accidentally open email attachments that install damaging programs.
Electronic Payments
Wire transfers and ACH (Automated Clearing House) transactions are juicy targets for cyber thieves as the business world moves away from paper checks. “The right procedures can help spot electronic payment fraud before the money goes out the door,” says Schaeffer. “That’s much better than trying to recover what’s been lost.”
That key word is “procedures.” Security experts say most business fraud stems from social engineering—a thief’s skillful engagement with a company employee. “Social engineering is responsible for 70 percent to 90 percent of all successful digital breaches,” says Roger Grimes, a consultant at security firm KnowBe4 in Clearwater, Fla. “Yet the average company spends less than 5 percent of its cybersecurity budget to fight it.”
Training your staff in preventive procedures can nip such fraud in the bud. To obviate BEC fraud such as the one in our opening story, for example, businesses can require that wire transfers be validated by a means other than email. “Validation should be done either by calling the [issuer of the payment] using a known number or, if feasible, by walking over to that individual’s office,” says Schaeffer. “However, the pandemic has made this kind of verification more difficult. Calling and verifying sounds easy, but it can be exponentially more difficult when people work from home. Sometimes the right person is not readily available because of his or her schedule.”
Adding to the risk is the fact that home workers often have less-than-ideal or mismatched technology, which can result in costly errors. In addition, security breaches can occur when targeted employees are pressured into quick action. “Employees should be warned to be alert for requests that come in late on a Friday afternoon, at the end of the month or anytime when thieves think they can trick somebody into failing to properly verify a transaction,” Schaeffer advises.
Protect Accounts
Good procedures can also guard against a variation of social engineering in which a caller, pretending to be a customer, requests bank routing numbers to pay an invoice. “People are often only too happy to give out such information because they want to receive money,” says Schaeffer. “However, rather than using the provided information to wire funds into the account, the thief wires funds out.”
Businesses can obviate such wire fraud by requiring account information be communicated only by designated individuals who directly dial the paying company using known telephone numbers. “Another solution is to establish one bank account dedicated to wire transfers, and use it only for inbound transactions,” Schaeffer suggests.
In a reversal of the above fraud, a thief pretending to be a vendor will send an email providing routing numbers for a new bank account where all future payments are to be made. The account, of course, belongs to the thief. “This type of fraud is exploding, and I cannot caution your readers enough to be careful,” says Schaeffer. “You need to get to the right person to verify that the request is legitimate.” Again, verification should be done over a voice line using a known telephone number.
Schaeffer cautions that calling to verify changes in bank accounts or email addresses will work only if a company’s records are accurate. “It’s more important than ever to enter valid contact information in the master vendor file when it’s first set up, and then update it regularly.”
Wire transfers are not the only electronic payment method at risk. Thieves can also use stolen Automated Clearing House numbers to steal company funds. Banks offer a number of services to stem losses. An ACH block will prohibit all ACH transactions for a specified account. An ACH debit block prohibits only transactions initiated by payees. An ACH filter allows ACH debits only to those on a designated list of names. An ACH alert triggers a notification when an ACH debit arrives, enabling a staff member to accept or reject.
“I suggest putting ACH debit blocks on all accounts where debit activity is not needed,” says Schaeffer. “Limit ACH debit activity to one or two accounts, and check those accounts each day. Businesses have 48 hours to notify the bank of any unauthorized transaction.” (Consumers enjoy a 60-day notification window).
Damaging Malware
So far, we’ve addressed some of the fastest growing security breaches stemming from social engineering, but cybersecurity experts suggest that businesses also take the following measures. All of them can help reduce the chances of being hit with ransomware, a form of malware that requires targeted businesses to make costly payouts to either regain access to encrypted data or prevent the release of business information to competitors:
1. Beware malware-ridden emails. Phishing emails trick recipients into clicking a link to a toxic website or opening a compromised attachment. The result is the installation of a keylogger software that collects keystrokes for critical bank account information.
Solution: Train employees to handle all emails with suspicion.
2. Update hardware. Old computers and routers offer access points for hackers. “Anything older than, say, 15 years was designed without security in mind,” says Jackson.
Solution: Replace old equipment with new models.
3. Patch software. Outdated versions of operating systems or office programs are riddled with security bugs. “Unpatched software is involved in 20 percent to 40 percent of all digital breaches,” says Grimes.
Solution: Update operating systems and software programs with the latest versions.
Insurance Policies
No business—large or small—can eliminate the risk of cyber fraud. The right insurance, though, can lessen the blow when a breach occurs. “Insurance can protect businesses from so-called ‘first-party risk’ of their own losses,” says Diane D. Reynolds, partner at New York-based law firm McElroy Deutsch. “Policies can also protect against losses to third parties such as customers and vendors, obviating lawsuits against the insured company.” (For more details, see the sidebar, “Reducing Risk with Cyber Insurance.”)
Even the best insurance policy is no substitute for operating procedures that help stop cyber theft in its tracks. All employees, from the head-person-in-charge on down, need to be trained on the most effective responses to thieves who are skilled at social engineering. “The one piece of advice I have is to always be suspicious,” says Schaeffer. “Make sure everyone knows that if something looks a little odd, or if someone asks for something out of the ordinary, speak up. It’s better to go overboard on security than to go the other way.”
Reducing Risk with Cyber Insurance
While no business can eliminate the risk of cyber fraud, insurance can save the day when a breach occurs. Many common commercial general liability (CGL) policies already address some areas related to digital transactions. Security experts, though, advise seeking better protection. “Cyber coverage in existing property polices is often limited,” says Robert M. Travisano, an attorney in the litigation practice in the New Jersey and New York offices of Epstein Becker Green. “Moreover, policies can differ from carrier to carrier, so shop around for a dedicated cyber policy.”
The typical cyber policy will cover money lost to cyber thieves. In the event of customer data loss, policies may cover breach notification, credit and fraud monitoring services, and the costs associated with restoring and recreating data, as well as with hiring a PR firm. Especially important is coverage for business interruption. “Statistics show that most businesses are not back to normal operations for at least one month after an attack,” says Diane D. Reynolds, partner at New York-based law firm McElroy Deutsch.
Even the best dedicated cyber policies may have potentially costly coverage omissions. “If you have a policy but haven’t closely checked it lately, you may not have the coverage that you think you do or that you need,” says Mary S. Schaeffer, president of the accounts-payable consulting firm AP Now in Newark, Del.
What seems like good coverage at one point may not look so attractive down the road. “As cyberattacks evolve, so will insurance,” says Jessica Averitt, partner in the Houston office of law firm Baker McKenzie. “Companies need to review their policies to ensure adequate coverage in the post-COVID-19 world. For example, a few years ago, provisions related to ransomware were rare. But after some recent high-profile attacks, such coverage is more common.”
The good news is that more carriers are entering the field of cyber insurance, increasing the competition for customers and improving terms and premiums. With a decade or more of loss history to analyze, carriers are fine tuning their premiums to make policies more attractive. “I have not seen any policies in the past year or so that I thought were overpriced,” says Reynolds.
An important caveat: The terms of a cyber policy will be invalid if the covered business cannot illustrate compliance with a good security plan. Insurance companies are tightening the screws in this area. “We are seeing more carriers who will not even issue policies unless a business has security controls validated by a third party,” says Eric Jackson, a consulting member of the Cybersecurity team at the Princeton, N.J.-based business advisory firm Withum. “And when an incident occurs, carriers will often send inspectors to investigate the insured’s security posture before paying a claim.”
QUIZ: Cyber Defense
How solid is your cyber security program? Find out by taking this quiz.
Score 10 points for each “yes” answer. Then, total your score, and check your rating at the bottom.
1. Have all personnel been trained on security protocols, including correct handling of suspicious emails?
2. Do changes in a vendor’s or customer’s bank account information for e-payments require verification by voice telephone call to a known number?
3. Do you require non-email validation of wire transfer or ACH requests?
4. Have you established one bank account dedicated to wire transfers and blocked such transfers on all other accounts?
5. Have you limited ACH debit activity to one designated account?
6. Have you established ACH filters, blocks and alerts where appropriate?
7. Do you regularly update vendor master files?
8. Have you replaced hardware older than 15 years?
9. Do you regularly patch software programs?
10. Have you taken out a comprehensive cyber insurance policy?
WHAT’S YOUR SCORE?
• 80 or more: Congratulations. You have gone a long way toward securing your company funds and data.
• Between 60 and 79: It’s time to fine tune your security procedures.
• Less than 60: Your business is at risk. Act on the suggestions in this article.
Award-winning journalist Phillip M. Perry has published widely in the business management press. You may contact him at linkedin.com/in/phillipmperry.
