Updated June 2017
Many of us have read and witnessed how cybercrime and fraud have become one of the most significant risk management topics for corporates. However, despite all the hype and talk, I find it surprising how many corporates are still unaware of the risks, or strikingly unprepared to mitigate them.
Committing cybercrime does not necessarily require sophisticated IT or programming skills. Of course there are plenty of sophisticated methods, such as viruses, worms and ransomware. But a business e-mail compromise (BEC) attack, for example, may need very little technical skill, because the attacker does not necessarily have to break into your e-mail system or intranet at all.
In a business e-mail compromise attack, also called a “CEO fraud” or “CFO fraud”, the attacker finds a way to present himself as an important person inside your company, usually with a fake e-mail identity. In sophisticated cases the real e-mail account is hijacked, but often it is enough to send e-mail from a look-alike address and disguise it well, which requires only limited IT skills. Using the false identity, the attacker then asks the ledger team or treasury to initiate fake payment orders. It should not surprise anyone that impersonating a person has become much easier since we started sharing everything about ourselves on the internet. When the scam is professionally tailored to the weak spots of your company, and then applied over and over again to other corporates as well, the criminals increase their chances of success.
The other side of the coin is internal fraud. Internal risks in payment processes can be reduced to an acceptable level by any corporate just by following a few basic principles, but surprisingly many fail here. As an example, I have witnessed too many payment processes, even in stock-listed corporates, where batch files are manually uploaded to internet banking portals. File- and folder-sharing policies can be applied to reduce the risk of someone changing the payment data in transit, but the process is fundamentally wrong: a file that a person can pick up and upload is a file that a person can edit first. Any professional risk policy should recognize such processes and seek ways to eliminate them completely.
How to start minimizing payment related risks?
I would argue that corporates whose financial back office is de-centralized are in general more exposed to cybercrime and fraud. As a consequence of de-centralization, implementing preventive tools and processes takes much more time and of course costs more money, and in a de-centralized company it is easier to say that how the others do it is none of my business. A centralized payment factory can be a surprisingly powerful way of mitigating both external and internal payment-related risks, and the most obvious reason is that with a payment factory you create a single hub through which all your bank connections pass.
Let’s focus on business e-mail compromise first. At first sight there seems to be no clear link between a payment factory and the attack. But in fact these attacks can be mitigated substantially by implementing best-practice payment processes: processes in which only payments to registered creditors are accepted from A/P, released under the four-eye principle, and in which manual ad hoc payments in particular are filtered and, in suspicious cases, stopped before execution by various filtering and blocking rules. When these preventive controls are in place, the attacker’s payment order is stopped in the payment factory even if the impersonation itself succeeds.
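The controls described above, as an added example that is not part of the original post and not OpusCapita’s code. The creditor master data, the thresholds, the order fields and the sample batch are all constructed for illustration; a real payment factory would take them from vendor master data and the group’s payment policy.

```python
"""Screening outgoing payment orders in a payment factory.

Added example, not OpusCapita's or the author's code. The creditor master
data, thresholds, order fields and sample batch are all constructed for
illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed creditor master data: beneficiaries registered through vendor
# onboarding. A BEC attacker's "new" account is by definition not in here.
REGISTERED_CREDITORS = {
    "ACME-001": {"name": "Acme Components Oy", "iban": "FI2112345600000785"},
    "NORD-017": {"name": "Nordic Logistics AB", "iban": "SE4550000000058398257466"},
}

FOUR_EYE_THRESHOLD = 1_000.00   # above this an independent second approver is needed
MANUAL_LIMIT = 10_000.00        # manual ad hoc payments above this are stopped outright


@dataclass
class PaymentOrder:
    order_id: str
    creditor_id: Optional[str]     # None for ad hoc payments with no registered creditor
    beneficiary_iban: str
    amount: float
    source: str                    # "AP" (from the ledger) or "MANUAL" (ad hoc)
    initiated_by: str
    approvers: list = field(default_factory=list)


def screen_payment(order):
    """Return (decision, reasons); decision is RELEASE, HOLD or REJECT."""
    reasons = []
    creditor = REGISTERED_CREDITORS.get(order.creditor_id)
    iban_on_file = creditor is not None and creditor["iban"] == order.beneficiary_iban

    if order.source == "AP":
        # A/P may only pay registered creditors, and only to the IBAN on file:
        # a familiar creditor name with a changed IBAN is the classic BEC pattern.
        if creditor is None:
            return "REJECT", ["A/P payment to creditor not in master data"]
        if not iban_on_file:
            return "REJECT", ["A/P beneficiary IBAN differs from registered IBAN"]
    else:
        # Manual payments bypass the A/P controls, so they are filtered harder.
        if order.amount > MANUAL_LIMIT:
            return "REJECT", ["manual payment above limit"]
        if not iban_on_file:
            reasons.append("manual payment to IBAN not in master data")

    # Four-eye principle: the person who keyed the payment cannot also be its
    # only approver, which is exactly what an "urgent CEO request" tries to achieve.
    independent = [a for a in order.approvers if a != order.initiated_by]
    if order.amount > FOUR_EYE_THRESHOLD and not independent:
        reasons.append("no independent second approver")

    return ("HOLD", reasons) if reasons else ("RELEASE", reasons)


def screen_batch(batch):
    return {o.order_id: screen_payment(o) for o in batch}


# Constructed batch. P3 is the BEC case: an urgent manual payment to an
# unknown account, keyed and approved by the same person.
PAYMENT_ORDERS = [
    PaymentOrder("P1", "ACME-001", "FI2112345600000785", 4200.00, "AP", "alice", ["bob"]),
    PaymentOrder("P2", "NORD-017", "DE89370400440532013000", 8500.00, "AP", "alice", ["bob"]),
    PaymentOrder("P3", None, "DE89370400440532013000", 9800.00, "MANUAL", "carol", ["carol"]),
    PaymentOrder("P4", None, "DE89370400440532013000", 48000.00, "MANUAL", "carol", ["dave"]),
    PaymentOrder("P5", "ACME-001", "FI2112345600000785", 600.00, "MANUAL", "carol", []),
]

if __name__ == "__main__":
    for order_id, (decision, reasons) in screen_batch(PAYMENT_ORDERS).items():
        print(f"{order_id}: {decision} {'; '.join(reasons)}")
```

Two design points matter here. The registered-creditor check compares the IBAN, not the creditor name, because the attacker’s e-mail usually names a real supplier and only changes the account. And a manual payment is held for a human review rather than rejected outright, because genuine ad hoc payments exist; only the clearly out-of-policy case (above the manual limit) is stopped automatically.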
A payment factory also eliminates the weakness of manual file transfers. The safest way is to implement interfaces directly from your ERP systems to the payment factory and to protect the payment material all the way, so that nothing can be altered between the ledger and the bank without being detected. Automated file transfers or messaging solutions of course cost some money, but can you really afford the risk of not meeting standard security levels? Especially since modern tools have brought almost every bank within your reach via SWIFT and other channels.
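What “securing the material all the way” buys you, against the manually uploaded batch file described earlier, as an added example that is not part of the original post and not OpusCapita’s code. It uses an HMAC over the exported batch as a stand-in for whatever integrity mechanism the real ERP-to-payment-factory interface uses (signed files, SWIFT, a messaging layer); the key, the export and the tampering step are constructed.

```python
"""Integrity-protected payment batch between an ERP and a payment factory.

Added example, not the author's or OpusCapita's code. HMAC-SHA256 stands in
for the real interface's integrity mechanism; the key and batch are constructed.
"""
import hashlib
import hmac
import json

# Constructed shared key. In a real interface it would be provisioned out of
# band and never stored next to the files it protects.
INTERFACE_KEY = b"constructed-demo-key-not-for-production"


def seal_batch(batch, key=INTERFACE_KEY):
    """Serialize the batch canonically and attach an HMAC-SHA256 tag."""
    payload = json.dumps(batch, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_and_load(sealed, key=INTERFACE_KEY):
    """Recompute the tag on the received payload; refuse the batch on mismatch."""
    expected = hmac.new(key, sealed["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("batch integrity check failed: content changed after export")
    return json.loads(sealed["payload"])


def batch_is_intact(sealed, key=INTERFACE_KEY):
    """Convenience wrapper: True if the batch verifies, False otherwise."""
    try:
        verify_and_load(sealed, key)
        return True
    except ValueError:
        return False


def tamper(sealed, old, new):
    """Simulate someone editing the file in a shared folder before upload."""
    return {"payload": sealed["payload"].replace(old, new), "tag": sealed["tag"]}


# Constructed A/P export.
AP_EXPORT = [
    {"id": "P1", "iban": "FI2112345600000785", "amount": "4200.00"},
    {"id": "P5", "iban": "FI2112345600000785", "amount": "600.00"},
]

if __name__ == "__main__":
    sealed = seal_batch(AP_EXPORT)
    print("clean batch intact:", batch_is_intact(sealed))
    edited = tamper(sealed, "FI2112345600000785", "DE89370400440532013000")
    print("edited batch intact:", batch_is_intact(edited))
```

The point is not the HMAC itself but where the check runs: in the payment factory, after the file has left every shared folder and mailbox a person could reach, so a swapped IBAN or an added zero is refused instead of executed. With a manual upload to a banking portal there is no such point, because the person uploading the file is also the last one who could have edited it.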
What comes after the minimum level is reached?
Once you have taken the first critical steps of securing your cash flows with industry-standard processes and automated interfaces through a payment factory, it is time to consider more. As processes and systems will never be 100 % bulletproof, it is equally important to detect fraud that has already happened. For instance, the automatic reconciliation offered by a payment factory helps you catch exceptions rapidly, since every bank account is fully reconciled against its G/L account at the end of each day: a debit on the statement that no posting in the ledger explains surfaces the next morning instead of at the next audit. Going forward, the advanced on-behalf-of functionality of an in-house banking concept can make the banks almost invisible to your subsidiaries, which further strengthens the group’s control over, and transparency into, cash and cash flow processes.
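The end-of-day reconciliation described above, as an added example that is not part of the original post and not OpusCapita’s code. The statement lines, the G/L postings and the matching rule (payment reference plus amount) are constructed; a real payment factory would read the statement from the bank (for example a camt.053 file) and the postings from the ERP.

```python
"""End-of-day reconciliation of a bank statement against the G/L account.

Added example, not the author's or OpusCapita's code. The statement lines,
G/L postings and the matching rule (reference plus amount) are constructed.
"""
from collections import Counter
from decimal import Decimal

# Constructed end-of-day statement. Negative amounts are debits.
BANK_STATEMENT = [
    {"ref": "P1", "amount": Decimal("-4200.00")},
    {"ref": "P5", "amount": Decimal("-600.00")},
    {"ref": "XX9", "amount": Decimal("-15000.00")},   # debit the ledger knows nothing about
    {"ref": "INV-77", "amount": Decimal("2500.00")},
]

# Constructed G/L postings for the same account and day.
GL_POSTINGS = [
    {"ref": "P1", "amount": Decimal("-4200.00")},
    {"ref": "P5", "amount": Decimal("-600.00")},
    {"ref": "P7", "amount": Decimal("-900.00")},      # posted, but the bank never executed it
    {"ref": "INV-77", "amount": Decimal("2500.00")},
]


def reconcile(bank, gl):
    """Match statement lines to postings on (reference, amount).

    Counters make this a multiset match: two identical payments on one day
    need two postings, so a duplicated execution is not hidden by the first.
    """
    bank_keys = Counter((line["ref"], line["amount"]) for line in bank)
    gl_keys = Counter((post["ref"], post["amount"]) for post in gl)
    return {
        "matched": sorted((bank_keys & gl_keys).elements()),
        "bank_only": sorted((bank_keys - gl_keys).elements()),
        "gl_only": sorted((gl_keys - bank_keys).elements()),
    }


def exceptions_to_escalate(result):
    """Split the exceptions by who needs to see them.

    Money that left the account without a ledger posting is the fraud signal
    and goes to treasury/security; postings the bank never executed are an
    operational problem for the payments team.
    """
    return {
        "unexplained_debits": [k for k in result["bank_only"] if k[1] < 0],
        "not_executed": list(result["gl_only"]),
    }


if __name__ == "__main__":
    result = reconcile(BANK_STATEMENT, GL_POSTINGS)
    print("matched:", len(result["matched"]))
    for kind, items in exceptions_to_escalate(result).items():
        for ref, amount in items:
            print(f"{kind}: {ref} {amount}")
```

The reconciliation itself is ordinary accounting; the security value is in treating an unexplained debit as an incident with a same-day deadline rather than as a reconciling item to be cleared at month end, because recall of a fraudulent transfer is only realistic within hours.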
Taking the first steps in mitigating payment-related fraud and cybercrime is relatively simple. The risks mentioned above are only the tip of the iceberg. Therefore I would encourage every corporate to take the step and decide not to tolerate bad internal processes or inadequate tools that cannot support industry-standard financial processes.
Jukka Sallinen / OpusCapita
Jukka Sallinen is a cash management domain expert with a strong hands-on background from international and complex payment factory and SWIFT projects. Previously, Jukka worked in various R&D roles, focusing on bank and ERP integrations and security topics. Jukka holds a Master of Science degree in software engineering and data security.