The release of the recent “Treasury Fraud & Controls Survey Report” by Strategic Treasurer highlights the seriousness of the fraud issues facing the payments industry today. Payment fraud prevention strategies are in higher demand than ever before.
With 57% of organizations agreeing that the threat of fraud has increased and an additional 16% thinking it has significantly increased, it’s clear that fraud is simply going to be an evolving part of the business landscape going forward. But how are organizations protecting themselves and how can they do a better job, despite restricted budgets and conflicting priorities?
To discuss these issues, I spoke with Ben Hobby, partner with global forensic accounting firm BTVK Advisory. Given Ben’s extensive experience with fraud investigations, he has seen firsthand the damage that fraud can cause and has valuable advice for organizations looking to evolve their fraud strategy.
SmartPayments: Having read the Treasury Fraud & Controls Report, did any of the findings strike you as noteworthy?
Ben: Yes, there were actually a few things I thought were worthy of additional commentary, starting with the section regarding corporate confidence in security.
I find it very encouraging that organizations have an increasingly positive outlook on their fraud preparedness. I would urge them not to get overconfident, however. The nature of the fraud threat is constantly evolving, and while feeling confident that you’re in a position to defend your organization is a good thing, it can unfortunately also lead to complacency.
“Being prepared” isn’t an end goal. It’s an ongoing activity that stems from keeping up to speed on emerging threats and working with internal teams and technology partners who can help you put defenses in place to protect against ongoing threats.
SmartPayments: Staying ahead of threats is a very important point. Organizations too often feel as though “keeping up” is sufficient, but that’s just not the case given how motivated and creative fraudsters can be. I know your fraud prevention philosophy largely stems from a “People, Process & Technology” viewpoint. How can an approach such as that help organizations be more proactive with their fraud defense efforts?
Ben: A People, Process & Technology approach to fraud prevention is one of the easiest and best methods organizations can use to protect themselves against all of the most common fraud threats. It’s a methodology that ensures that the three most important aspects of security are always considered in complex environments where oversights can be easily made.
Take, for example, the payment diversion fraud BMW suffered several years ago that ultimately cost BMW £6 million in losses. The situation took place over the course of three years when a staff accountant systematically altered invoices to divert funds into his own bank account. That case is a perfect example of critical people, process and technology issues that, if corrected, could have prevented the entire situation from taking place. Intelligent transaction monitoring could have detected the fraud at the first attempt. Reconciling the invoices against purchase orders, delivery notes or some other form of documentation would have highlighted an exception case for investigation. An appropriately stringent recruitment process would have prevented the perpetrator – an employee with a previous fraud conviction – from being hired.
Ultimately, a People, Process & Technology approach makes it possible to detect key warning signs and help prevent fraud before it can take place.
SmartPayments: Based on that then, you must have some thoughts on the report’s findings that corporate security training is in need of enhancement?
Ben: The human element is absolutely critical when it comes to considering security best practices, especially when you consider the fact that people are often the first line of defense. Look at business email compromise (BEC). According to the report, it has affected 79% of organizations, and no wonder. BEC relies on the fallibility of humans to be successful. Thankfully, providing adequate security training is an easy way for companies to quickly bolster their defenses. Annual training that covers elements such as what good security hygiene practices entail, how to identify suspicious activity and how to respond to an attack is a great place to start.
SmartPayments: And what about technology? The report indicates that new technologies are seeing promising traction. Will new technology help organizations overcome some of the challenges they’re facing?
Ben: New technology will always play an important role in defending against the increasingly damaging threats we’re seeing today. But I do think that there can be a danger in considering technology a panacea. For one thing, technology alone can only do so much (sometimes a simple phone call is the best way to avoid a fraud issue) – the people and process elements of a comprehensive security plan must also be considered. Secondly, new technology can actually breed new types of threats as fraudsters find workarounds to technological defenses. Adversarial machine learning is the perfect example of this, where attackers are intentionally designing inputs that cause machine learning models to make mistakes.
Because threats are always evolving in this way, organizations have to remember that no solution is ever the final solution. As fraud threats change, so must the defense against them.
To learn even more strategies for defending against fraud, check out the whitepaper Ben co-authored, “Securing Payments Across the Digital Enterprise.”