As a follow-up to the 2021 AFP Payments Fraud and Control Survey, underwritten by J.P. Morgan, the Association for Financial Professionals (AFP) recently held a companion webinar, “Beyond Business Email Compromise (BEC): Where Fraud is Evolving.” The webinar provided attendees with a review of the latest trends in payments fraud, the tools being used to prevent fraud and, more importantly from a risk management perspective, where companies can employ insurance to further mitigate potential risk.
The speakers for the webinar included Sue Dean, head of Product Delivery for Commercial Banking and Wholesale Payments, J.P. Morgan Commercial Banking; Tom Hunt, CTP, director of Treasury Services, AFP; Frank D’Amadeo, senior manager and assistant treasurer, Con Edison; Steven Bernstein, manager, N.A. Payables Product Support Specialists, J.P. Morgan; and Lisa Kerr, vice president of Global Risk Management and Business Continuity, Henry Schein, Inc.
The presentation began with opening remarks from Sue Dean: “Fraud continues to dominate, impacting companies of all sizes and across all industries, with our susceptibility increasing as attacks become ever more sophisticated. ... The more we know, the better we can combat attempts and keep ourselves and our businesses safe. Education, training and assessing internal controls are all key.”
Bernstein discussed the increased vulnerability of systems and people over the past 14 months as a result of the increase in remote work. “What we've seen is that there is a ratcheting up on targeted fraud,” said Bernstein, “especially in the B2B space.”
He said that the most common method used is phishing, where the actor redirects a payment. This is usually done toward the latter part of the week, so that when the payment settles, they can move the funds out of the designated account and to another part of the world, “… when it's Monday morning here in the U.S., it's already Monday evening in other parts of the world,” said Bernstein. “We're seeing that with increasing rapidity, and I think that is one indication of where normal business operations have been impacted.”
The percentage of organizations experiencing business email compromise (BEC) and/or fraudsters accessing ACH credits using email compromise fraud has either remained static or slightly decreased in the past year, which indicates that greater precautions are being taken. That said, per NACHA, as of June 30, 2021, organizations will need to encrypt, tokenize or redact data at rest.
“BEC is the number one focus, where the majority of fraud comes in,” said Hunt. The biggest target for BEC is overwhelmingly still wire transfers, followed by ACH credits. “Fraudsters are getting more savvy and smarter, and now crypto is being implemented into that, into the BEC side. Being more vigilant and more prepared for this and proactive is a good thing.”
Unfortunately, the numbers aren’t all positive. “COVID-19-related fraud from registrations was up about 750% from the beginning of 2020,” said Bernstein. “We've seen this in all walks of life and across the board — everything from government CARES payments to business fraud. Preying on the vulnerable is an unfortunate element of this, and so we've redoubled our efforts, and I know the industry has as well.”
Bernstein reported that there has been a great deal of effort by corporates to repel these attacks and threats using dual-level authentication, the texting of pass codes, callbacks and confirmations. “A lot of this seems rudimentary and straightforward, but in practice, it really isn't,” he said.
Data analytics and machine learning are also increasingly being adopted by corporates in order to repel that type of fraud. “We've implemented some tools that are now taking a look at customer patterns,” said D’Amadeo. “If the customer makes payments with a different bank account every month, where they allow us to take money out of their bank account, or they use a different credit card every month, we're starting to track patterns of customer payments, looking for fraud in advance of getting burned, in advance of finding out that stolen information was used five or six months in a row. We're trying to cap that.”
J.P. Morgan is seeing “much more concern” over fraud from its clients. “We've made a significant investment not only in our own cybersecurity, but in the tools that are offered to clients to leverage,” said Bernstein.
Part of this is machine learning, and the other part is analytics, including prior history, the dollar value and timing of the payment — all of which are fed into their internal processes. “What we're looking for is behavioral history, dollar value and other attributes that we work hand in hand with our clients to identify,” said Bernstein. “Then also, we give them tools where they could filter out, especially on the receipt side, those payments that they want to keep, and those payments that they don't. We give them those leverage tools, much like a lot of financial institutions do.”
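The pattern tracking D’Amadeo describes (a customer funding each month’s payment from a different account or card) and the behavioral-history and dollar-value attributes Bernstein mentions, as an added Python example that is not from the webinar or from any of the speakers’ organizations; the record layout, thresholds and sample payments are constructed assumptions:

```python
"""Payment-pattern screening in the spirit of the controls described above.
Added example, not code from the webinar speakers, Con Edison or J.P. Morgan;
record layout, thresholds and sample payments are constructed assumptions."""
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed sample. C100 funds every payment from a different account;
# C200 is stable until one payment lands far above its own history.
PAYMENTS = [  # (customer, settlement date, funding-instrument token, amount)
    ("C100", date(2021, 1, 15), "acct-a1", 1200.0),
    ("C100", date(2021, 2, 15), "acct-b2", 1180.0),
    ("C100", date(2021, 3, 15), "acct-c3", 1210.0),
    ("C100", date(2021, 4, 15), "acct-d4", 1195.0),
    ("C200", date(2021, 1, 15), "acct-z9", 500.0),
    ("C200", date(2021, 2, 15), "acct-z9", 520.0),
    ("C200", date(2021, 3, 15), "acct-z9", 510.0),
    ("C200", date(2021, 4, 16), "acct-z9", 9800.0),
]
CHURN_LIMIT = 3    # distinct instruments that count as rotation (assumed)
Z_LIMIT = 3.0      # deviations from the customer's own history (assumed)
MIN_HISTORY = 3    # prior payments needed before an amount is scored (assumed)


def instrument_churn(payments):
    """Customers that pay from a different account or card month after month."""
    seen = defaultdict(set)
    for cust, _d, instrument, _amt in payments:
        seen[cust].add(instrument)
    return sorted(c for c, s in seen.items() if len(s) >= CHURN_LIMIT)


def amount_outliers(payments):
    """Payments far above the customer's own prior history (dollar value)."""
    # Score each payment only against payments that settled before it, so the
    # suspect amount cannot inflate its own baseline.
    prior = defaultdict(list)
    flagged = []
    for cust, d, _i, amt in sorted(payments, key=lambda p: p[1]):
        hist = prior[cust]
        if len(hist) >= MIN_HISTORY:
            mu = mean(hist)
            sd = max(pstdev(hist), 0.01 * mu)  # floor so a flat history still scores
            if (amt - mu) / sd > Z_LIMIT:
                flagged.append((cust, d, amt))
        hist.append(amt)
    return flagged
```

Both lists are review-queue candidates for an analyst, not automatic blocks; the thresholds would be tuned against a real payment population.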
Doubling down on end-user education and training and remedial training is something J.P. Morgan reports seeing a significant rise in among its clients. D’Amadeo said that at Con Edison, “We have constant training. There are mandatory distance learning classes, there are phishing test emails, where on a fairly regular basis, we're sent very strange emails that are trying to entice us to give information up. The company has taken this so seriously that now, if we go over a certain percentage of clicks, our bonuses are being reduced as a result of failing to pass the phishing test.”
Kerr offered some advice in regard to insurance: “Partner with your risk management team before you have an event to understand what kind of coverage you have, if you have cyber and a crime form, or if it's combined.” She also advised that practitioners know and understand what their overall limit is, and whether there are sub-limits for some of the elements. For example, “losses resulting from the system being down, that would be cyber. Loss of funds would be crime, and that includes social engineering.”
D’Amadeo added that “insurance companies require you, in advance of any cyber event, to have certain third parties pre-approved,” which may include a cyberbreach coach or third-party law firm.
“It's a good recommendation to have everyone understand what policies are in place, but also you could ask your insurance broker and risk management team if you could have a tabletop exercise. Who would need to be involved? What to do? And then you can also pre-select your vendors and be ready if that day comes,” said Kerr.
For more information on this topic, listen to the full webinar online. Don’t miss the Payments Fraud Symposium, sponsored by Kyriba, taking place at AFP 2021 on Sunday, November 7 at 1:30 p.m. ET. Payments is a central topic of AFP 2021, with educational sessions in the Payments track ranging from making the use case for faster payments, to response, recovery and growth strategies for global A/R teams in 2021, to preparing now to accelerate your business with instant payments.