Fraud Never Sleeps
3 takeaways that will help you stay vigilant and prevent a social engineering fraud from costing your business millions.
J.P. Morgan, Chubb Insurance and PaymentWorks recently came together for an enlightening panel discussion on the state of fraud today. The bad news? Fraud isn’t going away – in fact, the FBI tells us it’s a $43 billion dollar problem. The good news: There are tangible things you can do to protect yourself and your organization.
Here are my top 3 takeaways from the discussion that will help you stay vigilant and prevent a social engineering fraud from costing your business millions.
Did you know that changing bank details via email accounts for 95% of all fraud? According to Alec Grant, a Managing Director and Head of Client Fraud Prevention at J.P. Morgan, this is the easiest type of fraud to commit, and also happens to be the easiest to stop. How? It’s as simple as having controls and putting processes in place. Last year, J.P. Morgan saw more than $500 million of attacks in this space. While clients still lost money, simply having a verifiable process in place that included calling the vendor, they were able to prevent a vast majority of social engineering and vendor impersonation frauds. “If you take away nothing else from this session, go back and make sure you have a process, and more importantly, test the process,” said Mr. Grant.
Christopher Arehart, SVP and Product Manager at Chubb, also sees a lot of the aftermath of these types of attacks and frauds. His statistics were sobering: “Unfortunately, when it comes to insurance coverage for fraud, it is so small and minor. For the $43 billion in fraud that is lost over 65 months, just $1.2 billion is the annual premium for all fidelity fraud in North America.” In other words, the losses far exceed the premiums.
When Chubb developed the fraud insurance market, they had hoped it would be a fairly quick movement. People would see the money going out the door and suddenly make a change in process. But unfortunately, what they are seeing is the exact opposite. They are seeing a desire to have speed, and make payments quickly. The need for speed has resulted in an electrified process, and the fact is there is no such thing as secure email.
Mr. Arehart says that multi-factor authentication (MFA) on connections is critical to stopping this problem, but agrees with Mr. Grant that most important is building an internal process that actually makes the payment process secure. This should include creating an actual verification process, and not relying upon inbound information, no matter how legitimate it looks. When enough information gets sent to AP that looks legitimate, if there is not a process in place, nine times out of ten, they will make a change. “At the end of the day, the frauds are not stopping. We see millions of dollars paid, even in the limited insurance market that exists for this problem.”
A surprising amount of change activity goes on at a typical vendor desk. When you take into consideration that a typical mid-market company has 10,000 vendors, that indicates they also onboard more than a thousand new vendor additions each year. Additionally, most vendor desks see about 30% of their active vendors changing one or more elements of their info each year. So, there’s a tremendous amount of work, and in order for the vendor onboarding and management process to be done correctly, the people on the vendor desk are expected to make a lot of phone calls to verify banking information.
“I don’t think it’s so much about efficiency, it’s much more about effectiveness. I think in this day and age, especially after the pandemic, where you have a lot of people working from home, most organizations that are trying to defend themselves from fraud are bringing a knife to a gunfight,” said Thayer Stewart, CEO of PaymentWorks. “And in many cases, these perpetrators are foreign-sponsored actors using very sophisticated techniques, and to expect humans to go toe-to-toe with this is unrealistic.”
There are technologies available from companies, including PaymentWorks, that allow organizations to collect this information in a secure way by automating the vendor onboarding process and making readily available verification technologies like MFA and IP blacklisting available to them at a lower cost than if they invested in them on their own. “I would encourage people to look at technologies to solve this problem, and not outsource the problem.”
That said, moving to technology isn’t about headcount reduction as much as it is about just protecting your organization. It’s about maintaining the headcount that you have and opening up opportunities for people to work on more strategic issues rather than slogging through those vendor forms.
The fraudsters are adaptable, so you need to be one step ahead of them and make sure that you’re thinking outside the box on how to protect yourselves. Steve Bernstein, Executive Director, J.P. Morgan gave this anecdote: “When the first iPhone came out, the screen was going to be plastic, and only weeks before the launch, Steve Jobs said, ‘I want the screen to be glass.’ To great expense and great change, and I’m sure a few mild heart attacks from his staff, they were able to adapt. And I think what we’re seeing in the marketplace is the need to adapt to the changing times.”
What exactly does being adaptable look like in practical terms? One big example is moving away from checks to ACH, real-time payment and single-use cards. Fraud goes in cycles and one of the trends that we are seeing right now is a much higher attack rate against checks because so many people still use them.
“If you still have checks in your ecosystem, and I think the consensus is there will be checks for at least the next 10 or 20 years, as much as we would like not to have them, we’re all going to have to deal with the fact that reconciliation must be done within a 24-hour period… and that means the day after Thanksgiving as well,” said Mr. Bernstein.
The bottom-line: Where you can automate do so, because sooner or later those manual processes will be beat.