Sound risk management strategies crucial for financial sector during COVID-19 cyber threats
The natural cycle of a growing company often includes adding more staff, expanding customer base and tapping new suppliers. However, COVID-19 disrupted much of this process and the way developing organizations can operate. As businesses transitioned to remote work environments at the cusp of the pandemic, additional challenges surfaced for corporate finance professionals who suddenly were working from less controlled networks and an immediate need arose to protect organizational financial processes, including the treasury function, against potential threats. The need for effective risk management is critical for finance professionals and that is especially critical now.
Put simply, working with customers and vendors or adding or changing employees and customers and vendor relationships to your roster, particularly while working from home, creates added complexity and exposes your organization to additional risk for breaches, information leaks and fraud ― topics that are top-of-mind for most companies. In fact, cyber fraud activity has escalated since COVID-19 began. Data released by the FBI’s Internet Crime Complaint Center (IC3) at the pandemic’s rise on April 1, 2020, outlined that the IC3 received and reviewed more than 1,200 complaints related to COVID-19 scams. Further, on April 6, the IC3 issued a Public Service Announcement citing that cybercriminals are targeting organizations that use cloud-based email services to conduct Business Email Compromise (BEC) scams in order to compromise accounts and request or misdirect transfers of funds. According to the most recent annual 2019 Internet Crime Report, the IC3 received 23,775 complaints regarding BEC-related payments fraud, with over $1.7 billion in losses ― figures that will likely grow in next year’s report as a result of the confluence of factors from COVID of working from home, using unsecured WiFi networks and reliance on email communications.
COVID-19 also has spurred some companies to accelerate their timeline for adopting electronic accounts payable and receivable methods, as there are few people in offices currently who are able to receive or print and send checks. With more users of electronic payments comes additional opportunities for breaches.
Even prior to the pandemic, financial professionals were emphasizing protection against looming technology threats in 2020. In a TD Bank survey of treasury and financial professionals at the AFP 2019 Treasury & Finance Annual Conference, 40% of respondents identified that payments fraud and cybersecurity risk are the highest on their list of threats in 2020 and that these threats are unlikely to vanish. As a result, cybersecurity and fraud protection was named as a top area of treasury investment, with 22% of survey respondents planning to spend on security enhancements.
In fact, the potential for breaches, such as BEC, will only become more costly as impacts of cyberattacks and payment fraud can range from hundreds of dollars to hundreds of thousands of dollars in losses. Not only are these damaging to the company’s wallet, but also to employees' and the organization’s reputations.
Combating these risks means that companies need to step up their defenses. While there is no guaranteed solution or protection method, every participant in the business financial ecosystem ― financial institutions, third-party payment processors and companies – must do their part to help prevent and minimize cyberattacks and payments fraud. This means that although some businesses already have some amount of risk processes in place, smart organizations need to invest in and operationalize their fight against cybercriminals to safeguard remote work functions now and bolster practices for the future.
Monitor, Review and Double-Check
One of the easiest – and least costly – security measures organizations must do to protect against underlying issues is check and double-check any financial reports. It’s critical for someone in the company to review and reconcile bank accounts daily to scan for discrepancies in amounts or frequency of transactions in order to help reveal any suspicious activity almost immediately.
Regularly keeping tabs on balance sheets and bank accounts is critical but there is a first step that can help prevent suspicious transactions before they occur: verify any new or unusual requests. While it is easy to rely solely on email in the work-from-home environment, any request to change a payment account, payment frequency or payment address should be verified by phone. Cybercriminals are adept at impersonating others and assume that in today's world of fast payments and speed to complete tasks that someone may not take additional steps to verify identity or information. If an organization does not have a method in place to confirm this, a first priority should be to create protocols for verifying new or changes in payment information that holds all parties accountable.
Isolate the Finances
It’s necessary to build secure, flexible systems in your business – the bigger the organization, the bigger the risk. To keep all channels running effectively, segregate employee functions: no employee should be responsible for both recording and processing a transaction. This can be done by limiting the number of people who can authorize purchases to ensure quality control and accountability. Businesses should have between two to five individuals, depending on company size, who own these responsibilities to keep the sending, receiving and reconciling of payments separate. If the organization does not have these resources, consider hiring an accounting firm or external party who is accountable for such a task. After all, having one sole person that handles bookkeeping functions such as client receivables, payments, invoices and records make it easy for cases of fraud to go unnoticed. In addition, set a dollar limit that each person in the treasury or finance function can authorize and have two-person authorizations required for larger sums.
Having data in too many places at once, especially on a private remote network, can create potential holes for breaches and fraud. According to a recent report by Abnormal Security, digital invoice and payment fraud attacks increased more than 75% in the first three months of 2020 – a scary reality for a world transferring much of its information to technology and online systems. Consider designating one computer to be used exclusively for banking transactions and restrict all other Internet and email access. Similarly, employees should not access company financial information on any other computer unless given permission. Restricting access to financial information outside of work-approved computers secured by a virtual private network (VPN) will help block the most common entry point for cybercriminals. Further, implement proper computer shutdowns and precautions to eradicate weak spots over days off as weekends tend to be an ideal time for bad actors to do damage.
Common Sense Fraud Prevention
While we all claim to have a firm grasp on safeguarding ourselves and our organizations as we further adapt to remote functions, many overlook sensible tips. Create strong passwords, change them frequently, and prohibit the use of shared usernames and passwords. Do not use a shared or household computer to access company financial records or accounts. Make sure to immediately terminate login credentials if an employee leaves the business. Do not click on links in emails or text messages that ask for bank account information or verification. These are often phishing scams, as a financial institution would never email (or text) a customer to obtain or update this information. If encountered, it’s best practice to email your organization’s IT team or contact the financial institution directly outside of the message to confirm legitimacy.
As the economy reopens, these best practices need to transition back to the office with a company's employees. Conducting ongoing education and training for employees about fraud and how to spot suspicious emails can also help keep the organization on the same page when it comes to mitigating risk. If needed, consider forming and maintaining a risk and fraud management committee to oversee employee activity, test their ability to spot phishing emails and keep tabs on the latest cybersecurity technology. After all, cybercriminals are constantly refining their techniques and executives need to meet the challenge head-on by staying up to date on the latest technological solutions.
Even the most basic cyber or organizational controls can do a lot to thwart thieves in their tracks. Sometimes good, common sense, such as establishing an agreed-upon policy with the CFO or senior executives for employees to verbally verify account change requests, can create the greatest impact. While the steps above will help to create a more solid security framework, implementing at least one of these best practices in the next 30 days or immediate future can put your company steps ahead of fraudsters.
About the author: Rick W. Burke, Jr., is Head of Corporate Products & Services for TD Bank, America's Most Convenient Bank ®. Rick is responsible for TD's Treasury Management, Commercial Deposits, Small Business Lending and Merchant Solutions offerings as well as the delivery of credit, operating and liquidity management products and services to TD Bank's small business, government and commercial customers. Rick and his team are also responsible for driving innovation for the Commercial Bank and its customers. He is an active member of TD's U.S. and North American Executive Payments Councils and provides leadership on the topics of payment systems, open banking and digital migration.
Rick joined TD Bank in 1999, serving in roles including leading Operations, Digital Channels (Call Center, ATM and Retail Online Services) and Merchant Solutions, in addition to Treasury Management.
In addition to his role as a member of TD Bank's senior leadership team, Rick is active in TD Bank's Diversity & Inclusion efforts, having served as a member of TD's Diversity Leadership Team and as a member of TD's Minority Leadership subcommittee.