Half of the companies have fallen victim to payment fraud or economic crime within the last two years. This fact is from the latest Global Economic Crime and Fraud Survey (PwC 2018), and it should startle you, for a couple of reasons.
Firstly, it indicates that payment fraud is an ever-present threat that touches more and more companies. The rise from the previous survey is sizeable: this time 49% of companies reported having experienced fraud or economic crime, while in 2016, the share was 36%.
And secondly, considering how many fraud attempts – not to mention successful fraud – goes unnoticed, the share of organizations affected is bound to be much more than 49%.
What startles me most, is that despite the frequent news on fraud and cybercrime, companies continue to be unaware of the risks and remain unprepared for preventing payment fraud. According to the PwC survey, only 54% of global organizations have conducted a general fraud or economic crime risk assessment in the past two years. Less than half have conducted a cybercrime risk assessment, and one in ten companies admitted not having performed any risk assessments at all in the past two years.
The threat is both external and internal, but in the end, the motivation to commit the fraud is the same for internal actors and cyber criminals: it’s all about money. On top of that, cybercrime is a form of organized crime and a huge global business. If a cybercrime syndicate detects a weakness in your payment routines, it has millions of reasons to take advantage of it. For a gain of even millions of euros, they have the motivation and patience to keep lurking in your company’s networks. They can buy tailored malicious software to eventually commit the fraud, and even hide all traces of it.
This should give you millions of reason to prevent fraud before it happens.
Increasing security should be on the agenda in every organization today. PwC survey states that every organization is vulnerable to blind spots, and it is easy to agree. It does not matter if you excel in some area in your payment process if a weakness in some other part can break your defense.
Reducing the risk of payment fraud requires a holistic approach, as security is built by people, technology, and processes. But what are the most common blind spots that organizations typically have in these areas? And what actions could you take right away to increase the safety of your payment process?
People: Focus on good cyber hygiene
One small hole in security is all it takes for an attacker to commit a fraud. Often, it might be the basics of cyber hygiene that are neglected and that leave the entire organization vulnerable. Do your employees use strong passwords and avoid open Wi-Fi networks? Do they know how to spot a potential source of virus infection in their email?
Establishing strong cybersecurity policies and creating a culture where the policies are also followed build a foundation for safety. Educating your personnel, especially in Accounts Payable, is one of the easiest steps you can take to immediately reduce the risk of payment fraud in your organization. If people have sufficient knowledge of the most common fraud schemes and are familiar with the basics of good cyber hygiene, they can keep a close eye on anything suspicious they encounter on their daily work. After all, unaware employees are also the weak link that the fraudsters are targeting with the very common Business Email Compromise attacks, posing as C-level executives in emails and asking for a quick money transfer.
Technology: Focus on the big picture
The survey results revealed another blind spot: organizations are neglectful when it comes to performing fraud risk assessments. Same applies to the technology and system environment related to the payment process. Too often a vulnerability assessment or a penetration test against the systems is performed only reactively after something has already happened.
Payment process is intertwined with several business and finance processes and their relevant systems. One of the biggest stumbling blocks here is the lack of cooperation between the multiple stakeholders in the organization, which prevents from seeing the big picture. Good security policies, such as multi-factor authentication, may be followed in one system, but not in another critical part of the process. Or software update policies vary from department to department.
Bring Treasury, Finance, IT and even relevant business units together to mitigate the risk of payment fraud and build a secure payment environment end-to-end. This way you can make sure that the ball is not dropped between process phases and that the security of integrations and data transfers between systems is also looked after.
Processes: Focus on increasing transparency
Even organizations that have implemented best practices in their payment process often take unnecessary risks by leaving a back door open and making it possible to bypass the established controls. Manual payments are a typical blind spot: the standard payment process is protected with good practices such as double-approvals and clear segregation of duties, but when it comes to manual payments, it is possible for a single person to create and approve the payment and send it to the bank.
As half of economic crime is committed by internal actors, user right management is a vital element in reducing risks. A good place to start is to make sure that the users in your organization are not assigned with overly broad rights in the systems out of convenience or that dangerous combination of duties has not formed unnoticed over time. You can start today with the help of our free tool, the Access Control Matrix.
I have only scratched the surface here with these quick fixes to the most common blind spots in payment security. If you want to learn more proactive measures to reduce the risk of payment fraud, watch a recording of our webinar, where I go over actionable steps you can – and should – take to prevent payment fraud from happening in your organization.