To fight fraud, treasurers need to be more proactive than ever. Some are beginning to harness the power of big data, artificial intelligence and machine learning to fight increasingly sophisticated cyber criminals and attacks </em></p> The tools to fight cybercrime in the payments industry are getting more sophisticated—but so are the fraudsters. </p> In the run up to Sibos 2021, financial services executives report that cybercrime - from phishing and malware to man-in-the-middle (MitM) and Internet of Things (IoT) attacks - is now more commonplace than ever and only increasing across the financial services ecosystem. This is coupled with the COVID-19 pandemic, which ushered in not only a host of home offices, but increased vulnerabilities to fraud. </p> Even pre-pandemic, avoiding these malicious attacks while constantly assessing payment systems for risk often fell to treasurers. They are now looking to expand their arsenals through the potential benefits of data, AI and machine learning. </p> Cybercrime in overdrive</h4> Nearly 50% of treasury professionals cited cybersecurity as their most challenging risk to manage - up from 12% in 2010, according to the AFP Risk Survey conducted in May of this year. “Surprisingly, Business Email Compromise (BEC) continues to top the unfortunate list of most commonly experienced fraud,” said Mary Rosendahl, Managing Director, CashPro Channel, Global Transaction Services, Bank of America. “However, fraudsters are also constantly innovating and as a result, we are in a continual educational cycle with our clients, informing them of new threats and how they can protect themselves.”</p> And these events can be costly, according to a recent IBM and Ponemon Institute study, which found the average cost of a data breach in 2020 was $3.86 million. This is an upward trend where cybercrime is expected to cost the world $10.5 trillion annually by 2025.</p> “It's escalating at an increasing pace, and I think a lot of that is because the criminals are steadily becoming extremely technology savvy,” said Neil Katkov, Head of Risk at Celent. “They're using robotics; they're using AI. They have access to legions of ‘employees’ helping out to execute things like call center scams and serving as wheels to transport funds.”</p> In other words, cybercrime is industrialised, global and leveraging advanced technology. “With all of those things together, you suddenly have this huge increase in activity and success in infiltrating systems from the cybersecurity point of view and perpetrating fraud from especially the payments or a funds point of view,” he said.</p> The COVID-19 pandemic only accelerated this trend due to the shift to remote work, Katkov added, which had to be implemented very rapidly. “That provided additional opportunities for fraudsters and I think also emboldened them and made them think of new schemes and new approaches to perpetrate fraud on institutions and corporates.” Institutions were often ill-prepared for new schemes because they were focused on transforming their operations overnight into a remote model.</p> One complication of today’s highly digitised world is that the access points have multiplied”</p>Mary Rosendahl, Managing Director, CashPro Channel, Global Transaction Services, Bank of America</cite></blockquote> But before nearly every home became an office, the number of digital access points had skyrocketed in recent years. “One complication of today’s highly digitised world is that the access points have multiplied,” said Bank of America’s Rosendahl. “So we don’t just have desktops, but mobile devices, APIs and other digital gateways. Companies need to know that as soon as they expand how clients and vendors interact with them, they are also expanding their threat surface.”</p> The number of devices connected to the internet is only expected to increase from 31 billion in 2020 to 35 billion in 2021, with estimates of 75 billion by 2025, according to Security Today, a leading industry publication. In 2018, there were 7 billion internet-connected devices.</p> Another obstacle that exists today is the collection and storage of data, she added. “Businesses need to have a deliberate approach to managing data across their whole ecosystem. As a best practice, companies should have clear policies in place that determine what data they collect, where it should reside and who has access.”</p> So how can firms best be on alert and constantly assess payments for risk and warning signs? “Companies should review all of their treasury access points,” Rosendahl said. Processing transactions has expanded from online platforms and directly transmitting files to mobile and API. “If you take APIs as an example, it’s essential to look at access - how the controls are administered, who has access to an API and who is receiving the data, and whether that access review is tied into the broader treasury team’s access and entitlement review. There are also important tools that companies should leverage like alerts, maybe over a certain threshold, and secondary payment approvals, not only for executing payments, but changes in beneficiary accounts.”</p> Another area that companies should scrutinise is their vendor database, and whether they have installed friction in the appropriate place with strong controls for adding or changing a beneficiary’s account. “Of course, the friction should lie in the setup and approval of beneficiary account changes, not when executing the actual payment,” she added. The database should be regularly audited and vendors that do not have contracts should be removed. This helps protect against internal as well as external fraud. Clients that use shared services centers also need to be confident that their procedures and access management controls are operating as designed.</p> The cybersecurity perimeter has moved outside of the corporation or outside of the financial institution to the web at large”</p>Neil Katkov, Head of Risk, Celent</cite></blockquote> Celent’s Katkov said that with so many more systems in the cloud, and the prevalence of e-commerce, and online financial services - which also saw a huge spike during the pandemic - the need to secure systems is now not just an internal data center-focused activity. The task now is to secure an internet presence. “The cybersecurity perimeter has moved outside of the corporation or outside of the financial institution to the web at large, which requires a whole other basket of sophisticated tools to try to monitor and authenticate activity,” he said.</p> New tools, new partners</h4> “Every company is challenged to find the right balance of security while also delivering a great customer experience,” said Rosendahl. “Innovations in big data, AI and machine learning are helping to create friction in the appropriate places to help prevent payment fraud. Our clients want to have confidence that they can execute their payments with as few false positives as possible so as not to slow down legitimate payments.”</p> Robotic process automation (RPA) has also made great headway in this area by eliminating manual processes and through data enrichment, she added. RPA can also free up employees to work on strategic, non-repetitive tasks. </p> “Fighting fraud effectively requires partnership,” she said. “Partnership within the financial community, and with banks and their clients to ensure that all participants are using every available tool and security service to combat fraud. Education is a fundamental component as well.” Bank of America has hosted an educational series on fraud prevention for many years and Rosendahl says that in their experience, the clients who are informed are better equipped to help fight fraud.</p> Third-party vendors and technology providers can be crucial partners, according to Katkov. “Increasingly treasurers are going to have to rely on the technologists to help out,” he said. “They will need advice for artificial intelligence and machine learning models, and for external solutions that can provide help with specific fraud in cybersecurity sectors. At the same time, the security teams at corporates as well as financial institutions also need very in-depth domain expertise to design technology or monitor networks properly.”</p> People and preparedness </h4> Even with the power of these new tools at treasurers’ disposal, employee training is and will remain critical. From the need to understand the importance of password ‘health’ to being vigilant against phishing fraud attempts.</p> This type of training is especially important when clients’ employees are working remotely and relying more on email to conduct business, according to Bank of America’s Rosendahl. “The good news is that as companies have spent more time on disaster recovery, business contingency and business resiliency they are becoming more prepared for cyberattacks,” she said. “A strong cyber response plan will help a company figure out how to replicate processes like collecting funds, paying their employees and vendors. These tried and tested plans should not just sit on the shelf once created.” </p> Celent’s Katkov concurred: “The pandemic is quite a step up in the education measures because of remote work.” </p>