Teiss guest blogger Andrew Davies, VP Global Market Strategy at financial services provider Fiserv, offers some practical advice on stopping "fake CEO" fraud.
The risk of fraud within corporations has increased dramatically over the past decade. As the number of payment channels and methods increases to meet the demand of an ever switched-on society, the opportunity for fraudsters to hack into systems has similarly increased.
Today’s consumers are becoming more demanding when it comes to accessing their money, transferring money and making payments; they want to be able to view their accounts whenever and wherever they want. New technology provides vendors, clients and partners with an easy and efficient way to send and receive payments.
Alongside this growth, however, fraudsters are aware of the high potential transaction value of transferring funds electronically and are turning to subversive means, such as impersonating senior executives, to steal huge amounts of money from corporations.
A new type of fraud
With the amount of financial crime committed having increased by 53% in a year, and with fraudulent financial activity predicted to be taking place once every 15 seconds, it is no surprise that this particular type of fraud, often known as "CEO fraud", has crippled many organisations over the past few years. Individuals create bogus messages that appear to come from a senior leader within a business, for example the CEO, and ask employees to wire funds to them. The messages appear authentic, which tricks employees into transferring large amounts of cash electronically.
Fraudulent transactions such as these average around £50,000 ($67,000), although individual incidents targeting fewer people in a company can easily reach seven figure sums. It is easy to see how CEO fraud has the potential to bankrupt a major business. According to a recent FBI report, CEO fraud has cost organisations more than £2.3 billion ($3 billion) in losses over the past three years alone. Email deception, as well as scams carried out on the phone and over SMS, are now common tools in the modern bank robber’s trade.
The exponential payoff and high probability of success make CEO fraud an attractive proposition for criminals. In order to reduce the risk of CEO fraud, and to ensure that employees have confidence in their employer, organisations need to implement advanced and accurate security controls to analyse patterns and flag potential frauds before transactions are completed, because once payments have been made, it is very hard to reverse them.
This is a large problem. But there are a number of effective methods organisations can introduce to make it more difficult for fraudsters to commit CEO fraud. As technology finally catches up with criminal intelligence, it is imperative that companies are prepared to protect themselves and their employees, not only through advanced technology, but also through new policy implementation.
1. Create special, risk-based processes for approving unusual transfer requests
Putting in place a system which will flag any payment requests larger than a particular amount, for example greater than £10,000, is a simple way for organisations to monitor transfers that appear unusual. Investing in the technology that can flag these irregularities also allows organisations to capitalise on its multi-faceted capabilities.
In addition to flagging large requests, this software is able to leverage analytics that can recognise and uncover deviations in an individual’s behaviour; if an employee never usually transfers large amounts of cash, the system will flag a large transaction as unusual activity to the fraud team and it can then be investigated.
Similarly, transactions requested in unusual locations can be recognised. For example, if a request and consequent transfer has come from a different continent, a notification can be sent to the organisation to look into the transaction. These additional layers of security can be easily implemented by companies, and can be a straightforward method of lowering the risk of falling victim to CEO fraud.
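The three checks described in this section (a fixed amount threshold, deviation from the requester's own behaviour, and an unusual location) can be combined in a small rule set. The following is an added example, not code from the author or from Fiserv: the names, the three-standard-deviation rule and the sample transfers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

AMOUNT_THRESHOLD_GBP = 10_000  # the example threshold given in the article


@dataclass
class Transfer:  # hypothetical record layout
    requester: str
    amount_gbp: float
    continent: str


def review_reasons(req, history):
    """Return the reasons a transfer request should go to the fraud team."""
    reasons = []
    if req.amount_gbp > AMOUNT_THRESHOLD_GBP:
        reasons.append("amount_over_threshold")
    past = [t for t in history if t.requester == req.requester]
    if not past:
        # No baseline exists, so behaviour cannot be compared: review manually.
        reasons.append("no_history")
        return reasons
    amounts = [t.amount_gbp for t in past]
    mu, sigma = mean(amounts), pstdev(amounts)
    # Assumed rule: more than 3 standard deviations above the requester's mean.
    # The spread is floored at 10% of the mean so a short or perfectly uniform
    # history does not make every slightly larger payment look anomalous.
    if req.amount_gbp > mu + 3 * max(sigma, 0.1 * mu):
        reasons.append("amount_unusual_for_requester")
    if req.continent not in {t.continent for t in past}:
        reasons.append("new_continent")
    return reasons


# Constructed sample history: one employee who only makes small payments.
HISTORY = [Transfer("alice", a, "Europe") for a in (800, 1200, 950, 1100)]

if __name__ == "__main__":
    for req in (
        Transfer("alice", 1050, "Europe"),   # routine payment
        Transfer("alice", 4000, "Europe"),   # under £10,000 but unusual for her
        Transfer("alice", 48000, "Asia"),    # trips all three checks
        Transfer("bob", 500, "Europe"),      # requester with no baseline
    ):
        print(req, "->", review_reasons(req, HISTORY) or "no review needed")
```

The second sample request shows why the behavioural check matters: a fixed £10,000 threshold alone would let it through.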
2. Outsource the review of transfer requests
Outsourcing is another, increasingly popular, method that organisations can implement to help combat the threat of CEO fraud. Employing an external accountant or financial assistant to perform sophisticated and thorough reviews of wire transfers can help in preventing unintended fraudulent activity. Sending the requests for review outside the organisation ensures impartiality, and different technology will ensure that checks are more stringent.
3. Perform regular and comprehensive scans of email systems
The most common method that allows fraudsters to commit CEO fraud is hacking into email servers. Once the servers have been hacked, the fraudsters send authentic-looking requests for money from counterfeit C-level email addresses.
Employees more often than not respond to these emails without question. They see them as being sent from a senior manager and they may not necessarily be concentrating wholly on the request. As soon as these email addresses and emails have been created and distributed, the criminal deletes them and they become virtually untraceable.
In order to avoid this happening employees should be instructed to change their passwords and log-in information on a regular basis, and the organisation can run standard, routine checks of their email servers to ensure any fraudulent attempts or unusual behaviour are flagged.
4. Use analytics and predictive techniques for real-time detection
In this increasingly digital world, there is a constant influx of data, not only from internal processes, but also from customers and other organisations in the same industry. Companies can leverage this vast amount of data to help combat CEO fraud in real-time.
Collecting data, both internally and from industry consortiums, enables companies to better track and understand fraud patterns. It provides the ability to create an in-depth analysis of CEO fraud, what it typically looks like and when and how fraudsters target employees across a wide variety of organisations. This in turn enables corporations to better recognise unusual behaviour, and increase the likelihood of pre-empting and preventing fraudulent behaviour.
5. Education and company policy
An additional method to lessen the threat of CEO fraud is that of education. An organisation should ensure that they have sufficient training in place to ensure that employees are aware of the risks of CEO fraud, as well as knowing what to do should they think they have been targeted. Companies of any size should ensure that they have an adequate reporting infrastructure in place so that employees are well aware of protocol, and to ensure that fraudulent attempts can be monitored and dealt with correctly.
Self-service risk management is also an easy way to ensure that employees are monitoring themselves and each other. This action does require a solid reporting infrastructure; yet company-wide awareness of what to look for can be very effective alongside the implementation of technology. Introducing a policy whereby all requests for money within a company are made verbally, or through an official channel, is an additional way that a corporation can help prevent large amounts of money being stolen fraudulently.
Wire transfers are typically large, fast and difficult to repudiate, and with the introduction of more and more real-time settlement systems globally, the transfers are often final and it is difficult to reverse the transaction once it has occurred. Incorporating and implementing steps such as outsourcing, predictive models and company policy to lower the risk of CEO fraud, is crucial to a company’s success in the digital age.
Organisations that can fit these solutions seamlessly into payment processes will be able to better protect themselves and their employees against this type of fraud. The UK government has committed to spending £1.9 billion on cyber security and cyber crime over the next five years, and it is critical that companies capitalise on this investment and incorporate strategies into everyday practices to mitigate fraudulent losses.
Andrew Davies is vice president, global market strategy, Financial Crime Risk Management solutions at Fiserv. He works with Fiserv customers around the world to design effective risk management solutions to mitigate financial crime risks. He is also responsible for seeking new markets and applications for Fiserv’s financial crime detection and prevention solutions.
Davies joined Fiserv in 2007. He has worked in the software industry for more than twenty years supporting many of the world’s largest financial institutions. His experience covers real-time payments, front-office trading, risk mitigation of financial crime risk, settlement risk, and more.
Davies studied Pure Mathematics and Computer Science at the University of Wales. He is a Certified Anti-Money Laundering Specialist and has worked with customers in the Americas, Europe and Asia. He is a respected industry speaker and author having presented at SIBOS and ABA events and contributed to articles in the American Banker and Credit Union Journal, among other publications.