6 Ways Leaders Can Help Employees Spot Fraudulent Activity
- Francois Lacas, Deputy COO and CMO at Yooz
- 22.09.2022 04:45 am #fraud
In 2015, Ubiquiti Networks, a wireless network hardware manufacturer, wired $46.7 million to fake vendor accounts worldwide. The method used by the criminals was deceptively simple: a technique called “CEO fraud” or “business email compromise.”
It consists of presenting yourself as a company’s CEO and requesting payment for a “highly confidential” project. The email appears official and contains wire transfer information. But instead of pointing to a legitimate account, the wire transfer goes to the fraudster’s account.
This fraud is just one of many cyberattacks that have increased during the pandemic.
Cybercrime keeps rising, and employees are still a threat
During the pandemic, companies were forced to adjust quickly to remote work, and most didn’t have time to secure their processes. Criminals took advantage of this vast field of unsecured transactions and cyberattacks increased sixfold.
Unfortunately, cybercrime shows few signs of slowing. According to a 2022 report by Check Point Software, the first half of the year showed a 42% increase in cyberattacks. The ensuing costs of successful attacks continue to climb.
According to the Association of Certified Fraud Examiners (ACFE), companies can lose up to 5% of their revenue to fraud, and not only because of external attackers: 86% of fraudulent activities come from within the organization. This includes billing schemes, false expense reports, payment tampering, and more. Oddly enough, it is owners and executives (not rank-and-file employees) who cause the most significant losses, representing 23% of occupational fraud.
Companies are catching up
Despite these dire statistics, there is good news. The rate of digital transformation has increased during the pandemic, making it easier to detect fraudulent activities.
Over the past decade, ACFE reports that occupational fraud losses have decreased by 16%. During that same period, the duration of fraud schemes decreased by 33%. There’s still a long way to go, but technology such as digital accounting with AI-based document fraud detection, full audit trails, data entry automation, and AI-backed intrusion detection systems levels the field.
Technology helps, but companies are still vulnerable to attacks perpetrated against employees. In 2022, employees from Cloudflare, a security company, were tricked into giving up their credentials to cybercriminals. That mistake allowed the criminals to launch an attack on the company’s internal systems. This event shows that companies must continue to educate employees on fraud detection and prevention.
Here are six tips for doing so.
Tip 1: Be proactive with fraud detection
Set up unscheduled audits and monitoring of bank account statements. Any payment should go through an automated series of checks and balances. Requests that go through unusual channels should be flagged for investigation before proceeding. While that can slow down legitimate payments, it avoids situations where criminals target employees, hoping they make poor decisions.
Being proactive also means having security policies in place that employees and vendors must agree to and adhere to.
Tip 2: Rotate employee roles and mandate employee vacations
You can limit an employee’s ability to commit fraud by having them change roles regularly and requiring them to take time off. It allows someone else to take over for a time. Having a new set of eyes on the same activities can help spot irregularities.
Tip 3: Stay up to date/be aware
Use news events to keep employees abreast of ongoing cybercrime activities. Don’t focus only on high-profile incidents involving millions of dollars. Share incidents where small and medium-sized businesses have been victimized by fraud. It prevents employees in smaller companies from becoming complacent.
Tip 4: Conduct regular phishing training
Email is the most popular method to commit fraud because it’s easy to reach millions of people at once, and employees continue to fall victim to phishing attacks. Employees must pay attention to these signs:
Email provenance: Most fraudulent emails come from free email services such as Gmail and Hotmail. Scammers also use domain names that closely resemble real domain names, such as amazon.net or anazom.com instead of amazon.com.
A false sense of urgency: Scammers trick employees into clicking fraudulent links by preying on their sense of duty to authority and combining it with a sense of urgency. In his book Influence: The psychology of persuasion, Robert Cialdini shows how just saying you are a person of authority can cause people to act without thinking. As a result, scammers have found success by requesting payment with emails pretending to be from the CEO. The email asks to immediately transfer funds to a “new” account—one that belongs to the criminals.
Suspicious links: Phishing attacks often involve clicking on a link that installs a virus or points to a website where employees are asked to input their login credentials. You can avoid that behaviour with regular reminders not to click on links or to hover over them to see where they point.
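The email provenance check described above can also run automatically on inbound mail. The sketch below is an added example, not part of the original article: it flags sender domains that share a trusted name under a different TLD (amazon.net) or sit within a small edit distance of one (anazom.com). The trusted list, the free-mail list and the function names are assumptions, and only the last two domain labels are compared (no public-suffix handling).

```python
# Added example: domain lists and function names are illustrative assumptions.
FREE_MAIL = {"gmail.com", "hotmail.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> tuple[str, str]:
    """Return (name, tld) from the last two labels.
    Assumption: multi-part suffixes such as co.uk are not handled."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return domain.lower(), ""
    return labels[-2], labels[-1]

def classify_sender(address: str, trusted: set[str], max_dist: int = 2) -> str:
    """Classify the sender's domain against a list of trusted domains."""
    domain = address.rsplit("@", 1)[-1].strip()
    name, tld = registrable(domain)
    base = f"{name}.{tld}"
    if base in trusted:
        return "trusted"
    for t in sorted(trusted):
        t_name, t_tld = registrable(t)
        if name == t_name and tld != t_tld:
            return f"lookalike of {t} (different TLD)"
        dist = edit_distance(name, t_name)
        # Short names produce more false positives; tune max_dist accordingly.
        if 0 < dist <= max_dist:
            return f"lookalike of {t} (edit distance {dist})"
    if base in FREE_MAIL:
        return "free-mail"
    return "unknown"
```

A "lookalike" or "free-mail" result on a payment request is a reason to route the message for manual verification rather than proof of fraud.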
Tip 5: Open a fraud hotline
Companies with a fraud reporting hotline suffer fewer losses than companies that don’t have one. Employees should be assured that anything they report will be anonymous. This is especially true when reporting fraud by executives or owners.
Tip 6: Give employees a solid first line of defence
As you can see, training your employees to identify and not fall prey to fraud attempts is key to thwarting said attempts. Even the best-trained workers can be overwhelmed by sheer volume, however, and may overlook fraudulent transactions, especially when they are inserted among thousands of other transactions. Select technologies can significantly reduce the number of fraudulent transactions before they ever reach your employees.
Equipping finance and accounting departments with document fraud detection technologies embedded in their AP automation platform is a critical strategy in stemming this rising tide. AI-backed tools with multiple validation points will flag these activities more efficiently. For example, with an automated digital purchasing system, each invoice requires a matching purchase request, a purchase order and a valid receipt. With such two- or three-way matching built into the system, it can identify potential invoice fraud without any upfront engagement from the payment team.
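To make the matching rule concrete, here is a minimal three-way match (purchase order, goods receipt, invoice) as an added example; it is not code from the article or from any AP product. The record fields, the 2% price tolerance and the sample data are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor: str
    qty: int
    unit_price_cents: int

@dataclass(frozen=True)
class Receipt:
    po_id: str
    qty_received: int

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_id: str
    vendor: str
    qty: int
    unit_price_cents: int

def three_way_match(inv, orders, receipts, already_invoiced=0, price_tol=0.02):
    """Return the reasons to hold an invoice; an empty list means it matches.

    already_invoiced is the quantity billed earlier against the same PO,
    so a duplicate or split invoice is caught too.
    """
    po = orders.get(inv.po_id)
    if po is None:
        return ["no purchase order"]
    issues = []
    if inv.vendor != po.vendor:
        issues.append("vendor differs from purchase order")
    if abs(inv.unit_price_cents - po.unit_price_cents) > price_tol * po.unit_price_cents:
        issues.append("unit price outside tolerance")
    received = sum(r.qty_received for r in receipts if r.po_id == inv.po_id)
    if received == 0:
        issues.append("no goods receipt")
    elif already_invoiced + inv.qty > received:
        issues.append("invoiced quantity exceeds quantity received")
    return issues

# Constructed sample data: 100 units ordered, 60 received so far.
ORDERS = {"PO-1001": PurchaseOrder("PO-1001", "Acme Supplies", 100, 2500)}
RECEIPTS = [Receipt("PO-1001", 60)]
```

Any non-empty result holds the invoice for review before payment is released.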
We’ve come a long way... but still need to do more
Payment fraud has been with us for a decade, and while the number of schemes and attacks continues to rise, businesses have many more tools at their disposal. Fintech solutions that detect and block fraud attempts are becoming more sophisticated, and businesses should take advantage of them.
Ubiquiti Networks learned of the wire transfers when the FBI reported the fraudulent activity. But with the tech improvements in just seven years, Cloudflare stopped the launched attack before criminals could compromise their systems.
Clearly, technological advances help. But we can’t overlook that companies are made up of people, and many attacks target the unwary. Training employees to spot and properly react to potential fraud will certainly help prevent major issues from occurring.