Treasury fraud: Managing risks in a digital world


Treasury departments are becoming prime targets for cyber criminals. These sophisticated crimes often involve using a business' own tools against itself.

Our Head of Corporate Cash Management Vincent Iarocci and Europe CIO Robert Hooper discuss how far fraudsters will go to initiate fraudulent activity.


September 11, 2020 - 5 mins
Corporate cyber fraud—which is estimated to now cost the global economy as much as US$600 billion each year—is evolving. Traditional methods such as hacking, phishing, or the use of malware have given way to elaborate ploys where perpetrators engage in deep research, identify a vulnerability in a company and then attack a specific target at a specific time. Because of their access to a corporation’s funds, Treasury teams now find themselves in the crosshairs of criminals.
That's the reality of corporate fraud in 2020, says Vincent Iarocci, Head of Corporate Cash Management at TD Securities. "Companies need to be aware that there is a huge threat of having their employee's behaviour unknowingly manipulated," he says. "Thieves have realized that the best way to achieve a big payout is by making the target do it voluntarily." If it works, the monetary damage can be in the tens to hundreds of millions.

Prime Targets

Treasury departments are prime targets for this sort of activity. "As transactions have increasingly moved to the digital realm, fraudsters have followed," says Rob Hooper, CIO of TD Securities, Europe. "There are billions of dollars at stake every day, and the tools and tactics these criminals use are constantly evolving and becoming more sophisticated."
Those engaging in Treasury fraud will often go to incredible lengths to pull it off. TD has intervened in cases where malicious actors have created a fake law firm, sent out NDAs and held conference calls in order to create and process a fraudulent transaction. In other instances, they have tracked a CFO's location to know when they would be out of cellular range, before using a fake personal email address impersonating the executive to ask an analyst to make a transfer.
Fraud perpetrators often use a Treasury team's own tools against it. A corporate Treasury department fell victim when one of its vendors' email addresses was compromised: the thieves used the address to send a fake letter, informing the client of a change in bank accounts for future payments. The client then used an Electronic Fund Transfer (EFT) to pay over C$1.2 million to the account. By the time the fraudulent account change had been discovered, the transfer could not be reversed and the money was unrecoverable.
In every case where the fraud has been successful, it is because the right targets were chosen. "The degree of sophistication is high. Fraudsters will go to great lengths to identify their targets in a company," says Iarocci. "What is their background? What is on their LinkedIn profile? What is the organization structure and their respective role? When the time is right, they will pretend to be this person, electronically, using their credentials to initiate a fraudulent transaction."

Reducing the Risk

Given the severity of the risk for Treasury departments, what can managers do to reduce their chances of becoming victims? The first, and biggest, step they can take is to listen to their doubts. If a transaction seems off or too much pressure is being applied, Treasury operators need to stop and confirm that all is right. "Don’t be afraid to pick up the phone to confirm if the email is legitimate," says Hooper. "One of the biggest defenses TDS provides is a dedicated team structure where our clients know to call and ask questions, without being subjected to a call centre. If something seems off, on our end or theirs, we know that we can make a call to ensure everything is right."
Investing in a strong defense against fraud is also important. While it may be tempting for companies to try to save money on their Treasury departments, doing so can increase vulnerability to an attack. A Treasury department with reduced staffing is one that will be more drastically impacted when fraud does occur, potentially causing a massive disruption to business.
At TD Securities, our clients' security is a top priority. We actively combat fraud by offering daily transaction matching and cheque interception, dual authentication for payments, and through internal programs to detect suspicious wires. As well, TD Bank Group has formed the TD Fusion Centre, a new operations hub in Toronto that will provide robust detection and prevention of global cyber threats. The Fusion Centre takes a proactive approach to protecting TD and its customers, with a team that includes members from cybersecurity, fraud management and incident response, all to ensure a collaborative response to any issue.
"There will always be fraudsters, but the right defenses can keep them away from your organization. You want to be a hard target," says Iarocci. While the risks and dangers of fraud are evident, empowering colleagues to identify and respond to it can go a long way in preventing attacks.

Key Measures for Defending Against Fraud:

1. Be Vigilant

Don’t be afraid to pick up the phone to confirm if an email is legitimate. Treat any changes to account information as a red flag. Never provide login credentials to anyone. No reputable financial institution will ask for these details by phone or email.

2. Take Advantage of Security Features

Implement two-factor authentication for all wire and EFT payments. Where possible, restrict bill payments and set appropriate authorization limits for employees.

3. Implement Fraud Prevention Procedures and Perform Regular Reconciliations

Don’t wait until the end of the month to review transactions. Reconcile transactions daily and immediately report any unusual transactions to your bank. Reduce human error by having different people responsible for cheque issuing vs. reconciling bank statements.

4. Validate the Source and Be Careful Where You Click

Look closely at the email address: it may look similar but be slightly altered. For example, if the real address is abc_123@mail.ca, then the spoofed address might be abc_123@mial.ca. Never open attachments or click on links from unknown senders.

5. Use Latest Software and Browser Updates

Install antivirus protection and implement security patches in your software. Periodically engage an external consultant/provider to review your network and web applications for security vulnerabilities that an attacker could exploit.

Rob Hooper
Managing Director and Chief Information Officer, Europe, TD Securities

Vincent Iarocci
Managing Director and Head of Corporate Cash Management, TD Securities
