A manager transfers USD 17 million to foreign accounts. Suppliers' invoices are rerouted to unknown payment recipients. Cash pools are used to service the greed of fraudulent gangs of hackers. Not even corporate treasuries are now safe from computer crime. Yet despite all the worrying headlines, we find that awareness of this issue is still comparatively low in treasury departments. In payment transactions alone, a wide range of risk factors must be analysed and minimized in order to prevent "white-collar crime". It follows that e crime can no longer be confined to the realms of IT and master data management. Treasury departments need a wake-up call: It is high time to take action!
The stories crop up with ever increasing regularity: Gangs of hackers are stealing data from the servers of large, well-known companies which, up to now, were believed to be safe. And while these events may still seem far removed from the treasury department, what are known as "fake presi-dent" cases (more about them in a moment) are commonly reported in the press. Large and small companies alike are affected. By now, at the latest, treasury departments too have become the scene of e crimes. And although we have almost all heard about these or similar incidents, few treasury functions have yet taken any corresponding preventive measures. For the treasury itself, but also for the entire company, fake president cases and other kinds of e crime and fraud in the treasury environment can not only cause huge financial damage, but also lead to compliance risks relating to legal violations.
Cyber-crime: increasingly an issue for treasuries in the future
A recently published KPMG study of computer criminality in the German economy shows that around 40% of companies in Germany have been hit by e crimes in the past two years. 89% of the respondent companies currently rated the general risk as high to very high, and 70% assume that the risks will continue to increase in the next two years. Cyber-crime and e crime are synonyms that cover delinquencies such as spying on and intercepting data, copyright violations, computer sabo-tage and the manipulation of account and financial data.
The latter also affects treasury functions, which traditionally manage the company's bank and account data, as well as handling payments. Here too, fraudsters' creativity knows no bounds as they find ever new ways to line their own pockets with corporate wealth.
Lately, one of the more frequently used methods has been what is known as "fake president fraud" or "CEO fraud". It is very similar to the widely known "long-lost relative" trick - the only difference being the scale of the losses involved. Posing as middle managers or, in many cases, even as board members, fraudsters contact an employee familiar with payment processes. Contact remains impersonal and is usually channelled via e mail or fax. To deceive the unsuspecting employee, the sender's address, signature and letterhead are forged to look astonishingly authentic, with the e mails even coming from the company's own server in some cases. These communiqués instruct the employee to transfer money urgently to a foreign account.
A strategic and still-secret board decision or some strictly confidential research and development project is often cited as the reason for the hasty money transfer. On no account must the transaction be made public. The feeling of social recognition ("The board trusts me of all people to do this!") and the pressure of strict secrecy are often enough to get employees to make such payments without consulting their colleagues or immediate superiors. There are many examples of six- and seven-digit amounts being transferred in this way. One US manager was especially hard hit in 2015, transferring USD 17 million to a Chinese account in response to what looked like an e mail from his boss. Among German companies too, we are seeing a sharp increase in similar cases.
Another common scenario is the "payment diversion". Whereas CEO fraud tricks seek to generate money transfers on the basis of false premises, payment diversion leaves the original payments unaffected.
The trick with this method is to manipulate the route taken by the money. In this case, fraudsters pose as the company's suppliers or business partners. In an informal e mail or fax, they notify the employee responsible for master data management that the payment details have changed. They then request that all payment transactions be processed using the new bank details in future.
Particularly ingenious perpetrators even call the employee by phone to verify that the change request has indeed been received. This personal contact, the fact that a change of bank account details is nothing unusual and the absence of any extra and conspicuous account movements makes it difficult for companies to quickly expose the deception and identify the guilty parties.
Treasury and IT functions argue over who is responsible for guarding against potential attacks
It seems that not all treasury departments have yet woken up to the scale of the threat. Cash pools are another exceptionally lucrative target. Every account attached to a cash pool has access to the liquidity parked in the entire pool - and thus constitutes a source of vulnerability. Our project expe-rience shows that the list of possible points of attack is considerably longer than many treasurers think. Fortunately, some risks have not yet been recognised by the attackers themselves; and we certainly have no intention of using this newsletter to put a user's guide to cyber-attacks in their hands! Rather, we want to raise the awareness of treasury departments and encourage treasurers to think about what must be done to guard against such attacks.
Before looking at specific protective actions, however, the first step is to compare the various points of attack in order to identify possible sources of risk. And this is where we encounter our first major problem: Who is actually responsible for this issue within the company? In most cases, companies have not yet clearly assigned or communicated the relevant areas of responsibility. Treasury de-partments don't need long to identify who they think is in charge: the IT team.
In the eyes of many treasurers, fraudsters target the computer systems, so it stands to reason that IT should shoulder primary responsibility for protecting these systems. IT quickly puts the ball back in the treasurers' court, however, arguing that IT people lack the process knowledge they would need to adequately protect payment transactions from attacks. Both positions appear perfectly reasonable on their own merits. However, that is of no use to a company seeking to gain ground in the battle against e crime. It is therefore vital to define exactly who is responsible for what.
The only possible answer to this question is that the treasury must bear overall responsibility for safeguarding liquidity and, hence, for protecting payment transactions too. Clearly, a 360-degree perspective and adequate protection against economic crime can only be achieved if additional sup-port is provided by IT. In cases of doubt, however, this support must be actively solicited by the treasury department.
The example of fake president fraud nevertheless shows that treasuries should never rely solely on IT, and that a simplistic understanding of security can never provide effective protection. It is therefore imperative to address all the processes involved in the context of IT security. Identifying risk factors and making initial changes to the company's internal structures and processes will itself significantly reduce the threat of becoming a victim of cyber-attacks. Beyond that, treasury and IT departments should target joint action to further contain risks and ward off the threat of both financial damage and loss of reputation.
More information about e crime in treasury departments will be provided in our webinar on "Payment transactions as a risk factor - Examples from current practice and preventive actions on fraud and e crime" at 16:00 on 24 March 2016. In this webinar, Michael Sauermann, a KPMG partner from the Forensic department, will report on the routine of forensic investigations in the context of e crime and payment transactions.
Source: KPMG Corporate Treasury News, Edition 52, February 2016
Author: Thomas Mehlkopf, Manager, firstname.lastname@example.org
© 2016 KPMG AG Wirtschaftsprüfungsgesellschaft, ein Mitglied des KPMG-Netzwerks unabhängiger Mitgliedsfirmen, die KPMG International Cooperative (“KPMG International”), einer juristischen Person schweizerischen Rechts, angeschlossen sind. Alle Rechte vorbehalten.