Do you already know everything you need to know about payment transaction security? Do you have taken every sensible precaution to manage risks?
If you already know everything you need to know about payment transaction security and have taken every sensible precaution to manage risks, you can save yourself some time and stop reading this article now. If not, read on…
"Hi Jenny, I hope you're doing fine? How was your daughter's first day at school? […]." If you received an e mail like this from your superior, would you suspect that the mail actually came with fraudulent intent? The days of mass mailings with vague, generalised wording in broken English or German are long gone. Even as companies have become more sensitive to the risks presented by e-crime, so too fraudulent strategies are becoming noticeably more complex. Two years and several webinars on from our newsletter on E-crime in payment transactions – A call to action, the subject of payment fraud is still alarmingly topical. And in the meantime, fraudsters have become much more professional: Even "cyber-crime as a service" offerings have been observed. On the "Dark Web", fraudsters can, for example, use a cryptocurrency to rent a fake call centre which is then used to confirm incorrect delivery account data. Alternatively, Denial-of-Service (DoS) attacks can be bought as a service. These attacks are then used to bring down Internet connections in an attempt to obscure fraudulent payment transactions. The company under assault is distracted from the real attack and loses precious time – the time it would have needed to identify the case of fraud, notify the bank and stop payment from going through. That is exactly what happened last year to a Swiss midcap, which suffered losses totalling CHF 1.2 million as a result.
At the same time, familiar cyber-assaults such as the fake president fraud are still very much with us, as attested by a recent KMPG study of E-crime in the German Economy in 2017, in which a total of 504 companies took part. Roughly a quarter of those companies that know about this trick have already been the victims of successful scams. Another quarter report attempted fraudulent attacks that were thwarted. That said, the number of unrecorded cases is likely to be significantly higher, as the employees concerned often fail to report attempted assaults. The study also shows that, despite high-profile coverage in the media, more than half of the respondents are still not conversant with the topic of fake president frauds. That, of course, plays into the hands of criminal elements: If you don't realise the danger, you won't take steps to protect yourself. Another trick that is still very common is known as payment diversion: Fraudsters send falsified notifications about changes in account details, for example, in an attempt to divert funds to their own bank account. These days, the cyber-criminal repertoire also includes what are known as remote access tools that let them remotely control the victim's computer via the Internet. Once access has been gained, fraudulent payments can be executed unnoticed by tapping into payment transaction or treasury management systems. One way in which fraudsters gain such access is by contacting the "right" employee by phone and posing as Microsoft support staff, for example (although it would also be conceivable for them to pretend to be employees of the target company's TMS provider). On the pretext of fixing acute security loopholes in the system, they get the employee in question to install "remote maintenance software". Once this malware is installed, the fraudsters can access the system remotely and unnoticed, spy on the employee and, when they have all the information they need, make payments via the e banking system, for instance.
Drawing on personalisation to maximise the likelihood that their attacks will succeed, criminals adopt sophisticated approaches such as social engineering and spear phishing. Payment transaction staff also need to be aware that, in order to acquire information, fraudsters do not only target the company's IT infrastructure. To make attacks appear as individual as possible, criminals specifically make use of all the information they can find on the Internet. In particular, social networks such as LinkedIn, XING, Facebook and Instagram constitute worthwhile targets for hackers. One reason is that changes of position, trumpeted widely on LinkedIn and XING, publish the information that is needed to select potential victims. At the same time, Facebook and Instagram are used to harvest private details which – as we saw in our example at the start – allow e mails to be heavily personalised. Exploiting the techniques of social engineering, businesses and employees in relevant positions are not targeted at random with a scattergun method. Instead, they are spied on systematically and in meticulous detail. This approach lets fraudsters pose as "insiders" in their attempts to persuade the chosen victim to take certain actions in the context of criminal practices such as the fake president fraud and attacks via remote access tools. Unlike regular phishing attacks, spear phishing makes use of individualised e mails with personalised or company-specific content. For example, the head of cash management might receive a counterfeit e mail imitating the design of the TMS provider's newsletter and referencing what is allegedly a whitepaper to be downloaded. This kind of e mail has much greater chances of succeeding than normal phishing mails that might, say, try to get victims to disclose their PayPal password.
A lack of transparency about bank accounts and the processes involved in payment transactions makes fraudsters' job so much easier. Substantial risks often also arise because cash pool monitoring is inadequate. The Pareto principle (also known as the 80/20 rule) is simply not an option in this context: Both cash pools and payment transactions are only ever as secure as the weakest link in the chain. Our discussions with cash managers repeatedly show that inadvertent cash outflows of less than a million euros often do not immediately appear on a company's radar: The money leaves the company and nobody notices. The list of security loopholes in payment transactions is a long one. In practice, for example, it is often not clear exactly who is responsible for what within treasury departments. This creates a situation in which no one really feels responsible for existing weaknesses. We also still frequently witness file-based and, in many cases, unencrypted data exchange between systems with regard to payment information. The door is thus left wide open for hackers to spy on or manipulate data. Inadequate measures to grant user authorisations that protect sensitive data, shortcomings in bank account management, large numbers of "exceptional cases" which each have their own processes and substandard monitoring of the end-to-end process chain round off the list of the most frequently-made mistakes in the context of payment transactions.
As criminals and their dirty tricks proliferate at a frantic pace, treasury departments cannot afford to be left behind. Ideally, they should take a proactive approach rather than merely reacting. Process-related and organisational measures are important, but nor should companies neglect to optimise their own IT landscape and deploy the latest technology. Leading-edge technology such as process mining enables weaknesses and security loopholes to be identified in the workflows defined across the payment transaction system landscape. Process mining is an approach that focuses specially on process management. Based on the analysis of log files and transaction files in the company's own system landscape, the aim is to draw up a profile of the operating processes. Comparison with existing process documentation and new requirements then makes it possible to expose any of the deficits already discussed and identify potential for optimisation. A further issue is that, over the past year in particular, buzzwords such as blockchain and artificial intelligence have been causing quite a stir in the industry, especially in relation to ways to minimise risks to payment transactions. However, these new technologies can only be put to good use if the status quo – in terms of centralisation and standardisation – is first optimised. Implementing payment transaction platforms is an effective way to put the necessary conditions in place. Bundling payment processes eliminates the need for local banking solutions and creates the transparency that is so vital as the cornerstone of effective protection against fraudulent attacks. Specialised software firms such as Treasury Intelligence Solutions (TIS), Omikron, Ementexx and SAP provide this kind of payment platform to centralise all payment transactions on a single system and connect that system to the external banking community.
In today's digital age, that is far from all, however. As we have seen, this merely puts in place the conditions needed for the application of more modern technologies and for provision of the data and information that these technologies demand. It is already possible to use machine learning to identify and thwart attempts at fraud in the context of payment transactions. Analysing large volumes of data to detect unknown patterns supports the detection of payments that are "not normal", allowing them to be subjected to closer inspection. Alternatively, rule-based monitoring of all outgoing payments can be based on factors such as the payment amount, recipient/user combinations and the timing of approval. Again, though, this procedure is only as good as the algorithms it uses, and these are based on past incidents. For example, if a large payment to a supplier who normally only receives smaller amounts is detected, payment is not executed immediately. The system notifies the employee responsible about the case, and this person can then either approve payment or, if fraud is suspected, block it. True, rule-based pattern recognition does an excellent job of spotting known patterns. On its own, however, it is not very good at detecting hitherto unknown patterns, adapting to new patterns of fraud or dealing with the ever more sophisticated techniques used by criminals. Which is precisely where the new technologies come into their own – technologies that will do much to help companies keep up with constant advances in the realms of e-crime.
While it is right to welcome all this progress, treasury departments should not overlook proven measures such as cultivating awareness among staff, clearly defining end-to-end payment transaction processes, implementing appropriate approval workflows, splitting roles and conducting regular reviews of all systems and processes which are of relevance to payment transactions. Taken together, these tools lay a firm foundation for secure payment transactions – and are usefully flanked by new technologies.
Source: KPMG Corporate Treasury News, Edition 79, April 2018
Author: Tatjana Schäfer, Manager, Finance Advisory, firstname.lastname@example.org
© 2018 KPMG AG Wirtschaftsprüfungsgesellschaft, ein Mitglied des KPMG-Netzwerks unabhängiger Mitgliedsfirmen, die KPMG International Cooperative (“KPMG International”), einer juristischen Person schweizerischen Rechts, angeschlossen sind. Alle Rechte vorbehalten.