Combatting Cyberfraud: NextGen Treasury
Fraud continues to be on the rise, taking on many forms and spurred by emerging technologies. At the core of every fraud is deception. While advances in technology can help uncover the deception, much of the work of fraud detection and prevention comes down to following best practices.
My colleague, Sue Witteveen, Senior Vice President & Head, Treasury & Payment Solutions, recently moderated a conversation with Derek Vernon, Head of BMO’s North American Treasury and Payment Solutions Group, and Larry Zelvin, Head of BMO's Financial Crimes Unit, to discuss what we’re seeing in fraud today, what the future might look like, and how we can all help successfully combat cyberfraud.
Following is a summary of their discussion.
Fraudsters are changing their ways
Fraud and cyber schemes are in the news daily. Zelvin noted that while fraud has been around as long as money has existed, what’s changed is the way fraudsters commit their crimes.
“Before the internet and before digital banking, threat actors had to be physically present to conduct fraud,” Zelvin said. “The internet has changed this. Through the virtual domain, a threat actor can access more targets, cross geographic boundaries and automate the attack. A threat actor could be sitting on one side of the world and attack tens of thousands of financial and other institutions on the other side of the world.”
Even more troubling, Zelvin said there’s now more collaboration between criminal networks and nation-states in committing fraud. And during times of intense geopolitical upheaval, fraud tends to rise. “As countries and entities engage in armed conflict, costs to fund the conflict, such as ammunition and support for people in the field—including food, clothing and shelter—begin to increase. A way to support the increase is with fraud.”
Given that powerful entities are often behind cyberfraud events, the techniques they’re using are becoming more deceptive. Criminals often target your interactions with your financial institutions through caller ID spoofing—that is, pretending to be a bank or other organization that you do business with, urging you to provide sensitive information to solve a problem. Bad actors prey on creating a false sense that you need to take action. “They will look for opportunities to catch you off guard and instill a sense of fear or panic,” Zelvin said. “Your sense of urgency is your biggest problem.”
The emergence of synthetic fraud*
Advances in artificial intelligence (AI) are lowering the barrier to entry for aspiring fraudsters. “A threat actor does not have to be very sophisticated anymore,” Zelvin said. “With technology like ChatGPT, they can automate writing an email. AI has allowed them to do things faster and more effectively. It is very early days with AI. The problems we are facing today are going to be very different from what we’ll see in six months to a year from now.”
One way AI is making fraud attempts harder to spot is through what’s called “synthetic fraud.” Vernon provided a chilling example of how fraudsters trick people into wire fraud.
“Your company’s CFO just gave a speech and it’s now available online,” he said. “Did you know that fraudsters can use those voice clips to create a deep fake, which they then use to train their AI software to imitate your CFO’s voice? Then they call and request an urgent payment. You think it’s your CFO, because it sounds just like them, and proceed to send the wire.
“This is happening,” Vernon added, “and your best defense against these schemes is surprisingly simple and low tech. When in doubt, call them back on a phone, and make sure you call from a number that you trust and not the number that they just called you from. In fact, I recommend that before you send any payment that may seem suspicious, I would stop and take the time to confirm the request by calling them back on a number that you know to be legitimate.”
Best practices
“It’s important to ensure that you consistently and regularly educate your employees,” Vernon said. “Educate them on how to verify incoming emails and make sure that they’re legitimate and continue to remind them not to click on suspicious links. I recommend performing a daily review of your banking reports to monitor for any suspicious activity. And talk to your banker. We can send you daily account information, and we can teach you how to run various reports yourself. These tasks can also be fully automated.”
Vernon recommends implementing processes such as dual or multilevel approvals based on dollar thresholds for all of your outbound payments. “These are fairly simple things that you can implement quickly that will help prevent fraud, whether it’s initiated by AI or by a human bad actor.”
Systems:
- Set up alerts. Make sure they’re activated for when new users are created within your digital platform, when a payment over a certain threshold is initiated, or when a significant balance change is reported, among other events. This helps you identify when potentially suspicious activity occurs, allowing you to act quickly.
- Review your user and activity reports regularly. This helps make sure that any money movement taking place in your accounts, or any user activity, is exactly what you’d expect.
- Challenge your internal controls regularly. Make sure you have up-to-date procedures in place for changing who has approval authority, as well as removing active users across your various internal systems, including access to banking platforms. Also, perform spot checks to make sure staff are executing these controls.
- Use tools such as positive pay, debit block and account validation to help reduce your risk of fraud exposure.
- Set limits on wire and electronic payments.
- Communicate with your banker on how and when you should make adjustments to the tactics listed above.
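The alert triggers listed above (new user created, payment over a threshold, significant balance change) and the dual-approval rule Vernon describes can be written as checks over an activity report. The following Python is an added example, not BMO's tooling; the thresholds, field names and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed policy values for illustration only; agree real ones with your bank.
PAYMENT_ALERT_THRESHOLD = 25_000.00   # alert on any payment above this amount
DUAL_APPROVAL_THRESHOLD = 10_000.00   # two independent approvers at or above this
BALANCE_CHANGE_RATIO = 0.30           # alert when a balance moves by more than 30%


@dataclass(frozen=True)
class Event:
    kind: str                # "user_created", "payment" or "balance"
    actor: str               # who acted (or the account name, for "balance")
    amount: float = 0.0      # payment amount, or the new balance
    previous: float = 0.0    # prior balance, used by "balance" events
    approvers: tuple = ()    # users who approved a payment
    subject: str = ""        # the new user, for "user_created" events


def approval_gaps(event):
    """Return the reasons a payment fails dual approval (empty list means it passes)."""
    gaps = []
    if event.actor in event.approvers:
        gaps.append("initiator approved own payment")
    # Duplicates and the initiator never count toward the required approvals.
    independent = set(event.approvers) - {event.actor}
    required = 2 if event.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(independent) < required:
        gaps.append(f"{len(independent)} of {required} independent approvals")
    return gaps


def review(events, authorised_users):
    """Return (event index, alert text) pairs for everything that needs a human look."""
    alerts = []
    for i, e in enumerate(events):
        if e.kind == "user_created":
            alerts.append((i, f"new user {e.subject} created by {e.actor}"))
        elif e.kind == "payment":
            if e.actor not in authorised_users:
                alerts.append((i, f"payment initiated by unexpected user {e.actor}"))
            if e.amount > PAYMENT_ALERT_THRESHOLD:
                alerts.append((i, f"payment of {e.amount:,.2f} exceeds alert threshold"))
            alerts.extend((i, gap) for gap in approval_gaps(e))
        elif e.kind == "balance" and e.previous:
            change = abs(e.amount - e.previous) / abs(e.previous)
            if change > BALANCE_CHANGE_RATIO:
                alerts.append((i, f"balance on {e.actor} changed by {change:.0%}"))
    return alerts


# Constructed sample activity report (not real data).
AUTHORISED = {"alice", "bob", "carol"}
SAMPLE = [
    Event("payment", "alice", amount=4_200.00, approvers=("bob",)),
    Event("user_created", "bob", subject="temp_ap_clerk"),
    Event("payment", "temp_ap_clerk", amount=48_500.00, approvers=("temp_ap_clerk",)),
    Event("payment", "carol", amount=12_000.00, approvers=("bob", "bob")),
    Event("balance", "operating-001", amount=510_000.00, previous=900_000.00),
]

if __name__ == "__main__":
    for index, text in review(SAMPLE, AUTHORISED):
        print(f"event {index}: {text}")
```

The third sample event shows why the user-creation alert matters: a newly created user who initiates and self-approves a large payment trips four separate checks.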
Vernon said there are concrete steps businesses can take to minimize their risk, including:
Behaviours:
- Establish a culture of fraud awareness. “During the holidays, many people are out of the office, which makes it even more important to ensure that the employees covering for staff are fraud aware,” Vernon said. “The most common types of schemes we see are payment requests or requests to change account information. These could come through an email, through a fake invoice or through a phone call. It's important that whoever is covering has very clear instructions on how to handle these types of scenarios.”
- Inform your banker that you're going to be out of the office.
- Make sure staff are aware of the red flags to look for. Make sure they scrutinize any urgent payment requests that they might receive. Look carefully for disguised email addresses, which may include a domain name that looks very similar to the legitimate one.
- Verify, verify, verify. Be especially attuned to a vendor or a senior officer asking to make a change or requesting to send out an urgent payment. Always confirm any unusual or suspicious requests by calling the requester back on a known legitimate number. Better yet, request a quick virtual meeting and ask for the camera to be on to validate the authenticity of the requester.
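The disguised-email-address red flag above can be checked mechanically by comparing a sender's domain with the domains you actually do business with. This added Python example is not from the article or from BMO; the trusted domains, the confusable-character map and the distance limit are assumptions chosen for illustration.

```python
import unicodedata

# Assumed allow-list of domains your vendors and executives really use (constructed).
TRUSTED_DOMAINS = {"example-supplier.com", "examplebank.com"}

# Small, non-exhaustive map of characters that are easily mistaken for another.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0456": "i",  # Cyrillic a, e, o, i
})


def skeleton(domain):
    """Fold a domain to a canonical form so visually similar spellings collide."""
    text = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    text = text.translate(CONFUSABLES)
    for pair, single in (("rn", "m"), ("vv", "w")):
        text = text.replace(pair, single)
    return text


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_domain); verdict is trusted, lookalike or unknown."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if not trusted:
        return ("unknown", None)
    for good in sorted(trusted):
        if domain == good or domain.endswith("." + good):
            return ("trusted", good)          # exact match or genuine subdomain
    folded = skeleton(domain)
    best = min(sorted(trusted), key=lambda g: edit_distance(folded, skeleton(g)))
    # Distance 0 means identical once confusables are folded; small distances
    # catch typos and transpositions. Short domains may need a tighter limit.
    if edit_distance(folded, skeleton(best)) <= max_distance:
        return ("lookalike", best)
    for good in sorted(trusted):
        if folded.startswith(skeleton(good) + "."):
            return ("lookalike", good)        # trusted name used as a prefix label
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ("ap@example-supplier.com", "cfo@examp1e-supplier.com",
                   "billing@exarnplebank.com", "news@unrelated-vendor.org"):
        print(sender, check_sender(sender))
```

A "lookalike" verdict is a prompt to stop and call the requester back on a known number, not proof of fraud, and an "unknown" verdict is not a clearance.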
Fraud 911
Combating fraud is a matter of timeliness. When it comes to responding to an attack, speed is your friend. But it’s also a game of chess. Fraudsters are constantly raising the bar, which means technology has to advance. Zelvin noted that BMO is working to improve authentication in response to AI fraud schemes. “We're using AI technology to see if we can get your voiceprint and, more importantly, the voiceprint of bad actors.”
While technology is a critical component, the human element is the most important solution for—and the biggest obstacle to—combating fraud. “One of the biggest problems we're having is that many of our customers are emphatic they’re not a victim of fraud; they don’t believe somebody could be manipulating them,” Zelvin said.
That's why if a fraud does occur, the first step is to acknowledge that you’ve been a victim. Zelvin noted people feel embarrassed, especially when it comes to telling their employer. After acknowledging the fraud, report it immediately.
“First, people should report the fraud to the financial institution or the vendor where the fraudulent activity occurred,” Zelvin said. “I would also suggest reporting it to the Canadian Anti-Fraud Centre or the Federal Trade Commission in the United States. You can, if you wish, contact your local law enforcement to let them know what's going on. Because although these criminals may be on another continent, they could also be within the jurisdiction of federal, provincial, territorial or state law enforcement.”
Also, as Vernon pointed out, make sure to suspend access to critical applications, including access to online banking platforms and other internal systems. Again, time is of the essence.
Finally, Vernon suggested developing a playbook for how to respond to a fraud event quickly and efficiently. “Build some muscle memory internally around what to do when this happens. You don’t want to be fumbling around and trying to figure out what to do in the moment. Writing it down and practicing that playbook every once in a while is a good best practice.”
Ultimately, preparation and swift action are the keys to success. Because despite all the advances in technology that enable bad actors to commit fraud, being vigilant and adopting best practices are what will help businesses of all types to identify deception and combat cyberfraud.
* Synthetic identity theft is a special form of fraud in which a real person's social security number (SSN) is stolen and then a name, date of birth, mailing address, email account and phone number are made up and applied to that legitimate SSN to create a new identity.
Oscar Johnson
U.S. Head of Commercial Sales for Treasury and Payment Solutions
312-461-8361
Oscar is the U.S. Head of Commercial Sales for Treasury and Payment Solutions for BMO Commercial Bank. His group is responsible for providing cash management, …(..)