Cybersecurity offences are Australia’s leading economic crime, with an average cost to affected businesses of $276,000. Payments fraud is one of the fastest-growing cybercrime categories and was estimated in a KPMG study to have a $442 million impact across a six-month period in Australia. Despite the scale and growth of this crime sector, few businesses fully understand what payments fraud is and how to protect against it.
In today’s world where data is stored digitally and payments are submitted online, all businesses need to protect against new types of fraud.
Ian Mirels, chief executive of EFTsure, shares some advice for firms preparing their cybersecurity plans.
Outdated internal controls that rely on the trust of one or more individuals, either internal or external to a company, are often at the root of payments fraud and payments errors.
Payments fraud typically occurs at the point at which a business instructs its bank to make payments to suppliers and individuals. In Australia, a particular area of vulnerability stems from the fact that banks do not match payee names to account names. Although it may look like you are paying an intended supplier by their name, unless you check the account number and BSB every time you make a payment, a fraud or error could occur. Unfortunately, criminals take advantage of this vulnerability every day.
Here are six areas for businesses large or small to consider when preparing their cybersecurity plans.
1. No business is immune
In today’s digitised world, any business is susceptible to cyber attack and open to risk of payments errors or fraud. A common misconception is that most cases of fraud sit outside the business – yet research shows the perpetrators are usually “inside” the business and typically at management level. Twenty-two per cent of frauds in Australia are also enabled by technology.
It’s not only big businesses that are targeted. SMEs are often resource-constrained and may not have all the necessary controls in place, such as separation of duties when entering and approving invoices and authorising payments, making them attractive prey for fraudsters who exploit internal controls that rely on trust.
2. Don’t expect banks to always fix the problem
If you suffer a fraud or error from an invalid payment instruction sent to your bank, the bank is not obligated to resolve the matter. Strict privacy laws mean banks cannot tell you where the money went. From their perspective, they received a payment instruction from you and the ultimate liability lands with your organisation.
On request, your bank will try to help you recover the funds, but this can be time-consuming and relies on the cooperation of other entities in the banking system, as well as the recipient of the funds. If that recipient was the fraudster, the funds have likely been moved on before this process completes.
Here is an example of a common bank disclaimer: “Important: You must enter the correct BSB and account number of the intended payee. In processing payments, the bank does not verify that account name matches the provided account number. If you enter an incorrect BSB and/or account number, your funds may be paid to an unintended recipient and it may not be possible to recover your funds from that recipient.”
Where financial loss occurs due to fraud or error, banks may refund monies lost but they are not obligated to do so. Banks cannot access funds once in the recipient’s account and a fraudulent or accidental recipient has no obligation to return the money, meaning the payer loses, not the bank.
3. Simple data entry errors can result in big losses
Even in the hands of trusted and reliable teams, accidental data entry errors can occur as a result of having out-of-date or duplicate payee records. As more information is digitised and business records multiply, the risk of data entry error increases – and so do the consequences, such as misdirected payments.
While it’s always best practice to manually check that payments data is correct, including that the payee name matches the account name and BSB, payment details can still be manipulated at both the banking and accounting software application levels after they have been checked. This can also occur in the ABA file, the batch file format used by all major Australian financial institutions to specify inter-bank payments.
Use a cloud-based system that validates the integrity of payments data in real-time and at multiple stages through the payments process.
4. The introduction of real-time payments means businesses must be prepared
The New Payments Platform (NPP), to be introduced in October 2017, is a major industry initiative to develop new national infrastructure allowing fast, flexible, data-rich payments between financial institutions and their business and consumer customers.
The NPP will bring about considerable improvements in fast payments methods, meaning funds that are currently cleared in three days will in future be cleared in seconds.
Based on overseas experiences, this revolutionary advance will be accompanied by an increase in the risk of fraudulent activity. This makes it imperative to ensure a parallel focus on both fast and secure payments as the NPP is introduced.
5. Businesses are ultimately responsible
As businesses extend their use of digital technologies and processes, they must acknowledge and prepare for the increasingly complex risks inherent in them. The onus rests with business owners and finance officers to ensure company assets, including the incoming and outgoing flow of funds, are protected at the highest level. This includes implementing systems, procedures and processes that promote a sound internal and external control environment to minimise the risk of payments fraud, acknowledging that such fraud can be perpetrated both within and external to an organisation.
Protecting a business from financial fraud also ensures against reputational damage, which has the potential to further impact customers, suppliers and shareholders.
6. Criminals are creative
While many fraudsters are purely opportunistic about their crimes, don’t underestimate the degree of skill applied to identifying and exploiting vulnerabilities in the payments system. You can expect tactics that include everything from touched-up supplier invoices to complete business email compromise. Fraudsters often set up bank accounts and change the vendor master file (VMF) data, then change it back again to avoid detection. As the saying goes, you need to be able to think like a criminal to catch one.
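The two controls that points 3 and 6 call for can be illustrated with a small script. It is an added example, not EFTsure's product or any bank's code, and it makes assumptions the article does not: a simple in-house vendor master file (VMF) register holding the BSB and account number verified out-of-band for each payee, a payment batch in the shape it would take before export to an ABA file, and a VMF change log with numbered entries. All of that sample data is constructed here; the field names, the six-digit BSB format and the account-number length are assumptions. The first function re-checks every payment line against the verified register immediately before release, doing the name-to-account match the bank does not do; the second inspects the change log rather than the current register, because a change-then-revert leaves the register looking untouched at review time.

```python
"""Payee-detail integrity checks for an outgoing payment batch.

Added example (not EFTsure's or any bank's code). The register, batch and
change log below are constructed sample data; field names and number
formats are assumptions.
"""
from collections import defaultdict
import re

BSB_RE = re.compile(r"^\d{3}-?\d{3}$")   # Australian BSB: six digits, optional dash
ACCOUNT_RE = re.compile(r"^\d{6,10}$")   # account number length: assumed 6 to 10 digits


def normalise_bsb(bsb: str) -> str:
    """Strip the optional dash so '062-000' and '062000' compare equal."""
    return bsb.replace("-", "")


# Constructed VMF register: the bank details verified out-of-band for each payee.
VERIFIED_PAYEES = {
    "Acme Supplies Pty Ltd": {"bsb": "062-000", "account": "12345678"},
    "Bright Cleaning":       {"bsb": "033-123", "account": "98765432"},
}

# Constructed payment batch, as it would stand just before export to an ABA file.
PAYMENT_BATCH = [
    {"payee": "Acme Supplies Pty Ltd", "bsb": "062000",  "account": "12345678", "amount": 1250.00},
    {"payee": "Bright Cleaning",       "bsb": "033-123", "account": "11111111", "amount": 480.00},   # account altered
    {"payee": "Unknown Vendor",        "bsb": "123-456", "account": "55555555", "amount": 300.00},   # never verified
    {"payee": "Dodgy Line",            "bsb": "12-345",  "account": "5555",     "amount": 90.00},    # malformed
]


def validate_batch(batch, register):
    """Return (payee, reason) for every line that must not be released.

    The bank will not check that the account name matches the account
    number, so each line is compared with the independently verified
    register rather than trusted on the strength of the payee name.
    """
    findings = []
    for line in batch:
        payee = line["payee"]
        if not BSB_RE.match(line["bsb"]) or not ACCOUNT_RE.match(line["account"]):
            findings.append((payee, "malformed BSB or account number"))
            continue
        verified = register.get(payee)
        if verified is None:
            findings.append((payee, "payee not in verified register"))
            continue
        if (normalise_bsb(verified["bsb"]) != normalise_bsb(line["bsb"])
                or verified["account"] != line["account"]):
            findings.append((payee, "bank details differ from verified record"))
    return findings


# Constructed VMF change log: (sequence, payee, field, old_value, new_value).
VMF_CHANGE_LOG = [
    (1, "Acme Supplies Pty Ltd", "account", "12345678", "20002000"),
    (2, "Acme Supplies Pty Ltd", "account", "20002000", "12345678"),   # reverted after entry 1
    (3, "Bright Cleaning",       "bsb",     "033-123",  "033-124"),
]


def detect_reverted_changes(change_log):
    """Flag bank-detail changes later reverted to the original value.

    Returns (payee, field, change_seq, revert_seq) for each change that a
    later entry exactly undid. A review of the current register would not
    show these; only the log does.
    """
    by_key = defaultdict(list)
    for seq, payee, field, old, new in sorted(change_log):
        by_key[(payee, field)].append((seq, old, new))
    flagged = []
    for (payee, field), events in by_key.items():
        for i, (seq, old, new) in enumerate(events):
            for later_seq, later_old, later_new in events[i + 1:]:
                if later_old == new and later_new == old:
                    flagged.append((payee, field, seq, later_seq))
                    break
    return flagged


if __name__ == "__main__":
    for payee, reason in validate_batch(PAYMENT_BATCH, VERIFIED_PAYEES):
        print(f"HOLD  {payee}: {reason}")
    for payee, field, seq, later in detect_reverted_changes(VMF_CHANGE_LOG):
        print(f"REVIEW {payee}: {field} changed at #{seq} and reverted at #{later}")
```

Run as-is, the batch check holds three of the four lines and the log check surfaces the Acme change-and-revert. The Bright Cleaning BSB edit in the log is not reverted, so it is not flagged by the log check; it would instead be caught at release time by the batch check, which is the point of validating at more than one stage.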
Ian Mirels is the chief executive and co-founder of EFTsure.