Combatting Cyberfraud: NextGen Treasury

Fraud continues to be on the rise, taking on many forms and spurred by emerging technologies. At the core of every fraud is deception. While advances in technology can help uncover the deception, much of the work of fraud detection and prevention comes down to following best practices.

I recently moderated a conversation with, Derek Vernon, Head of BMO’s North American Treasury and Payment Solutions Group, and Larry Zelvin, Head of BMO's Financial Crimes Unit, to discuss what we’re seeing in fraud today, what the future might look like, and how we can all help successfully combat cyberfraud. 

Following is a summary of our discussion. 

Fraudsters are changing their ways

Fraud and cyber schemes are in the news daily. Zelvin noted that while fraud has been around as long as money has existed, what’s changed is the way fraudsters commit their crimes. 

“Before the internet and before digital banking, threat actors had to be physically present to conduct fraud,” Zelvin said. “The internet has changed this. Through the virtual domain, a threat actor can access more targets, cross geographic boundaries and automate the attack. A threat actor could be sitting on one side of the world and attack tens of thousands of financial and other institutions on the other side of the world.”  

Even more troubling, Zelvin said there’s now more collaboration between criminal networks and nation-states in committing fraud. And during times of intense geopolitical upheaval, fraud tends to rise. “As countries and entities engage in armed conflict, costs to fund the conflict, such as ammunition and support for people in the field—including food, clothing and shelter— begin to increase. A way to support the increase is with fraud.” 

Given that powerful entities are often behind cyberfraud events, the techniques they’re using are becoming more deceptive. Criminals often target your interactions with your financial institutions through caller ID spoofing—that is, pretending to be a bank or other organization that you do business with, urging you to provide sensitive information to solve a problem. Bad actors prey on creating a false sense that you need to take action. “They will look for opportunities to catch you off guard and instill a sense of fear or panic,” Zelvin said. “Your sense of urgency is your biggest problem.” 

The emergence of synthetic fraud*

Advances in artificial intelligence (AI) are lowering the barrier to entry for aspiring fraudsters. “A threat actor does not have to be very sophisticated anymore,” Zelvin said. “With technology like ChatGPT, they can automate writing an email. AI has allowed them to do things faster and more effectively. It is very early days with AI. The problems we are facing today are going to be very different from what we’ll see in six months to a year from now.” 

One way AI is making fraud attempts harder to spot is through what’s called “synthetic fraud.” Vernon provided a chilling example of how fraudsters trick people into wire fraud. 

“Your company’s CFO just gave a speech and it’s now available online,” he said. “Did you know that fraudsters can use those voice clips to create a deep fake, which they then use to train their AI software to imitate your CFO’s voice? Then they call and request an urgent payment. You think it’s your CFO, because it sounds just like them, and proceed to send the wire.  

“This is happening,” Vernon added, “and your best defense against these schemes is surprisingly simple and low tech. When in doubt, call them back on a phone, and make sure you call from a number that you trust and not the number that they just called you from. In fact, I recommend that before you send any payment that may seem suspicious, I would stop and take the time to confirm the request by calling them back on a number that you know to be legitimate.”

Best practices

“It’s important to ensure that you consistently and regularly educate your employees,” Vernon said. “Educate them on how to verify incoming emails and make sure that they’re legitimate and continue to remind them not to click on suspicious links. I recommend performing a daily review of your banking reports to monitor for any suspicious activity. And talk to your banker. We can send you daily account information, and we can teach you how to run various reports yourself. These tasks can also be fully automated.” 

Vernon recommends implementing processes such as dual or multilevel approvals based on dollar thresholds for all of your outbound payments. “These are fairly simple things that you can implement quickly that will help prevent fraud, whether it’s initiated by AI or by a human bad actor.”  

Systems: 

• Set up alerts. Make sure they’re activated for when new users are created within your digital platform, when a payment over a certain threshold is initiated, or when a significant balance change is reported, among other events. This helps you identify when a potential suspicious activity occurs, allowing you to act quickly.  

• Review your user and activity reports regularly. This helps make sure that any money movement taking place in your accounts, or any user activity is exactly what you’d expect. 

• Challenge your internal controls regularly. Make sure you have up-to-date procedures in place for changing who has approval authority, as well as removing active users across your various internal systems, including access to banking platforms. Also, perform spot checks to make sure staff are executing these controls.  

• Use tools such as positive pay, debit block and account validation to help reduce your risk of fraud exposure. 

• Set limits on wire and electronic payments 

• Communicate with your banker on how and when you should make adjustments to the tactics listed above  

Vernon said there are concrete steps businesses can take to minimize their risk, including: 

Behaviours:  

• Establish a culture of fraud awareness. “During the holidays, many people are out of the office, which makes it even more important to ensure that the employees covering for staff are fraud aware,” Vernon said. “The most common types of schemes we see are payment requests or requests to change account information. These could come through an email, through a fake invoice or through a phone call. It's important that whoever is covering has very clear instructions on how to handle these types of scenarios.  

• Inform your banker that you're going to be out of the office. 

• Make sure staff are aware of the red flags to look for. Make sure they scrutinize any urgent payment requests that they might receive. Look carefully for disguised email addresses, which may include a domain name that looks very similar to the legitimate one.  

• Verify, verify, verify. Be especially attuned to a vendor or a senior officer asking to make a change or requesting to send out an urgent payment. Always confirm any unusual or suspicious requests by calling the requester back on a known legitimate number. Better yet, request a quick virtual meeting and ask for the camera to be on to validate the authenticity of the requester. 

Fraud 911 

Combating fraud is a matter of timeliness. When it comes to responding to an attack, speed is your friend. But it’s also game of chess. Fraudsters are constantly raising the bar, which means technology has to advance. Zelvin noted that BMO is working to improve authentication in response to AI fraud schemes. “We're using AI technology to see if we can get your voiceprint and, more importantly, the voiceprint of bad actors.”  

While technology is a critical component, the human element is the most important solution for—and the biggest obstacle to—combating fraud. “One of the biggest problems we're having is that many of our customers are emphatic they’re not a victim of fraud; they don’t believe somebody could be manipulating them,” Zelvin said.

That's why if a fraud does occur, the first step is to acknowledge that you’ve been a victim. Zelvin noted people feel embarrassed, especially when it comes to telling their employer. After acknowledging the fraud, report it immediately.

"First, people should report the fraud to the financial institution or the vendor where the fraudulent activity occurred,” Zelvin said. “I would also suggest reporting it to the Canadian Anti-Fraud Centre or the Federal Trade Commission in the United States. You can, if you wish, contact your local law enforcement to let them know what's going on. Because although these criminals may be on another continent, they could also be within the jurisdiction of federal, provincial, territorial or state law enforcement.” 

Also, as Vernon pointed out, make sure to suspend access to critical applications, including access to online banking platforms and other internal systems. Again, time is of the essence.

Finally, Vernon suggested developing a playbook for how to respond to a fraud event quickly and efficiently. “Build some muscle memory internally around what to do when this happens. You don’t want to be fumbling around and trying to figure out what to do in the moment. Writing it down and practicing that playbook every once in a while is a good best practice.”

Ultimately, preparation and swift action are the keys to success. Because despite all the advances in technology that enable bad actors to commit fraud, being vigilant and adopting best practices are what will help businesses of all types to identify deception and combat cyberfraud.

* Synthetic identity theft is a special form of fraud in which a real person's social security number (SSN) is stolen and then a name, date of birth, mailing address, email account and phone number are made up and applied to that legitimate SSN to create a new identity.