Our recent live event, Social Engineering Fraud and Your Vendor Master – Managing the Risk, brought together industry experts – Taylor Nemeth, Head of Payments at PaymentWorks, and Christopher Arehart, SVP and Product Manager of Crime, Financial Fidelity, Kidnap/Ransom and Extortion at Chubb Insurance. (The dynamic duo also happen to be co-authors of the recent white paper “Guarding Against Social Engineering Fraud.” Please download a free copy!)
They took a deep dive into the increasingly hot topic of business payments fraud, which they agree is, at its core, an identity problem. It is also a multi-billion-dollar problem, driven by the combined effect of two facts: 300+ billion emails are exchanged every day across businesses and individuals, and 30% of existing suppliers change their information over the course of a year (PaymentWorks database statistic, 2021). This has added up to $28 billion in losses, with an average incident loss of over $150,000 (from 2016-2020), a number which doubled in 2021! (FBI Internet Crime Report 2021.)
The big question on everyone’s mind is: how can organizations avoid this problem and the financial and reputational loss that comes with it? Here, we offer you the top three takeaways from this electric and informative event.
If your process has any manual efforts, you have fraud risk.
If you are in AP or procurement, then you know that identity information is difficult to verify and that collecting it is a highly manual process. In fact, around 99% of organizations handle identity information manually – verifying it, routing it through workflows and approving it, storing it in the ERP, paying against it and so on. This creates an environment that fraudsters love, because they can easily find a way to change information in an email or through a portal and essentially redirect funds from the intended recipient to themselves. According to Chris, email is at the core of all of these losses.
Humans are important, but they can’t be the whole process.
No matter how good your controls are around your IT systems and your email environment to protect you against an email spoof, the one thing you can’t control is your vendors’ environments. That is the case with vendor email compromise, which Taylor and Chris see all the time.
In these cases, the scenario plays out like this: a fraudster gains access to a vendor’s email account and then patiently waits and watches it. They learn how the vendor interacts with the accounts payable department of a company it actually does business with, and when the time is right, they trick the customer’s employee into thinking they are the actual vendor that the customer has a relationship with (this is the identity problem in action). The accounts payable team is none the wiser, since the request has come in from a legitimate email address that they are used to communicating with.
It looks and feels just like the person they’ve talked to all the time – so it must be legitimate, right?
Having the best IT team in the country can’t save you in situations like this – there is no technological solution to spot an email coming from a taken-over account.
You can’t insure your way out of this risk.
Having been in the business of insuring against crime for decades, Chris has seen companies and organizations continue to fall for these scams, not because they aren’t trying to do the right thing, but because they’re being bombarded by too much information, and too many people have the ability to change that information outside of a standard process.
According to Chris, the total ground-up loss (loss before any retention or deductibles) they’ve seen at Chubb is in the hundreds of millions of dollars, and the vast majority of it comes from companies that are not insured – not because they didn’t want to purchase the insurance, but because they couldn’t get insured given their lack of a process. But make no mistake: even when there is a human process in place to mitigate fraud, losses still occur.
Unfortunately, coverage is difficult to obtain due to the rising losses. Standard crime insurance policies generally don’t provide much coverage for these types of loss, and while there are policies that do include coverage for social engineering fraud, they generally are limited and offer very low limits of coverage.
The best defense against social engineering fraud and the associated loss is an early defense – one that starts well before the moment of payment. If you wait until the moment of payment to try to figure things out, you’re putting the urgency on yourself or someone in your organization, which is when mistakes are made. When you start your defense at the first contact with your vendor, you have a much better chance of not losing sleep when it eventually comes time to pay them, because you’ve already done all of the work upfront. Goodbye, identity problem!