In today's digital world, especially since the COVID-19 pandemic brought new, mobile ways of working, companies face ever more profound challenges when it comes to combating fraudulent activities. The progressive use of digital information technologies as a common basis for data networking, the connection of ERP systems to the cloud and, above all, the digitalization of payment transactions allow organizations, on the one hand, to keep increasing their efficiency. On the flip side, this also creates new threats and potential vulnerabilities, along with a growing need for appropriate security measures. While shortly after the turn of the millennium attention was still focused on individual "script kiddies" aiming to steal identities or fraudulently obtain services, these crude methods of attack have since evolved into a much more organized form of cybercrime. This involves, among other things, data being stolen and IT systems being hacked or paralyzed in order to force a financial gain. Trends observed in payment fraud reveal highly concerted and coordinated approaches, in some cases for the purpose of offering the attackers' own services on the market ("cybercrime as a service"). A recent example is ransomware that is smuggled into businesses and used to extort ransom payments by interfering with operations.
The COVID-19 pandemic served as an accelerant in the number of payment fraud attempts. The AFP Payments Fraud and Control Survey of 2021 confirms this, in that 65% of respondents reported an increase in fraud attempts due to COVID-19.[1] Cyber criminals were particularly drawn to the high levels of liquidity in circulation from government stimulus and easing monetary policy by central banks. Simultaneously, many companies introduced remote working models due to the pandemic, which for finance-related departments in particular would have been unthinkable in the past due to security concerns. This raised issues that initially remained unanswered in the remote environment: How should payments be approved and how should the entire payment process be handled? What technical security controls are needed in a home office setup? What can be done to ensure smooth communication? Which rules of conduct and guidelines need to be adapted for the new type of situation? When professional cyber criminals and new working methods are combined, it becomes apparent that companies urgently need to develop resilient measures to counter any possible fraud scenarios. It is our concern to point out current fraud scenarios based on common vulnerabilities in payment processing and to show suitable ways to reduce the risk of fraud.
Common vulnerabilities in payment transactions
There are many gateways and points of attack for cyber criminals along the entire payment chain. Vulnerabilities may span from the invoice process and master data entry, through the payment file approval process, to the wire transfer to the bank and the accounting treatment of the payment.
Particularly at risk are decentralized master data management systems with isolated silo solutions at individual subsidiaries, i.e., different systems within the company without data exchange. As with the handling of the payment process, master data and its necessary processing should be organized centrally, since the monitoring and control of the payment flow should be standardized throughout the Group. This way, the clustering of payments just below an approval threshold or payments to conspicuous target accounts (e.g., offshore) would be detected much earlier and, ideally, even before any payments are made.
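The two detection patterns named above, clustering of payments just below an approval threshold and payments to conspicuous target accounts, as an added Python example run over a constructed payment run (this is not code from the original article or from KPMG; the threshold, the 5% band, the seven-day window, the cluster size and the country watch list are all assumptions for illustration):

```python
from collections import defaultdict
from datetime import date

# Constructed sample payment run (illustrative, not real data): one record per transfer.
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "bank_country": "DE", "amount": 9800.0, "date": date(2022, 6, 1)},
    {"id": "P2", "vendor": "V100", "bank_country": "DE", "amount": 9900.0, "date": date(2022, 6, 2)},
    {"id": "P3", "vendor": "V100", "bank_country": "DE", "amount": 9750.0, "date": date(2022, 6, 4)},
    {"id": "P4", "vendor": "V200", "bank_country": "KY", "amount": 12000.0, "date": date(2022, 6, 3)},
    {"id": "P5", "vendor": "V300", "bank_country": "DE", "amount": 4000.0, "date": date(2022, 6, 3)},
    {"id": "P6", "vendor": "V300", "bank_country": "DE", "amount": 9950.0, "date": date(2022, 6, 20)},
]

APPROVAL_THRESHOLD = 10_000.0      # assumed group-wide approval threshold
BELOW_BAND = 0.05                  # assumed: amounts within 5% under the threshold count as "just below"
WINDOW_DAYS = 7                    # assumed look-back window for clustering
MIN_CLUSTER = 3                    # assumed: three or more such payments to one vendor is suspicious
HIGH_RISK_COUNTRIES = {"KY", "VG", "PA"}   # illustrative watch list, not an authoritative one


def just_below_threshold(amount, threshold=APPROVAL_THRESHOLD, band=BELOW_BAND):
    """True if the amount sits in the narrow band directly under the approval threshold."""
    return threshold * (1 - band) <= amount < threshold


def find_threshold_clusters(payments, window_days=WINDOW_DAYS, min_cluster=MIN_CLUSTER):
    """Per vendor, find runs of just-below-threshold payments inside a sliding date window.
    Returns {vendor: [payment ids]} for the first window that reaches min_cluster;
    together the split payments exceed the limit a single payment would have triggered."""
    by_vendor = defaultdict(list)
    for p in payments:
        if just_below_threshold(p["amount"]):
            by_vendor[p["vendor"]].append(p)
    hits = {}
    for vendor, items in by_vendor.items():
        items.sort(key=lambda p: p["date"])
        for i, first in enumerate(items):
            window = [q for q in items[i:] if (q["date"] - first["date"]).days <= window_days]
            if len(window) >= min_cluster:
                hits[vendor] = [q["id"] for q in window]
                break
    return hits


def find_high_risk_targets(payments, watch_list=HIGH_RISK_COUNTRIES):
    """Ids of payments whose recipient bank sits in a watch-listed jurisdiction."""
    return [p["id"] for p in payments if p["bank_country"] in watch_list]


def screen_payment_run(payments):
    """Combined pre-release screening: run both checks before any payment leaves the system."""
    return {"clusters": find_threshold_clusters(payments), "high_risk": find_high_risk_targets(payments)}
```

Because the screening runs on the consolidated payment run, it only works when master data and payment files from all subsidiaries flow into one central view, which is the point of the paragraph above.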
The general rule is that under certain conditions, a high degree of automation can minimize fraud risks. Whenever routine and automated processes are interrupted, it is particularly easy for cyber criminals to attack, as activities are regularly performed manually at these points. This is why closed process chains to safeguard automated workflows, as well as the integration of controls at system interfaces and the monitoring of audit trails, are effective means of averting or detecting harmful interventions.
The use of manual payments should therefore be an absolute exception and should not be used in the standard process for operational vendor payments. Solely for payments far from ordinary business operations or in the context of fall-back scenarios should any manual intervention still be permitted. It is advisable to use predefined payment masks with hard-coded "standard settlement instructions" so that only a few manual entries are required (e.g., amount, date and reason for payment). Any exceptions should be clearly defined by means of work instructions and reviewed using the principle of a second set of eyes. In the case of particularly critical transactions whose financial impact has a high impact on earnings, a six-eye or multiple-eye principle is recommended.
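The controls described for manual payments (hard-coded standard settlement instructions with only amount, date and reason editable, a documented exception, a second set of eyes, and a six-eye principle for critical amounts), as an added Python example that is not part of the original article; the six-eye limit, the role names and the sample settlement instruction are constructed assumptions:

```python
from dataclasses import dataclass, field, FrozenInstanceError

SIX_EYE_LIMIT = 100_000.0   # assumed: above this amount a third person must approve


@dataclass(frozen=True)
class SettlementInstruction:
    """Hard-coded standard settlement instruction: recipient details cannot be edited per payment."""
    vendor: str
    iban: str
    bic: str


@dataclass
class ManualPayment:
    """Only the fields a manual payment mask exposes are editable: amount, date, reason."""
    ssi: SettlementInstruction
    amount: float
    value_date: str
    reason: str
    exception_ref: str               # reference to the work instruction permitting manual handling
    preparer: str
    approvers: list = field(default_factory=list)


def approvers_required(amount, six_eye_limit=SIX_EYE_LIMIT):
    """Four-eye principle: preparer plus one approver; six-eye above the limit: plus two."""
    return 2 if amount > six_eye_limit else 1


def release_violations(payment):
    """Return the control violations for a manual payment; an empty list means it may be released."""
    errors = []
    if not payment.exception_ref:
        errors.append("manual payment without a documented exception")
    if payment.preparer in payment.approvers:
        errors.append("preparer may not approve their own payment")
    distinct = set(payment.approvers) - {payment.preparer}
    need = approvers_required(payment.amount)
    if len(distinct) < need:
        errors.append(f"{need} distinct approver(s) required, {len(distinct)} given")
    return errors


def recipient_is_locked(ssi):
    """True if the settlement instruction rejects in-place edits of the recipient account."""
    try:
        ssi.iban = "XX00CONSTRUCTED0000000000"   # constructed value; the assignment must be refused
    except FrozenInstanceError:
        return True
    return False
```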
Beyond this, user authorizations often prove to be problematic in payment transactions. In this respect, it is key to clearly delineate responsibilities in advance and to grant users only those permissions that they need to perform their tasks. It goes without saying that permissions should be checked regularly during the year, and that they should be changed or deleted whenever a user is transferred internally or leaves the company.
No matter how sophisticated a system's technical defenses may be, there is still no better gateway for cyber criminals than people and their lack of awareness of fraud scenarios.
The latest fraud scenarios
Most attacks are "multi-vector" in nature and only reveal their true potential danger through combining several fraudulent schemes. The sophistication of cyber criminals knows no bounds, and simple e-mails in which purported CEOs want to obtain a payout are already a thing of the past these days ("fake president fraud").
However, the primary point of entry for any vulnerability remains the human factor. Using social engineering, cyber criminals gain the trust of victims so they can influence them on an emotional level, obtain internal company information, and finally persuade the employee to slip up. In doing so, cyber criminals use respectable organizations such as BaFin as a cover to lend their fraudulent intentions a credible appearance. They use everything from simple spying on social media channels to falsifying entire identities. In some cases, professional cyber criminals even fake entire business relationships (for example, as suppliers), create fake social media accounts, and gain the trust of employees through months of contact, often over the phone. While the business relationship may actually exist, the contact person does not. Then, after months of preparation, the cybercriminal might send a changed recipient bank account with a request to update the master data (payment diversion). In most cases, such a fraud scenario can be averted only by having a well-defined process in place that ensures the unambiguous assignment of a bank account to a real, existing business relationship.
In terms of the technical components of fraud scenarios, malware is the generic term for hostile or intrusive software. Internet criminals develop malware to manipulate computer functions, steal data, bypass access controls and damage host computers, customer devices and their applications or data. Among these, one attack scenario stands out particularly in terms of financial damage potential, according to the "E-Crime Study 2022" published by KPMG:[2] ransomware. This involves encrypting or blocking files or access to corporate resources and extorting victims to pay a ransom (often in cryptocurrency) to regain control of the system. Again, social engineering methods are often used as a starting point to more successfully place the ransomware with employees through email attachments. When Media-Markt-Saturn's cash register and merchandise management system was attacked with ransomware, the cyber criminals demanded EUR 50 million in bitcoin as a ransom to get the encrypted servers back up and running.[3] Other prominent examples in the past two years with losses in the millions of euros were the healthcare group Fresenius, the chemicals trader Brenntag,[4] and the US pipeline operator Colonial, whose operational failure made Brent crude oil temporarily more expensive.[5] What's more, identifying the affected systems often proves to be very difficult. And if the Active Directory servers (domain controllers) are affected, the entire internal corporate infrastructure may become inoperative, as these domain controllers serve as the basis for logging on to all other systems in the infrastructure. This may even affect payment systems needed to process transactions. The top priority with regard to such attacks must be prevention (see below). The ideal solution would be to set up redundant server systems and mirror them in another virtual environment in real time using a backup solution. That way, the time of system failure can be limited to a few hours.
What can a company do to protect itself?
Apart from an up-to-date IT security structure, the first and most important step in protecting against cybercrime is to educate and raise awareness among your own employees. After all, only those who know the tactics of fraudsters can protect themselves against cybercrime. It helps to openly talk about fraud attempts and fraud schemes, in addition to regular training measures. The goal is to help employees develop a sense of awareness and a certain healthy skepticism, allowing them to handle internal company information with confidence at all times. Attempted crimes are not always immediately apparent. Typically, fraudsters have been preparing well in advance and as a result know the company quite well. Even the smallest hint of suspicion should be openly shared. Line managers need to establish a suitable culture that empowers employees to openly and proactively address, discuss and resolve suspicious cases before any damage can be done. There is no room for hierarchical thinking or fear of admitting a possible mistake; instead, trust and a swift response will lead to success. It is also important to establish clear company-wide guidelines and processes that serve as guardrails in day-to-day business and are actively practiced. And central whistleblowing tools to which suspicious cases can be reported facilitate purposeful internal and external communication as well as the handling of the incident.
The aim of a stable and resilient cyber defense is end-to-end fraud prevention, in which all systems, interfaces, data and employees involved in the payment process are covered by clearly communicated governance.
Any system is only as strong as the weakest link in the chain, which makes it vital to regularly revisit your own processes and raise awareness among employees. Although illegal, cyber attacks are a highly lucrative business, which is why the perpetrators' methods are constantly being refined in line with the latest (technological) developments. Yesterday it was the forged signature, today it is social engineering or ransomware, and in the future ever-advancing levels of professionalism among cyber criminals will produce even more effective fraud schemes. For this reason, organizations have no choice but to subject their own security standards to regular inspections and devise new defense measures. On top of that, targeted penetration tests help identify vulnerabilities in the company's internal defenses. The question is not if but when your company will be caught in the crosshairs of cyber criminals.
Source: KPMG Corporate Treasury News, Edition 122, June 2022
Nils Bothe, Partner, Finance and Treasury Management, Corporate Treasury Advisory, KPMG AG
Tobias Riehle, Manager, Finance and Treasury Management, Corporate Treasury Advisory, KPMG AG
[1] AFP, underwritten by J.P. Morgan (2021): Payments Fraud and Control Survey Report
[2] KPMG (2022): E-Crime 2022
[3] Heise online (2021): Ransomware-Angriff auf Mediamarkt und Saturn (Ransomware attack targeting Mediamarkt and Saturn)
[4] Der Treasurer (2022): Ransomware-Angriffe nehmen massiv zu (Ransomware attacks on the rise)
[5] Handelsblatt (2021): US-Regierung unterstützt Pipeline-Betreiber nach Hackerangriff (US government to support pipeline operator after hacker attack)
Nils A. Bothe
Partner, Financial Services, Finance and Treasury Management
KPMG AG Wirtschaftsprüfungsgesellschaft