Deepfakes and Social Engineering Subvert Fraud Prevention
May 15, 2020 | By Doug Seaberg
Despite the many security protocols in place, fraudsters are not easily deterred. If they can't insert themselves into the flow of funds, they attempt to subvert the payment process, which is why there's a rise in schemes like business email compromise (BEC) and deepfakes.
These kinds of attacks, sometimes called "social engineering," are designed to take advantage of human weaknesses: the fraudster poses as an executive or a supplier and tricks someone into sending money to the fraudster's bank account.
Fending off these kinds of attacks requires training personnel on a strict process for validating suppliers' banking data during supplier onboarding, especially when receiving any data change requests.
You have to have the technology to be able to support this at scale. According to a recent survey by consulting firm Strategic Treasurer, 45% of corporations are handling over 10,000 payments globally each month. Once you get past about 5,000 payments annually, your accounts payable team isn't going to be able to keep up with validating every request manually.
Suppliers change banks all the time for legitimate reasons—about every four years, according to our internal data. Maybe they've merged, been acquired, or they had to move their services to a new bank as a condition of securing a line of credit. There are many reasons, and authenticating requests and verifying information is a significant workload.
The first safeguard against fraud is software that analyzes a variety of data sources to make sure that companies and people are who they say they are. For example, if one of our customers tells us to send a supplier's payment to a new bank account, then all of our customers who pay that supplier should be making the same request. If they aren't, that's a problem.
In a way, we use technology as the green light to proceed with account changes. Employees handle the exceptions by reaching out to the appropriate parties and verifying requests before making any changes. Once the information is confirmed, one employee updates the account, and a second employee validates it.
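The cross-customer check and the two-employee update described above can be sketched as follows. This is an added example, not the vendor's code; it reads the rule literally (every customer paying the supplier must request the same new account), and the class, function, customer, employee and account names are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Supplier:
    account: str                                   # bank account currently on file
    payers: set                                    # customers who pay this supplier
    requests: dict = field(default_factory=dict)   # payer -> account they asked for
    pending: Optional[dict] = None                 # staged change awaiting validation

def submit_change(s: Supplier, payer: str, new_account: str) -> str:
    """Return 'green_light' only if every payer has asked for the same account."""
    if payer not in s.payers:
        return "exception"                         # requester does not pay this supplier
    s.requests[payer] = new_account
    agreed = all(s.requests.get(p) == new_account for p in s.payers)
    return "green_light" if agreed else "exception"

def stage_update(s: Supplier, new_account: str, updated_by: str) -> None:
    """First employee enters the change after it has been confirmed."""
    s.pending = {"account": new_account, "updated_by": updated_by}

def validate_update(s: Supplier, validated_by: str) -> str:
    """Second employee validates; the same person cannot do both steps."""
    if s.pending is None:
        raise ValueError("no staged change to validate")
    if validated_by == s.pending["updated_by"]:
        raise PermissionError("validator must differ from the employee who made the update")
    s.account, s.pending = s.pending["account"], None
    s.requests.clear()
    return s.account

def demo() -> list:
    # Constructed sample data: placeholder customer, employee and account names.
    s = Supplier(account="ACCT-OLD", payers={"cust-a", "cust-b", "cust-c"})
    results = [submit_change(s, "cust-a", "ACCT-NEW"),   # only one payer so far
               submit_change(s, "cust-b", "ACCT-NEW"),
               submit_change(s, "cust-c", "ACCT-NEW")]   # all three now agree
    stage_update(s, "ACCT-NEW", updated_by="alice")
    results.append(validate_update(s, validated_by="bob"))
    return results

if __name__ == "__main__":
    print(demo())
```

A lone request is routed to the exception queue rather than rejected, which matches the text: staff verify it with the appropriate parties before anything is staged.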
It's easy to say, "Well, why didn't the employee at Nikkei just pick up the phone and confirm the request?" But it's really not that simple. First of all, there's the difficulty of challenging a company executive without any data to back you up. Then there's the constant stress in AP to get payments processed on time, which leaves little time for all the extra legwork of data validation. It's not something they're focused on, or well-positioned to do.
There is some good news. With new regulations coming into play, and with heightened fraud awareness, data security is getting more attention within organizations. As companies push toward digital payments, CFOs and treasurers are thinking about risk and looking for ways to make payments more secure.