Avoid Becoming a Victim of ‘Spear Phishing’

Many of these headline-grabbing incidents were committed against consumer-facing organisations. Their vast databases of credit and debit card details, as well as social security numbers make them an extremely attractive target for hackers, who can either use the information themselves, or resell personal data on the black market.

However, regardless of whether your company is consumer-facing or not, the potential for devastating fraud should not be underestimated. These high-profile hack attacks tend to generate headlines through the volume of data that is compromised, while the loss through fines and reputation can run into the billions. However, they don’t necessarily cause direct financial losses to the impacted organisation. In fact, one of the key sources of direct financial cybercrime is a much more sophisticated and targeted approach, known as ‘spear phishing’.

Each of us has probably received at least one phishing email in the past – an email purporting to be from a bank, telling the recipient to click on an embedded link in order to “confirm your security details.” The link takes the unsuspecting stooge to a malware-infected site that installs keylogging or other malicious code on the user’s computer. While most consumers are now savvy to this type of attack, spear phishing is targeted and uses social engineering to make emails appear as though they come from a trusted source, often a senior internal staff member such as a chief financial officer (CFO). The emails are sent specifically to those with access to financial systems, and request that large payments, often wire transfers, be made.

One example of this, recently uncovered by Russian security software vendor Kaspersky Lab, led to an estimated US$1bn being stolen from more than 100 banks in 30 countries, over a period of several years. The attackers targeted bank employees with malware-laced emails. Once they had system access, they could steal money through a variety of methods, which ranged from transfers via SWIFT to setting up automated teller machines (ATMs) to automatically dispense cash into the hands of a waiting accomplice.

A further similar incident took place in late 2014 at Xoom.com, which is – somewhat ironically – a web-based money transfer service. According to the company’s regulatory filing, “the incident involved employee impersonation and fraudulent requests targeting the company’s finance department, resulting in the transfer of US$30.8m in corporate cash to overseas accounts.” This incident cost the company’s CFO his job.

What can treasury professionals do to avoid being targeted? The first and most obvious step is to implement more effective IT security controls and policies, both to block the emails and to educate email users not to click on the links. However, as this will never be 100% effective, the burden is on treasury to set up processes that reduce the likelihood of funds being transferred out of the organisation through illicit electronic transactions. Some of the controls that can be put in place include:

Improved Application Security:

Unauthorised access to financial systems, via weak login and user authentication procedures, is the most common way attackers attempt to compromise financial data and initiate fraudulent activity. Treasury requires strong security to ensure that access to systems is well protected. However, many people continue to use passwords that can easily be compromised. Employing multiple levels of user authentication helps protect treasury data from external hackers and spear phishers. The best ways to prevent unauthorised access to financial systems include:

  • Strong password controls.
  • Internet protocol (IP) filtering – limiting system access to pre-defined IP addresses.
  • Two-factor authentication – using a hardware token, short message service (SMS) or a YubiKey one-time password (OTP).
  • Use of a numeric keypad, where numbers within a password must be selected by mouse instead of being typed.

Payment Approvals:

Payment approvals are already separated from payment initiation in most organisations. What can be improved is to implement multiple, standardised levels of approval and to ensure that approvals are electronic, tied to the separation of duties within the treasury system, and aligned with dollar limits. A centralised treasury system will help prevent fraud, not only by implementing these procedures for payment initiation and approval, but also by ensuring that the entire workflow is within treasury and finance’s control.

In fact, organisations that choose to initiate payments in their bank portal lack the electronic ‘paper trail’ for that payment, meaning that the history of the payment request is in a different system and quite possibly outside the payment approver’s view. This introduces unnecessary risk into the process. Consolidating payment requests and outgoing transactions in a single system is important to effectively combat payments fraud.
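The approval controls described above – separation of duties between initiator and approver, standardised approval levels aligned with dollar limits, and an electronic trail held in one system – as an added example written for this page, not code from any treasury product. The tier thresholds, the user names and the payment IDs are constructed sample values.

```go
package main
import "errors"
// Approval tiers: a payment of at least minCents needs approvers distinct approvals.
// Thresholds are constructed sample values; amounts are in cents to avoid floats.
var tiers = []struct {
	minCents  int64
	approvers int
}{
	{0, 1},
	{5000000, 2},   // 50,000.00 and above
	{100000000, 3}, // 1,000,000.00 and above
}

// Payment is a treasury-system request with its own trail of initiator and approvers.
type Payment struct {
	ID        string
	Cents     int64
	Initiator string
	Approvals []string
}

// RequiredApprovals returns how many distinct approvers a payment needs.
func RequiredApprovals(cents int64) int {
	n := 1
	for _, t := range tiers { // tiers are in ascending order of minCents
		if cents >= t.minCents {
			n = t.approvers
		}
	}
	return n
}

// Approve enforces separation of duties: no self-approval and no double approval.
func (p *Payment) Approve(user string) error {
	if user == p.Initiator {
		return errors.New("separation of duties: initiator cannot approve " + p.ID)
	}
	for _, a := range p.Approvals {
		if a == user {
			return errors.New("duplicate approval of " + p.ID + " by " + user)
		}
	}
	p.Approvals = append(p.Approvals, user)
	return nil
}

// Releasable reports whether enough distinct approvals exist to send the payment.
func (p *Payment) Releasable() bool {
	return len(p.Approvals) >= RequiredApprovals(p.Cents)
}
```

A payment of 250,000.00 initiated by one user therefore needs two other, distinct approvers before it can be released to the bank, and the Approvals slice is the record of who they were.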

Digital Signatures:

Digital signatures are a critical tool that helps banks authenticate imported payment files. A digital signature, such as SWIFT 3SKey, can be applied to payments, confirming to the bank that all payments are accurate and valid. This not only helps validate the payment, but also provides non-repudiation, since the sender cannot later deny having submitted the signed file. Digital signatures, combined with strong password controls and a centralised payment workflow within the treasury system, dramatically reduce the opportunities for payments fraud.
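How a signed payment file protects against the two fraud patterns the article describes (an altered amount and an impersonated sender), as an added example that is not part of the original article and does not use SWIFT 3SKey: it uses Ed25519 from Go’s standard library, a constructed two-line payment file in a simplified layout, and assumes the bank holds the corporate’s registered public key.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"strings"
)

// Constructed sample payment file in a simplified "id;iban;amount;currency" layout;
// real bank file formats differ. Every byte of it is covered by the signature.
const paymentFile = "PAY-001;GB29NWBK60161331926819;125000.00;GBP\n" +
	"PAY-002;DE89370400440532013000;8400.00;EUR\n"

// SignFile produces a detached signature over the exact bytes of the file
// using the corporate's private signing key, which stays in the treasury system.
func SignFile(priv ed25519.PrivateKey, file string) []byte {
	return ed25519.Sign(priv, []byte(file))
}

// BankVerify models the bank-side check: the file is accepted only if the
// signature verifies under the public key the corporate registered with the bank.
func BankVerify(registered ed25519.PublicKey, file string, sig []byte) bool {
	return ed25519.Verify(registered, []byte(file), sig)
}

type Outcome struct {
	Genuine  bool // untouched file, corporate key: must be accepted
	Tampered bool // amount altered after signing: must be rejected
	Impostor bool // signed with a key the bank never registered: must be rejected
}
// Demo runs the three scenarios and returns the bank's decisions.
func Demo() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := SignFile(priv, paymentFile)
	// A fraudster who changes an amount after signing breaks the signature.
	tampered := strings.Replace(paymentFile, "125000.00", "925000.00", 1)
	// An impersonator with their own key pair cannot produce a signature the bank trusts.
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	impostorSig := SignFile(impostorPriv, paymentFile)
	return Outcome{
		Genuine:  BankVerify(pub, paymentFile, sig),
		Tampered: BankVerify(pub, tampered, sig),
		Impostor: BankVerify(pub, paymentFile, impostorSig),
	}
}
```

Only the untouched file signed with the registered key is accepted; the altered amount and the impostor’s signature both fail verification, which is the property a spoofed CFO email cannot defeat.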

Improved workflows:

Structured workflows require all bank account activity to be tracked and approved using the treasury system’s controls and limits. These workflows can be enforced by mandating that all documentation reaches the bank through a central channel: corporates should require that account openings, closings or other changes are accepted only when they originate from an authenticated, digitally signed, encrypted message from the organisation’s treasury system.

While there are no 100% failsafe approaches for preventing fraud – either from within the organisation or perpetrated by third parties – there are certainly several steps that treasurers can take to minimise the risk of their organisation becoming a victim.

By combining system-level technical security measures with more rigorous fraud prevention processes, treasury departments can significantly lower their risk. However, the most important piece of advice is to be proactive in the approach to prevention. Do not assume that the organisation’s email security and intrusion prevention systems are failsafe, and use common sense – if something doesn’t look right, it most likely isn’t right.
