Growing Business, Growing Risk: Fraud Events Rising
By Rick Burke, Head of Corporate Products and Services, TD Bank
Growing companies go through many transitions: adding staff, expanding their customer base and engaging new suppliers. This growth translates into a need to formalize organizational financial processes, including the treasury function. Prior to evolving into a true middle market company, many organizations operate with the CEO acting as CFO, possibly supported by a bookkeeper and accountant. But as deposits grow and the dollar amounts flowing into and out of the company increase, financial professionals are needed for balance sheet management, payment processing and strategic insight.
While the business growth phase is fast-paced and exciting, innovation and expansion should not overshadow the need for effective risk management. Put simply, adding employees and customers to your roster and engaging in new vendor relationships creates added complexity and exposes an organization to additional risk for breaches, information leaks and fraud – topics that are top-of-mind for most companies. In a TD Bank survey of treasury and financial professionals at the 2018 Association for Financial Professionals Conference, 44 percent of respondents identified risk of payments fraud and cyber security threats as their greatest challenge for 2019. This concern isn't without reason: 74 percent of companies in the 2017 Association of Financial Professionals Payments and Fraud Control Survey reported they were victims of payments fraud.
These threats are unlikely to go away soon. Another recent TD Bank survey found that 84 percent of financial professionals believe these types of incidents will become a bigger threat over the next few years – a daunting prospect for a business in the midst of operationalizing a treasury management function. Along with the potential for breaches, the costs of cyberattacks and payments fraud can range from hundreds to hundreds of thousands of dollars in losses. Check fraud losses, for instance, average $1,000-$2,000, according to American Banking Association numbers, while the FBI reports wire fraud losses average over $130,000. These amounts do not include the indirect costs to a company, such as investing in risk management solutions, reimbursing affected parties and potentially losing revenue due to reputational damage.
Combating these risks means that companies need to step up their defenses. While there is no single guaranteed solution, every participant in the business financial ecosystem – financial institutions, third-party payment processors and companies – must do their part to help prevent and minimize cyberattacks and payments fraud.
While many businesses already have some risk processes in place, a smart organization will look for opportunities to invest in and operationalize its fight against cyber criminals. Among the suggested methods to reduce fraud and cyber risks:
- Take advantage of email or text alerts which can notify the company of payment orders that have been sent from your account
- Review and reconcile bank accounts daily to check for discrepancies, which will help flag suspicious or missing payments or wires almost immediately
- Verify all payment orders or account changes issued by company executives, customers or vendors via phone or in person, instead of relying on email confirmation
- Segregate employee functions:
  - No employee should be responsible for both recording and processing a transaction
  - Limit the number of people who can authorize purchases
  - Set a dollar limit that each person can authorize
- Designate a computer to be used exclusively for banking transactions and restrict all other Internet and email access. Similarly, do not access company financial information on any other computer. Doing so will help block the most common entry point for cyber criminals
- Create strong passwords, change them frequently, and prohibit the use of shared usernames and passwords. Make sure to also update login information if an employee leaves the business
- Take advantage of email or text alerts from your bank, which can notify the company of payments or transfers that have been sent from your account
- Do not click on links in emails that indicate your bank needs you to update account information online. Do not provide passwords or other authentication credentials over the phone to anyone; it is highly unlikely a financial institution would request that type of information from you
- Conduct background checks on all new hires, including contractors. Many successful cyberattacks leverage someone who is familiar with a company’s systems
- Train and educate employees about fraud and how to spot suspicious emails
- Form and maintain a risk and fraud management committee. Cyber criminals are constantly innovating their techniques and executives need to meet the challenge head-on by staying up-to-date on the latest technological and security solutions
Even the most basic cyber or organizational controls can do a lot to stop thieves in their tracks. Sometimes good common sense, such as establishing an open-door policy with the CFO for employees to verbally verify account change requests, can create the greatest impediment. While the steps above will compound to create a more solid security framework, implementing at least one of these best practices in the next 30 days can put your growing company steps ahead of fraudsters.