Cyber Security: The View from Corporate Treasury

As technology advances, so does the risk of cyber-attacks on Corporate Treasury teams. Best-in-class cyber security teams and software are essential for prevention, but other precautionary steps are needed to keep your cash secure.

Published October 4, 2023 | 3 min read

Key Points

  • Cybersecurity attacks can happen at any time and require more than just technology to prevent.
  • Corporate Treasury teams are at risk for common scams such as Fake Invoice Scams, Business Email Compromise Scams, and Spear Phishing attacks.
  • To protect businesses against these frauds, vigilance, technology and training are key.

In today’s world, cyber-attacks are a matter of when, not if. Best-in-class cyber security teams and software are essential for prevention, but technological prowess alone may not always keep you safe from cyber criminals. “It’s often social engineering techniques that allow threat actors to profile and start to surgically target organizations or individuals,” says Adam Evans, Senior Vice President and Chief Information Security Officer, Cyber Operations at Royal Bank of Canada (RBC). “The weakest link is still really the first line of defense, which is the employee or individual.”

That’s where corporate treasury teams come in. Fake Invoice Scams, Business Email Compromise Scams, and Spear Phishing attacks are often designed to trick treasury teams into sending payments directly to a cyber-criminal. Cyber criminals are crafty and innovative, and as stewards of your company’s cash, it’s up to you and your team to stay vigilant. It’s imperative to understand the latest types of cyber fraud that are most likely to impact corporate treasury teams, and the preventative actions you can take to keep your cash secure.

Types of Cyber Fraud and How to Secure Your Treasury Against Them

Fake Invoice Scams

In this scam, businesses are typically sent an email with a fake invoice, claiming to be from a company that they do business with, informing them of a bank account switch and redirecting their payments to the “new” account number. Many of these “invoices” appear at first glance to be legitimate bills and may include threatening or confusing legal jargon to create a false sense of urgency to pressure recipients to make quick payments.

How to Protect Your Business:

  • Employees responsible for processing payments should remain vigilant and watch for changes to payment instructions. If you do see a change, take appropriate action such as calling the vendor or payee directly to confirm their bank details over the phone.
  • Review all invoices closely. Never pay an invoice unless you know the bill is for items that were actually ordered and delivered.
  • Always check order details, confirm the validity of the customer, and verify the information on invoices before transferring any funds.
  • Before doing business with a new company, search the company’s name online with the term “scam” or “complaint.” Read what others are saying about the company.

Business Email Compromise (BEC)

In this scam, a cyber-criminal poses as a trusted entity in order to facilitate the transfer of funds or information. They can pose as a client, vendor, business partner, or even a senior executive in the same company. Through the use of social engineering tactics and research, often through social media, the criminal will craft credible emails and send them to someone within the company who likely has the authority to move money in hopes of tricking them into transferring money to a fraudulent account.

How to Protect Your Business:

  • Educate your team about email scams and advise them to be skeptical of urgent or suspicious requests made by email.
  • Be mindful of what you share on social networking sites. Criminals can use these sites, and your website, to gather information about you that they can repurpose to target your company.
  • Remember that email addresses and websites that look legitimate are easy for criminals to fake. Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  • Don’t reply by email to coordinate fund transfers. Have an additional communication process in place that requires face-to-face communication or a phone call to verify that the request is legitimate.
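
The advice above to examine sender addresses for slight differences can be backed by an automated check in the mail gateway or the payment-approval workflow. The following Python is an added example, not part of the original article or any RBC tooling; the trusted-domain list, the confusable-character map, the distance threshold of 2, and all function names are illustrative assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allow-list: sender domains already on file for known vendors.
TRUSTED_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Illustrative (not exhaustive) map of characters commonly swapped to fool the eye,
# including Cyrillic a, e, o that render like their Latin counterparts.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o"})

def skeleton(domain):
    """Reduce a domain to a canonical form so visually similar strings compare equal."""
    d = unicodedata.normalize("NFKC", domain.lower()).translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Extract the domain from a From/Reply-To header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def check_sender(from_header, reply_to=None):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    dom = domain_of(from_header)
    if dom not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if skeleton(dom) == skeleton(trusted) or edit_distance(dom, trusted) <= 2:
                findings.append(f"lookalike of {trusted}: {dom}")
                break
        else:
            findings.append(f"unknown sender domain: {dom}")
    # Replies routed to a different domain than the visible sender are a common BEC trait.
    if reply_to and domain_of(reply_to) != dom:
        findings.append(f"reply-to domain differs: {domain_of(reply_to)}")
    return findings
```

A finding should hold the payment request for out-of-band confirmation by phone or in person, as the bullet above recommends; it does not replace that confirmation.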

Spear Phishing

In this scam, criminals masquerade as a trusted entity or person in order to target a specific organization or employee with tailored messages, with the goal of gaining unauthorized access to sensitive information or computer systems. Spear Phishing can occur when criminals gather information about their targets, typically via social networking sites, such as email addresses, job titles, and interests, and use it to send convincing but fraudulent emails.

How to Protect Your Business:

  • Train your team to know what to look for. They should learn the importance of protecting the information they regularly handle to help reduce exposure to the business.
  • Confirm any email requests that you’re not expecting with the sender directly, even if the request looks like it’s coming from someone within the company.
  • Ensure the appropriate security measures are in place within your company, such as firewalls, antivirus, and email filtering.

Cyber Security is Risk Management

"You have to understand that cyber-risk is just another risk that your business has to manage now," says Evans. In Corporate Treasury, preparedness starts with and depends on policies and training. It’s much easier to prevent money from going out the door in the first place than it is to recover it once it’s gone. Visit Be Cyber Aware for more tips. And stay informed about any new or ongoing scams by checking RBC Current Scam Alerts.
