In a recent conversation, Michael Argast, co-founder and CEO of Kobalt.io offers a snapshot of the current fraud landscape, a review of how Canadian businesses are faring and easy-to-implement measures that can go a long way toward protecting your business from today’s biggest threats.
Today’s trends in business fraud
The most common fraud attacks in play today are largely not new. Rather, fraud tactics have evolved in step with technology and in response to business’ enhanced vigilance and prevention processes. Here are the top trends in business fraud:
- Business Email Compromise (BEC): Business Email Compromise is when a fraudster attempts to trick a financial decision-maker into transferring funds or revealing sensitive data that can in turn lead to financial losses. “BEC is no longer new, but it definitely continues to be one of the underlying trends over the last 12 months,” Argast explains. He adds that losses tend to fall within the $100,000 – $250,000 range, representing a major hit to a SME’s bottom line.
- Commercialization of AI: There have been a few high-profile incidents in the news this past year, where Artificial Intelligence (AI) was used to impersonate a senior executive, resulting in significant financial losses. Perhaps most notably was when an employee of a Hong Kong company received a request from their Chief Financial Officer to make a confidential transaction. During a follow-up video call, an AI-generated deepfake of the CFO validated the transaction, which resulted in the firm losing more than $25 million USD. While small and medium-sized business owners may think they’re not targets for sophisticated attacks, AI tools have made it easier for fraudsters to go after more businesses, including smaller ones. “Sophisticated mechanisms are cheap enough and available enough that it has become easy for cyber criminals to impersonate executives. There is definitely a rise in the use of these more sophisticated tools by intermediate-level fraud actors,” says Argast.
- Insider fraud: While insider fraud is nothing new, Argast explains that during challenging financial times, there tends to be an uptick in financial misconduct. “We don’t see any slowdown in insider fraud – things that have always been an issue continue to be an issue,” he says. “But in tough financial periods, we tend to see more of it. And, many organizations don’t always followed best practices because as they get busier, it’s easier to rely on one or two key individuals to handle their financial transactions – this creates an environment where fraud is more likely to occur.”
- MFA phishing: Here’s the good news: Argast has noted that roughly 80 percent of Canadian organizations are using Multi-Factor Authentication (MFA) – a security process that requires users to provide two or more verification factors to access an account or system. Now for the bad news: While MFA is a strong security control, it is not the silver bullet many businesses may believe it to be. “It is important for employees and users to understand that Multi-Factor Authentication can be phished. While it reduces the risk of being compromised, attackers can phish those credentials at the same time as they collect your username and password, which allows them to get in through the back door,” cautions Argast.
Cheque fraud continues to be a risk
Not all fraud is digital! While electronic and card payments make up the bulk of business transactions, many businesses still use cheques – and cheque fraud remains pervasive in Canada. Be sure to do your due diligence when accepting cheques – question any that arrive earlier or for a larger amount than expected – and keep your business cheques in a secure location.
Tip! Cheque mitigation services such as RBC Payee Match can act as a reliable line of defense. With Payee Match, organizations meeting certain criteria provide RBC with the details of the cheques they intend to use. Any cheques that do not match those details will be flagged as exceptions, which allows businesses the option to pay or return the cheque.
5 min Read: Top 3 Fraud Scams: Keeping Your Business Safe When Making or Accepting Payments
How businesses are handling today’s fraud risks
There’s no question that Canadian business owners are making fraud prevention a priority. The Canadian Federation of Independent Business (CFIB) conducted a recent survey that found that half of Canadian businesses are implementing stricter payment verification processes, 36 percent have increased their investment in cybersecurity, and more than a third have enhanced employee training.
This increased vigilance matches what Argast is seeing firsthand in his discussions with business owners. In addition to the widespread adoption of MFA, Argast has found that businesses are more diligent in creating backups of their data, which is reducing the instances of ransomware.
Argast has also seen a change in behaviour across businesses, where more and more often employees are conducting outbound verification after receiving a message to change a payment process or account. “Three years ago, people did not have the habit of picking up the phone when they received an email. We do see that behaviour now being enacted by most businesses.”
Despite this progress, common gaps in fraud prevention practices continue to make businesses vulnerable. Below are suggestions on how to bolster your business’ defenses.
Six low-cost ways to protect your business against fraud
1. Build pre-established verification processes
One fundamental way to protect your business is to set up reverse-direction verification processes and policies – this is when an employee receives a request on one channel (i.e., through email) and they verify it through another (i.e., a Slack message or phone call). Argast believes businesses should take it one step farther and have pre-established outbound verification channels. “Don’t make the employee figure out the best way to verify a message – instead, have a pre-defined communication channel so it’s easy.”
2. Be consistent with verification practices – and document them
Argast explains that a lack of consistency in verification practices is the downfall of many businesses. “Even if you have a policy in place to do reverse direction verification, it’s important to go beyond that policy and document what’s been done – that is critical to driving consistency. Because when there is inconsistency, fraudsters can usually find a way to take advantage of human behaviours.
3. Push back on out-of-the-ordinary requests
The advancement of AI has made it harder to validate virtual requests, as fraudsters have been able to successfully achieve video and voice impersonation. Argast therefore emphasizes the need to assess whether the request seems reasonable. “You want your employees to have the confidence to push back and use their reason to question something that feels out of the ordinary.”
4. Focus on training your financial staff
While fraud training and education should apply to all staff, it’s crucial to ensure those team members who handle financial transactions and decisions are up to date on the latest fraud trends and tactics – and are well-versed in anti-fraud policies. Consider enrolling critical staff in awareness and prevention training programs with industry professionals like Kobalt.
5. Don’t forget about your suppliers and outsourced financial support
If you outsource sensitive tasks (such as accounting or data management) to a third party, be sure that they have sufficient training and adequate policies in place to defend against fraud attacks. “If you’re dealing with a bookkeeper who has the authority to make payments on your behalf, you should ask them about their verification practices. If they don’t have a good answer for that, then you might want to select a different bookkeeper,” says Argast.
6. Consider a monitoring service
Round-the-clock monitoring of your IT ecosystem can help prevent cyberattacks. “The sooner you spot a cybersecurity threat, the faster you can respond and recover,” says Argast.
If you’re one of the many business owners who has boosted their fraud prevention strategies and tactics, you’re on the right track to defending your company from fraudsters. By staying up to date on the latest fraud trends and tactics, you can be in a better position to keep your business safe.
This article was originally published on RBC’s My Money Matters blog.
