Treasury Cybersecurity in the Digital Age: Key Steps to Protect Your Business
Cyberthreats are no joke, and corporate treasury is a top target. PwC’s 2020 CEO survey ranks cyberattacks fourth among CEO concerns across all industries, up one position from fifth place in the previous year’s rankings. The COVID-19 outbreak has only increased the danger: as business operations shift to accommodate more remote work, attackers are finding new weaknesses to exploit, not least the fact that a remote employee can no longer walk over to a colleague’s desk to confirm an unusual payment request.
While payments fraud is the most obvious form of attack, it is not the only threat. In addition to holding corporate funds, treasury holds data (bank account details, supplier master data, payment patterns and system credentials) and is therefore a potential window into the larger corporate infrastructure. As a treasury professional, it is incumbent upon you to know the common types of threat and how to protect and defend your company’s funds.
Common Cyberthreats Treasurers Should Know About
Arming yourself starts with knowing what to look for. Here are the most common forms of cyberthreats:
Social engineering fools people into sharing information, credentials or money with someone they believe is a known, trusted individual. These attacks may arrive through any person-to-person channel: email, text messages, instant messages, social media messages and phone calls. Often they deliver, or set the stage for, another attack. Common forms of social engineering attack include:
- Phishing — an attack designed to steal user data such as login credentials or account information. It may arrive via email, instant message, text message, social media or phone, and can appear to come from a friend, colleague, supplier or other legitimate source.
- Business email compromise (BEC) — a targeted form of phishing in which an email appears to come from a trusted source such as a regular supplier or a company executive, and attempts to convince an employee with access to company funds to transfer money into a bank account controlled by the attacker. A typical example is an overdue invoice with a request for urgent payment to the “updated” account number listed on the invoice.
- Phone call scams — often reliant on scare tactics, these calls try to finagle personal information or money out of the victim. For example, a call purporting to be from Microsoft, saying there is a problem with your computer and asking you to give the “help desk representative” remote access; or a call claiming that your grandchild is in jail and that you must provide your bank account details to wire money for bail.
Ransomware attacks block users from accessing company systems and hold data hostage until a ransom is paid. The attack is carried out by malware that encrypts the victim’s files so that only the attacker holds the key. The malware is typically delivered by phishing, as a link or attachment in an email, text message or IM that infects the victim’s computer or phone when opened, or through exposed or weakly protected remote-access services.
Corporate account takeover involves an attacker stealing employees’ online banking credentials, typically through phishing or credential-stealing malware, and using them to log in to the company’s bank portal as if they were the employee. Once in, they can initiate fraudulent transactions such as ACH or wire transfers into mule accounts opened specifically for the purpose, which are typically emptied and closed immediately afterwards, before the fraudulent activity is discovered.
Key Steps to Protect Your Business
Knowledge is power. Anyone with access to treasury systems and data needs to know the key signs of a cyberattack and be prepared to take action (or, as is most often the right response, NOT to take action). Do not open emails that look suspicious. Do not click on attachments or links you were not expecting. Do not make any transaction without at least one other set of eyes to confirm what you are doing.
A few months ago, we wrote a blog post addressing payments fraud and the importance of sanctions screening, which covered top-level ways to detect fraudulent activity and protect your organization. Some of these need to be organization-wide and originate with IT. But there are steps that you can take specifically within treasury to help keep your business funds safe.
- Enforce strong, unique credentials — logins for treasury and banking systems should use long passphrases (length protects better than forced mixing of character classes), must never be reused on any other site, and should be combined with multi-factor authentication wherever the bank or platform offers it. Current guidance (NIST SP 800-63B) is to change a password when compromise is suspected rather than on a fixed schedule, since forced rotation tends to produce weaker, predictable variants. Never share your password with anyone, for any reason.
- Pay attention — read your emails carefully. Check the actual sender address, not just the display name: a spoofed message often shows a familiar name over an unfamiliar or lookalike domain (rn in place of m, the digit 1 in place of the letter l), or a “Reply-To” address that differs from the “From” address so that your answer goes to the attacker. Excessive poor grammar and spelling errors, and pressure to act urgently, are further warning signs. If something looks awry, confirm with the sender through another channel, using contact details you already have rather than any supplied in the message.
- Validate payment requests — confirm any new or updated payment instructions before taking action. Do not rely on the requester or on the information they provide; look for independent confirmation. If a requester supplies a phone number for you to call, do not use it: look up the bank’s or supplier’s number from a source you already trust, such as your vendor master file or the institution’s official website, and confirm with a known contact.
- Follow the four-eyes principle — require a second approver on every transaction where any information is new or different, such as a new beneficiary or a changed account number, and make sure the approver is not the person who created the payment.
- Segregate accounts — keep incoming and outgoing funds in separate accounts with separate controls, so that a compromised outgoing account does not expose collected receivables. This also helps with your overall cash visibility.
- Implement filters — ensure your bank, payment provider or bank connectivity provider validates messages and transactions (format, duplicate and limit checks) and performs sanctions screening before release.
- Avoid checks — it is comparatively easy for fraudsters to alter or counterfeit a check. Use electronic payment methods and channels whenever possible.
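The header checks in the “Pay attention” step above can be scripted rather than left to a busy reader’s eye. The following is an added example, not code from this post or from Fides: it parses constructed message headers, flags a Reply-To domain that differs from the From domain, and compares each domain against an assumed list of known supplier domains to catch lookalikes (digit-for-letter swaps such as 1 for l, and rn for m). The vendor list, the sample headers and the similarity threshold are assumptions for illustration.

```python
"""Flag sender-header indicators of a spoofed or lookalike e-mail (added example)."""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed list of supplier domains treasury already pays (assumption, not real data).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "globex.example"}

# Digit-for-letter swaps commonly used when registering a lookalike domain.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def domain_of(header_value: Optional[str]) -> str:
    """Return the lowercased domain of an address header, or '' if absent or unparsable."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known vendor domain that `domain` imitates, or None.

    An exact match with a known vendor is legitimate, not a lookalike.
    The fold (1->l, rn->m, ...) and the 0.85 similarity threshold are heuristics:
    they catch the common substitutions but will not catch every registration.
    """
    if not domain or domain in KNOWN_VENDOR_DOMAINS:
        return None
    folded = domain.translate(_HOMOGLYPHS).replace("rn", "m")
    for known in KNOWN_VENDOR_DOMAINS:
        if folded == known or SequenceMatcher(None, folded, known).ratio() >= 0.85:
            return known
    return None


def check_headers(raw_message: str) -> List[str]:
    """Return human-readable findings for one raw message; an empty list means no red flag."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))

    # Replies would go to a different domain than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'"
        )
    # Either address imitates a supplier we already know.
    for label, dom in (("From", from_domain), ("Reply-To", reply_domain)):
        target = lookalike_of(dom)
        if target:
            findings.append(f"{label} domain '{dom}' looks like known vendor '{target}'")
    return findings


# Constructed sample headers (not real messages).
SPOOFED = (
    'From: "Acme Supplies Billing" <billing@acme-supplies.com>\n'
    "Reply-To: billing@acme-supp1ies.com\n"
    "Subject: URGENT: overdue invoice, updated bank details\n"
)
LOOKALIKE = (
    'From: "Acme Supplies" <accounts@acrne-supplies.com>\n'
    "Subject: Invoice 4471\n"
)
CLEAN = (
    'From: "Acme Supplies Billing" <billing@acme-supplies.com>\n'
    "Reply-To: billing@acme-supplies.com\n"
    "Subject: Invoice 4471\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("clean", CLEAN)):
        print(name, check_headers(raw) or "no red flags")
```

A finding is a prompt to verify through another channel, not proof of fraud: legitimate senders sometimes use a different Reply-To, and a clean result does not prove the message is genuine, since a compromised mailbox at a real supplier passes every header check.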
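The “Validate payment requests” and “four-eyes” steps are most reliable when the payment workflow enforces them instead of relying on memory. The following is an added example, not Fides’s own code: it compares each outgoing payment against a constructed vendor master, checks the IBAN’s ISO 13616 mod-97 checksum, and refuses to release a payment whose beneficiary details are new or changed unless a second, different person has approved it. The vendor master, the payment records and the user names are assumptions for illustration.

```python
"""Four-eyes release gate for outgoing payments (added example, not Fides code)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed vendor master: beneficiary details treasury verified earlier by callback.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "V-100": {"beneficiary_name": "Acme Supplies GmbH", "iban": "DE89 3704 0044 0532 0130 00"},
}


@dataclass(frozen=True)
class Payment:
    vendor_id: str
    beneficiary_name: str
    iban: str
    amount: float
    created_by: str                    # user who keyed the payment
    approved_by: Optional[str] = None  # second pair of eyes, if any


def normalize_iban(iban: str) -> str:
    """Strip spaces and upper-case so formatting differences cannot mask a change."""
    return "".join(iban.split()).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four chars to the end, map A-Z to 10-35, mod 97 == 1."""
    s = normalize_iban(iban)
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def release_decision(p: Payment) -> Tuple[bool, List[str]]:
    """Return (may_release, findings) for one payment.

    A payment whose details match the vendor master is routine. Anything new or
    different (unknown vendor, changed IBAN or name) is released only after a
    second, distinct approver has signed off; a malformed IBAN is rejected outright.
    """
    if not iban_checksum_ok(p.iban):
        return False, ["IBAN fails the mod-97 checksum: reject, do not approve"]

    findings: List[str] = []
    master = VENDOR_MASTER.get(p.vendor_id)
    if master is None:
        findings.append("vendor not in master data: new beneficiary")
    else:
        if normalize_iban(p.iban) != normalize_iban(master["iban"]):
            findings.append("IBAN differs from vendor master: confirm by callback to a known number")
        if p.beneficiary_name.casefold() != master["beneficiary_name"].casefold():
            findings.append("beneficiary name differs from vendor master")

    if not findings:
        return True, []  # nothing new or different: routine release
    if p.approved_by is None:
        return False, findings + ["second approver required before release"]
    if p.approved_by == p.created_by:
        return False, findings + ["approver must be a different person from the creator"]
    return True, findings


if __name__ == "__main__":
    routine = Payment("V-100", "Acme Supplies GmbH", "DE89370400440532013000", 12500.0, "alice")
    # The classic BEC pattern: same vendor, "updated" account number on the invoice.
    changed = Payment("V-100", "Acme Supplies GmbH", "GB82 WEST 1234 5698 7654 32", 12500.0, "alice")
    for label, pay in (
        ("routine", routine),
        ("changed, unapproved", changed),
        ("changed, self-approved", replace(changed, approved_by="alice")),
        ("changed, approved by bob", replace(changed, approved_by="bob")),
    ):
        print(label, release_decision(pay))
```

The findings list is what the second approver should be shown: an approval screen that only displays the amount and vendor name, without stating that the IBAN has changed, defeats the purpose of the second pair of eyes. The mod-97 check catches typos and malformed numbers but says nothing about who owns the account; only the independent callback does that.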
Businesses choose to use Fides not only because of our market-leading multibanking solutions, but because they trust us. Fides has been protecting client data for more than a century. When you work with Fides, you can rest assured that we have the latest security protocols in place to keep your transactions safe and secure.
For more information on protecting your organization from payments fraud, read our blog post “Keep Treasury Safe, Secure, and In Compliance: How to Minimize Payments Fraud Risk.”