While financial services (FinServ) innovations often emerge with built-in security measures, new market trends — including faster payments and open banking — are introducing new security threats to corporate treasury departments, according to cybersecurity company BioCatch.
The treasury department is an increasingly attractive target to cyber fraudsters. Account takeover attacks, social engineering tactics and payments fraud all threaten businesses as attackers go after the high-value transactions typical of corporate finance, BioCatch explained in a blog post last week.
Among the most prevalent is Business Email Compromise (BEC), a type of social engineering attack that received significant attention last year. The Federal Bureau of Investigation (FBI) has now pegged total losses to BEC scams at $12 billion across 150 countries, marking a 136 percent rise in BEC cases between December 2016 and May 2018.
The tactic is relatively simple. Fraudsters can infiltrate company databases and email accounts to identify which executives would typically initiate a transaction, then pose as one of those executives to receive company funds without arousing suspicion. However, according to BioCatch, the ongoing progress of corporate financial technology (FinTech) has created new opportunities for fraudsters to steal from their business targets, even as emerging innovations put financial security at the center of their solutions.
Faster payments, for instance, can make it more difficult to detect that fraud has occurred, BioCatch said, particularly in instances of cross-border corporate payments.
"Wire transfer fraud is of particular concern for corporate treasury," the company wrote. "With instant payments, fraudsters can not only move funds from legitimate users to themselves quickly, [but] they can divert them just as fast. By the time the fraudulent activity is noticed, the stolen funds are nearly untraceable and may be impossible to recover."
Despite the warning, many experts have said that faster payments do not necessarily mean faster fraud, or more of it, particularly as financial institutions (FIs) adopting faster and real-time payment capabilities enhance their anti-fraud efforts at the same time.
Furthermore, corporate adoption of faster payment tools has so far been limited. In the case of Same Day ACH in the U.S., NACHA found that, in the first 11 days after the service went live in 2017, only 6 percent of the 2 million transactions made were B2B transactions. More recently, however, BNY Mellon found that 29 percent of executives expect real-time payments to have a significant impact on their firms in the coming three years, and treasurers will have to address changing fraud risks as a result.
BioCatch also pointed to open banking as another FinServ trend imposing changes on corporate fraud risks.
The emergence of open banking in the U.K. now means that banks are opening data to third-party payment providers (TPPs) via application programming interfaces (APIs), presenting a new door through which cybercriminals can break in. While open banking and data sharing between banks and FinTech firms are largely viewed as consumer-facing trends, some analysts have said corporates are headed for similar disruption.
A recent survey from treasury management solutions provider Centtrip found that three-quarters of U.K. businesses expect to benefit from open banking by the end of the decade, despite awareness and uptake of open banking-based solutions still being limited among medium-sized and large corporates.
"Open banking has a huge potential to shift the way financial data is shared and managed," said Centtrip CEO and Co-founder Brian Jamieson in a statement earlier this week. "A year on from its launch, we are just starting to understand its benefits and the way it may reshape the financial sector."
With businesses beginning to consider how to use open banking to their advantage, analysts are closely watching how data sharing and FinTech APIs could create new avenues for cybercriminals.
In an interview with PYMNTS in November, Shape Security VP of Product Management and Co-founder Sumit Agarwal explained how APIs offer another way for cybercriminals to attack, by posing as a third party requesting seemingly legitimate access to bank data.
"If I can't attack the banks' front doors, maybe I can pose as a small developer and find an alternative side door that still gets me through to the bank, one way or another," he explained.
BioCatch pointed to this risk in its blog post, too.
"Cybercriminals will take advantage of TPP security weakness to launch attacks against banks, putting corporate treasury at risk," the company stated. "For example, a fraudster that takes over a user's account on a TPP can then use that account to initiate fraudulent transactions with the connected bank."
For corporate treasurers, this indicates the need to place greater emphasis not only on the security of bank partners, but also on that of the third-party payment firms that now receive data from the banks.