Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

HOW CAN YOUR ORGANISATION AVOID GETTING SPEAR PHISHED?

By Tim Wheatcroft, director, Kyriba

The importance of fraud prevention continues to grow within the corporate treasury department, as does the range and sophistication of the types of attack perpetrated.

We’ve probably all received phishing emails in the past – an email purportedly from a bank telling you to click on an embedded link in order to “confirm your security details.” The link takes the unsuspecting stooge to a malware-infected site that allows keylogging or other malicious code on your computer.

While most consumers are now savvy to this type of attack, an approach that can be far more devastating for corporate treasuries is spear phishing, which is targeted, and uses social engineering to make emails look to come from a trusted source (often a senior internal staff member), and therefore increase the click rate*.

One recent example of this, recently uncovered by Russian security software vendor Kaspersky Lab, led to an estimated £700mn ($1bn) being stolen from more than 100 banks in 30 countries, over the past several years**. The attackers targeted bank employees with malware-laced emails, and once they had system access, could steal money through a variety of methods, ranging from transfers via SWIFT, to setting up ATMs to automatically dispense cash into the hands of a waiting accomplice. All pretty terrifying for any corporate treasurer.

So, what can you do to avoid being targeted? The first and most obvious solution is for more effective IT security solutions and policies to be implemented, both to block the emails and also educate email users not to click on the links. However, as this solution will never be 100% effective, the burden is on treasury to set up processes to reduce the likelihood of funds being transferred out of the organisation through illicit electronic transactions. Some of the controls that you can put in place include.

Improved Application Security

Unauthorised access to financial systems via weak login and user authentication procedures is the most common attempt to compromise financial data and initiate fraudulent activity. Treasury requires strong security to ensure access to systems is well protected. However, many people continue to use passwords that can easily be compromised. Employing multiple levels of user authentication helps protecting treasury data from external hackers and spear phishers. The best ways to prevent financial systems from unauthorised access include:

  • Strong password controls
  • IP filtering – limit system access to pre-defined IP addresses
  • Two-factor authentication – using hardware token, SMS, or Yubikey
  • Use of a numeric keypad, where numbers within a password must be selected by mouse instead of typed

Payment Approvals

Payment approvals are already often separated from payment initiation in most organisations. However, what can be improved is to implement multiple, standardised, levels of approval and ensure approvals are electronic, tied to the separation of duties within the treasury system, and align with dollar limits. A centralised treasury system will help prevent fraud not only by implementing these procedures for payments initiation and approval, but also to ensure that the entire workflow is within treasury and finance’s control.

In fact, organisations that choose to initiate payments in their bank portal lack the electronic ‘paper trail’ for that payment, meaning that the history of the payment request is in a different system and quite possibly outside the payment approver’s viewpoint. This introduces unnecessary risk into the process as a result. Consolidating payment requests and outgoing transactions in a single system is important to effectively combat payments fraud.

Digital Signatures

Digital signatures are a critical tool to help banks authenticate imported payment files. Digital signatures, such as SWIFT 3SKey, can be applied to payments, confirming to the bank that all payments are accurate and valid. This not only helps validate the payment but also decreases propensity of non-repudiation by the bank. Digital signatures, combined with strong password controls and a centralised payment workflow within the treasury system, dramatically eliminate opportunities for payments fraud.

Improved workflows

Structured workflows that require all bank account activity to be tracked and approved using the treasury systems’ controls and limits. These workflows can be enforced by mandating centralised documentation to the bank. The requirement for corporates is that no account opening, closings, or changes can happen that do not originate from an authenticated, digitally-signed, encrypted message from the organisation’s treasury system.

* http://searchsecurity.techtarget.com/definition/spear-phishing

** http://ww2.cfo.com/cyber-security-technology/2015/02/spearfishing-attacks-infiltrate-banks-networks/