HOW CAN YOUR ORGANISATION AVOID GETTING SPEAR PHISHED?

By Tim Wheatcroft, director, Kyriba

The importance of fraud prevention continues to grow within the corporate treasury department, as does the range and sophistication of the types of attack perpetrated.

We’ve probably all received phishing emails in the past – an email purportedly from a bank telling you to click on an embedded link in order to “confirm your security details.” The link takes the unsuspecting stooge to a malware-infected site that allows keylogging or other malicious code on your computer.

While most consumers are now savvy to this type of attack, an approach that can be far more devastating for corporate treasuries is spear phishing, which is targeted, and uses social engineering to make emails look to come from a trusted source (often a senior internal staff member), and therefore increase the click rate*.

One recent example of this, recently uncovered by Russian security software vendor Kaspersky Lab, led to an estimated £700mn ($1bn) being stolen from more than 100 banks in 30 countries, over the past several years**. The attackers targeted bank employees with malware-laced emails, and once they had system access, could steal money through a variety of methods, ranging from transfers via SWIFT, to setting up ATMs to automatically dispense cash into the hands of a waiting accomplice. All pretty terrifying for any corporate treasurer.

So, what can you do to avoid being targeted? The first and most obvious solution is for more effective IT security solutions and policies to be implemented, both to block the emails and also educate email users not to click on the links. However, as this solution will never be 100% effective, the burden is on treasury to set up processes to reduce the likelihood of funds being transferred out of the organisation through illicit electronic transactions. Some of the controls that you can put in place include.

Improved Application Security

Unauthorised access to financial systems via weak login and user authentication procedures is the most common attempt to compromise financial data and initiate fraudulent activity. Treasury requires strong security to ensure access to systems is well protected. However, many people continue to use passwords that can easily be compromised. Employing multiple levels of user authentication helps protecting treasury data from external hackers and spear phishers. The best ways to prevent financial systems from unauthorised access include:

  • Strong password controls
  • IP filtering – limit system access to pre-defined IP addresses
  • Two-factor authentication – using hardware token, SMS, or Yubikey
  • Use of a numeric keypad, where numbers within a password must be selected by mouse instead of typed

Payment Approvals

Payment approvals are already often separated from payment initiation in most organisations. However, what can be improved is to implement multiple, standardised, levels of approval and ensure approvals are electronic, tied to the separation of duties within the treasury system, and align with dollar limits. A centralised treasury system will help prevent fraud not only by implementing these procedures for payments initiation and approval, but also to ensure that the entire workflow is within treasury and finance’s control.

In fact, organisations that choose to initiate payments in their bank portal lack the electronic ‘paper trail’ for that payment, meaning that the history of the payment request is in a different system and quite possibly outside the payment approver’s viewpoint. This introduces unnecessary risk into the process as a result. Consolidating payment requests and outgoing transactions in a single system is important to effectively combat payments fraud.

Digital Signatures

Digital signatures are a critical tool to help banks authenticate imported payment files. Digital signatures, such as SWIFT 3SKey, can be applied to payments, confirming to the bank that all payments are accurate and valid. This not only helps validate the payment but also decreases propensity of non-repudiation by the bank. Digital signatures, combined with strong password controls and a centralised payment workflow within the treasury system, dramatically eliminate opportunities for payments fraud.

Improved workflows

Structured workflows that require all bank account activity to be tracked and approved using the treasury systems’ controls and limits. These workflows can be enforced by mandating centralised documentation to the bank. The requirement for corporates is that no account opening, closings, or changes can happen that do not originate from an authenticated, digitally-signed, encrypted message from the organisation’s treasury system.

* http://searchsecurity.techtarget.com/definition/spear-phishing

** http://ww2.cfo.com/cyber-security-technology/2015/02/spearfishing-attacks-infiltrate-banks-networks/