Cyber financial crime: what should businesses do to prevent it?

Cameron Shilling

Disaster strikes. One of your employees was tricked into changing the payment account for your business’s largest vendor, sending a series of payments to a fraudulent account. The vendor has now cut off your business until you pay the outstanding balance of hundreds of thousands of dollars. Or, perhaps your largest customer was duped in the same way, and is now refusing to pay, claiming that your business caused the loss because your email system was hacked.

The scams get even more catastrophic. For example, maybe you (or your real estate title agent, accountant or attorney) was tricked into sending to a fraudulent account the funds that your business intended to use to purchase real estate, a large piece of equipment or another company, and the sellers are now refusing to proceed with the transaction without payment.

These and many other types of electronic funds transfer (EFT) fraud are prolific. Yet most business leaders think this could not happen to them — until it does. Businesses need to adopt the following safeguards to prevent EFT fraud or reduce the risk of it.

1. Dual Verification. Payment instructions and changes to payment information should never be accepted by email, voicemail, text message or other electronic communication, particularly without a second method of reliable verification. Dual verification can be achieved, for example, in a video or telephone call with a known individual who has authority to provide or change payment instructions, during which that individual recites the particular payment information. Designating and training one or a few personnel who are responsible for releasing payments to perform and document this process can be an effective method for dual verification.

Sometimes payment information is altered directly by hackers, such as in payroll systems and financial accounts used to make automated clearinghouse (ACH) transactions, wire transfers and benefits distributions. Businesses should configure these systems to prevent such changes from becoming effective without an authorized and knowledgeable accounting or human resources person verifying that the payment change or transaction is legitimate.

2. Portals and AP Providers. The dual verification process described above is fallible, because it relies on imperfect human firewalls. Businesses therefore should transition to using portals and accounts payable (AP) systems to manage financial transactions.

Portals are online financial systems that maintain separate accounts for each party (and sometimes their service providers, such as bookkeepers, real estate agents, attorneys, etc.). Each party maintains its own access credentials, and authentication to the portal is controlled by multifactor authentication (MFA) or conditional access. Payment information is input and maintained in the portal by the party receiving payment, and the financial transaction is executed through the portal. Venmo is an example of a consumer financial transaction portal, and Zelle is an example of a portal used more commonly by businesses. Prominent financial institutions also maintain their own portals for large transactions, such as corporate deals.

Variants of such portals are systems operated by AP providers. Payees maintain their own access credentials to the portal (which should require MFA or conditional access), and submit invoices to the AP provider (preferably directly into the portal). The business then reviews the invoices and authorizes payment using the portal, which can be paid from and synchronized with the business’s bank accounts and accounting application.

3. Cyber Crime Insurance. Insurance for cyber financial crime is different from insurance for loss of data and network compromise (which is called cyber liability insurance). Additionally, cyber crime insurance for a lost payment initiated by the insured as payee is different from coverage for a lost payment initiated by another payee intended for the insured. A business should assess whether it needs one or both types of cyber crime insurance. Also, while a business often can readily obtain a cyber liability policy with a multi-million dollar limit, a cyber crime policy typically has a much lower limit of hundreds of thousands of dollars, and premiums for a cyber crime policy can seem steep for that amount of insurance. If appropriate and feasible, a business should secure cyber crime insurance with limits comparable to the largest financial transactions initiated by the business and its customers.
   
4. Contractual Allocation of Liability. When businesses enter into contracts with customers and vendors, they should include a provision containing payment instructions and identifying a specific mechanism by which those instructions can be changed, including through dual verification or a portal. The contract also should allocate liability for EFT fraud to the party who fails to comply with that process, exclude such liability from typical contractual limits of liability, and require each party to maintain appropriate cyber crime insurance.

Sophisticated hackers are constantly searching for targets for cyber financial crime. Business leaders should implement measures to prevent or mitigate these risks before they or one of their customers becomes a victim of EFT fraud.

Cam Shilling founded and chairs McLane Middleton’s Cybersecurity and Privacy Practice Group. The group of five attorneys and one technology paralegal assist businesses and private clients to improve their cybersecurity and privacy safeguards, and address any security incidents, breaches, and financial losses that may occur.