Fraud: The Game Where Not Losing is a Win
This article originally published on PaymentsJournal.
As a CFO, your chief concern is your company's valuation and financial health. You're focused on setting and meeting expectations for the investors, the board, and, at public companies, the street. Everybody looks to you for a plan, and expects you to help the broader management team execute well against that plan. You’re the quarterback, moving the ball forward, trying to find the receiver downfield, and pushing for the winning touchdown.
At the same time, you have to guard against surprises that could derail the plan. Maybe one of your offensive linemen gets beaten on the block—and in comes the defensive end to take you out from the blind-side.
On the football field, there are a limited number of surprises because there are only so many players on the field who can take you out. But as CFO, threats come from all directions—many of them hidden. The tech world is changing so fast that new avenues are opening up all the time. According to the 2019 State of Risk Oversight report from the AICPA and the Poole School of Management at North Carolina State University, 59 percent of executives said they believe the number and complexity of risks is increasing. And 68 percent of organizations said they have recently experienced an operational surprise due to a risk they did not foresee.
Record payment fraud
Surveyed executives said they are most focused on risks related to talent, innovation, the economy, their reputation, and brand. One rising threat that organizations may not be paying enough attention to is payment fraud. In the 2019 AFP Payments Fraud & Control Survey underwritten by J.P. Morgan, a record 82 percent of organizations said they were the victims of actual or attempted payments fraud, with fraudsters increasingly targeting bigger firms and electronic payments.
As chief operating and financial officer of a B2B payments company, this concern is very high on my list, but in many organizations it often it doesn’t rise to the level of executive interest until there's been a leak. Then you have to explain what happened to the board or the investors—it's not a pleasant conversation.
Like a quarterback, you generally expect your team members to have your back so that doesn’t happen. But even the best offensive line gets beat once in a while, because some of the bad actors out there are astonishingly sophisticated in their fraud methods. I know, because I worked for four years at a network security company where our job was to protect companies from bad actors.
Looking for a hole
Just as you train and call plays for the offense to run, the bad guys are also training and watching for holes in your line-up to anticipate your plays. And they are finding plenty. The world has only gotten more complex since I worked in network security, and the bad actors have found more ways to defraud you of your money.
It’s not just check fraud anymore. They hack into systems and steal data they can use to impersonate a legitimate payee through email. According to the AFP survey, 80 percent of companies reported business email compromise fraud last year, with more 54 percent reporting financial losses as a result. We’re also starting to see reports of multimillion dollar frauds committed through voice impersonation, or “deepfakes.”
Take this Forbes story, for example, where a fraudulent party used deepfake technology to trick a CEO into sending them roughly $243,000. It just goes to show that as technology gets smarter, even highly intelligent folks can have trouble distinguishing genuine phone conversations from fake ones. And fraudsters are experts in exploiting that human vulnerability.
CFOs need to pay more attention to data protection and payments fraud, given that these things happen with a high degree of frequency, with significant costs. You need to make sure your offensive line is prepared. You might also want to consider bringing in a pro bowl player or two.
In football, the offensive line often trains separately from the quarterback, but they share the same playbook. The same goes for a CFO. You have to have confidence in what your controller and AP staff are doing to make sure payments always go to the right place. If your AP team isn't cognizant of all of fraudsters’ latest tricks, or if they’re not using the latest payment best practices, they can be duped. They should also be working with your IT team and your CISO—if you have one—to keep customer and vendor data safe, because having the right tools and technology is a key part of an effective program.
The pro bowl player
There’s a lot you need to be prepared to defend against, so you may want to bring in a specialist. It's analogous to the way that companies used to run their own data centers, spending a lot of money and time to try to establish a best-in-class operation. Now many have realized that if they outsource that to Amazon Web Services or Microsoft, those companies have far more resources to deliver best-in-class performance. You can scale more effectively at a lower cost than building your own data center and trying to secure and maintain it.
We’re reaching the same kind of inflection point with data protection and fraud. The stakes are getting higher, and the game is getting too complex for most companies to build a best-in-class operation on their own. Payment specialists can fill that hole in your line without the need for added resources.
Companies are starting to realize that data theft and fraud attacks are a “when, not if” proposition, so if it's not in the forefront of your mind as CFO, it should be. Don’t shy away from making it somebody's main focus. Otherwise, you could suddenly lose your best resources, lose focus of growing revenue, and move the ball downfield to play defense for a while. You won’t score many points or get to spike the ball in the end zone after the touchdown because of all the surprises that didn’t happen, but the key to winning this game is ensuring you are not losing!