Stopping fraudulent transactions before they take place

Indias Cosmos Bank has lost USD 13.5 million in a cyber-attack. It’s a statement that should render shock, but these situations are becoming so commonplace that whilst such headlines are discouraging, they are no longer a surprise. One has to wonder whether we’ve become desensitised to them.

This seemingly fatalistic attitude that hackers will have their way and little can be done about it is quite unsettling. But something can be done – and it’s not only possible, it’s easy and achievable.

Here are the facts in review:

India’s Cosmos Bank lost nearly 944 million rupees (USD 13.5 million) through simultaneous ATM withdrawals in 28 countries.

The customer info was stolen through a malware attack on ATM machines (14,849 transactions in two hours).

Hackers also transferred 139 million rupees (USD 1.9 million) to a Hong Kong based account by issuing unauthorised transactions over the SWIFT network.

Add to this the startling statistic from the 2018 UK Business Payments Barometer, sponsored by Bottomline Technologies: of all fraud incidents reported by the respondents, less than 50% of the funds could be recovered.

So begins the Bank’s uphill battle of recovering stolen funds and repairing any reputational damage. Given that they were hit in February 2018 with three fraudulent remittances of nearly USD 2 million, transmitted via SWIFT’s network, this latest attack is likely to have left Cosmos Bank feeling somewhat fragile.

But they’re not the only one to have been hit with successful attacks. It was Banco de Chile earlier this year, Bangladesh Bank in 2016, and a number of unnamed financial institutions in Russia, Vietnam, Philippines and Ecuador in 2015.

Conversely, statistics in Strategic Treasurer’s 2018 Treasury Fraud and Controls Report indicate that fraud prevention is moving in the right direction. Organisations are taking the threat of payment fraud seriously and in turn, are taking precautionary measures. Compared to 2017:

84% surveyed agree that threat levels have increased;

61% feel they are in a better position to fight fraud.

It begs the question ‘Why do organisations still fall victim to such attacks?’

Recognising potential fraud is the first step in addressing the issue. Alone it is not a solution and neither is throwing money at it. According to J.P. Morgan’s 2018 AFP Survey, fraud budgets are holding steady year-over-year, which is encouraging, but it doesn’t change the fact that 78% of organisations were targets of payment fraud in 2017.

Even more concerning is that according to KPMG, internal users are involved in a large percentage of fraud cases, highlighting the stark reality that fraud threats can come from any direction at any time. Fraud continues to be an insurmountable threat because of an inappropriate focus.

Consider this: your boat is taking on water. You’re bailing it out as fast as you can, but not only does the boat have a hole – so does the bucket. Effort in that situation will get you nowhere, unless you change your approach. It’s the same with addressing potential fraud.

Allocating spend might feel satisfying and appear productive and it might stem the flow in a few areas. But unless you’re plugging the real holes, the realities of potential payment fraud will continue to plague your business.

Businesses need to start by detecting and preventing fraud before it happens. This can be done by closely examining any potential loopholes related to your people, your processes and your technology. A much more holistic approach includes applying the right mix of technology, stringent processes and a culture of diligence.

This is all entirely possible and simple to do given the sophisticated behaviour and transaction monitoring solutions that are available today. Undoubtedly, proactive behaviour monitoring combined with transaction monitoring is the most comprehensive way to help guard against future financial losses and reputational damage related to fraud incidents. Solutions such as these leverage the latest in machine learning technology to understand what activity is safe and normal and what’, then immediately alert to suspicious activity, putting a hold on potentially fraudulent transactions before they can cause any damage.

You have a responsibility to secure each and every payment that passes through your hands. And don’t think your fraud protection work is done, simply because you send an end of day report – at that point, it’s too late to take action. Invest your fraud protection spend where it will do the most good. Make sure you plug the right holes and address the root cause of the problem so you can stop fraud before it happens.

About James Richardson

James helps organisations reduce their fraud risk and secure their critical payments. He has worked in the Payments industry in an ever-changing landscape for over 15 years with Financial Institutions and Corporates of all sizes. He leads Bottomline’s Cyber Fraud and Risk Management group, helping organisations understand the latest threats and how best to secure their payments. With ever increasing threats in internal and external frauds, and compliance demands, he regularly presents at conferences, panels and on webinars sharing experiences from organisations, on how they can reduce their exposure.

About Bottomline Technologies

Bottomline Technologies helps make complex business payments simple, smart and secure. Corporations and banks rely on Bottomline for domestic and international payments, efficient cash management, automated workflows for payment processing and bill review and state of the art fraud detection, behavioural analytics and regulatory compliance.