August 2, 2023
Five Authentication Tactics to Fight Email Attacks, Fraud and the Risk of Sanctioned Suppliers – Three Years After the Start of the Pandemic
On January 15th, 2021, Forbes Technology Council featured Five Authentication Tactics To Fight Email Attacks, Fraud And The Risk Of Sanctioned Suppliers, an article by Akhilesh Agarwal, Chief Operating Officer & Executive Vice President, Global Procure to Pay Solutions & Applied Technology for apexanalytix.
At that time, just under a year since the World Health Organization (WHO) declared COVID-19 a pandemic, the world had changed forever. The impact on business was multi-faceted – employees went home to work, supply chains were disrupted, and controls that had been carefully crafted over decades of best practices were compromised in the chaos that became the new normal.
Three Years Later...
On May 5th, more than three years after its original declaration, WHO ended the global emergency status for COVID-19. But that three-year period took its toll, not only in COVID-related deaths and disease, but in the creation of a playground for bad actors – fraudsters who looked past the tragedy to the opportunity – the opportunity to steal millions, even billions, from companies via communications and transactions with trusted suppliers. We are (partially) back in the office, but most workplaces are on hybrid schedules (work-from-home/work in office). Fraudsters, motivated by their successes of the last several years, are stealing more than ever – the FBI’s IC3 reported $10.3B in losses associated with complaints received in 2022, a nearly 50% increase from the $6.9B in losses associated with 2021 complaints. If you haven’t implemented these five authentication tactics yet, it might be time.
The original article published on January 15th, 2021 (with updated data in [brackets]), follows. Reprinted with permission from Forbes Technology Council.
A Recent History of Business Disruption and Fraud
The Covid-19 pandemic, the recession, business bankruptcies, reduced GDP and record job losses have placed increased financial pressure on suppliers and individuals — and, with it, an increased incentive to commit fraud. In fact, from April to May of this year, data shows a 200% increase in business email compromise (BEC) attacks focused on invoice or payment fraud [Between April 2022 and April 2023, Microsoft Threat Intelligence detected and investigated 35 million BEC attempts, with an average of 156,000 attempts daily].
Although common social engineering fraud is moderately successful when employees are in a physical office, it thrives in remote settings: Fraudsters might call an employee at your company and ask for information about the vendor maintenance controls process or a supplier’s real-world transactions. They then move on to another employee for even more information until they have everything they need to impersonate a supplier and request a bank account change or access to sensitive data. In April, the FBI issued a warning of a rapidly emerging fraud — advance fee and BEC schemes related to personal protective equipment (PPE). In one incident, a company had already wire transferred funds to a fraudulent broker of PPE who was outside the reach of U.S. law enforcement, and the funds were unrecoverable. [From February 8th, 2023, through July 7th, 2023, the Internet Crime Complaint Center (IC3) issued 16 industry alerts and warnings related to various schemes, threat actors, hacking and cybercrime.]
Checks and balances and segregation of duties can break down when many people are working from home. Both official and de facto controls can lapse: making sure no single person controls every part of a financial transaction, and reporting suspicious calls or emails in compliance with a fraud risk governance protocol.
[In its Global Cybersecurity Outlook 2022 report, the World Economic Forum pointed to the correlation between the COVID pandemic and heightened cybersecurity threats. It said: “At the time of writing, digital trends and their exponential proliferation due to the COVID-19 pandemic have thrust the global population onto a new trajectory of digitalization and interconnectedness. One of the starkest and most troubling new consequences of our digitalized existence is the increasingly frequent, costly and damaging occurrence of cyber incidents, sometimes even paralyzing critical services and infrastructure. This trend shows no signs of slowing, notably as sophisticated tools and methods become more widely available to threat actors at relatively low (or in some cases no) cost.”]
At apexanalytix, we found that as the Covid-19 pandemic progressed, organizations were changing sourcing and suppliers without always properly vetting them. Lost profits to fraud are unfortunate, but the fines and other legal costs of trading with a sanctioned supplier — an organization on the Specially Designated Nationals List or one of the many other lists maintained by the Office of Foreign Assets Control (OFAC) — can be extreme. In fact, my company’s in-house data shows that 22% of companies that receive fines from OFAC are fined over $1 million. In 2020 alone, the U.S. Department of the Treasury reported $22.8 million in civil penalties and settlements for just 14 entities in violation of financial sanctions, publicly revealing the names of the penalized organizations on its website.
How to move away from traditional authentication tactics
- Automate identity checks. Supplier identity checks are key — automated identity checks are even better. Look for automated authentication solutions that validate supplier identities against global sanctions lists, industry-specific lists, prohibited vendor lists, politically exposed persons lists, the Corruption Perceptions Index (CPI), IP addresses and more. For instance, before establishing a trading relationship with a supplier in Venezuela, Syria or other countries flagged for a high level of business corruption, you should first check the sanctions list provided by OFAC. This monitoring should happen continuously, because the lists change.
- Automate data entry checks. You should be able to validate information being entered or provided by your suppliers in real-time and with minimal or no human intervention. Validation of data points such as tax identification numbers, address verification, bank account number and account holder verification are no longer nice-to-have but must-have features. The entire ROI of a solution can rest on the value of preventing a single attempted fraud. Automated checks improve relationships with your suppliers, provide clarity to your internal team members and help scale up operations.
- Limit the information you provide. Scale back the amount of information you are willing to provide both over the phone and by email to reduce the threat of scams like “spear phishing,” in which an email sender tries to trick your employee into revealing confidential information, like passwords, account numbers or network access information. You must also educate your staff on cybersecurity best practices, including the nature of threats and the consequences of leaks, to encourage more secure communication.
Companies are moving away from staffed help desks to reduce the risk of social engineering efforts that compromise passwords, issue email addresses and confirm or provide system access. Instead, they are substituting help desks with online multi-factor procedures. One best practice for completing requests and questions that can’t be found elsewhere is to have an online portal with its own set of built-in authentication checks.
- Interact with suppliers outside of email and phone. The best way to prevent BEC attacks and the threat of malicious software being installed on your company network is to use an online portal through which you can directly request information or changes. Look for login protections like strong passwords and multi-factor authentication. A portal can automatically block new IP addresses or suspicious users from entering.
The FBI also recommends training your employees not to click on anything in an unsolicited email, to be careful about downloading any files, to examine the format of email addresses, URLs and the spelling used in any electronic correspondence, and to follow formal steps to verify payment and purchase requests by calling the requester using contact information you already have on file.
- Track supplier behavior. Implement technology that tracks supplier behavior and evaluates the actions each supplier representative takes when they interact with your company’s system on a regular basis. Logs and tracking checks help identify when an action is high-risk or outside the normal range, and will flag the incident automatically for additional review by someone at your organization. One warning sign to look for is a requester pressing for a quick response.
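The following is an added example, not code from the original article or from apexanalytix, showing how several of the tactics above combine into one automated check on a supplier bank-account change request: bank account number validation (the ISO 13616 mod-97 IBAN check), screening the bank country against sanctions and corruption-risk lists, and behavioral flags such as a lookalike sender domain, an unseen IP address, or pressure for a quick response. The field names, weights, thresholds, placeholder country codes and sample records are all constructed for this illustration and are not real OFAC data.

```python
import re

SANCTIONED_COUNTRIES = {"ZZ"}       # constructed placeholder, not OFAC data
HIGH_CORRUPTION_COUNTRIES = {"YY"}  # constructed placeholder for low-CPI countries
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|before close)\b", re.I)

def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97: move the first four characters to the end, map
    letters to 10..35, and the resulting integer must equal 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1

def score_change_request(req: dict, profile: dict) -> tuple[int, list[str]]:
    """Weighted checks; every hit adds to the score and records a reason."""
    country = req["new_iban"][:2].upper()
    sender = req["requester_email"].lower()
    checks = [
        (not iban_checksum_ok(req["new_iban"]), 40, "IBAN fails mod-97 checksum"),
        (country in SANCTIONED_COUNTRIES, 100, "bank country on sanctions list"),
        (country in HIGH_CORRUPTION_COUNTRIES, 30, "bank country flagged for corruption risk"),
        (country != profile["bank_country"], 20, "bank country differs from record on file"),
        (not sender.endswith("@" + profile["registered_domain"]), 30, "requester domain mismatch"),
        (req["source_ip"] not in profile["known_ips"], 15, "request from previously unseen IP"),
        (bool(URGENCY.search(req["message"])), 15, "requester pressing for a quick response"),
    ]
    hits = [(w, why) for hit, w, why in checks if hit]
    return sum(w for w, _ in hits), [why for _, why in hits]

def disposition(score: int) -> str:
    """Route the request: auto-approve, hold for a call-back on the number
    already on file, or block outright on a sanctions hit."""
    if score >= 100:
        return "block"
    return "hold_for_manual_verification" if score >= 40 else "auto_approve"

# Constructed sample: valid IBAN, but a lookalike sender domain, a new IP
# and urgency wording, so the request is held for a call-back, not auto-approved.
PROFILE = {"registered_domain": "example-supplier.com", "bank_country": "GB",
           "known_ips": {"203.0.113.10"}}
REQUEST = {"new_iban": "GB82 WEST 1234 5698 7654 32",
           "requester_email": "cfo@example-suppl1er.com", "source_ip": "198.51.100.7",
           "message": "Please update our bank details immediately; payment is due today."}
```

Calling `score_change_request(REQUEST, PROFILE)` yields a score of 60 with three reasons, which `disposition` routes to manual verification rather than to an automatic update.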
Supplier authentication techniques, especially when automated, not only prevent fraud and the risk of working with a sanctioned supplier, but they also improve the supplier experience. Faster, more secure supplier authentication leads to a superior onboarding process — further boosting the ROI of authentication solutions.
Akhilesh Agarwal leads the apexanalytix solutions practice responsible for apexportal, the industry’s only 100 percent touchless solution for global supplier information management and working capital optimization. He leads the development of new client-focused software innovations, guided by the regular trend analyses he conducts to ensure that apexportal delivers real-world efficiency and productivity benefits. He also oversees pre-sales, product management, project planning and reviews, risk mitigation and the delivery of seamless solutions to large global clients across country borders.
Akhilesh has an extensive background in product design and execution in accounts payable, accounts receivable and related areas. Before joining apexanalytix, he was vice president of technology for iQor, a provider of intelligent customer interaction solutions, where he earned a reputation for consistently delivering on high-visibility, high-performance projects. He is also a former associate director of software development for Receivable Management Services and a former project manager for Aditya International.