I thought it was you
Thought it was you
Thought it was you
Thought it was you
– Herbie Hancock
Masquerading and spoofing, phishing and smishing may sound like all kinds of inebriated fun. If only. We all know that the consequences of fraud and cybercrime are grimly sobering and the perpetrators far from inebriated. Morning rags and respected mags kindly supply our daily fear-fixes, now including threats of cybergeddon and high-profile, reputation-obliterating reports of large-scale data breaches. Some consultants and the like are delighted to while away the billable hours talking enhanced, triple-bolted cyber-security systems and services. And indeed, according to a report published two weeks ago, produced by Barclays and the Institute of Directors and surveying 980 IoD members, cyber-fraud has reached an all-time high in terms of both sophistication and volume, with 90% of large corporations and 74% of smaller businesses having incurred at least one breach. Yes, cybercrime and digital identity may be rising up the boardroom agenda faster than you can say ‘Baby boomers’, but what impact is all this having on you, the treasurer?
Whilst we’re on the topic of respected mags, the November 2015 edition of The Treasurer, no less, features an article in which Christian Doherty reflects upon the “mounting evidence that cybersecurity needs to be central to treasurers’ thinking”. But though you may all be thinking long and hard, how much are treasurers talking to their peers and colleagues about the security breaches their businesses are suffering or anticipating? Or the ways in which treasury is being implicated? What are the pros and cons of doing so?
To talk about security issues is a security issue. That makes sense. Whilst the majority of businesses are victims of cybercrime and fraud, to openly admit it, or even to imply an admission, is potentially to fling your business into untold reputational free-fall, and is thought to invite further attacks. Let something, anything, slip and you may well hear your boss yelling ‘why the sitting duck did you say that?’ or worse.
Corporate cybercrime has laid an expansive, expensive and highly explosive minefield of hefty fines, reputational risks, ethical breaches and irrecoverable losses for businesses. According to the IoD/Barclays report only 28% of breaches were reported. That compares with the 49% of breaches which were said to have resulted in the interruption of business operations. A recent article in City AM claims that one in four companies is willing to pay ransoms to hackers in order to prevent attacks, whilst another article details how hackers who have already stolen data are holding companies to ransom under the threat of releasing or abusing said data. We are quite sure that our members, who abide by the ACT ethical codes, would never consider taking such actions. Yet the uncomfortable pressures under which companies increasingly find themselves are clear.
So when I cheerfully contacted our brilliant and frequently generous community of corporate treasurers in search of an eager speaker to join panel discussions on identity issues and cybercrime at this year’s Annual Conference, well, it was a bit naïve of me to say the least. To talk about security issues is a security issue, and yes, once it was pointed out to me, it did of course make perfect sense. At conferences we like to hear from the experienced. Experience, they say, is the father of wisdom. But for now, mum’s the word.
I was, however, fortunate enough to find a few treasurers willing to give details of their experiences so long as their own identities and those of their companies remained fully anonymous and protected. Of course I did my due diligence in verifying that I was indeed speaking to the people whom I believed I was speaking to. Once fully satisfied I then did my very best to scramble my brains and forget their names. Some other details have been consciously uncoupled from their sources or altered slightly to protect anonymity.
There is not much collective security in a flock of sheep
on the way to the butcher
- Winston Churchill
So, let’s call them Herbie and Winston. Not your typical mysterious strangers but they’ll do. Both Herbie and Winston work in the group treasury functions of large corporations with UK and EU subsidiaries. Both agree that they are seeing job losses in finance departments as a result of expensive fraud. They say this has not yet permeated treasury but they fear it may only be a matter of time. Both have experienced losses of millions of pounds as a consequence of identity fraud across a range of both UK and EU subsidiaries. But fraud fall-out falls to group treasury, and so Herbie and Winston’s tales of woe unfold. Here’s what they told me...
The devil is in the detail and he sure as hell would like to make you pay
‘Our CEO has a very distinctive way of speaking…for the sake of argument… a cockney accent. In fact so distinctive that not only does she have a cockney accent but she only ever discusses business matters in cockney rhyming slang. That’s fairly unique in the modern multinational, right?’ So begins Herbie.
‘Right’ I nod enthusiastically down the phone, pen poised.
‘So, you’re an employee in our finance team and you get a call from a woman who claims to be, and sounds just like, the CEO and she says: Look my old china, you’ll think I’ve been on the Vera Lynn again but I swear I ain’t. We’ve been working on a deal with Porky Pies Plc but it’s sensitive and we don’t want nothing on the custard and jelly, or in the current bun for that matter, until it’s all gone through. Not a dicky bird to anyone on this, gottit? Good. Now we’re ready to execute the deal and I want you to transfer the bees and honey to Porky Pies Plc. And I’m talking a lot of bloody bees and honey. I ain’t talking no bill and benners ‘ere. We’re talking millions o’ nicker and I’m trusting you. Got that? ‘Ere are the details. Now chop chop my son and transfer those monies.’
Granted, you might not be naturally inclined to take payment instructions from someone who sounds like they dialled straight out of Get Carter. But as Herbie points out, this employee was speaking to somebody who sounded just like the CEO. Though perhaps unorthodox, the command to make a payment of £5 million and to keep it fully confidential was convincing enough and certainly clear. So the employee did as he was told, and it was only the next day, when said employee overheard a colleague mentioning that the CEO was currently on annual leave, that alarm bells started to ring and the penny dropped. Actually significantly more than a penny, but let’s not labour the point.
Herbie says: ‘We never recovered those lost millions and we never found the culprit. The money and the criminals are profoundly hard to trace. Whoever the culprit was, they clearly had access to significant information about the CEO’s identity. The employee was quick to speak up once he realised the error and of course it was all reported to the bank and to the police immediately thereafter. But a day after the payment is made is a day too late. Payments happen so quickly now that you really need to realise and report the error within 30 to 60 seconds. The money may still be within the EU jurisdiction at this point and your bank may be able to recover it. But at the moment such swift internal responses are very rare. If you realise even an hour after making the payment you’ve got no chance. But just try to remember the 30 second rule. Make it a mantra… it really is the best chance of recovery.’
Winston’s war stories are not dissimilar: ‘We have been targeted by fraudulent emails from addresses which, at the flick of an eye, look in no way suspect and totally as expected. But look a little closer and you’ll see the anomalies. So for example joebloggs@gmail.com may be a customer of yours and you receive an email from joeblogg@gmail.com informing you of a change in payment details. You, the finance officer, don’t spot the error and a significant refund is then made to an unknown account. The little treasure was in fact an egregious scammer.
As well as fake customers we’ve had fake suppliers too. So, we received an email from majorsuppliers@rnajorsuppliers.com informing us of changed payment details. At a glance it looks totally familiar and correct, but ‘rn’ is a fairly common substitute for an ‘m’ and yet all too often it is not spotted. Vast sums have thus been paid, never to be seen again. In almost every case the emails have been followed up by convincing telephone calls made to our company which have helped to (falsely) verify the identities of both customer and supplier. These hoaxes may sound profoundly simple but those committing them are highly sophisticated. How they have obtained the data which allows them to emulate identities is of course of grave concern to us. This is a clever combination of exploiting technology and human-to-human contact. Human psychology is something we can’t discount when understanding how cybercrime works.’
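The two lookalikes Winston describes (a dropped letter in the local part, ‘rn’ standing in for ‘m’ in the domain) can be caught mechanically before anyone acts on a change-of-details email. What follows is an added example, not code from the article or from either company: it folds an incoming sender address into a ‘skeleton’ in which confusable characters are collapsed, compares that with an on-file counterparty list, and recommends an action for a payment-detail change. The counterparty list and every sample address are constructed; the confusable tables and the distance thresholds are assumptions, and a real deployment would use the full Unicode confusables data.

```python
"""Lookalike-sender check for 'change of bank details' emails.

Added example, not code from the original article. KNOWN_COUNTERPARTIES and
the sample addresses are constructed; the substitution tables and
thresholds are illustrative assumptions.
"""
import unicodedata
from typing import List, Optional, Tuple

# Cyrillic letters that render like Latin ones (a small assumed subset of
# the Unicode confusables table).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}
# Digits and symbols commonly swapped for letters, then two-character
# sequences that read as one letter in proportional fonts ('rn' for 'm').
CHAR_SUBS = {"0": "o", "1": "l", "3": "e", "5": "s", "|": "l", "$": "s"}
SEQ_SUBS = {"rn": "m", "vv": "w"}

# Constructed on-file list; in practice this comes from the vendor master.
KNOWN_COUNTERPARTIES = ["joebloggs@gmail.com", "accounts@majorsuppliers.com"]


def skeleton(address: str) -> str:
    """Canonical 'what it looks like' form of an address, so that two
    addresses a hurried reader would confuse collapse to the same string."""
    s = unicodedata.normalize("NFKC", address).strip().lower()
    s = "".join(CONFUSABLES.get(ch, CHAR_SUBS.get(ch, ch)) for ch in s)
    for seq, rep in SEQ_SUBS.items():
        s = s.replace(seq, rep)
    return s


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; addresses are short so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, known: List[str]) -> Tuple[str, Optional[str]]:
    """Return ('known', addr), ('lookalike', nearest_known) or ('unknown', None).

    'known' requires an exact (case-insensitive) match. 'lookalike' means the
    address is not on file but its skeleton is within a small edit distance of
    one that is: the signature of a typosquat or homoglyph impersonation.
    """
    raw = sender.strip().lower()
    known_lower = [k.strip().lower() for k in known]
    if raw in known_lower:
        return "known", raw
    sk = skeleton(raw)
    best_addr, best_dist = None, None
    for k in known_lower:
        d = levenshtein(sk, skeleton(k))
        if best_dist is None or d < best_dist:
            best_addr, best_dist = k, d
    if best_addr is not None:
        # Tighter bound for short addresses so unrelated ones do not collide.
        threshold = 1 if len(best_addr) < 12 else 2
        if best_dist <= threshold:
            return "lookalike", best_addr
    return "unknown", None


def payment_change_action(sender: str, known: List[str]) -> str:
    """Recommended handling for a request to change a counterparty's bank details."""
    verdict, _ = classify_sender(sender, known)
    if verdict == "known":
        # A genuine address can still be compromised: confirm by phoning the
        # number already on file, never a number supplied in the email itself.
        return "callback_on_file_number"
    if verdict == "lookalike":
        # Attempted impersonation of a counterparty: do not pay, tell IT/security.
        return "reject_and_escalate"
    return "reject_unknown_sender"


if __name__ == "__main__":
    samples = [
        "JoeBloggs@gmail.com",                 # genuine, different case
        "joeblogg@gmail.com",                  # one letter dropped
        "accounts@rnajorsuppliers.com",        # 'rn' for 'm'
        "accounts@m\u0430jorsuppliers.com",    # Cyrillic 'a'
        "someone@otherfirm.example",           # nobody we deal with
    ]
    for s in samples:
        print(f"{s!r}: {classify_sender(s, KNOWN_COUNTERPARTIES)} "
              f"-> {payment_change_action(s, KNOWN_COUNTERPARTIES)}")
```

The important design choice is that a lookalike is not treated as merely ‘unknown’: a near-miss of an address already on file is evidence of targeting, so it is escalated rather than quietly dropped. Note also that the ‘known’ verdict still requires a callback on the number held on file, because, as Winston says, the fraudsters phone in to back up their emails; a number in the email is theirs, not the supplier’s.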
Incidentally, a recent conversation I had with another anonymous source, ‘Mr Public Sector Accountant’, reveals a similar story. A high importance email, apparently sent by the chief executive, instructed the financial director to make a payment, of a smaller but not insignificant sum of £20K, with utmost urgency. It was a Friday late afternoon just as the FD was trying to head home for a family engagement.
‘As a public sector organisation,’ he told me, ‘a lot of our senior executives’ details are easily available. It’s not surprising then that we become victims of spoofing like this. The nature of our organisation means that we have to protect a lot of the public’s data. These factors combined mean that we have a lot of careful security processes in place. However, an urgent email to a hurried FD on a Friday afternoon can unnervingly easily appeal to our capacities for human error, as we saw here. We were lucky in this instance because the FD, having responded in haste, had nagging doubts only moments later and we were able to retrieve the money. We dodged a bullet there and have had to review processes since. But human psychology and the errors that can ensue, even for very smart or senior staff, are hard to fully mitigate against. This was interesting in the sense that it was apparently a correspondence between two of the most senior people in the organisation. Their interactions tend to be informal and less likely to adhere to company processes. The spoofer was able to emulate the brisk and informal tone that is common between the CEO and FD. I’ve heard of an increase in the so-called CEO scams. It makes sense really: people are not accustomed to questioning their chief executives and that really works in the criminals’ favour. At the risk of sounding mutinous I do wonder whether a culture of reverence and strict hierarchy could be holding us back.’
‘It’s also worth noting,’ he adds, ‘that the whole thing was hushed up rather quickly. Of course it’s an embarrassment that it happened at all and, given the fact that no money was lost, you can kind of understand why they’d not want to dwell on it. But my personal feeling is that the hush-hush response is not helping get the best out of process improvements, nor is it helping to raise important organisation-wide awareness. Whilst an understandable reaction, I don’t personally think it’s conducive to an environment of trust and information sharing. In my experience, and it may sound counterintuitive when a natural reaction may be to assume a sort of siege mentality, the more an organisation is subject to security threats the more we have to foster trust and openness internally. It takes work but in my view it’s highly necessary.’
‘Usually it’s our subsidiary finance team rather than group treasury being targeted,’ says Herbie, ‘but we pick up the slack and are having to give up increasing amounts of time to verifying details. This includes doing penny tests and going back to old invoices to cross-reference all details, then going to banks or another third party to check that all details are indeed fully aligned. We may make several phone calls to verify one email. Humans are doing the verification, often with fairly qualitative, though in-depth, methods. As you can imagine this is very labour intensive, time consuming and a drain on our resource. We have also introduced enhanced controls around authorised signatories across the group. We have radically reduced the number of authorised signatories as a security measure. Where once we had 20 we now only have two. But of course this is deeply impractical. One signature must be verified by the other signatory and so it only takes one person to be off sick or on leave for an effective hold-up in sign-off. Treasury teams therefore have to be acutely aware of staff movements in all subsidiaries. Likewise it makes sense to better inform staff of the movements of senior executives, although that is much more easily said than done. In any case the signatory issue means meticulous planning in our department and might mean things like ensuring that certain transactions are forward-dated. There is a lot more for us to be thinking about.’
Winston tells me: ‘All this is not the sort of thing we discuss with acquaintances at other companies. But I do have some very good friends who are also treasurers and, off the record, we talk about these problems. Although even then, very few are prepared to admit how much has gone out. But I do know of at least 10 different companies currently dealing with the impacts of at least one form of identity theft. More often than not we only discover the fraud by chance, through the normal course of business such as, for example, bank reconciliation. Clearly best practice is to train all of your staff and for your business to do all its Know Your Customer due diligence. I don’t mean the bank stuff; I mean your own customers, suppliers etc. This is crucial. A common sense approach is often as good as any, but the question is how you instil this across the company in a watertight manner. I think it’s got to come down to good leadership from the top and then excellent communication.’
Winston continues: ‘I do know of one particular MNC, headquartered on the continent, which has elected to invest in encryption software, the type used by our banks. But this is extortionately expensive! In the end, due to the specific nature of that business and the amounts at stake, they decided it was a cost worth shouldering. My company has not reached the same conclusion. Indeed at the current rate I’d say the cost is prohibitive to all but perhaps the FTSE 50. Costs may reduce in time but not, I think, in the foreseeable future. Less expensive forms of software may be worth considering, but sometimes you are just layering yourself up with more digital complexity and not necessarily fully trustworthy security. You worry that you may be opening yourself up to new and as yet unknown exposures. I suppose it’s an area we could do with being better educated in. I’d also point out that in all ten instances I know of, and my own, the subsidiaries were decentralised. It is worth thinking about how more centralised systems might help.’
‘Another thing to think about is your bank,’ says Winston. ‘How is your bank supporting you through these incidents? In our experience some really are better than others. Some were unable to grapple with the fact that the fraud had taken place before it had entered into their space, so to speak, and so proved fairly useless. Others were not limited by this and were really great and very helpful. Needless to say our bank relationships going forward are increasingly based upon our judgement of their ability to adapt to the digital economy. Not long ago we completed banking tenders in three different regions and two of the three were awarded to one bank because of the impressive digital support they have shown us. This is a bank which may not be spotted on every street corner in London but rather has a very wide virtual network. We have found that, perhaps as a consequence of this virtual network, this bank proves particularly adept at thinking outside of the box and acting with the sort of agility that the digital world demands. And indeed it was this particular bank that has proved outstandingly helpful on identity theft and cybercrime. The decision we took, based more on thinking about the future than the past, has paid off.’
‘My number one tip to corporate treasury and finance peers would categorically be: step to it and make best pals with your IT department!’ says Herbie emphatically. ‘You’ve probably always thought of them as the dusty geeks over in the corner, but the good news is they’ve likely always thought of you in exactly the same way, so you’ve already got more in common than you thought. The fact is that you absolutely need to be opening up excellent lines of communication with IT. Once a breach has occurred and the staff member has realised it, the very first thing they must do is report it, crucially to three entities: the police, the bank and the IT team. Your IT teams can do useful things like investigate IP addresses and will generally be much more helpful to the police than you alone can be. To battle these breaches we really need a much more joined-up approach. Don’t have a meltdown and wonder how to tell your boss; you can worry about that in five minutes’ time. In the next 60 seconds you need to be making those other calls.’
From terrorists to teenagers to internal ‘talent’, you can be sure that all threats begin with a ‘T’. I jest. You can be sure of nothing and, moreover, trust nobody. Ok, not quite. We all know that without trust there is no business, no economy. So trust is something we must strive to establish with ever greater vim and vigour as we venture further into the depths of the digitalised economy. Humans and algorithms can each have their flaws, and only one of the two understands the concept of ethics. If you’re lucky. But only one of the two experiences feelings of greed or of fatigue too. And neither fully understands the other. There is a complex overlay of human and technological flaws and exposures at play here, and businesses have a lot to think about in attempting to safeguard their assets. Interesting work has been cut out for us in the ACT’s production team: how can we open a useful, collaborative and peer-led discussion in a way which benefits the corporate treasury community whilst keeping them fully secure and able to speak? Answers on a credit card please. I mean postcard.
No doubt John Kay will provide food for thought on how we can establish trust in today’s world as he opens the Annual Conference in Liverpool this May. Indeed, we are thoroughly looking forward to three days of searching discussions and thought-sharing on corporate financial security, digitalised business and innovations in identity. You can hear the Head of Digital Identity at Barclays discuss the progress they’ve made in designing the government’s new Gov.UK Verify scheme, the director of financial crime and security at RUSI will field all your questions at Question Time, and Wells Fargo’s head of Innovation is flying in from Silicon Valley to share all he knows about cybersecurity in a hyper-connected world. Incidentally, the chairman of the IoD will also be addressing the audience. A veritable security-saturated spread not to be missed. I look forward to seeing you there!