Education | November 22, 2024

3 Strategies to Reduce the Risk of Treasury Management Fraud


The treasury management function plays a critical role in organizations, making it an especially attractive target to sophisticated fraudsters. Astute fraud prevention requires close partnerships with financial institutions, foolproof security protocols and rigorous employee training at every level.

Key takeaways:

  • Treasury fraud schemes are increasingly prevalent, threatening organizations’ finances, operations and reputation.
  • Organizations can protect themselves by partnering with their financial institutions on advanced security and fraud prevention practices.
  • Formalizing in-house security protocols and rigorous employee training can elevate awareness across the organization and minimize incidents.

Treasury management is a critical function in organizations and sophisticated fraudsters have it in their sights. The stakes are high: Not only can fraud cause heavy financial losses, it can also create havoc in operations and damage an organization’s reputation. Scammers are adept at using common tactics to exploit vulnerabilities — but organizations can use strategic partnerships and policies to combat them.

Common fraud schemes targeting treasury teams

An ever-present threat is business email compromise (BEC), says John Fick, MLS, CFE, CFCI, CECFE and Head of Fraud at Northwest Bank. It involves compromising legitimate business email accounts through social engineering or computer intrusion techniques, resulting in an authorized transfer of funds.[1]

“The main type of fraud year over year is business email compromise, and those numbers continue to increase,” Fick says. “Fraudsters don’t just target one customer; they send thousands of emails looking for one person to bite — and once somebody bites, it's all downhill from there.”

To underscore the severity of the threat posed by BEC, the FBI Internet Crime Complaint Center (IC3) reported that from October 2013 to December 2023, the FBI and law enforcement recorded 305,033 incidents of BEC, resulting in domestic and international exposed dollar losses of $55.5 billion.[2]

Another ongoing challenge is spoofing. With this tactic, a fraudster disguises an email address, sender name, phone number or website URL to appear as a trusted source.[3] “Over the last year and a half, a lot of commercial clients have been victims of spoofing fraud schemes, where the bad actor is contacting our customer, spoofing the bank’s call center phone number,” Fick says.

What happens during this type of interaction? When a fraudster posing as a bank employee contacts the intended victim, they ask for the user’s login credentials if they don’t have them already. They then require the commercial client to validate themselves. At the same time, behind the scenes, the fraudster has the bank on hold and, acting as the customer, triggers the issuance of a one-time passcode. The fraudster then tells the customer to provide the one-time passcode just sent to them for authentication purposes. The customer grabs their phone and provides the code to the fraudster, granting them access to their account. Fraudulent transfers soon follow.

Vulnerable roles targeted by fraudsters

While any employee could provide the information fraudsters need to engage in BEC or spoofing, those in leadership and accounting roles are often the primary target. “Bad actors scour and scrape data off websites, whether it's social media or the company’s website,” Fick says. “A lot of websites list their org charts, and they will typically have the names, email addresses and phone numbers of senior leadership freely available.”

Having gathered sufficient information to assume an executive’s digital identity, fraudsters can customize their communications using artificial intelligence to mimic the tone, language and behavior of the individual. This makes the fraud attempt look like a legitimate message from an executive, increasing the chances of an employee falling for the scam.

For example, if the fraudster compromises the CFO’s email account, they can send an urgent request to an accounting employee to wire funds to a critical vendor with updated or different wire instructions. To ensure the accounting employee acts quickly, the email sent from the CFO’s account will use phrases that the CFO would typically use and stress the importance of sending the wire by a deadline. In fact, fraudsters often use psychological tactics, such as creating a sense of urgency or authority, to manipulate employees into bypassing standard security protocols.

Implementing robust security measures

Organizations can do a great deal to protect themselves from these pervasive threats, Fick says. He recommends businesses partner with their financial institutions on advanced security and fraud prevention practices. These include tools such as positive pay, which companies use to manage the check and ACH transactions posted to their accounts. He also recommends dual control, which requires two individuals to sign off on specific transactions, such as those involving wire transfers.

The availability of such security measures should also be reflected in company policy and procedures for financial transactions — for example, spelling out the steps for sending a wire. Have protocols that guide the proper response to urgent emails from vendors requesting payment, Fick urges. Don’t reply by email; pick up the phone. An email could be from a bad actor who will reroute your reply to fraudsters.
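One way to encode the dual-control and pick-up-the-phone rules above as a hold/release check in a payment workflow. This is an added example, not code from the article or from Northwest Bank; the vendor record, field names and the release_blockers function are hypothetical, and the account and phone values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed vendor master record: bank details and callback number on file.
VENDOR_MASTER = {
    "acme-supplies": {"account": "000000001:1234567890",
                      "phone_on_file": "+1-555-0100"},
}

@dataclass
class WireRequest:
    vendor_id: str
    beneficiary_account: str
    signed_off_by: List[str] = field(default_factory=list)
    callback_number_dialed: Optional[str] = None  # number staff actually called
    callback_confirmed: bool = False              # vendor confirmed by phone

def release_blockers(req: WireRequest) -> List[str]:
    """Return the reasons a wire must be held; an empty list means release."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return ["unknown vendor: no record on file to verify against"]
    blockers = []
    # Dual control: two different individuals, so one person signing twice fails.
    if len(set(req.signed_off_by)) < 2:
        blockers.append("dual control: two distinct sign-offs required")
    # New or changed wire instructions must be confirmed by phone, using the
    # number already on file rather than one supplied in the request email.
    if req.beneficiary_account != vendor["account"]:
        if not req.callback_confirmed:
            blockers.append("changed bank details: no phone confirmation")
        elif req.callback_number_dialed != vendor["phone_on_file"]:
            blockers.append("changed bank details: callback number not on file")
    return blockers

if __name__ == "__main__":
    # Constructed request modelled on the urgent "updated instructions" email.
    urgent = WireRequest("acme-supplies", "000000002:9999999999",
                         signed_off_by=["ap.clerk", "ap.clerk"],
                         callback_number_dialed="+1-555-0199",
                         callback_confirmed=True)
    for reason in release_blockers(urgent):
        print("HOLD:", reason)
```
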

Every employee should receive training on the red flags associated with common schemes and their role in protecting the organization from fraud. For example, they should never give their login credentials to a third party or share one-time passwords sent from a financial institution. Emails with grammar issues, a sense of urgency or unusual email addresses that attempt to mimic real email addresses are especially strong warning signals that should trigger extreme caution.

Navigating the recovery process

Once a fraudulent payment is posted to an account, recovery options vary widely. For ACH transactions, the bank has a 24-hour window to return the funds without a loss to the customer. In these cases, the other bank may bear the loss. For check transactions, banks can work together to try to recover the funds, potentially by holding the bank of first deposit harmless. Wire transfers are much more difficult to recover, especially if reported after 24 to 36 hours, Fick says. This is due to the speed of money movement and availability, which makes wire fraud recovery universally challenging.

Fick recommends that businesses report any form of digital fraud to the IC3.[4] “This is especially important when dealing with international wire fraud because there is a team that specializes in recovering fraudulent funds sent overseas by consumers in the United States,” he says. “If you're a victim of identity theft, visit the Federal Trade Commission website; they have fantastic booklets you can order free of charge about how to protect yourself and recover from identity theft.”

Creating a strong culture of security

Treasury fraud schemes will continue to evolve, but organizations can protect themselves using a combination of security measures, robust policies and employee training. It is critical to create a strong security culture where preventing fraud is everyone’s responsibility. Additionally, employees should always follow verification procedures and never bypass them — even under extreme pressure. By partnering with financial institutions and staying vigilant, businesses can reduce the likelihood of fraud.

[1] https://www.ic3.gov/CrimeInfo/BEC

[2] https://www.infosecurity-magazine.com/news/business-email-compromise-55bn/

[3] https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/spoofing-and-phishing

[4] https://www.ic3.gov

