Tag Archive for: payment fraud

Nomentia Cash Management Release Info Event

| 15-06-2021 | treasuryXL | Nomentia |

Welcome to the Nomentia 2021 first release information event this year to hear and see the top new features and updates of the Cash Management solution.

The webinar is on June 22nd at 15:00 CET / 16:00 EET and lasts 45 minutes. As we update the solution frequently, we will invite you to our biannual release information events so that you can stay up to date with the latest releases. In this session, we will introduce the best picks of the new features from all Nomentia Cash Management modules.

In the webinar, we will cover the following areas:

At the end of the webinar, you will have the opportunity to ask questions.

The webinar will also be recorded and we will send it to you shortly after the webinar has ended.

REGISTER NOW


Meet the speakers

Jaakko Kilpinen

VP of Product and Solutions, Nomentia

Jaakko has over 20 years of experience in corporate cash management and has deep expertise in cash forecasting, netting, and In-House banking. Jaakko has previously held e.g. a position as Group Treasurer in a publicly listed Finnish company.

Pamela Quiroga Badani

Solution Manager

Pamela is a finance and accounting professional. Previously, Pamela worked as a Finance Analyst and for the past four years, she has been working with implementations in consultant and project management roles.

About Nomentia

Nomentia is a Nordic powerhouse for global cash management. We believe in a world in which businesses can make the right decisions no matter how unpredictable the times are. Our SaaS-based platform offers solutions for cash forecasting and visibility, global payments with bank connectivity, reconciliation, in-house banking, guarantees, and FX dealing. We serve 2,300+ clients in over 100 countries processing more than 200 billion euros annually. Cash is king!


Payment Fraud | A 750 000 euro Financial Scam that could happen even to you

| 02-06-2021 | treasuryXL | Nomentia |

Have you read the recent news on how Bol.com deposited almost 750 000 euros into a fraudulent bank account over a year ago? Put simply, they thought they were making a payment to Brabantia, a household goods manufacturer. If you are not familiar with the story, here it is in a nutshell:

Meanwhile, Brabantia never received the payment, so they naturally took Bol to court. That was the point at which the court discovered that Bol had fallen for a financial scam.

It all started, as usual, with a legitimate-looking email

In November 2019, Bol received an email in poorly written Dutch. Nevertheless, the email looked legitimate, as if it had been sent from Brabantia, and included the company’s logo. It asked Bol.com to transfer the outstanding payment to an account in Spain.

The Bol employees fell for the trick. No surprises there, as these emails can be very well-crafted and if you have never seen one before, you could become a victim too.

The court thought the scam email was obvious and easy to recognize

Bol tried to get out of paying Brabantia, claiming that the company’s employee had fallen for a business email compromise, and Bol was in turn accused of not using two-factor authentication in its Microsoft 365 (O365) environment. The story doesn’t tell whether the email was really sent from Brabantia using a stolen username and password, but hopefully it still makes you want to protect your accounts with multi-factor authentication (MFA).

Despite this, the court ruled in favor of Brabantia and ordered Bol to pay the outstanding amount. The reasons were the following:

  • The court believed the email was clearly a phishing email because of its grammar errors. Previously, all communication between the two companies had been in Dutch, while the scam email was written in a mix of Dutch and English.
  • The court thought that Bol should have been suspicious of the odd request to transfer money to a Spanish bank.

How to avoid something like this happening to you?

There are a few tips that you should always remember.

  1. Always be suspicious: Always be suspicious, especially when you are handling large payments. If you have the slightest doubt about the legitimacy of the request, something is probably wrong.
  2. Never accept a payment alone: Always ask for help. Never send out a payment before at least a second pair of eyes has looked at it. In most companies, that’s an everyday process.
  3. If you are in doubt, ask for help: If even one person is a tiny bit unsure, don’t process the payment. Ask for more help within your treasury or finance department, procurement, or even your cybersecurity department. Your cybersecurity team will be able to tell with high likelihood whether the email is real or not.
  4. Use a payment hub: Payment hubs come with features that enhance the security of processing payments. Consider using the following: workflows to manage authorization of different payment flows, approval limits for different payment types, and templates to limit and control the release of manual payments.
  5. Strict processes to update supplier master data: Supplier master data should be correct in the ERP system. It should only be managed by procurement, which has strict processes in place to validate possible changes before updating master data. Always execute payments according to the registered beneficiary bank account details.
  6. Don’t skip the cybersecurity and phishing training: While you may think it’s easy to spot phishing emails, it’s not, especially when we are talking about financial scams. Spear phishing is a growing business and is expected to grow to 1.4 billion US dollars by 2022. Scammers can spend as much as two weeks crafting an exceptional financial scam to lure financial professionals into making a large payment. Good phishing training should be tailored to your expertise and prepare you through challenging exercises to spot potential scams. It’s always better to report an email to your security team and ask for their opinion than to make a payment and regret it later.
  7. Care about security: Security is a bigger part of treasury operations than you would think. Make sure that you care about security. Things like using a strong password, updating the password frequently, using multi-factor authentication, and not sharing user rights matter and can do a lot.

When you care about security, you also show a good example to the rest of the team.

Trust your instinct and the learnings of this story and the security training

Always take longer to process the payment rather than pay a scammer! Creating good and strict payment processes and workflows can help with this. Also, trust your own and your co-workers’ instincts if you feel like something is off.

Stay curious about financial scam news to know what the latest trends are and how hackers will try to trick you. Work closely with your security department! It’s in everyone’s best interest to avoid falling victim to a scam.

It’s not a question of whether you will receive financial scams and phishing emails, but when you will get them. Be prepared that you will be targeted and face the situation with confidence to avoid making a payment.

About Nomentia

Nomentia is a Nordic powerhouse for global cash management. We believe in a world in which businesses can make the right decisions no matter how unpredictable the times are. Our SaaS-based platform offers solutions for cash forecasting and visibility, global payments with bank connectivity, reconciliation, in-house banking, guarantees, and FX dealing. We serve 2,300+ clients in over 100 countries processing more than 200 billion euros annually. Cash is king!


Barbara Babati

Barbara is working in the marketing department at Nomentia. Previously, she worked in cybersecurity and data integration industries.


5 concrete tips for preventing Payment Fraud

| 16-03-2021 | treasuryXL | Nomentia |

Payment fraud has become a real and permanent threat for companies of all sizes. No company can afford to close its eyes to the risks: fraudsters target all industries, and large and small businesses alike. It is the eleventh hour to start focusing on the safety of your payment process if you want to avoid financial damage.

The good news is that the fraudsters prefer easy targets, so even raising awareness on the topic in your organization is a step in the right direction. With this blog, I want to share 5 concrete tips for preventing payment fraud and improving the safety of your organization’s payment process.

Get rid of risky task combinations

Do you know who has access to your payments at each stage of the process? Risky task combinations may have formed over time without anyone noticing that a single person can, for instance, create a new payment in the system and approve it to be paid. Overly broad user rights leave unnecessary room for both malpractice and costly mistakes. Applying strong user rights management, the four-eye principle for example, is a quick way to reduce the risks. You should also require double approval for changes made to vendor master data, as well as to user rights.

Build your payment process on best practices

Design a secure payment process with a best-practices approach. Establishing a “no PO, no pay” principle, where invoices are approved for payment only if they have a purchase order number or are paid to registered suppliers, supports preventing payment fraud. You can improve the safety of manual payments when you use the ready-made templates of a payment system and demand multi-factor identification from the person who makes a spontaneous payment request. Many CFO attacks could have been prevented if the origin of an email payment request had been confirmed via another channel.

Automate and focus on end-to-end safety

You would be surprised if you knew how many companies have gaps in their payment process that create payment fraud risk. For example, if payment file batches are waiting in a folder or file share to be uploaded to the bank, the data is left open to tampering even if the process up to that point was secure. Eliminating manual phases through automation is one of the best ways to increase safety, as it reduces not only the risk of fraud but also the risk of mistakes.

Improve transparency

Standardized and harmonized practices build transparency, which makes spotting and preventing payment fraud easier. Create a uniform, company-wide process for handling payments and make sure that there are no routes around it. By centralizing all your bank connections in a single system, you take transparency to another level and, in addition, are better able to control the risks related to data transfer and system management.

Keep an eye on deviations

It is not rare for payment fraud to be discovered only by accident. As part of good risk management, you also need to focus on the measures that help you spot the fraudulent payments that manage to get through your defenses. Keep an eye on payments that are going to unknown bank accounts or that are made outside the normal payment schedule. Your payment system should support you in risk management and filter out deviations from your payment flows before they are paid. Machine learning and artificial intelligence will soon create new possibilities for recognizing and managing deviations in accounts payable in a more real-time and automated fashion.
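As an added example (not Nomentia's code), a pre-release screen that applies the deviation checks from this section together with the four-eye rule from “Get rid of risky task combinations” and the registered-beneficiary rule from the supplier master data tip: every payment is compared against vendor master data, the payment calendar, and its creator/approver pair before release. The vendor master, payment-run weekdays and payment records below are constructed for the example.

```python
"""Pre-release deviation screen for outgoing payments (added example, not
Nomentia's code). All master data, schedule and payments are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Constructed vendor master: supplier id -> registered beneficiary IBAN.
# Payments must go to the registered account, never to one named in an email.
VENDOR_MASTER: Dict[str, str] = {
    "SUP-001": "NL91ABNA0417164300",
    "SUP-002": "FI2112345600000785",
}

# Constructed schedule: regular payment runs on Tuesday (1) and Friday (4).
PAYMENT_RUN_WEEKDAYS: Set[int] = {1, 4}


@dataclass
class Payment:
    ref: str
    supplier: str
    iban: str          # beneficiary account as entered in the payment
    amount: float
    created_by: str
    approved_by: str
    run_date: date


def check_payment(p: Payment,
                  vendor_master: Dict[str, str] = VENDOR_MASTER,
                  run_days: Set[int] = PAYMENT_RUN_WEEKDAYS) -> List[str]:
    """Return the deviation codes found for one payment (empty list = clean)."""
    findings: List[str] = []
    registered = vendor_master.get(p.supplier)
    if registered is None:
        # No master record at all: "no PO, no pay" also means no supplier, no pay.
        findings.append("UNKNOWN_SUPPLIER")
    elif registered != p.iban.replace(" ", "").upper():
        # Beneficiary differs from master data (the Bol/Brabantia pattern).
        findings.append("BENEFICIARY_MISMATCH")
    if p.run_date.weekday() not in run_days:
        findings.append("OFF_SCHEDULE")
    if p.created_by == p.approved_by:
        # Same person created and approved: four-eye principle not applied.
        findings.append("FOUR_EYE_VIOLATION")
    return findings


def screen(payments: List[Payment]) -> Dict[str, List[str]]:
    """Map payment ref -> findings for every payment that must be held back."""
    held: Dict[str, List[str]] = {}
    for p in payments:
        findings = check_payment(p)
        if findings:
            held[p.ref] = findings
    return held


# Constructed sample batch: 16 Mar 2021 is a Tuesday, 17 Mar a Wednesday,
# 19 Mar a Friday.
SAMPLE: List[Payment] = [
    Payment("P-1", "SUP-001", "NL91ABNA0417164300", 12000.0, "anna", "bert", date(2021, 3, 16)),
    Payment("P-2", "SUP-001", "ES9121000418450200051332", 749000.0, "anna", "bert", date(2021, 3, 16)),
    Payment("P-3", "SUP-002", "FI2112345600000785", 500.0, "carl", "carl", date(2021, 3, 17)),
    Payment("P-4", "SUP-999", "DE89370400440532013000", 9000.0, "anna", "bert", date(2021, 3, 19)),
]

if __name__ == "__main__":
    for ref, findings in screen(SAMPLE).items():
        print(f"{ref}: hold, {', '.join(findings)}")
```

Only P-1 passes; P-2 is the Bol-style redirection to an unregistered Spanish account and is held even though it is on schedule and properly approved.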

Preventing payment fraud in an ever-changing threat landscape requires that you take a comprehensive and proactive approach. I recommend that you download and read our e-book, where we take a look at this topic in detail, and provide you with all the different perspectives a corporate payment process should be examined from. In the e-book, you will find best practices and concrete advice you need to keep your organization from falling victim to payment fraud.

About Nomentia

Nomentia is a Nordic powerhouse for global cash management. We believe in a world in which businesses can make the right decisions no matter how unpredictable the times are. Our SaaS-based platform offers solutions for cash forecasting and visibility, global payments with bank connectivity, reconciliation, in-house banking, guarantees, and FX dealing. We serve 2,300+ clients in over 100 countries processing more than 200 billion euros annually. Cash is king!

Meet Jukka Sallinen


PSD2 – new opportunities but an issue of trust

| 07-11-2017 | Lionel Pavey |

PSD2 (Payment Services Directive 2) is an extension of the existing PSD within the EU. The objective is to increase competition in the payments industry while increasing access for non-bank firms. This should lead to standard payment formats, infrastructure and technical standards; at first glance an improvement for consumers. However, there appears to be a particular threat to privacy, and the threat of third parties gaining excessive access to personal data.

What are the objectives of PSD2?

  • Standardising, integrating and improving payment efficiency across EU states
  • Harmonising pricing and improving the security of payment processing across the EU
  • Providing better consumer protection
  • Encouraging innovation and reducing costs
  • Creating a level playing field and enabling new entrant payment service providers
  • Incorporating emerging payment methods such as mobile payments
  • Bringing new and emerging payment services under regulatory control

For the fintech industry this is a welcome development, as fintechs are focused on providing alternative platforms for standard bank products.

What changes will take place because of PSD2?

  • Third party Access to Accounts (XS2A): e-commerce companies can take online or mobile payments directly from a consumer’s bank account without going through PCI (Payment Card Industry) intermediaries; this process will be known as Trusted Third Party (TTP) account access.
  • The ability of APIs to take payment: an Application Programming Interface (API) enables payment by directly connecting the merchant and the bank.
  • The ability to consolidate account information in a single portal: an API enables a new type of financial services company, an Account Information Service Provider or AISP, which aggregates account information to let consumers with multiple banks view all their bank details in one portal.

A Dutch television programme that covers consumer issues (AVRO/TROS RADAR) recently broadcast a report on the potential dangers of PSD2 with regard to personal privacy. By granting access to TTPs, you allow them to access your bank account and retrieve all the data from the last 90 days. This will enable them to provide consumers with a better overview of products and services. However, it also means that they gain valuable insight into how much you earn, how you spend your money and which companies you transact with. In theory they could offer you alternatives that are cheaper and more tailored to your individual requirements.

But to be able to do all this, they will also need access to your verification methods; in other words, they will need to know your PIN codes. We have always been told, especially by the banks, that this information is strictly confidential and should never be given out. There is also the possibility that they could offer you a special discount that can only be obtained if you give away your personal access codes.

This opens up the payments market to potential fraud. How do we know our personal data will be protected? How will the companies guarantee that the data is only used for a specific product or service? Who can ensure that our data is not sold to data mining companies? How can we be sure that our personal data is erased if we decide to opt out in the future?

Commercial banks are subject to numerous directives to ensure they conform to all legislation regarding banking and data protection. How can we get the same guarantee from a fintech solutions provider who might be tempted to increase its revenue by selling data?

However advanced our technology becomes, finance is an industry that has always relied on trust. Banks can only thrive if customers trust them with their money. We assume that if we deposit money into a bank, the bank acknowledges our position as a debtor and will repay us when we demand it. We expect them to exercise a duty of confidentiality and not disclose information about us. When that trust is broken, confidence in the bank is lost and this can quickly escalate to a run on the bank as mistrust leads to customers wanting their money back.

Do we feel the same level of trust for non-bank parties who gain access to our bank data?


Lionel Pavey

Cash Management and Treasury Specialist


Payment threat trends

| 12-6-2017 | Lionel Pavey |

In the article ‘Payment threat trends’ on FinExtra.com you can read that the European Payments Council provides insight into the latest developments in threats affecting payments, including cybercrime. You can also download the document, which is divided into two sections. One analyses threats including denial of service attacks, social engineering and phishing, malware, mobile related attacks, card related fraud, botnets, etc. The other aims to give early warnings on threats related to emerging technologies which could lead to potential fraud, including cloud services and big data, the internet of things and virtual currencies.

Payment policies

Generally, companies will have a secure, written policy for making payments. Payments will be generated from the purchasing and bookkeeping systems and should be reconciled. Beneficiary static data should be view-only for general staff; only authorized staff can create and amend the data.
Payments relating to creditors should only be processed if a purchase order has been originated internally and approved. All payments should be uploaded to recognized bank systems and verified under a six-eyes doctrine.

The biggest area of concern relates to electronic payments outside the abovementioned process, namely via credit cards. If inventory levels are not correctly monitored, it can happen that a one-off purchase order is made. Payment should then be made through a recognized payment provider such as iDEAL or PayPal. Furthermore, the issuing of credit cards to key personnel leads to many more risks that cannot be directly controlled by the company.

Risks for companies

When using a credit card in a public area, there are a few obvious dangers:

  • The card being stolen
  • Open Wi-Fi in the area
  • Skimmers applied to hand-held card devices

Up to now, the majority of payments have been made through stand-alone bank software. As we enter the electronic age of disintermediation, there are many companies offering payment services; blockchain and bitcoin are the obvious examples. No system is completely secure but, in the past, banks have made good on any losses if it was shown that the banks’ systems were at fault. However, hacking into blockchain wallets and taking electronic coins has occurred, and those losses are not covered, as the systems are not run by banks or governments.

For a company this leads to direct risks such as monetary loss, fraud and loss of reputation. Also of concern is the danger of company data being stored by external third parties.

Clearly defined doctrine

Despite all the technological advances that make payments easier, companies need to stick to a strong, clearly defined doctrine for payments:

  • Only payments via purchasing and bookkeeping systems
  • Restricted use of credit cards
  • Elimination of petty cash
  • Secure protection of the static data relating to creditors
  • Payments offered only through recognized bank software

Blockchain

Blockchain is a reality, and its uses go far beyond payments. The technology cannot be stopped; the major issues (in my opinion) revolve around the electronic currencies (Bitcoin).
Companies would do well to investigate the advantages that blockchain offers and consider how it can be implemented within the company. Some of the potential uses include compliance, insurance, finance, energy, supply chain management, human resources, accounting, data, taxes, etc.

As for payment threats: stay alert, identify and manage risks, and keep abreast of changes.


Lionel Pavey

Cash Management and Treasury Specialist


Payment fraud – Leoni case

| 30-08-2016 | Udo Rademakers |

On the 5th of August I wrote an article regarding payment fraud. Not even two weeks later, Leoni, an automotive company in Germany with EUR 4.5b turnover, became the victim of a massive fraud in which USD 40m was wired … to a criminal organization. “Leoni realized it had become the victim of fraudulent activity with the help of falsified documents and identities and the use of electronic communication channels,” the firm said. (source: dw.com)

Most probably, this was done via the so-called “Fake President Fraud”: an employee receives a top secret message from the “CEO” with the instruction not to discuss the request with anyone else and to make a high-value wire (to an account abroad). Obviously, the money flows to a criminal organization.

Currently I am working in Germany, where I and others are seeing an increase in these kinds of attempts. I suspect that most of the cases don’t make it into the paper, however.

I refer to my earlier article on what measures can be taken to avoid payment fraud, but would also advise corporates to perform a “quick scan”, as a lack of transparency and the decentralization of payments increase the opportunity for fraud and cybercrime:

  1. Do you centrally manage and control payment workflows?
  2. Are payment workflows consistent within the group?
  3. How many payment initiation systems do you run within your group, and are limits and processes aligned?
  4. Do you link your payments to your cash flow forecast?

If all of the above questions can be answered with “yes” and the number of payment systems is limited, some risks are reduced and “Leoni cases” will hopefully be avoided.


Udo Rademakers

Independent Treasury Consultant & Interim Manager

How to avoid payment fraud?

| 05-08-2016 | Udo Rademakers |

Generally speaking, most fraud cases don’t make it into the paper because companies are so embarrassed that they choose to keep the affair quiet instead. In some cases, however, the amounts are too substantial to hide and corporates (need to) publish. One case was published some months ago by Accell, a Dutch listed company. This triggers us again and brings us to the question: how can we best control (“treasure”) corporate cash and avoid possible fraud?

Fraud case

January 2016:
Press release Accell: Accell Group confronted with theft in Taiwan

Financieele Dagblad (Dutch newspaper): Fabrikant Accell voor miljoenen bestolen door Taiwanees

Accell had to publish a fraud case: according to the Annual Report, “an employee could circumvent and misuse the availability of certain payment facilities by misappropriation of systems, processes and trust”. It led to a possible loss of EUR 4 million.

In my work as a Treasury Consultant, I have seen more cases where internal and external fraud (almost) took place. All cases were settled “internally”; however, the learnings from them were huge.

How can your company avoid losing cash by fraud, or more generally, also avoid human errors?

Without going into too much detail, fraud and mistakes can be avoided by defining clear accounting and internal control systematics and sticking to those rules. Fraud is almost never 100% avoidable, but the aim should be to find a balance between the risk of fraud, its possible impact and costs (while keeping procedures “workable”).

Define a “Static” Supplier Data process

  • Separate the master data responsibility from the finance area (segregation of duties) with clearly defined restrictions
  • Request original documents/data from the supplier, then verify and capture them
  • Capturing of data should be done by a limited number of employees and with segregation of duties (4 eyes principle)
  • Data should be protected and only amendable via a standardized process (by a limited number of employees)
  • Documentation

Define a Payment process (stand-alone banking system)

  • Create standardized payment templates (and make sure these cannot be amended)
  • Reduce the number of banks / bank accounts (fewer systems, fewer procedures, etc.)
  • No ad-hoc payments should be allowed (or only with additional secured processes)
  • Define limits according to authorization matrices (per person, per department, per day, etc.)
  • Define clear segregation of duties
  • Documentation
  • Transparency

If HQ prefers to have full cash control, one way could be to let payments be released only by the treasury department. Another way is to define certain limits at local level and higher limits at HQ. In either case, the 4 eyes principle (or 6 eyes) should be in place for accepting payments content-wise.

Define a Payment process (interfaced out of your ERP system)

  • Make sure the interface from the ERP system to the payment system is secured so that data cannot be amended while stored on a server or in the payment system itself
  • Automate the process; no manual intervention should be required

Control cash outflow by comparing it to your Cash Flow Forecast

(see also my post of May 2016)

  • Automated reporting of cash balances (MT940/MT942) to Group Treasury
  • Analyze daily variations and link them to the forecast
  • Link the annual budget to the annual CFFC (and analyze the delta regularly)
  • Review and analyze your cash variations on a weekly or monthly basis

If you have any questions or business cases, please do not hesitate to contact me.

Udo Rademakers

Treasury consultant