NextGen Treasury: Protecting Your Organization from a Cybersecurity Attack

It’s a matter of when, not if, your organization will be the target of a cyberattack. Fraudsters have become extremely creative with their approaches to invading networks and devices. Even the most innocent actions, such as an employee clicking a link in a fraudulent email, can lead to disaster.

A few facts to consider:

• 71% of organizations were victims of payment fraud in attacks and attempts in 2021, according to the 2022 AFP Payments Fraud and Control Survey.

• 68% of organizations were targeted by business email compromise, or BEC, according to the AFP survey.

• Fraud victims lost $2.4 billion in 2021 due to BEC, according to the FBI.

Fraud can result in significant financial costs, lost productivity and negative impacts to a company’s brand. The larger the business, the more susceptible it is to an attack, but businesses of all sizes are at risk. Cybercrime is rampant, and safeguards for protecting your assets are more critical now than ever before.

We recently hosted a forum with four BMO cybersecurity and treasury experts on the nature of current cybersecurity threats and what you can do to protect your organization and yourself. Our featured speakers were:  

• Brad Botting, Managing Director and Regional Leader, Prairies, Treasury and Payment Solutions

• John Galluzzo, Director, Financial Crimes Unit

• Doug Malin, Managing Director, Financial Crimes Unit  

• Andrew Matheou, Head of BMO Capital Markets Global Transaction Banking

Following is a summary of the discussion.  

Where fraudsters are lurking

The tools fraudsters use are readily available online, allowing them to launch their attacks from anywhere in the world. And as Galluzzo explained, these tools are increasingly sophisticated, allowing bad actors to use your devices against you. By installing malware, fraudsters can perpetrate a variety of cyberattacks, including:  

• Using your mobile phone’s GPS and location services to pinpoint your exact location.  

• Copying all of your text messages, including contact information, which they can later use to send fraudulent texts that appear to be legitimate.  

• Activating your phone’s microphone or front-facing camera without your knowledge, which they could use to access confidential financial information.  

These tools are not limited to mobile devices. Any internet-connected device is a potential target, even a printer. “Everything you've recently printed are on the memory in that printer,” Galluzzo said. “Any personal information, any financial information, any customer information could be available on that printer. Just be mindful of the things that you're inviting onto your home network and make sure that you have them locked down and protected.”

The five P’s: Strategies for protecting yourself

Hackers are sophisticated, and the threats they pose are both insidious and ubiquitous. So, what can organizations and individuals do to protect themselves? Malin outlined a series of tips that he calls “the five P’s.”  

1. Passwords.

If a device or social media account requires a password, at minimum you should set a complex password. That means at least eight characters long, with upper- and lower-case letters, and at least one number and one special character. Better yet, Malin said, make it a complex passphrase. "Take the first word of your favorite country and western song lyric, put in some special characters and a number, and now you've got a passphrase,” he said. “A lyric that you can remember, but a passphrase that you put into your devices that is much, much harder to track."

2. Patching.

“When your phone, tablet or computer lets you know it's time to update the operating system, do not delay,” Malin said. “These patches, or updates, are locking doors that should have been locked, which the bad guys can use to get into your network or into your system. The same goes with apps. If the apps on your phone and your tablet say it's time to update, let them update.”

3. Permissions.

You've probably noticed how you’re suddenly inundated with ads for specific items after you’ve visited a store. That’s the result of marketers using your phone’s location services to send you targeted advertisements. While that isn’t a malicious use, Galluzzo said fraudsters can use the same information to launch a cyberattack. That’s why it’s important to take time to set the permissions for each app on your mobile device.

Malin recommends deleting any apps that you don’t use. For the apps you use frequently, go to the settings and examine the permissions that are enabled. Not all apps need access to your camera, microphone or locations services. Turning off those permissions can help minimize your exposure.  

4. Parents.

Be the first line of defense for your children. Teenagers are notorious for oversharing personal details on the internet. They also download apps and games that include in-app chat features, all of which bad actors can use to compromise your children. Similarly, elder abuse is a growing concern. Take time to help your own parents with their technology use, such as making sure they don’t click on suspicious links.

5. Protect your identity.

Install antivirus software on your devices, whether it’s your laptop, phone or tablet. Also, don't overshare on social media. “By all means, stop telling me where you’re going, when you're leaving and when you're going to be back,” Malin said. “Stop doing social media quizzes. All the answers to all those quizzes are designed for you to offer up your information freely so that the bad guys can use that information, send you an email or a text, and use some really good hooks. Because they know what you're interested in, they know what you're doing and what you're talking about.”

While our devices provide the means for fraudsters to commit their crimes, it’s the human factor that the five P’s address. “You and I with a keyboard and a mouse are probably the weakest link,” Malin said. “We're the most dangerous part of the whole chain of events. Usually, it comes down to a device that’s poorly protected—they're very vulnerable and they're easy for a bad guy to get ahold of.”

Protecting your organization

From an organizational perspective, Matheou said investing in IT solutions such as antivirus software or tools that monitor your systems for suspicious behavior are essential. But the most important tactic is to establish a culture around fraud prevention. That includes leaders holding regular discussions with their employees about fraud, as well as implementing processes and procedures to mitigate your exposure.  

"An email bulletin is not enough,” Matheou said. “You’ve got to get in the room and talk about it. Also, do some war games to work through scenarios on what you would do if a fraudulent event happens and document the outcomes. Set up strong impenetrable procedures. This means reconciliations—do them frequently, maybe every day. If you catch the issue every month, it's probably too late. Also, segregation of duties—that means one person initiating and multiple people approving.”  

In the event that your company has suffered a fraud attack, Botting said the first order of business is to contact your bank immediately. “You have to act quickly,” he said. “This is not one of those situations where we need perfect information. Even if you don't know all the details, reach out and we can leverage our resources to work through this situation with you.”

Botting also said to immediately file a police report and authorize your bank to share internal information about your accounts and activity with the authorities. Depending on the type and severity of the breach, he also recommends a third-party forensic scan of your systems.  

“In some cases, this is the only way you can be certain that you're free from ransomware, that your confidential information is secured, and that you know how the breach occurred and can assure yourself that the same type of breach is not going to happen again,” Botting said. “It's common for fraudsters to return to the scene of the crime. If you leave the door open, they're going to come back and you're going to be exposed once again.”

Fighting cyberfraud is a situation where it’s good to have a healthy level of paranoia. If something doesn't feel right, it probably isn't. Ask questions, alert the right people, and investigate until you’re confident that your systems and your data are secure. As Matheou said, “When an inch of doubt exists in your mind, just pick up the phone and have a conversation with your CFO.”