Combating Payment Fraud in a Digital Age

Today, all aspects of commerce and society are digitising rapidly. In this age of digital-first commerce, corporate treasurers have a pivotal role to play as the gatekeepers of their company’s finances. As systems and processes become increasingly automated, treasurers must be vigilant against current and emerging cyber threats.

While cybersecurity has traditionally been the domain of IT teams, the increasing operational and financial impact of cybercrime has made it treasury’s responsibility too. To illustrate this, HSBC research estimates the cost of cybercrime will be USD 10.5 trillion by 2025.¹

This article highlights key risks that treasurers need to be aware of, and best practices on prevention. It is not a comprehensive guide for all matters on cybersecurity.

Types of threats

There are generally four major categories of motivation behind cybercrime:

  • Financial - "For the Money": where the goal is to generate revenue.
  • Espionage - "For the Intelligence": where the goal is to steal information of economic or political value.
  • Hacktivism - "For the Cause": where the goal is to increase awareness for a cause or issue.
  • Sabotage - "For the Impact": where the goal is to disrupt organisations or manipulate victims.

For now, we will be focusing on financial motivations.

Fraudsters use a combination of social engineering tactics² (e.g. phishing, vishing, smishing and business email compromise) to impersonate customers, bank employees or even senior executives. With the rise of AI and deepfake technology, the threats have only increased.

For example, in 2024, a clerk at the Hong Kong branch of a multinational company was tricked into making payments worth HKD200M after joining a conference call in which the other participants were AI-generated deepfakes of his colleagues.

Social Engineering Warning Signs

Fraudsters may use one or more of the following tactics. These are continuously evolving, which makes close collaboration with IT important for awareness:

  1. You receive a call from an unknown number or a redirect from the operator.
  2. Overtly friendly or intimidating people claiming that something is very urgent or important to pressure you into action.
  3. Unusual requests that require you to make exceptions to established procedures.
  4. You receive an email that appears to be from a colleague, but the recipient’s email changes to an external address when replying.
  5. An unexpected text is sent to your mobile phone claiming to be from your bank asking you to click a link to take an urgent action.
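As an added illustration of warning signs 2 and 4 above (example code, not part of the original article), the following Python check parses an email's headers and flags a Reply-To address whose domain differs from the sender's, any sender or reply address outside the company's own domains, and pressure language in the subject or body. The internal domain list and the sample message are constructed for this example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed for this example: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example-corp.com"}
URGENCY_PHRASES = ("urgent", "immediately", "today", "cannot take calls", "do not call")

# Constructed sample: appears to come from a colleague, but a reply would go to an
# external lookalike domain (sign 4) and the wording pressures the reader (sign 2).
SAMPLE_MESSAGE = """\
From: "Jane Chan (Treasury)" <jane.chan@example-corp.com>
Reply-To: "Jane Chan (Treasury)" <jane.chan@example-c0rp.com>
To: payments@example-corp.com
Subject: URGENT: settle supplier invoice today
Content-Type: text/plain

Please action this immediately, I am in a meeting and cannot take calls.
"""

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw: str) -> list[str]:
    """Return the warning signs found in one RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # Sign 4: the address a reply would go to is not the address the mail claims to be from.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"reply-to domain {domain_of(reply_addr)!r} differs from "
                        f"from domain {domain_of(from_addr)!r}")
    # Any sender or reply address that sits outside the company's own domains.
    for label, addr in (("From", from_addr), ("Reply-To", reply_addr)):
        if addr and domain_of(addr) not in INTERNAL_DOMAINS:
            findings.append(f"{label} address is external: {addr}")
    # Sign 2: urgency or pressure language in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE_MESSAGE):
        print("WARNING:", finding)
```

A message that raises any of these findings should be verified with the colleague through a separately known channel before any payment is made.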

More information on social engineering tactics can be found here.

Additionally, suspicious emails and SMSes often contain malware, which is malicious software that can steal information, damage data, hijack website visits or spy on Internet activity. There were more than 6 billion malware attacks in 2023³, which can have serious potential impact. Recently, while a treasurer of a large Asian multinational was accessing their HSBCnet accounts, our security protocols identified malware that was attempting to force them to make payments. We were able to quickly intervene, saving the company a potential >USD500,000 loss.

Keeping Your Business Safe

Minimising cybercrime requires a multilayered approach that involves Culture, People, Processes and Technology:

Culture:

  1. Make cybersecurity a board-level priority. The board should set the tone, and factor cybersecurity into business/strategic decisions. A sense of vigilance should be fostered, and periodic training or other programmes provided to raise awareness.

People:

  1. Be on guard for unusual payment requests. If in doubt, don’t make the payment.
  2. Be careful when keying in passwords in public areas.
  3. Never click on links or open attachments in text messages or emails, unless you are sure they are safe.
  4. Avoid questionable websites, and prevent use of free software/apps, MS Office macros or USB sticks from unverified sources.

Process:

  1. Strong password protection guidelines – change passwords frequently, and prevent password sharing.
  2. Have a policy on reporting and responding to suspected cases.
  3. Ensure anti-virus software is frequently updated on all machines, servers etc.

Technology:

  1. Application whitelisting – allow only approved software to run, so that users cannot install or launch unauthorised software.
  2. Use Multi-Factor Authentication and independent passwords across business logins.
  3. Mandate that staff keep PCs, mobile devices and associated hardware constantly up to date with the latest security patches.

In addition to the steps above, one of our clients, a service provider, has mentioned that they also run real-time simulated cybersecurity exercises, similar to fire drills. Through these, they evaluate their teams’ ability to follow protocols and processes, and the comfort level of key appointment holders in their roles. The exercise is then reviewed and enhanced to ensure it remains fit for purpose.

To conclude, fraud can happen to any type of business in many different ways. Combating cybercrime requires an agile, cross-functional strategy. There are additional steps treasurers can take to protect against fraud and cybercrime.

Please see https://www.hsbcnet.com/online-security to find out more.

Need help?

For more information, please contact your HSBC representative.