Scott Southall, Regional Head of Innovation, Asia Pacific, Citi
The cost of cybercrime is projected to exceed $6 trillion globally by 2021, and COVID-19 has only accelerated the threat of cyber-attacks on corporates worldwide.
Even before the pandemic hit, cyberattacks had become more frequent and sophisticated. As recently as June in Australia we saw a notable example when a significant state-based actor attacked local organisations and government across a wide range of industries. This growing threat, coupled with increasing transaction volumes as a result of digitisation and the rapid growth of instant payments, has forced corporates to be more vigilant than ever, particularly when it comes to protecting their payments.
Working in Citi’s Treasury and Trade Solutions business, which provides integrated cash management and trade finance services to multinational corporations, moving around $4 trillion in payments across 120 countries, we are particularly conscious of this problem and of helping our clients navigate this growing threat.
There are a number of ways businesses are more exposed today than ever before. For example, over the last few years, we’ve witnessed digitisation and automation enable faster, real-time payments anywhere in the world. Cyber criminals similarly have evolved in sophistication, from activities such as cheque fraud to advanced techniques like social engineering, malware and phishing.
Safeguarding the funds in payments is only half the battle. Often, the information within a transaction, including personal details like birth date or home address, is just as attractive to cybercriminals as the money itself. Data can often be the key to perpetrating larger-scale fraud and financial crime.
Additionally, the rapid transition to a virtual workforce to assist with social distancing this year has lessened some of the traditional checks and balances that take place in a physical workplace. This can be as simple as asking a colleague to look over your shoulder to check if something looks right. In this way, the pandemic has illustrated the importance of ensuring our working practices are compatible with continuity of business plans.
One way corporates can defend against this cyber threat is through leveraging technology. Citi is bolstering our risk management using the latest in AI and biometric authentication technology to tackle complex cyber-attacks on payments.
Launched across 90 markets thus far, Citi’s AI solution, branded Citi Payments Outlier Detection (CPOD), utilises machine learning, biometric authentication and data analytics to detect suspicious payments. An outlier payment could be anything outside a client’s regular activity – such as a large payment where the vendor just changed their bank details, or a payment on an unusual day. The solution flags the irregularity and gives clients the opportunity to approve or reject such payments.
The solution is ideal for detecting complex fraud like executive impersonation (such as of a CEO or CFO), which is often a combination of cyber and social engineering. Cyber criminals typically use LinkedIn or similar tools to build a profile of a company from the CEO/CFO right down to an Accounts Payable Manager or equivalent. They will then send a fraudulent email mimicking an internal email message where they purport to be the CEO or CFO, with a directive to make an urgent payment to a new supplier with fictitious supplier bank details included.
We see this occur often when an executive is out of the office and isn’t as accessible to employees to double-check their instructions (we always recommend out-of-office should be set to internal only). Robust controls are often abandoned in an attempt to meet the request from the senior executive and the fraudulent disbursement is made. In this instance, Citi’s AI technology could be set to flag payments to a new supplier and/or above a certain amount to give clients the option to review before they release the funds. With the speed of today’s clearing systems, the money is unlikely to come back.
Whilst we’re in the early stages of adopting AI, in examples such as this, CPOD has already proved successful in eliminating human error and spotting patterns in payments that seem irregular.
However, technology is only one part of the solution. Other risk management tactics start with people. We work with clients to help them communicate with and educate employees about what to do when something comes up that doesn’t seem right. A simple tip we often share with our clients is to simply pause. If something doesn’t add up, or you receive an unusually urgent call, take a moment to pause and check with a colleague before executing.
It seems unlikely that the threat of cybercrime will diminish, and as a result the onus lies with corporates to ensure they have adequate defensive tools in place to protect their data and customers.