Confronting the challenges of third-party fraud
Martin Naraschewski, general manager, global head of line of business finance at SAP, discusses the types of third-party fraud companies are now facing and ways that finance departments can mitigate the risk.
What you’ll learn from this episode:
- How technology is enabling an increase in third-party fraud.
- Where companies tend to be most vulnerable to fraud.
- Ways companies can instil vigilance against phishing and other scams.
- The role that finance departments play in protecting against fraud.
Play the episode below or read the transcript at the bottom of the page:
To comment on this podcast or to suggest an idea for another podcast, contact Drew Adamek, an FM magazine senior editor, at Andrew.firstname.lastname@example.org.
Hello: I'm Drew Adamek, a senior editor with FM magazine, and you’re listening to the Financial Management podcast. Today I’m speaking with Martin Naraschewski global head of line of business finance at SAP, and today we'll be talking about the kinds of third-party frauds now threatening companies, how to identify internal weaknesses, and how companies can train employees to help prevent third-party fraud.
Drew Adamek: Martin, thank you so much for joining us.
Martin Naraschewski: Thank you for myself as well.
Drew Adamek: Will you start by talking about what third-party fraud is and how pervasive it is?
Martin Naraschewski: Third-party fraud comes in different angles. It comes from potential customers, it can come from customers, from suppliers, from business partners, from employees, which is an important part, and in particular from third parties who are pretending to be any of these groups. The real amount of fraud that is happening, this is a pretty well-kept secret. Nobody knows just really because as you understand, nobody likes to talk about these events, but clearly things are happening, and we see a clear shift towards fraud that is induced from the outside, via digital media like emails, for example. Phishing is a keyword, or the fake emails that pretend to be one of these groups, that then try to induce an employee to do a wrong transaction or do something wrong on the belief that a certain influence or certain email was coming from an executive or supplier.
Drew Adamek: And what are the types of fraud or risky transactions that financial teams are susceptible to?
Martin Naraschewski: At the end of the day, what everybody is concerned about is money leaving the company to sources or to bank accounts where it should not go. The mechanisms of how this is happening are different, depending on where it's coming from. It can be from people who make believe they are supplier pretending that the bank account information of a certain supplier has changed so that the next payment, which is a new payment and a correct payment, is going to the wrong bank account. It can be people pretending they are high-ranking executives ordering an accountant to transfer money to an account in the context of a confidential affair, and their employees believing this and making the transfer. It can be customers who are finding ways to not pay for goods and orders. It can also be employees who create their own company and subcontract with their own companies, and direct business from the company towards their own pockets. The events which I mentioned that involve social engineering from the outside and influence an employee from the outside are becoming more prominent recently.
Drew Adamek: And what are the factors that contribute to that increase in outside influences acting fraudulently with companies?
Martin Naraschewski: Yeah, I mean there is a certain ecosystem, of hackers who already for a long time have tried to, let’s say, influence or break into company systems. What has played an important role is the availability of information through social media and other means, where you can basically create a fake email that has all the right ingredients, to look like an insider is really talking. Because you can get so much information on the web about a person you have really the ability to pretend that it’s realistic. These people are getting smarter and smarter about how to do it, and so companies need to get smarter and smarter about how to counteract against it.
Drew Adamek: And what are the most susceptible parts of a financial management system to fraud? Is it purchasing? Is it accounts receivable? Is it in the supply chain?
Martin Naraschewski: It is typically on the finance side, the treasury function, plus the procure-to-pay process plus the travel and expenses process, because those are, in the end, the processes where money is actually being paid out
Drew Adamek: And what's the risk to companies of not keeping financial data safe?
Martin Naraschewski: We have seen a number of significant data breaches where data has been published, not necessarily financial data but exposure of data to the outside world. It can also be confidential data. Competitors steal information, for example, bid offers and so on. And so these things have also happened and often, and cybercrime has played a role in phishing emails. Emails that had not been properly secured, that may have been intercepted by others. The theft of data can be a reputation problem, or it can deliver important information to competitors.
I would say the fraud topic that we talked before earlier, where money is leaving the company rather than data is leaving the company, has probably a little bit higher concern level and it’s happening more often. The few things which have happened on the data side simply have become very prominent and become a very big trust problem for the company in view of their customers.
Drew Adamek: I want to go back to something that you mentioned earlier about employees being manipulated. Where are the real weaknesses in the system? Is it with humans, or is it with technology?
Martin Naraschewski: The safeguarding of technology has reached a fairly high limit, now that basically most of the things [threats] have become known in the market. In the end, they’re manipulating people by using electronic means like fake emails to get passwords into a system. Most of the publicised incidents somehow involved employees of the company, in most cases involuntarily, people pushing the wrong button.
Drew Adamek: On the other side of that, how can data and technology help detect and protect businesses from financial fraud?
Martin Naraschewski: Clearly it can, and a “several lines of defence” approach is necessary. First, of course, the obvious is to make sure that the right people have access to the right screens on the system that can trigger transactions or payments. Make sure that nobody can do this without being, for example, in treasury. That is something that has been established already for a while, but that’s, of course, still necessary. The next thing is that internal controls are safeguarding that people who have access to the system are only using it in certain ways. For example, imposing a “for-eyes” principle. Then, of course, other things like virus firewall to avoid intrusion through viruses. For example, password information permanently needs to be updated. If we cannot upgrade people as much as we can upgrade technology, people will open these viruses. If enough money is invested, time is invested, and smartness is invested, people may get over this barrier. That's why the next focus and the next line of defence is now really to have monitoring systems in place that are at least detecting as soon as possible if something has gone wrong. So the thinking is, even if we can’t prevent an intrusion, we can detect it early and then react faster before a lot of damage has happened.
Think about the downloading of data. With today’s high-performance computer applications and computer systems, it is possible to monitor, in real time, behaviour of people in the system, and find patterns that are unusual. Such a pattern could be, for example, a massive data download of a person who normally is not doing this. And with the use of artificial intelligence, the algorithms get smarter and smarter in order to find these unusual patterns, and so the hope is, to find somebody who’s starting to download massive amounts of data at an unusual point in time, from an unusual place, for example, to still stop this where only a small amount of data has left the company or where you can still work with your bank to stop a bank payment that has been triggered. So there’s real-time monitoring of what real people are doing in a system. Transaction staff are now the next line of defence. That is being rolled out in more companies. We see that as a significant front in the fight against fraud.
Drew Adamek: Even with the advent of new real-time monitoring technology it still comes back to people. How do you recommend companies train their people to help prevent third-party fraud?
Martin Naraschewski: The training of people is the means to “upskill” the human barrier here. It’s so important, creating a culture of resilience in a company where people are aware of these things, to think twice before opening certain emails, informing them about patterns that are emerging. It’s like you’re updating them with new information about new viruses. You need to update your people about attempts that you’re seeing, with constant training, with constant information. This is a very important matter, and it’s not just IT which is protecting. You also need to get the human factor addressed.
Drew Adamek: Outside of financial damage from third-party fraud, will you talk about some of the reputational risk some of the other kinds of damage that third-party fraud can inflict?
Martin Naraschewski: So clearly the reputational damage is probably the largest versus the immediate monetary damage, but when it’s coming to data that are being stolen, there can be also a competitive advantage that's being lost. It can be information that can be extremely valuable in a competitive and bidding process, Clearly there’s a lot of information that can be valuable for competitors outside of finance, plans of products, but that’s a different corner on the finance side. The reputational damage is probably the biggest [risk]: Are you really a business partner you want to interact with if they don’t have control over their data? This is too big, either thinking that in your customers, in your business partners, and that’s a significant damage.
Drew Adamek: Speaking of control of data, how will the new GPDR data access controls impact fraud?
Martin Naraschewski: I mean generally, I think they’re another reason to upgrade systems and to store data in a safer way. It’s probably an indirect impact in a sense of just more awareness that you need to create with employees about data protection, system protection, which then also is helping on the fraud front. Otherwise that's not 100% immediate link. It’s more this indirect consequence of “upskilling”.
Drew Adamek: Who’s responsible for managing third-party data and being aware of third-party fraud in the C suite?
Martin Naraschewski: This is a very important and interesting question. It’s like the “for-eyes” principle, and monitoring of the use of the system, plus virus common sense, plus enablement of the people, and in a nutshell, there are different activities involved. And one of the problems we’ve seen today is that all too often is different executives are responsible for the individual steps here. The training can be a natural thing. The access governance is typically the responsibility of a CIO, the monitoring of system belongs to chief information security officer or maybe an audit officer. So there are a lot of people today involved in while what’s needed is really an end-to-end approach. And this is why we’re seeing that cybersecurity has become a security overload. I would say really became a top concern of the CFO and treasurers in the last 12 to18 months because now the understanding is emerging that this is an internal business responsibility. Before, it was yours if you were treasurer and it was your employees reporting to you who pushed the wrong button, and therefore as a manager, you’re responsible, in addition to the fact that you’re responsible for the money in your treasury. Now there’s a growing awareness that on the business side that they need to step up to take this responsibility, while on the other hand, a treasury will not run an access governance system or a threat monitoring system. These are highly technical systems which are still being operated by technical functions like a CIO or chief information security officer. I think is a lot of room for improvement in a lot of companies. We see now the recognition from more of our customers on the finance side that they need to step up and talk to their IT counterparts to get this addressed.
Drew Adamek: For students or new entrants into the finance profession, what advice would you give them about preparing for this kind of insecure, or ultra-secure, world of finance that they're entering?
Martin Naraschewski: I would say if you’re really new in that space and you’re coming from a finance space, this is probably not your first concern. There are others who take care of this. Of course you need to get involved, but it’s more the experienced people who need to define the right controls and so on. But it is, let’s say, an internal policy, and you need to learn how to deal with this. Initially you will concentrate on doing the job the right way. Otherwise, I think it’s a matter for all of us. Phishing is a problem everywhere.
In your personal life, you want to protect your personal email account, your personal Instagram account, whatever. And so, in particular, younger people are probably more aware already because they may be more technology savvy about the core intrusion path and may also, have an advantage already just from their personal life.
Drew Adamek: In today's climate, what does finance need in its approach to security?
Martin Naraschewski: In the end, if you have all these different lines of defence that are organised for different people in the company, this interplay needs to work seamlessly end-to-end, and the only person who really knows how to do this end-to-end is the business owner. If you want to protect the finance system, finances, the business owner, and it’s up to everyone to work with these technical support functions, to really address end-to-end function.
Drew Adamek: Martin, thank you so much for joining us.
Martin Naraschewski: Thanks a lot. It’s a very interesting, up-to-date topic.
Drew Adamek: Once again, you've been listening to the Financial Management podcast. I’m Drew Adamek, senior editor with FM magazine, and I’ve been speaking with Martin Naraschewski, global head of line of business finance at SAP. If you’d like to know more about this podcast topic or suggest another one, please email me at Andrew.Adamek@aicpa-cima.com.
Thank you for listening. This podcast is designed to provide illustrative information with respect to the subject matter covered and does not represent an official opinion or position of the AICPA or AICPA.org. It is provided with the understanding that the AICPA and the AICPA.org are not engaged in offering legal, accounting or other professional service. If such advice or expert assistance is required, the services of a competent professional person should be sought. The AICPA and the AICPA.org make no representations, warranties or guarantees as to and assume no responsibility for the content or application of the material contained here. In and especially disclaim all liability for any damages arising out of the use of reference to, or reliance on such material.