Let's Go: Fraud Pt. I - Trends and Tips from Fraud Experts

Learn how you can protect, mitigate and resolve the effects of fraud committed against your business, and how these threats continue to evolve.

CHRISTY SAMMONS: Welcome to Let's Go, a podcast production of BB&T Treasury Services. I'm your host Christy Sammons. Let's Go podcasts are designed to help you ask those important questions about where your business is headed and how you'll get there. We'll give you the industry tips, tools, and advice on how to reach your goals. Let's go.

For the past several months, I've had the great privilege to meet and discuss concerns with our clients and BB&T executives. One of those major issues is the ongoing cyber threats that commercial clients face. Our conversation today is with a few of our BB&T experts on the subject, Ben Wallach and Tom Salkeld.

Just a little background on these guys before we begin. Recently joining BB&T, Ben is our Chief Fraud Director. He has extensive fraud management experience at several top financial institutions. He is leading our efforts to establish enterprise fraud management programs designed to prevent, detect, mitigate, and resolve fraud. We're excited to have his expertise at BB&T.

And then with over 18 years of service at BB&T, Tom Salkeld is a Product Manager and Vice President in our Treasury Services division with our fraud protection solutions, which include positive pay, account recon, ACH Positive Pay, ACH and Check Block services. So guys, let's start our conversation.

Tom, Ben, thank you so much for being with me today and talking about our subject of fraud. We've all been around this table in banking for 20 or so years, and fraud has really changed in that time. I know initially, when I joined banking and it was a different organization, I was in international correspondent banking. Wire fraud was really rare. We would have that rare instance where we had that prince from another country saying hey, send me $40 million and I'll give you back all of it. And it was the odd little instance. And it was just unheard of, wire, ACH fraud not happening.

But now it's every single day. Every moment, it seems like, we're hearing of that in the marketplace. We're hearing it from our clients. We're hearing it internally of where we're stopping these things. Talk to me a little bit-- both of you, Tom, Ben, both of you, talk to me about how you've seen that fraud, because this is just my outsider view. Talk to me about where you've seen fraud change and grow over the past couple of years.

TOM SALKELD: Christy, thank you. I'd say, hearing your statement there and thinking about fraud, immediately you may think about what's the most primary form of payments that are out there. And checks are still out there as a primary element for commercial clients to be using. And the fraud is still prevalent with those type of payments.

The good thing is around that there are some controls to help mitigate that, too, and the losses aren't always, on an individual transaction, that large. Managing your check stock, looking at segregation of duties, considering a payee or positive pay solution, that can have a lot of mitigating factors to help reduce check fraud.

But as clients are starting to look at electronic payments, that landscape is changing, and where our fraudsters are looking for vulnerabilities through systems and associates. And we've seen a sharp rise in fraud attempts and business email compromises. And that really is attacking primarily a wire type of transaction. And the attempted loss opportunities really can be much greater in the six- or seven-figure opportunities for fraudsters to pursue.

CHRISTY SAMMONS: Ben, from your perspective, what have you seen in this as far as change in these last couple of years? It does seem like it's really just exponential about-- every day, we're hit with more.

BEN WALLACH: Absolutely. You know, I think the main driver is obviously the capability of the fraudsters. Their capabilities evolve daily, so they're constantly looking for new ways to circumvent existing controls and get around that.

The other two main things that have happened in the industry over the past decade or so is banks have done a couple of things. Banks have implemented a lot of controls. And the tighter controls, from a broad perspective, pushed the fraudsters to a path of least resistance, which is normally the business clients.

The other thing that's happened is banks have introduced a lot of capabilities to make it easier for our clients to bank with us. And the pure definition of easy is implementing things where you don't really have to think. It's not disruptive. It is, in every essence, easy. So those two things coming together make it an opportunity for the fraudsters to really take advantage of our clients.

CHRISTY SAMMONS: So as Tom pointed out, everybody wants to move electronic, but as we move electronic we've certainly opened ourselves up to two more potential risks. So tell me, then, Ben, from your perspective at BB&T, what are we doing? At one hand, in treasury we're saying, hey, let's move you electronic. It's easier, it's faster, makes your business process work better. But at the same time we're trying to mitigate all of that as well. So tell me what are we doing here at BB&T to try to-- without opening the kimono for the bad guys out here who might be listening to our fraud podcast-- what are we doing?

BEN WALLACH: So the most important two things that we do is we are constantly analyzing our products and services to make sure that we roll them out in a secure way. The other thing that we do is we analyze the threat landscape to make sure that we understand the threats that are going to come into play in those products and services once our clients begin to utilize those.

So the intersection of those two things is really where the fraud risk lies. So by analyzing those ahead of time and being prepared for the fraud threats that are going to come, we can help our clients be more prepared. Now the other thing that we've got to do is have more things like this podcast to help educate our clients and create what I called knowledge equity.

So the banks have a lot of knowledge when it comes to fraud. We've gained that over many, many years. Our clients have been insulated to a large degree, and now the fraudsters are really targeting them. So we have to create knowledge equity across the banks and the knowledge we have and span that over to our clients and make sure that they're knowledgeable on the threats that they have, make sure they have the right controls in place.

CHRISTY SAMMONS: Let me follow up on that, because you certainly touched on, you know, not only do we have to educate our clients, we have to be a part of the education to other banks and financial institutions because fraud hits all of us across all these industries.

Yes, we have electronic, but what's the escalation, because it just feels like we're hitting a peak here. And is it just-- do you see anything really behind that from your research, your inside view?

BEN WALLACH: As far as the peak and the manifestation of the BEC, the business email compromise and the malware and things like that? Well, I think the capabilities of the fraudsters make it very easy for them to enter those markets. So it doesn't take a lot of knowledge on their part and it doesn't take a lot of money on their part. So they can very easily go out and acquire malware and deploy that malware. They can very easily hack into someone's email account and create a business email compromise, or mimic their domain and create business email compromise.

So the entry for the fraudsters is very, very easy. The gains are very large. So when you put those two together, obviously the volume is going to go up.

CHRISTY SAMMONS: So Tom, let me point to you. Ben just spoke about BEC, business email compromise. We're certainly seeing that come through in the treasury side of things in more and more of our companies. And you and I have talked recently with a lot of our commercial clients who are being hit by BEC and impostors, fraud attempts. Talk to me about what you see as some red flags as part of that BEC. What should our clients be really looking for, because that seems to be a big way. We're seeing a little bit of malware, but a lot of BEC.

TOM SALKELD: Yeah. Christy, I would say there are a few that come to mind. One is the urgency and timing of the email and the request. They're looking to evoke emotion of this needs to get out immediately and getting you out of your comfort zone. There's no time to wait, maybe disregard your procedure or policy, getting you to think a little differently than a normal wire payment request.

Also, thinking about changes to the payment information, anything that is a change-- so the instructions, the account information, contact information, anything that seems a little bit off that you haven't received before from a vendor or from your management, you need to think about it and question it, as well as what Ben mentioned earlier, the email domains. So looking at who is sending the email.

If you think of a red flag or something seems fishy, check that domain name. Is it exactly who should be sending it? Is there anything that is a little bit off, in terms of fraudsters are very good about adding an additional letter, transposing letters, trying to not have you validate that demand from the email.

And also, we've seen from clients and heard about BEC fraud is what are you publishing on your website? So what information about your leadership is out there, what information about your vendors, who you do business with that fraudsters have access to, understand, and know, and maybe use that as a vulnerability in the future with you.

CHRISTY SAMMONS: Great. So urgency to push that information out quickly, a change in payment instructions, email domain, and then certainly being aware and being careful what you're publishing out in social media on your company website.

Ben, anything, though, deeper? Any kind of less common red flags or trends, maybe new trends that you're seeing in BEC, because those are certainly some that I've heard before. But is there something more?

BEN WALLACH: Yeah, absolutely, Christy. I think, as Tom alluded to, there's really good red flags to look for that are going to help you catch the majority of business email compromise. But the most complex and the hardest to catch are truly when a company's email is hacked. And it's not necessarily the company that's going to be creating the payment instructions. There's a big target on law firms right now because criminals know that law firms are at the center of mergers and acquisitions, and they know that those are big transactions.

And many times there's already an email thread within the attorney's inbox that contains all the relevant information about a deal that's underway. They could have already settled on how much they're willing to purchase a company for and all those things. And so the very last email that could come from a fraudster is we're ready to close the deal, and here's the account you need to wire the money to.

And so in fact, the largest wire I've heard of in the industry was exactly that case, and the email was less than 10 words, and the wire was over $10 million. So those are the toughest. But again, it can be stopped with very simple policies and procedures as long as you've got a policy and procedure in place to make sure that the person creating the wire instructions or ACH instructions take a pause, and they do some form of verification before they send those wire instructions.

CHRISTY SAMMONS: So-- and this may be a question for both of you-- so what are the best practices for that outgoing wire? What should companies really be looking at? So they take a pause, but what do you mean by that? Tom or Ben, either one. I don't know who wants to talk about that.

BEN WALLACH: Tom, you want to take that?

TOM SALKELD: Sure, yeah. Obviously, as Ben said, the procedure and the policy, and what to do when things go right and according to plan is important. But taking the pause-- if you see any red flag, also train and have from a top down management in your finance and treasury area what you should do, who you should contact, what you need to do if you do see a red flag, or a plan B if the right validation or second approver isn't available, or you're not able to contact a vendor.

Have a Plan B, a Plan C if your normal processes aren't working properly, and make sure your staff that are initiating wires feel comfortable in knowing that Plan B and C and delaying a potential payment versus sending it because that's what the normal process is. And making sure that you have conversations and you test on this as well so you would know what to look for, making sure they know how to handle these potential situations, or you show them examples of what these e-mails and how sophisticated they can be.

CHRISTY SAMMONS: And along those lines, though, Ben, I know your area here at BB&T, they're kind of monitoring and making sure and doing a level of verification. They're often contacting our clients and doing that. Talk about, if you will, what you're seeing from that line. Your folks are out there going, hey, did you really mean to send this? What are you seeing, though, changes in that? Are clients changing their behavior? Are fraudsters changing their behavior because we're double checking behind folks.

BEN WALLACH: Absolutely. Absolutely. You know, I think as we implement more controls, as new threats come out, the fraudsters obviously adapt their tactics. So we obviously monitor the wires that are going out. And there are some key indicators that we can key in on and pause those wires and make a call out to the client and see if there's anything suspicious there.

So many times, we do that on business email compromise. But the large majority of those, when we get in touch with the client, the client tells us those are legitimate only to call back several days later and let us know that they were fraudulent. And several of those lately, we've asked the clients, have you taken our training, did you implement procedures? And the answers were yes.

So we are getting the word out there. But once people go back to the office and actually implement policy and procedures, something's fallen short. So we've got to make sure that we're helping clients to implement those correctly. The other things that can happen-- if we are suspicious of a wire, we are trying to get in touch with the client, or even if the client's trying to get in touch with us-- if the fraudsters believe that they have a large opportunity, then they will deploy other tactics like a TDoS attack.

CHRISTY SAMMONS: TDoS. What is TDoS? That's totally new to me.

BEN WALLACH: So a TDoS attack is telephony denial of service.

CHRISTY SAMMONS: Easy to say.

BEN WALLACH: Yes. Simply put, it is where the fraudsters will, through a hired service, make enough phone calls into that company's phone number to basically bring their phone system to its knees. So no incoming calls are going to come in, no outgoing calls are going to go out.

CHRISTY SAMMONS: So nobody can verify anything.

BEN WALLACH: Exactly. Exactly. So that goes back to what Tom alluded to earlier, where the email is going to create a sense of urgency. That person that's supposed to be entering the wire instructions are going to know that they're under the gun from a time perspective, and now their phone system's down.

So you have to take your policies and procedures to the next level and say if the phones are down, then you should be even more suspicious, and you should pick up your cell phone or walk down the hall to the CEO, CFO, someone that's accountable for the wire activity, and make sure that you double check before that wire goes out.

CHRISTY SAMMONS: Yeah. And I hear both of you saying, you've got to be communicating within the office, and you've got to verify, verify it on the phone with your person, the person you know, whether it's internal or even external. So you're talking to that vendor, you need to pay, verify you changed your payment instructions to x, y, and z.

But talk about more that importance. How do we really make that happen? We've talked about we've got education programs for our clients. How do you see best practices? How do people go into their company and go, OK, we've got a fraud program, crowd control program in place. How do they actually implement that, make that happen, other than oh, we did our check the box fraud training for the year? How do you instill this sense in folks?

BEN WALLACH: It's easy to say, right? It's easy to say, go put this on paper and have your associates perform that properly. It's a whole other thing to deploy that. So if it was my company and I was the CEO, what I would do is not only deploy the right policy procedures, but go sit down with my associates, go through that, and tell them not only is it OK for you to challenge even me if I send you a wire instruction, but I expect you to.

So it's not just putting it in black and white, but it's making it OK because even when you're looking at those instructions, you're going my CEO or my CFO or someone in power and authority just told me to do something, and now I'm going to challenge them. Even though it says it on paper, it feels a little bit different to do it in action, right? So you've got to not only put it on paper, you've got to make it OK to follow that paper.

CHRISTY SAMMONS: That's really good. I think so many of us would get in our daily task and head down, I got instructions coming across the board. You're not going to pause, much less raise an issue or have a kerfuffle somewhere with somebody. It just is not in our nature, often, to do that. So I think that's a really good suggestion or insistence that we've got to set it up where this open communication is the only real way to really put a pause and control on that.

BEN WALLACH: And we have to instill in those associates to be aware and be agile and nimble and not just depend on the written word in our policy and procedures, but be prepared for change because the next thing the fraudsters are going to do is in that email, they're going to say, I know this is against our policies and procedures, but I'm out of the country on a trip. I'm not accessible via my cell phone. So I'm giving you permission to have an exception from the policy and procedure this time to initiate this wire.

CHRISTY SAMMONS: Right. So back to Tom's earlier comment, they're creating urgency. They're creating an instance where it's out of the normal practice, and so they know what we're doing and what our norms are. Hard to believe that, you know, they know how we operate.

BEN WALLACH: Absolutely.

CHRISTY SAMMONS: So anything else, Tom, Ben, as far as best practices? So something that companies should be keeping their staff aware of? Any other outside resources? We have a whole site. We do educational training. But any other resources, any other spaces that are there for them so they can keep on top of training kind of consistently?

TOM SALKELD: Obviously, Christy, as we mentioned earlier, we're going to continue from a BB&T perspective give this information out to our clients and educate and have awareness. But obviously there are a lot of industry resources that are available that do surveys and trends and see what's going on from a fraud landscape. But also, what we want to make sure of awareness, too, as well, the FBI has a website. Obviously, if there is a BEC type of attack or cyber attack, too, they put out publications on the latest statistics, as well as making sure if you had a loss or attempted loss, to record that with the FBI website, which is ic3.gov.

CHRISTY SAMMONS: And then Ben, any new technologies that are out there for our clients? Is there something-- obviously we're not in the position to advocate for one company. But is there anything out there that our clients should be looking into, thinking about more holistically, that can help protect them other than following their policies and procedures? But is there anything else that can just kind of be there as a control or safety?

BEN WALLACH: I think the most commonly used phrase in the fraud industry is there is no silver bullet. And so there are technologies out there. It's important to understand that we need our clients to have exactly what we have, which is a layered defense. We have layers of controls to defend against these things. And that's what clients need to have. So policies and procedures, education and training, those kind of things.

There are technologies out there like DMARC, which is D-M-A-R-C, and it's Domain-based Message Authentication, Reporting and Conformance. So what that does, very simply put, is it helps to catch some of the business email compromise type of activities that might otherwise go unnoticed. And it does that by connecting where those e-mails are coming from and where they're going. And it does some of that behind the scenes. It is a very, very complex process to implement, but there are third parties out there that can help with that. But that's another layer of control that can be added into a company's layered defense approach.

CHRISTY SAMMONS: And Tom, from your perspective, anything on new technologies from a product standpoint?

TOM SALKELD: I wouldn't say from a product standpoint. I'd say from a just best piece of advice, from a procedural standpoint, maybe, to consider developing that process and procedure with your executive CEO as validation, but developing good vendor relationships and trading partner relationships so they know, any time there is a change in the process or instructions, what is your normal process, how are you validating it.

But also to understand what they're doing because we have seen clients, while you might not be attacked or have a BEC attack, your vendor partner might be, and be making an imposter of you as a client. And that just delays the nuisance and of you getting a payment. Or maybe you would not be able to receive a payment from one of your vendors that you're expecting that could have impact to you as an organization as well.

So just making sure how prevalent is out there. You may be protecting all of your data, but all of your vendors pursuing that same level of security from their IT areas and their finance and treasury areas, and what protections are they putting in place as well, and having that kind of level setting understanding of payment initiation.

CHRISTY SAMMONS: I think that's a really good point because you talk about not only are you doing it, but are your vendors doing it? And to your point earlier, Ben, we're seeing vendors hacked. And that's where the BEC, the fraud, the business email compromise is coming in, and they're hacking in from the vendor to the site. And so not only controlling your own, but really starting that dialogue with your vendors and talking it through them, and knowing who they are verifying. That's great, great advice.

CHRISTY SAMMONS: So Ben, let me ask you any last piece of advice that you would want to share with our commercial clients in the treasury, finance, and info security space as they think about fraud prevention?

BEN WALLACH: Well, I think the biggest thing is knowledge. Knowledge is power. But the power from that can only be harnessed if we take action. So the biggest thing for everyone that listens to this is to take action. There are some opportunities in their company, and they really need to take action on those. Even if it's as simple as asking more questions and learning more, that's a good first step.

But just take action. Don't just take this, and think, OK, we're already doing this. We're good. Take it back. Look at the controls that are in place. Test those controls against what you're seeing, what you've learned. And if nothing else, ask your banker questions. Go to our website. Just gain more knowledge, and then put that knowledge in action.

CHRISTY SAMMONS: Good advice. And thank you both for the advice and the information today. Really appreciate it. And hopefully it will help our clients and help them control their fraud a little bit more and keep it a little under wraps. So thank you so much. Appreciate it.

BEN WALLACH: Absolutely. Happy to do it.

TOM SALKELD: Thank you.

CHRISTY SAMMONS: Thank you to our listeners for joining the conversation today, and a big thank you to Ben and Tom for all their advice and insight. And here are your Let's Go takeaways.

Fraud is not going away. We can't eliminate it entirely, as the fraudsters are ever-evolving, so it is so important for all of us to create strong controls around our [AUDIO OUT] review and verify that payments are secure and valid.

If you'd like to sit down with us at BB&T and review the ways that your organization can make improvements, reach out to me or your BB&T relationship manager or BB&T treasury consultant. We'd be happy to help you review your systems and look for ways to help you improve your fraud controls.

The information provided should not be considered as tax or legal advice. Please consult with your tax advisor and/or attorney regarding your individual circumstances.

Only deposit products are FDIC insured.

Branch Banking and Trust Company, Member FDIC.