Talk about cautious optimism. Spoiler alert: This year’s Strategic Treasurer Fraud and Controls survey has plenty of it, from its top-level findings right down to some of its finer points. For example, 78% of respondents have seen increased threat levels over the past year, tempered by 53% who believe they’re in a better position to stop it. 

With its official release set for April 4, we’re releasing some of the data from the report beforehand to provide a sneak peek at some of the fascinating information you’ll be receiving. The survey is a telling snapshot of the state of fraud in an era that continues to see increasing sophistication from criminals who exploit new vulnerabilities like hybrid work arrangements. And as we did last year, we asked Bottomline’s head of go-to-market strategy and operations, Nick Griffin, to field our Q&A on some of the key findings from the report.

 

Q: Nick, most companies believe they are in a better position concerning fraud compared to the past year. Only a handful felt they were in a worse place. In your experience, since last year’s report, is there a sense that some of the solutions developed to mitigate fraud are working? Or is this optimism unwarranted? 

Griffin: I think optimism is a fair sentiment. There's been a clear drive to increase investment to mitigate fraud. We’ve seen more conversation around this at the proper levels over the past couple of years. I think for me, it's going to be about how we avoid complacency moving forward. We might feel safe today. But fraudsters aren't going to rest on their laurels. So as companies try to combat these criminals, they should constantly reassess their defenses, ensure these discussions stay prevalent and allocate a budget to support the efforts. And the best hedge against complacency is studies like this that keep the risk factors front and center. 

 

Q: Many companies indicated that the reliance on remote work increases the company’s risk to different types of fraud. Over a third of respondents noted three fraud types to varying degrees: Data Theft; Business Email Compromise (BEC); and External Fraud. Tying BEC to hybrid work seems like a new development. Does this surprise you? And second, how have you seen insider fraud evolve since this report was published last April? 

Griffin: It didn't surprise me. The connection to hybrid work makes sense when you think about it. It's a lot easier to believe that that email came from the CEO requesting the funds transfer when you're working remotely versus down the hall from them. BEC is always at the top of our list of fraud concerns. As for insider fraud, nobody wants to admit when insider fraud occurs, and much of it tends to be handled in-house unless it’s part of a major news story. We’re seeing a shift toward more interest in insider fraud solutions, and what will be interesting is to see next year’s data. Will another year of hybrid work mean more insider fraud? Will economic pressure be a factor? Pressure is a big part of the fraud triangle, and the current macroeconomic conditions are a pressure cooker. 

 

Q: Spending on security and fraud controls continues to be strong in 2023. So, two questions here: Is increased spending by itself enough to mitigate fraud? And if you were controlling a bank’s security budget, what would you prioritize? 

Griffin: I think it's a positive trend. It aligns with what we're seeing as far as increased budgets and overall spend. But it's hard to pick a number and say, ‘it's enough.’ I associate that reported uptick in spending with fraud prevention technology and implementing new or different controls within the organization. But we know that the weak link will always be the human being at the end. So, are you doing enough to train them to keep their awareness up on what's going on? Are you staying ahead of that curve? We see a lot of companies do a good job of training and educating their people. And as far as where to focus spend, there are variables. What stage are you at in building out your own payment security ecosystem? What size is your organization and where is your growth coming from? These things matter. If I think back to the last question about a higher interest in insider fraud, I believe that will be the next evolution of spending.

 

Q: Like last year, many respondents consider moving to faster payment methods a potential risk. Is this still a legitimate concern? Why or why not? 

Griffin: I think it's legitimate. I would caveat that by saying it’s more of a legitimate concern in North America versus other geographies in my view. Other geographies have dealt with real-time and near real-time for a lot longer. Those systems have been part of the fraud prevention ecosystem for a longer period. We need to remember that true real-time payment rails in the US (and we’re not talking same-day ACH here) are still relatively new. It's certainly on the uptick. But anytime we bring in new dimensions it represents a new threat vector, needs a new set of protections and requires a different risk calculation. And you need to balance fraud prevention against the value customers get from the service. You can't hold things up when customers expect the value of an immediate payment and settlement.

 

Q: This year, the survey included a ‘wish list’ from banks. It had four items under the heading of ‘banks wish their customers would…’ Options included using payment control services, implementing dual controls/MFA, reconciling their accounts quickly, and regular security training and testing. Does anything on this list surprise you? 

Griffin: I am a little surprised at the banks’ reaction, mainly because they have a level of control as far as pushing for adoption of or enabling some of these tactics. I think about my personal credit card – I have the option to add MFA when I log in, but I don’t have to use it. Do you make that a mandatory thing for your business customers? Do you add a threshold where it becomes mandated? On the other hand, I completely understand why banks want this, because a payments ecosystem is only as strong as its weakest member. So, from a bank's perspective, your weakest customer is your vulnerability. It makes sense then that the more you can push them to do these things, the better off you are.