Corporate treasury teams have been targeted by a rising number of cyber-attacks over the past two years, with fraudsters employing methods such as CEO fraud, lookalike domains, phishing, spoofing, malware and, increasingly, ransomware. What role can treasurers play in the fight against cybercrime and fraud?
To answer this question, EACT in Action give the speech to Dr. Gerd Berghold and Werner Strecker of Deutsche Bahn AG, to share how the company has structured its technical set-up and how fraud prevention is managed within the treasury function – as well as metrics to improve fraud monitoring and screening. To watch the event in replay, go here.
The speakers:
- Caroline Stockmann, FCA DChA CertT AwardCMF – Deputy Chair, EACT & Chief Executive, ACT (Moderator)
- Werner Strecker, Head of Payment Systems and Electronic Banking, Deutsche Bahn
- Dr Gerd Berghold, Head of Treasury Operations and Digital Treasury, Deutsche Bahn
Once victim of a fraud, Werner Strecker looks back at how the cyber-attack on the Deutsche Bahn group was carried out, and explains how the group reacted.
What are the facts?
SSC Deutsche Bahn wanted to initiate transfers for a subsidiary in France to a vendor in United Kingdom. Four payments have been executed between March 23rd and April 8th, 2021, and the amount was approximately €625.000. On April 26th – on a Friday afternoon – the company SSC Deutsche Bahn received a call from the supplier telling them that he didn’t receive any payment for his bill. After contacting the Group Treasury, SSC quickly understood that they were victim of a fraud attack.
Deutsche Bahn directly locked the amount on fraudulent recipient’s bank account, but it was too late. The money was already split up across several countries in one day… On April 29th, a recall order was made to bank who initiated the payments.
As the group reacted very quickly to engage a recall order, the company was able to recall two of the payments, which means that a loss of €300.000 was avoided.
Deutsche Bahn Group organisation at risk?
Deutsche Bahn Group is a leading supplier on mobility and logistic services with a clear focus on rail transport in Germany. DB Group largely consists of the integrated rail system and the two major international investment : Deutsche Bahn Schenker and Deutsche Bahn Arriva.
The Group works with various banking groups entities all over the world. Its IT and Global organisation is well structured. The group uses one Global Treasury software, one Treasury Management System and one Banking Platform.
But Deutsche Bahn is facing a challenge with its bank portfolio. Before the integration of SSC, payment were done via different tools. Then, three SSC Global Accounting teams were set up in Berlin, Bucarest and Manila.
Cyber and Fraud Protection devices set at Deutsche Bahn
As all group processes are today online, based on the internet, a huge set up of technical organisation has been made.
“Couple years ago, you went directly to your bank to perform a payment. Now, dealing with internet is common, and a challenge.” – Werner Strecker
Chief Information Officer is an important part of the system organisation. This department has to explain how to use new internet technologies in a safety way.
In oder to prevent and detect fraud risks, some protection concepts were adopted by the group to secure their “Cyber Space”:
- ICT/technical, protection against malware
- Vendor onboarding with strict policies and procedures
- Group wide communication of “Red Flags” and mandatory fraud prevention trainings of the staff involved in payment transactions since 2015 (upon implementation of SSC)
- Continuous improvement of processes withinSSCs and DB Groups companies
- Inform and raise / Increase awareness of the employees (awareness plateforme, sending out suspicious email)
- Ad-hoc security warning from CISO
- Training based on KRISTIS standards (German Federal Law on protection of critical infrastructures)
- Use of “new” technologies in DB group “Digital Treasury”
“For Treasurers, it is a real challenge to be on the top of the liquidity pyramid, so their role is to be transparent with the entire Financial department, clients and the banks.” – Werner Strecker
On the other hand, centralised initiative payment is also a challenge to prevent the Group from cyberattacks. Using a decentralised electronic banking tools were the first Group measures taken by the company.
Regarding fraud, something has been missing regarding confirmation emails, supplier ID, bank account details check. Sometimes, only one single character could be different – bank account number, email address – and humain beings just can not see it.
“You have to double check every thing and move, and adopt a strong checking process, even for an email confirmation.” – Werner Strecker
Raise a fraud prevention system
Regarding those threats, DB group set up a strong Fraud Prevention system by:
- Defining role of DB Treasury (transparency about partners, accounts, payments flows, strong compliance)
- Putting in place specific measures (consolidation with providers, downsizing of Bank Portfolio, enforce Strict Cash Management Guidelines)
- Defining minimum requirements and standards (four eyes principle for all payments, any change of payment master data, call-back and strong confirmation processes)
- Seting up Nice to / Must have (secure exchange of payment instructions with banks (SSI), standardised global process “Corporate2Bank” in case of a fraud attack, checked Write/Blacklists before making a payment)
Finally, if you have a doubt or you just want to be sure you are in touch with the right supplier, you can ask yourself some questions to help analyse the situation and realise your money transaction in a safe place.
“IT is at the center of the subject. We are not like “Big Brother Is Watching You”, but we need IT to monitor Master Data and ensure that employees all over the group follow the right processes and rules. Of course, we are not 100% IT, human being still do business, but put your trust in technologies have benefits for sure.” – Werner Strecker
Digital technology to fight wire transfer fraud
It’s nice to have an idea about fraud methodologies. Some devices allow your Treasury department to set up specifics RPA, to be alerted in case of a vendor fraud detection, or at least in case of payment anomalies (for example). That exactly what Gerd Berghold and his team develop over years.
“Our webcrawler is also a fraud radar, which is able to search in a static or dynamic way everywhere on the Internet. Then we put the data in the database. By combining technologies, we believe we give the power to companies to detect and protect themselves from frauds.” – Gerd Berghold
Even if you are not an IT company, it is easy to implement a solution like this one. All you have to share is your payement history, you don’t have to be a record company. There are solutions out of the market to fight fraud and check payments.
To go further than simple monitoring, anti-fraud technological solutions such as Trustpair can help you to prevent and detect fraud attacks. By checking all third party bank details while adding or editing one in your database, or analyse in real time all your supplier data in your Vendor Master File through a continuous audit, Trustpair allows all your financial department to master data, secure payements and make your entire Procure-to-Pay process more reliable.
To conclude
“The most vulnerable part of the process is the human action. Fraud attack can be prepared for weeks or months, and fraudsters know exactly the right moment to launch an attack. At least, 100% Robotic Process don’t make mistake. One advise is to use your commun sense and check every data you receive.” – Werner Strecker
“If I should give one advice to the audience, I would say to support your people, collect data and learn from it.” – Gerd Berghold
