Treasuries leave “doors open” to fraud without supplier checks


A lack of checks on how third parties and suppliers authenticate identity is leaving corporate treasuries with “open doors” to cyber fraud, a new study warns.

Having the authority to move large amounts of money fast, corporate treasuries are increasingly a top target for cyber criminals. Yet, serious gaps remain in their cybersecurity strategies, highlights a new report by the Economist Intelligence Unit and Deutsche Bank.

“Sophisticated cyber criminals often use social engineering and inside information to execute high-value thefts via corporate treasuries,” says Michael Spiegel, head of cash management at Deutsche Bank. “Our research has identified serious gaps in corporate defence, including vulnerabilities hidden with third parties and their subcontractors. This gives cyber criminals the opportunity to steal data.”

The report points out that, because an increasing number of treasuries have outsourced back-office and payment-factory processes to shared services, treasury departments are particularly exposed. According to the research, one in five companies do not check whether suppliers use the same identity authentication methods as they do, do not co-ordinate regulatory and compliance rules with them, and do not ensure that the information security requirements applied to third parties are extended to those third parties’ subcontractors.

While most companies in the survey performed internal penetration testing (92%), one-third (33%) did not conduct external testing, and only 38% require all third parties and suppliers to perform penetration testing.

An internal penetration test assumes the attacker already has the equivalent of insider access, such as a compromised workstation or staff account, and tests how far they could go from there, for example to disclose or misuse data. An external penetration test mimics an attacker on the internet with no prior access, probing the organisation’s exposed systems to determine what is reachable and exploitable from outside. The two answer different questions, which is why skipping either leaves a gap.

“This leaves an open door for fraud,” says Spiegel.

Sectors with the lowest rate of authentication testing are manufacturing (43%), agriculture and agribusiness (38%), energy and natural resources (32%), construction and real estate (31%) and professional services (25%).

“Cyber criminals target corporate treasury for a simple reason: it’s where the money is,” says the report, titled Third party risks; the cyber dimension. “Hacking treasury is one of only a few ways to steal very large amounts of money very quickly. And unlike data theft or even ransomware, which can cause damage and cost over time, treasury hacks can cause immediate, significant and usually irreversible financial loss.”

Hackers are also aware that many companies still do not take cybersecurity seriously. While most experts agree that it’s impossible to fully protect yourself from an attack, companies could be doing a lot more.

“No matter what you do, you can never protect yourself 100%, that’s simply not possible – everybody gets penetrated every now and then,” Lars Jensen, CEO of maritime industry cybersecurity firm CyberKeel, told GTR in a recent interview.

According to experts, contingency planning and incident response platforms (IRP) are among the most effective ways to become more cyber-resilient. Last year, however, a survey by IBM and Ponemon of 2,400 security and IT professionals found that 75% didn’t have a formal cybersecurity incident response plan across their organisation. 66% were not confident in their organisation’s ability to recover from an attack.

Top scams

The simplest scams, according to the study, are invoicing frauds. Once systems have been compromised to learn who makes payments and how, fraudsters can send false invoices from made-up suppliers to the right person in accounts payable and then chase them for payment.

Another popular method is the man-in-the-middle (MITM) attack, in which attackers intercept communication between buyers and suppliers and send their own versions of invoices or payment instructions carrying their own bank details. The buyer believes the payment is going to the supplier but is actually sending it to the attacker. In practice the “interception” is usually a compromised or lookalike email account rather than tampering with network traffic, which is why a callback to a phone number already on file, not one taken from the invoice, is the standard check before a supplier’s bank details are changed.

In June 2015 Europol announced it had dismantled a group of cyber criminals active in Italy, Spain, Poland, the UK, Belgium and Georgia, who used man-in-the-middle fraud to steal €6mn within a very short time.

The most sophisticated hacks involve attackers breaking into corporate email and other systems to build up a detailed picture of staff and company operations. This information is then used to craft email sequences that include confidential company information and appear to come from senior management, often with urgent requests to transfer money.

These attacks, known as business email compromise (BEC) scams or CEO fraud, differ from spam-based malware attacks, which generally carry ransomware: they use social engineering and inside information gathered through reconnaissance to target specific individuals with customised, believable emails. BEC fraud has claimed a number of high-profile victims. In August last year, leading wire and cable manufacturer Leoni announced a loss of around €40mn owing to a case of BEC fraud.
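The invoice-fraud, bank-detail-swap and lookalike-domain patterns described above can all be screened for at the point where a payment instruction enters accounts payable, before anyone is in a position to be “harassed into paying”. The following is an added example written for this page, not code from the report, Deutsche Bank or GTR; the vendor master, the sample invoices, the callback numbers and every field name are constructed assumptions.

```python
"""Added example for this page: screening a payment instruction against the
vendor master before release. Not code from the EIU/Deutsche Bank report or
from GTR; vendor records, invoices and field names are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed vendor master: what accounts payable already knows about a supplier.
# The callback number is deliberately stored here, never taken from an invoice.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "V100": {"name": "Acme Cables GmbH", "iban": "DE89370400440532013000",
             "email_domain": "acme-cables.example", "callback": "+49 30 000000"},
    "V200": {"name": "Nordic Steel AS", "iban": "NO9386011117947",
             "email_domain": "nordicsteel.example", "callback": "+47 22 000000"},
}


@dataclass
class Invoice:
    vendor_id: Optional[str]   # None when the invoice names a supplier not in the master
    vendor_name: str
    iban: str
    sender_email: str
    amount: float
    urgent: bool = False


@dataclass
class ScreeningResult:
    release: bool                          # True only when nothing was flagged
    flags: List[str] = field(default_factory=list)
    callback: Optional[str] = None         # number AP must ring before overriding a hold


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_iban(iban: str) -> str:
    """Strip the spacing banks print on invoices so IBANs compare byte-for-byte."""
    return iban.replace(" ", "").upper()


def screen_invoice(inv: Invoice, master: Dict[str, Dict[str, str]] = VENDOR_MASTER) -> ScreeningResult:
    """Return the hold/release decision and the reasons for a hold."""
    flags: List[str] = []
    callback = None
    if inv.vendor_id is None or inv.vendor_id not in master:
        # Invoice-fraud pattern: a plausible invoice from a supplier nobody onboarded.
        flags.append("unknown supplier: not in vendor master")
    else:
        rec = master[inv.vendor_id]
        callback = rec["callback"]
        if normalise_iban(inv.iban) != rec["iban"]:
            # Bank-detail-swap pattern: same supplier name, different beneficiary account.
            flags.append("bank details differ from vendor master")
        domain = inv.sender_email.rsplit("@", 1)[-1].lower()
        if domain != rec["email_domain"]:
            if edit_distance(domain, rec["email_domain"]) <= 2:
                # BEC pattern: a registered lookalike of the supplier's real domain.
                flags.append(f"sender domain {domain} is a lookalike of {rec['email_domain']}")
            else:
                flags.append(f"sender domain {domain} does not match vendor master")
    if inv.urgent:
        # Urgency is the social-engineering lever; it should add approval, not remove it.
        flags.append("urgency pressure: second approver required")
    return ScreeningResult(release=not flags, flags=flags, callback=callback)


# Constructed sample invoices covering the scam patterns described on the page.
SAMPLE_INVOICES: Dict[str, Invoice] = {
    "legitimate": Invoice("V100", "Acme Cables GmbH", "DE89 3704 0044 0532 0130 00",
                          "ap@acme-cables.example", 48200.00),
    "bank_detail_swap": Invoice("V100", "Acme Cables GmbH", "GB29NWBK60161331926819",
                                "ap@acme-cables.example", 48200.00),
    "lookalike_domain": Invoice("V200", "Nordic Steel AS", "NO9386011117947",
                                "finance@nordicstee1.example", 215000.00, urgent=True),
    "fake_supplier": Invoice(None, "Globex Fasteners Ltd", "GB29NWBK60161331926819",
                             "billing@globex-fasteners.example", 9800.00),
}


if __name__ == "__main__":
    for label, inv in SAMPLE_INVOICES.items():
        result = screen_invoice(inv)
        status = "RELEASE" if result.release else f"HOLD (callback {result.callback})"
        print(f"{label:18} {status}")
        for flag in result.flags:
            print(f"    - {flag}")
```

Any flag holds the payment, and the override path deliberately uses a callback number from the vendor master rather than anything printed on the invoice, since an attacker controlling the invoice controls its contact details too. The lookalike test is a plain edit-distance threshold; it catches digit-for-letter substitutions and one-character insertions but not homoglyphs from other scripts, which need a separate confusables check.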

Call for common platform and terminology

In a bid to establish deeper understanding and better cyber defence in the financial sector, Swift has recently published some research papers and called for establishing common terminology to allow for better communication.

In one of its papers, Sharing Insider Threat Indicators: Examining the Potential Use of SWIFT’s Messaging Platform to Combat Cyber Fraud, the organisation discusses using its own messaging platform to share cyber fraud threat information between member institutions.

“As cyber threats become increasingly prevalent within the financial services industry, firms are having to step up their cyber defences,” says Peter Ware, director of the SWIFT Institute. “It is only by collaborating as an industry that we will be in a stronger position to mitigate these threats. It is our hope to eventually build on this published research to more effectively recognise forces at play, to establish a common language, and to build tools that will identify patterns of behaviour.”


© Exporta Publishing & Events Ltd 2018
