What Businesses Can Do to Avoid Financial Fraud
How to prevent fraud with simple improvements to your security posture
Financial fraud is one of the most common (and growing) cyberthreats to businesses today. In the first half of 2024, financial fraud accounted for 72% of all email-related claims in At-Bay’s portfolio, up from 61% in 2023.
These attacks are not only widespread, but they can also be devastating to a growing company. In 2023, cybercriminals stole an average of $219K per incident — and in the most severe cases more than $5M, according to At-Bay’s new 2024 InsurSec Rankings: Email Security and Financial Fraud Report.
The unfortunate truth is this: Financial fraud can be tricky to identify and prevent.
Nearly 75% of financial fraud incidents occur during a transaction with a previously known vendor, and 89% happen during an expected transaction. This means fraud almost always occurs when things seem normal — but clearly aren’t.
So what can businesses do?
A combination of email security, identity management and control, plus processes and training can lead to significantly lower risk. We’ve assembled an extensive list of best practices below, but we know it’s not always feasible to check all of these boxes right away, so we’ve also included three quick tips you can implement right now at the very top.
3 Financial Fraud Prevention Tips to Use Right Now
Implementing a more comprehensive fraud prevention program is your best bet to keep your business from experiencing financial fraud; however, here are three tactics you can use to improve your fraud mitigation right now:
- Voice Verification. Nine of 10 financial fraud incidents happen via email — and more sophisticated tactics, such as business email compromise, are making email-related fraud harder to identify. The simplest solution is to not rely on email alone. Before authorizing any major transaction, call your trusted contact at the vendor, customer, or partner and verify all financial details, especially requests for changes.
- Warning Labels. Whenever you’re relaying payment or wire transfer instructions to a vendor, customer, or partner, place a warning label at the top of the document. “Before you send money, call us at [your phone number]. Do not ever accept changes to payment or bank information without verifying via phone call.” Reminding your partners to check all of the details can help prevent malicious discrepancies.
- Vendor Due Diligence. Two-thirds of financial fraud incidents were due to a vendor, customer, or partner either being impersonated or compromised. Talk to the businesses you work with and make sure they have similar security controls and processes in place to identify and prevent financial fraud. At the very least, make sure they’re taking the same steps you are to keep an incident from happening.
For more extensive fraud prevention tactics, continue reading.
Build a Strong Base With Your Email Solutions
90% of financial fraud incidents begin with email, so focusing your efforts on securing your email is a good place to start. Implementing the right tools (i.e., the right email solution and email security solution) can significantly enhance your organization’s fraud prevention strategies.
Choose the Right Email Solution
Cloud-based email solutions tend to be the best fit for growing businesses because they push updates and patches automatically, without manual intervention, and because some providers (like Google Workspace) enable advanced security settings by default. According to At-Bay’s 2024 InsurSec Rankings Report, Google Workspace customers experienced the lowest frequency of incidents among the solutions we analyzed for the second year in a row, seeing 54% lower claims frequency than average in 2023.
On the other hand, businesses using legacy on-premises email solutions (like Microsoft Exchange) saw the worst outcomes for the second year in a row. This is likely because on-premises software requires constant review and maintenance to stay on top of updates and patches, which places undue strain on smaller teams.
Migrating to a new email platform may not be possible, so if your business uses an on-premises solution and isn’t in a position to switch to a cloud-based option, you can work with a cybersecurity expert to audit your email security and get suggestions for updating/patching protocols, implementing additional security controls, etc.
If you’re an At-Bay Cyber or Tech E&O policyholder with Embedded Security, you have access to At-Bay Stance™ Advisory Services¹. This team of cybersecurity experts can assess the current state of your email security and advise you on actions to reduce fraud risk.
Add an Additional Security Layer With a Secure Email Gateway
Complementing your email solution with a secure email gateway (SEG) can help add another layer of defense to your security program. These specialized tools scan incoming emails in real time for fraudulent activity like phishing attempts, malware, or ransomware and divert or block any suspicious emails before they reach users’ inboxes.
In the 2024 InsurSec Rankings Report, At-Bay analyzed claims and cybercrime data to compare outcomes for email security solutions. For the second year in a row, businesses in At-Bay’s portfolio that used Mimecast saw the lowest email claims frequency, experiencing an impressive 37% fewer incidents than the average.
While choosing an email solution and SEG associated with positive security outcomes is helpful in overall risk mitigation, these tools do not completely safeguard you from complex financial fraud attacks. Rather, make sure to pair these foundational solutions with proper identity management, configuration and education in the following sections.
Implement Critical Identity Management and Configuration Practices That Enhance Security
Many organizations (understandably) prioritize ease of use over security when it comes to email. They do this at their own peril: Fraudsters often exploit configuration pitfalls and human errors to carry out scams and steal funds. It turns out that, when it comes to security, user friction is a good thing. These six configuration best practices can help secure your organization’s email against financial crimes:
#1 Use MFA on All Business Accounts
Multi-factor authentication (MFA) adds an extra layer of protection to email accounts by requiring two or more verification factors to log in. MFA makes unauthorized access significantly more difficult and should therefore be applied to 100% of business accounts. Without MFA, a single compromised password can grant attackers full access to sensitive systems and data.
#2 Use a Password Manager
A password manager generates and securely stores complex passwords, enhancing email security by preventing employees from choosing simple or reused passwords. It also supports MFA and secure password sharing for team access to email accounts.
#3 Apply the “Account of Least Privilege” Rule
According to the “account of least privilege” rule, every employee should be given only the bare minimum of access their role requires. Dedicated administrator accounts with full privileges should be limited to a few named individuals, protected with MFA, and backed by additional security measures such as email alerts and physical security keys, since these accounts are prime targets for cybercriminals.
Ideally, a company’s CEO should never have an administrator account, as CEOs tend to be prime targets for cyberattacks. If an administrator account is compromised, the attacker gains control over the entire email system, increasing financial fraud risk.
#4 Disable Automatic Email Forwarding
Automatic email forwarding can pose significant cybersecurity risks by sending emails outside the secured corporate environment, potentially exposing them to cybercriminals. Disabling this feature helps maintain message privacy, reduces the risk of phishing and spoofing attacks, and ensures that email security measures remain effective.
#5 Adopt Email Security Protocols
Implementing email security protocols such as SPF, DKIM, and DMARC (see below for resources) is crucial for businesses to enhance their defenses against phishing and email spoofing. These protocols authenticate the origin of emails, verify message integrity, and provide a framework for handling unauthorized emails.
- Set up SPF (Google Workspace, Microsoft 365)
- Set up DKIM (Google Workspace, Microsoft 365)
- Set up DMARC (Google Workspace, Microsoft 365)
#6 Check Your MX Records
In our research, At-Bay identified a subset of claims from businesses using a Secure Email Gateway (SEG) with misconfigured MX (Mail Exchange) records. A properly configured MX record will route all incoming emails to the email security solution. A misconfigured MX record allows email traffic to be sent directly to the email server, bypassing security solutions and exposing businesses to potential security risks. These misconfigurations are easy for threat actors to both discover and exploit, opening the door to potentially damaging financial fraud, data breach, and/or ransomware attacks.
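Added example, not from the article: given the MX answers for a domain, this Python function checks that every MX host belongs to the secure email gateway provider, so a stale or “backup” record pointing at the mail server itself is flagged as a bypass. The MX records and the `seg.example` provider suffix are constructed placeholders.

```python
# Constructed sample MX answers, in the (priority, host) form a resolver returns.
# 'seg.example' stands in for the SEG vendor's inbound domain.
MX_ROUTED_THROUGH_SEG = [
    (10, "inbound1.seg.example."),
    (20, "inbound2.seg.example."),
]
MX_WITH_BYPASS = [
    (10, "inbound1.seg.example."),
    (20, "inbound2.seg.example."),
    (30, "mail.example.com."),  # leftover record that delivers straight to the mail server
]


def normalize_host(host: str) -> str:
    """Lower-case the name and drop the trailing dot so comparisons are exact."""
    return host.lower().rstrip(".")


def mx_bypass_check(mx_records, seg_suffixes):
    """Return the MX entries that are NOT hosted under any of the SEG provider's domains.

    mx_records: iterable of (priority, hostname) tuples.
    seg_suffixes: domains the gateway vendor issues inbound hosts under.
    An empty result means every inbound route passes through the gateway.
    """
    suffixes = [normalize_host(s) for s in seg_suffixes]
    bypasses = []
    for priority, host in sorted(mx_records):
        name = normalize_host(host)
        # Match the suffix as a whole label boundary so 'evil-seg.example' does not pass.
        routed_via_seg = any(name == s or name.endswith("." + s) for s in suffixes)
        if not routed_via_seg:
            bypasses.append((priority, name))
    return bypasses


if __name__ == "__main__":
    for label, records in (("clean", MX_ROUTED_THROUGH_SEG), ("misconfigured", MX_WITH_BYPASS)):
        print(label, mx_bypass_check(records, ["seg.example"]))
```

Even with a clean MX set, the mail server itself should accept inbound SMTP only from the gateway’s addresses, because an MX record is routing advice to senders rather than an enforcement control.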
Create a Process and Never Deviate From It
Establishing and enforcing robust processes and internal controls, especially around financial transactions with both new and existing providers and partners, is crucial in mitigating the human errors that can lead to financial fraud.
Even with the most advanced security tools and fraud prevention methods in place, a single lapse in judgment or lack of awareness can expose an organization to significant risk.
The following are some best practices to consider when building your organization’s financial transaction protocols:
Verify, Authenticate, Confirm
One example of an effective process is to implement a “Verify, Authenticate, Confirm” protocol. It looks like this:
- Verify the Request: The employee should first verify the legitimacy of a payment request by checking the source of the communication. They can do this by contacting the supposed requester directly using a known and trusted contact method (e.g., calling a known phone number or emailing a verified email address).
- Authenticate the Request: Once the legitimacy of the request is verified, the employee should authenticate the request by asking specific questions or requesting additional information that only the legitimate requester would know, such as the recipient’s financial account information, account numbers, or ACH details.
- Confirm the Request: After verifying the request and authenticating the account information, the employee should confirm the legitimacy of the transaction with a supervisor or another authorized party within the organization. This additional step ensures that multiple individuals review and approve high-risk financial transactions, reducing the likelihood of fraudulent wire transfers being processed.
Ongoing Vigilance and Education
Implementing a plan to provide ongoing employee education can pay huge dividends towards risk management. Here are some protocols that will help keep you safer:
- Segregation of Duties: Ensure that no single individual has control over an entire financial transaction from start to finish. Segregate duties related to authorization, recording, custody, and reconciliation of financial transactions to create checks and balances. This might mean having an employee of your business be the point of contact to review and approve an invoice, but then having the finance team actually authorize and send the payment.
- Training and Awareness: Provide thorough training to employees on recognizing red flags of fraud, cybersecurity best practices, and the importance of adhering to internal controls and protocols.
- Whistleblower Hotline: Encourage employees to report any suspicious activity or concerns through a confidential whistleblower hotline or other reporting mechanisms.
- Regular Audits: Conduct regular internal and external audits to independently assess the effectiveness of internal controls and identify any weaknesses or areas of improvement.
- Vendor Due Diligence: Conduct due diligence on vendors, suppliers, and other third parties to ensure they adhere to similar security controls and standards.
By implementing and consistently following these internal processes, organizations can significantly reduce the risk of financial fraud and protect their financial assets.
Know What Right Looks Like
I served in the U.S. Secret Service Cyber Crime Task Force. The U.S. Secret Service had to be able to spot counterfeit money. The variations of counterfeit bills were infinite, so instead of training on every possible fake permutation, they studied what the correct version of the bill looked like, so that everyone would know that any deviation was potentially a fake.
You can take a similar approach to financial fraud. Since it’s impossible to train employees on every potential scenario, making sure they know the right process for invoicing and vendor payments backwards and forwards can help. That way, you can trust that they’ll recognize any deviation as a red flag.
Take Action to Prevent Financial Fraud
Financial fraud poses a significant threat to small businesses, but you don’t have to be a sitting duck. By working with cybersecurity experts to audit your tooling, level up your configuration, and establish rigid protocols for all financial transactions, you can fortify your fraud detection and prevention capabilities and reduce your overall cyber risk.
Need help making sure your business is protected from financial fraud? At-Bay Cyber and Tech E&O policyholders with Embedded Security have access to At-Bay Stance Advisory Services¹, a team of cybersecurity experts who can assess and advise you on your cyber risk.
Schedule a call with At-Bay’s Advisory Services team to get started →
¹ Access to At-Bay Stance Advisory Services is available to policyholders via the “Embedded Security” fee and the corresponding endorsement. Your Embedded Security Endorsement refers to “At-Bay Stance Advisory Services” as “At-Bay Stance Managed Security.” Please contact your authorized insurance representative for information concerning your Policy.