
If news headlines make you think that fraudsters and cyber-criminals mainly attack big corporations – or deceive unsuspecting individuals by phone or email – think again. Canada’s mid-sized companies are increasingly the targets of crime syndicates and computer hackers who deploy ever-more devious techniques, from ‘old school’ cheque fraud to sophisticated cyber-attacks.

Despite this escalation of criminal activity, mid-size companies can fend off these attacks, through a mix of technology upgrades to electronic payment methods, and good-old-fashioned training to make employees ‘fraud aware.’

“Fraudsters are always trying to be one step ahead, but it’s amazing how much you can do to protect your business, by confronting it head on, raising fraud awareness on your team, and taking some simple actions,” says Paula Merrier, Scotiabank’s Director and Group Lead, Payments and Cash Management for Western Canada.

Learning about evolving threats

Although March is Fraud Prevention Month – when law enforcement and financial institutions run fraud awareness campaigns – Merrier and her team meet with mid-size business clients year-round to educate them about evolving fraud and cyber security safeguards.

These discussions include awareness around classic scams like cheque fraud, in which criminals steal a company’s cheque stock – perhaps by posing as a courier who snatches envelopes from a reception desk, or by breaking into mailboxes – and then alter amounts and payee names on existing cheques or create counterfeit items with the stolen bank information.

However, cyber-crime is experiencing the most growth, particularly business email compromise. This can occur when a hacker penetrates a company’s servers to monitor internal email exchanges, inserts themselves into conversations and tricks a finance or payroll department employee. For example, they may pose as an employee and ask a payroll clerk to change that employee’s bank account information, in order to steal the electronically deposited pay.

Similarly, they might pretend to be a vendor and contact a company’s accounts payable clerk to change the vendor’s banking instructions and steal upcoming payments by wire or electronic funds transfers. They could even pose as a company executive to trick a finance department employee into issuing a rush payment for an urgent business deal.

“These scams are surprisingly easy, and most could have been avoided if the employee had been trained to always call back the ‘requestor’ (using contact information the company has on file) to confirm the change in instructions,” explains Merrier.

“It comes down to education, and sitting down with your staff to explain or reinforce safe financial protocols. And, you should empower staff at every level to question any transaction.”

Company training also should ensure employees are ‘fraud aware’ of today’s cyber-risks. This means reminding individuals to surf the web with caution, and warning employees not to ‘click a suspicious link.’ The latter, notes Merrier, is often how hackers break into companies: “Fraudsters may go ‘phishing,’ by sending an employee an authentic-looking email that encourages them to ‘click the link.’ Unfortunately, this lets the hacker access your company network, install malware and conduct fraud.”

Arming business to fight fraud

While fraud is multiplying in many niches – from corporate spies who break into global firms, to those ‘tax refund’ calls we all get on our mobile phones – mid-size companies are particularly vulnerable.

“Although mid-market companies are not always as ‘electronic’ as they could be, in terms of their payment processes, COVID-19 has helped drive a huge shift, as the Bank helps clients adopt electronic payment methods that offer more protection,” observes Merrier. “Sometimes, for example, the company owner-operator still likes to sign the cheques, or the company has a small finance team that is responsible for many business functions and can’t be an expert in all areas. That’s where our team takes our role as trusted advisor very seriously, sharing ways that clients can run their business with more safety, security and efficiency.”

Merrier adds that Scotiabank’s Payments and Cash Management team has intensified its client outreach during the pandemic, when cyber-criminals increasingly targeted companies whose employees are working remotely:

“We are proactively discussing security issues as part of their financial solutions and COVID-19 helped many clients recognize the cracks in their processes.”

Among the easy-to-adopt solutions, cheque-issuers can select the ‘Positive Pay With Payee Match’ service, by which a company provides the Bank with a data file of issued cheque information whenever it does a cheque run. Scotiabank then matches each item presented for payment against the list of issued cheques provided by the customer and advises of any exception items. Cheque information can be matched right down to the payee name and address. “We strongly recommend this service to clients,” adds Merrier.
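The matching idea behind a positive-pay service can be sketched in a few lines. This is an added illustration, not Scotiabank’s code or file format: the record layout, the exception labels and the sample cheques are constructed, and it matches on serial number, amount and payee name only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cheque:
    serial: str
    amount_cents: int   # integer cents avoids float rounding
    payee: str

def norm(name: str) -> str:
    """Comparison key that ignores case, punctuation and extra spaces."""
    return " ".join(name.upper().replace(".", "").replace(",", "").split())

def match_presented(issued, presented):
    """Return (serial, reason) exception items for presented cheques.

    issued: cheques from the company's issue file (hypothetical layout).
    presented: items presented for payment.
    """
    register = {c.serial: c for c in issued}
    paid = set()
    exceptions = []
    for item in presented:
        ref = register.get(item.serial)
        if ref is None:
            exceptions.append((item.serial, "NOT_ISSUED"))       # serial not in issue file
        elif item.serial in paid:
            exceptions.append((item.serial, "DUPLICATE"))        # same cheque presented twice
        elif item.amount_cents != ref.amount_cents:
            exceptions.append((item.serial, "AMOUNT_MISMATCH"))  # altered amount
        elif norm(item.payee) != norm(ref.payee):
            exceptions.append((item.serial, "PAYEE_MISMATCH"))   # altered payee name
        else:
            paid.add(item.serial)
    return exceptions

# Constructed sample data, not real cheque records.
ISSUED = [
    Cheque("1001", 125000, "Acme Supplies Ltd."),
    Cheque("1002", 48050, "Prairie Freight Inc"),
    Cheque("1003", 9900, "North Shore Electric"),
]
PRESENTED = [
    Cheque("1001", 125000, "ACME SUPPLIES LTD"),     # clean match
    Cheque("1002", 480500, "Prairie Freight Inc"),   # amount differs
    Cheque("1003", 9900, "J. Smith"),                # payee differs
    Cheque("1001", 125000, "Acme Supplies Ltd."),    # second presentment
    Cheque("2044", 75000, "Acme Supplies Ltd."),     # serial never issued
]

if __name__ == "__main__":
    for serial, reason in match_presented(ISSUED, PRESENTED):
        print(serial, reason)
```

Every exception item is held for the company to review rather than paid automatically, which is what makes the issue file an effective control.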

Or, clients who choose Scotiabank’s online platforms for wire or EFT transactions can take advantage of multiple tiers of security safeguards, including customized approval processes, which also provide faster, less expensive and more efficient payments than manual cheque processing.

Security is never ‘one-and-done’

Since fraudsters are relentless, Merrier recommends that companies not consider fraud and cyber-security a ‘one-and-done’ task. Instead:

1. Educate yourself and your team: Regularly train or refresh all levels of your organization on safe financial processes and ‘fraud aware’ knowledge, to be cyber-safe in their work and personal lives. Look to reliable government or industry sources such as the Government of Canada, the Canadian Anti-Fraud Centre, Payments Canada, and the Canadian Bankers Association.

2. It’s a shared responsibility: Remember that fraud prevention is a shared responsibility. Companies must take appropriate steps to protect themselves. Even though financial institutions utilize best efforts to recover stolen funds, there is no guarantee that financial losses can be completely recovered.

3. Protect your systems: Place sufficient ongoing emphasis on protecting your systems, including up-to-date anti-virus and firewall software, system scans for viruses and malware, and two-factor authentication whenever possible.

4. Review your financial processes: Regularly review your internal processes and controls, including checks and balances in your payments and reconciliation processes.

5. Review bank activity: Review your bank account activity and reconcile daily.

6. Discuss your payments practices: Talk with your banker about best practices in payments and cash management services, to find the right mix of service options and safeguards. You can find highlights on Scotiabank.com.

Finally, Merrier urges clients to act quickly if they think they are the victim of a crime: “Time is of the essence, so contact the bank right away, gather as much information as you can and file a police report. Then, take the opportunity to learn from the incident and protect your company, to regain that feeling of control and resiliency.” 


Concludes Merrier, “We may never eradicate fraud completely, but you can prevent it by educating your teams, reviewing your banking activity and controls, and moving to more secure, electronic means. It starts with talking with your bank, because we can offer appropriate advice and solutions."