The dust has settled, and the media has moved on to other topics, but what is there to glean from the recent banking crises that headlined the news?

The collapse of Silicon Valley Bank (SVB) marked the start of a tumultuous time in the banking industry. A second bank collapsed, and consumer confidence – plus stock prices for many financial services firms – dropped. Those of us who do not have accounts at the institutions in the news should feel safe. But we should still take notice for two very important reasons.

First, these types of events can cause disruptions in payment processing. This could be related to (outgoing) online bill payments or (incoming) payments from customers. For a specific example: SVB was a component to the Melio payment processing platform. Most processors have redundancy built-in, so hopefully no one on this chain has experienced any issues or delays in executing transactions through payment processors.

Second, this situation is especially concerning from a security perspective. We know that the likelihood of fraud increases when uncertainty, perhaps even chaos, occurs. We also know that payment processing is a prime target for financial fraud. Disruptions in the banking industry are therefore a perfect time for fraudsters to take advantage of the situation. While no official warnings have been declared, security experts are sounding the alarm that we should expect a rise in scams that involve the redirection of funds.

What does that mean for us? Each of us in our respective businesses exchange money. We need to raise our level of vigilance around any changes to payment processing. Any request related to the payment or receipt of funds should be verified with two methods. New customer accounts, changes to bank account information, and changes to payment method are examples of what to look for. Every request should be validated before a change is made or money exchanged.

Do’s!
- Do maintain contact lists for vendors and customers.
- Do use your contact lists to validate change requests.
- Do use two communication methods to validate change requests. Example: email AND telephone.
- Do provide your customers an email address and phone number to validate any change requests they may receive from you.
- Do create and stick to your accounts payable and accounts receivable processes.
- Do pass along this message to your internal teams who handle finances.

Don’ts!
- Don’t use contact information provided in a change request to validate the request – you may end up calling the fraudster.
- Don’t use your personal accounts for business purposes.
- Don’t be rushed, shamed, or tricked… fraudsters can be experts in manipulation.

Sample Scenario 1: Your Accounts Payable (AP) team receives an email from your largest vendor requesting a change in banking information. The new bank account and routing number is provided along with a phone number to verify the request. Your AP team looks up the vendor in the contact list and calls the primary point of contact for billing matters. On the phone, your AP team confirms with the point of contact that the email was legitimate and verifies the last four digits of the account and routing numbers. Your AP team then replies to the initial email and cites the phone conversation as verifying the request. Once completed, the billing change is made.

Sample Scenario 2: The same scenario above unfolds, but your AP team is unable to reach the primary point of contact for billing matters at your vendor. This is likely due to the request coming in late on a Friday afternoon. No billing change is made until validation can occur on the next workday. Your AP team notifies their direct manager of the activity. The manager requests that payments to that vendor be placed on hold in an abundance of caution.

Have you talked to your team about business processes like this?  Do you have a trusted security advisor that brings matters like this to your attention?  Our Affinity team is dedicated to helping our clients and the community protect their organizations through technical expertise and best practices.  Please reach out if you have questions about this or other security matters.  We love to help.

 About The Author:

Bart Holzer recently joined Affinity Technology Partners as fractional Chief Information Security Officer (CISO). He is the owner of Overt Channel, LLC, working as a fractional or virtual Chief Security Officer and Chief Information Security Officer for mid-size firms and nonprofits. A former federal law enforcement engineer, Holzer advises clients on security strategy, risk management, security program development and incident response.