Michael Purifoy, Senior Vice President - Director of Treasury Management of VeraBank
In the dynamic world of electronic payments, it has become a heavy lift for banks across the country to insulate their small and micro business clients from becoming victims of hackers and fraudsters who prey upon them. Community banks are responding to these threats by investing millions of dollars annually to provide their commercial customers a robust fraud prevention treasury menu with products that offer multiple layers of protection.
Is that enough? The simple answer is no. Often, we are finding that businesses are forfeiting their cash because of issues outside products we provide, including internal communication gaps, a computer or network that is not appropriately hardened, or an attitude that the “bad guys” are not interested in targeting their bank account.
On average small business owners invest 50-60 hours a week on a wide range of activities focused on managing, improving, and growing their enterprise. This type of hard work and dedication is necessary if the business is going to experience success. However, this focus on growth and development often includes only a minimal amount of time dedicated to the measures and tools needed to protect against fraudulent electronic transactions that can quickly destroy everything they have achieved.
Recognizing Our Dual Role
For most community banks, the majority of their commercial portfolio is made up of small and micro-businesses. The expectation from these businesses is their banker act as both a banker and a trusted advisor who will protect them from fraud that results in a monetary and reputational loss. The fact of the matter is, while our institutions do have control over the solutions we provide to our commercial clients, we do not have control over the strength of their IT perimeter, their internal controls or operational practices. It is the responsibility of each small business owner to create, manage, and enforce internal policies and practices that minimize their risk of loss. The question for them is, to what extent do they know, understand, and accept ownership for those responsibilities?
"Most small and micro businesses have an attitude that they are immune from payment fraud because they are too small to be the target of an outside threat"
And the question for us is, in addition to offering a full suite of treasury products, what else can we as trusted advisors do to protect our customers from the risk of becoming a victim of payment fraud?
Executing Our Dual Role
I believe that it is our job to assist our customers in identifying gaps and vulnerabilities they may have when conducting their daily business. Are they taking steps to ensure their computer does not get infected with a virus or malware? Can they identify phishing attempts to gain financial information? Do they have good practices in place that will protect them while sending or accepting electronic payments both online and at their storefront? Many times, we can help identify vulnerabilities by asking these questions during the onboarding process of a treasury product and making sure we’re fulfilling our dual role as a product provider andtrusted advisor.
Once we have identified the gaps, then we can:
1. Make sure they are taking full advantage of any available treasury fraud prevention products like positive pay, real-time alerts, and token authentication.
2. Advise them on how they should structure operational rules and guidelines, manage cybersecurity at both the enterprise and endpoint, and offer continuous cybersecurity awareness training to their employees.
3. Tell the real and sobering stories (leaving out the names to protect the innocent of course) that we see far too often.
Most small and micro businesses have an attitude that they are immune from payment fraud because they are too small to be the target of an outside threat. The fact is that most hackers and digital thieves see them as ripe for the picking. I have seen too many instances where an employee has followed through with transmitting a fraudulent request based on receiving a spoofed emergency email from “the boss” instructing them to wire money out immediately.
Most of the time, the result of these fake requests is an unrecovered monetary loss, a hard conversation between the banker and the business owner, and the risk of losing the commercial relationship to a competitor. On the other hand, if you as a banker and trusted advisor, are willing to go the extra mile upstream in the process to identify gaps, educate customers, and have honest conversations about existing threats, you may be able to ensure you have a customer that is loyal to your institution for life.