Speaker 0: The Payments Podcast from Bottomline.

Owen McDonald (host): Welcome to the Paymode edition of The Payments Podcast. I'm Bottomline Managing Editor, Owen McDonald. In this special series of Paymode-themed podcasts, Paul McMeekin, Vice President of Marketing at Bottomline, explores the hottest trends in business payments with expert guests. In this episode, Paul welcomes Katie Elliott, Senior Risk and Fraud Officer at Bottomline, to discuss business email compromise and the so-called fraud triangle while looking at ways to detect and defeat fraud in the time of Generative AI. Here's Paul McMeekin and Katie Elliott.

Paul McMeekin (cohost): Hi, and welcome to the Paymode Podcast Series. My name is Paul McMeekin. I'm joined today by Katie Elliott. Katie, thank you for joining me today. And if you want to give the audience a quick introduction about yourself.

Katie Elliott: Sure, Paul. Thanks for having me. My name is Katie Elliott. I'm the Senior Risk and Fraud Officer here at Bottomline. I've been in the payment slash financial institution industry for more years than I want to mention on a podcast. But I'm a certified fraud examiner, and I have a lot of experience and history in the fraud industry here. Thanks for having me again.

Paul McMeekin: I hear in the news all the time about business email compromise. It's these mind-boggling stats out there from the FBI and various other entities who talk about how big of a problem this is. What makes business email compromise such a significant threat?

Katie Elliott: Very good question. There's a theory out there that there's this fraud triangle. Right? And you need three things to facilitate fraud: opportunity, incentive or pressure, and rationalization. And that kind of perfect culmination puts an individual in a position where they would conduct fraud. I have my own triangle, that I like to say, has a really big impact especially when it comes to business email compromise. Is it cheap, easy, and fast?
And so, when you look at business email compromises, these fraudsters are sending emails, pretending to be various entities, a vendor, a member of your organization, for example, a CEO or a CFO. And they are trying to trick you into clicking on a link, sending a payment instruction, doing something in your normal day-to-day business that makes sense for your business, but actually ends up going to the fraudster. Well, fraudsters, when they look at this kind of fraud, it's easy to do. Right? It's cheap. You're sending some emails. Email is free. It's easy. You're just sending out a huge number of emails to a vast audience. And it's fast. Right? You click a button. There you go. And so, I think that's what fraudsters really look for. On top of that, you've got this kind of vulnerable group of individuals when it comes to just human nature. Right? Your biggest risk with anything is your human people. That tendency to either over trust or overuse or move too quickly. If you think about your day-to-day business, you're in your email, gosh, what? All day? And so, when you have that kind of volume and you're relying so heavily on email, it's easy to kind of ignore or not see or bypass certain red flags that if you slowed down and took the time, you could actually see.

Paul McMeekin: So, this could be like a classic email from the CEO. Hey, get me a gift card type email. Right?

Katie Elliott: Yeah. I actually saw one at a former place where the CEO was impersonated. So, I sent an email to our HR person and said, hey I want to switch where my payroll goes. And HR was just like, oh, okay. That makes sense. She's in a rush. She doesn't want to do it herself. I'll go change her payroll. Totally a business email compromise. Complete fraud. So, again, it's really easy to get into that day-to-day business. Have you communicated through email? I mean, how many people nowadays would prefer a text over a phone call?
So, I think those two combinations of it's just really easy for the fraudsters to do, and it's something that we are all moving at the speed of light trying to get things done as quickly and efficiently as possible that we're prone to click on those links or to send those payments.

Paul McMeekin: Yeah. Absolutely. So cheap, fast, and easy. What proactive steps can businesses take to mitigate risk? And from my own personal question, how is check fraud still happening?

Katie Elliott: So, some proactive steps, one is education. Really talk to everyone in your line of business. It doesn't matter if you're a small business owner, a huge corporation, a financial institution. No matter what, you have a risk of fraud, especially if you're moving money in any way, shape, or form. And we all are. Right? We all have to pay our vendors. We all have to pay our bills. So, that's why you can get attacked individually. And so, education, I think, is really key. Another big aspect is using secure portals for communication. So, instead of just relying on that email, do you have another way to ask your vendors for payment instructions, for bank change information? Because relying on email, again, it's just so easy to fake an email or fake an invoice through an email, that secure portal with perhaps a multi-factor authentication step, something else that would secure that communication, I think is a really big, proactive step that businesses can take. When it comes to check fraud, I'm with you. But I will repeat my own triangle. Cheap, easy, fast. So, you can buy check stock at an OfficeMax, Office Depot, Staples, whatever is in your local area. You can print them online nowadays. It's easy to steal from the mailboxes and just wash it and alter it. And on top of that, it does take a long time to identify. I had a situation where I had a business who saw the check clear their account, cleared for the right amount of money. They didn't check to see who the payee was.
And so, it wasn't until their vendor called them to say, hey, you guys never paid us, that they went back and said, yes, we did. And they went to go get the proof and lo and behold the payee had changed. And so, by that point they were outside of a normal recoup time frame from a financial institution perspective. And so, they were out that money. So again, check fraud is just cheap, easy, and fast. And it unfortunately works. So, fraudsters will always target where they can get the money diverted to them.

Paul McMeekin: So, it all goes back to education on what you started with. Right?

Katie Elliott: Educate and then, again, partner. So, working with something like Paymode and Bottomline to relieve that risk of bank change fraud, check fraud, etcetera, and move to something that's electronic. Move to somewhere where you've got a trained team of individuals looking at those very critical pieces of information regarding your payments to ensure that you do reduce that fraud risk that you have, wherever your business is.

Paul McMeekin: Okay. Makes sense. So, we talked a little bit about preventing that. Let's talk about the future. So, I could pick up a newspaper, whatever day this gets published, and I guarantee this will go with AI in there. Right? What trends in fraud prevention should companies prepare for?

Katie Elliott: So, like you already said, AI, I think is going to be the big thing to look out for. I saw an article this morning where an AI company was saying, hey, look how easy this is. And they went to ChatGPT, they said, create me a realistic-looking receipt from XYZ business. Make it wrinkled. Put it on a wood table. Make the numbers add up correctly for the bill. And in seconds, ChatGPT gave them this realistic-looking picture of a receipt. And an employee would go and use that to get reimbursed for money that they may have not even spent from their company. So, it's so easy nowadays using AI to facilitate fraud. Simple red flags for emails.
So, we were talking about business email compromise earlier. Right? We used to say, look for grammar errors, look for misspellings, look for incorrect punctuation. Those would be huge red flags that the email that you got was actually fake and not a real legitimate request. Go to ChatGPT, a fraudster can say, I don't even know English. Give me an English email that will say, send this payment to blah blah blah at blah blah blah blah blah.

Paul McMeekin: It's scary.

Katie Elliott: Well, and even there was this, it's much more labor intensive. So, it goes against my cheap, easy, fast triangle, but there was a fraudster that did a complete deepfake. So, they used AI Generative everything to impersonate the CFO of a Hong Kong company on a Zoom call. So, they had the face likeness, the voice, everything, all the mannerisms. And during that Zoom call, the quote, unquote CFO instructed a $35,000,000 payment.

Paul McMeekin: Wow. That probably goes to the high reward and effort quadrant. Right?

Katie Elliott: Correct. Yeah. So, that company lost $35,000,000 because of a deepfake. So, again, you've got the cheap, easy, fast way that you'll see a lot of the fraudsters tend to go to using ChatGPT invoice generation. There was something I saw the other day where you can generate a pay stub or a bank account statement. Just pay a dollar and here's this document that looks realistic. And so there's that side. And then there's also this technology that's out there and how many companies are using voice recognition now. So, I think AI and all of the capabilities that it has, it can be a great wonderful thing that can advance technology in our culture, but fraudsters are going to use that to their advantage for sure.

Paul McMeekin: Exploited. Okay. So, Katie, last question. If you could give one piece of advice to CFOs, treasurers, anyone who's involved in making payments, I guess, about the future of payments and your particular case about securing payments, what would it be?

Katie Elliott: I've got two.

Paul McMeekin: Okay.

Katie Elliott: So, I've got education and awareness. I will tout that until the day I stop working and even after that. The more aware you are of what's out there, the more prepared you can be to combat against it and to identify it when it comes across your desk, your computer, your email, whatever the case may be. If you're unaware of BECs, you're just going to rely on your email and think everything that you get is legitimate. So, I think the more you can educate and make people aware, the better. My second is slow down. If you talk about the future of payments. Right? Payments are just going to be faster. We have FedNow real-time, same day, everything is, how do I get things? How do I get money moving from point A to point B as fast as humanly possible? So, from a technology standpoint, a processing standpoint, payments are quick and they're going to continue to be quick. So, when I say slow down, I'm talking about all the people in these businesses and this line of work that are involved in that payment process. Don't just click approve. Don't just say okay. Take the time to slow down and say, does this make sense? And if you ever question it, pick up the phone and do the old-fashioned way of making a phone call and verifying that the information is accurate. Because if you don't take that extra step, that money can fly away with little to no way of recouping in the end.

Paul McMeekin: You talk about education, awareness, and slowing down, picking up the phone. For new people entering the workforce, that's a skill they don't typically have. Right? You read all the time that people entering the workforce today are afraid to pick up the phone because they're not used to this. It's all through text. It's all through various social media apps. So, that's going to be a huge area of focus, I imagine for companies and banks to double their efforts on educating people how to make a phone call.

Katie Elliott: How to validate that the phone number you're calling is the right one. Don't just call the phone number in the email. You have to do your own research. But yeah. It's funny. Even in my generation and like I said, I've been in the industry for a long time now. I'm not new here, but even the way I grew up, I was very hesitant to pick up the phone, and I would always prefer to do things via email or text. But you learn really quick. It's not secure. So, pick up the phone. Don't trust the phone calling you even. I think there's always that, we don't want to be too suspicious of everything, but I do think everyone needs to have a layer of suspicion in them.

Paul McMeekin: Healthy dose.

Katie Elliott: Yes. A healthy dose of questioning.

Paul McMeekin: Good stuff. Well, Katie, thank you for joining me today, and we look forward to the next episode of Paymode Podcast.

Katie Elliott: Yeah. Thanks for having me, Paul.

Owen McDonald (host): Generative AI, various types of deepfakes, and continuing business email compromise fraud make the shadowy world of fraud even scarier. It's time to drop the habit of just hitting approve on invoices and get some protection. Thanks to Katie Elliott, Senior Risk and Fraud Officer at Bottomline, and to cohost Paul McMeekin. To our fantastic audience, thanks for listening. Hit subscribe. Catch us again on your favorite podcast platforms, including Apple and Spotify. Bye for now.

Speaker 0: The Payments Podcast from Bottomline.