May 15, 2018 by Greg Meckbach
Risk managers for companies transferring money outside of Canada might want to check the social media profiles of workers in their accounting departments.
Criminals sometimes research the social media profiles of workers at financial institutions and people who have authority to make payments, Stephanie Zee, global payments regulatory head at Citigroup Inc., suggested at a recent conference in Toronto.
“You need to think about how bad actors could infiltrate your own accounting system,” Zee said during her May 10 presentation, “Cyber Security: Is your Business Ready?”, at the Payments Canada Summit in Toronto.
Companies may be vulnerable if they use the messaging system of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) for cross-border payments. Belgium-based SWIFT is an organization overseen by the Bank of Canada and several other central banks.
“If your LinkedIn profile says ‘I am a SWIFT operator’ or ‘I am an accounts payable manager’ or ‘I am a controller’ – [hackers looking to steal money] are looking for you,” Zee said at the summit. Workers “who have the ability to approve payments, have access to proprietary payments systems, to your [enterprise resource planning] systems that create those payments” may be particularly vulnerable to phishing attacks, Zee said.
Zee cited one recent attack involving the SWIFT network, in which the victim was Bangladesh’s central bank. In 2016, hackers tried to steal $1 billion from Bangladesh Bank, the Associated Press reported at the time. In the attack, hackers tried to steal the money through 35 international money transfer orders, 30 of which were stopped.
In that case, the SWIFT system itself was not compromised, but the criminals were able to get computer network credentials of a Bank of Bangladesh worker with access to the SWIFT system. As a result, the “bad actors got away with about (US) $81 million,” Zee reported.
Multiple crime syndicates are showing an increasing sophistication in learning how to hack into corporate systems and make fraudulent payments, Zee said. This is why some organizations are teaching their workers basic information security practices, such as changing passwords frequently and not clicking on links in emails from unknown senders.
Companies can manage risk by hiring so-called “ethical hackers” to try to get into corporate computer systems, Zee noted.
Citibank uses machine learning in so-called “outlier detection” software to find unusual payment patterns.
For example, some companies might make payments of $50,000 or as high as $5 billion. “But that $5-billion payment only happens once a month and always goes to the same place,” Zee said. So if there are three $5-billion payments to three different places, the outlier detection tool is designed to pick up on that.
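As an added illustration of the kind of outlier check Zee describes (example code written for this page, not Citibank's tool): it learns from a constructed payment history which beneficiaries receive large payments and how many large payments occur in any rolling window, then flags candidate payments that break that pattern. The $1 billion "large" threshold, the 28-day window and all beneficiary names are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data, not from the article: one $5B payment a month,
# always to the same beneficiary, plus routine $50K supplier payments.
HISTORY = [
    (date(2018, 1, 1), "ACME-TREASURY", 5_000_000_000),
    (date(2018, 2, 1), "ACME-TREASURY", 5_000_000_000),
    (date(2018, 3, 1), "ACME-TREASURY", 5_000_000_000),
    (date(2018, 1, 12), "SUPPLIER-A", 50_000),
    (date(2018, 3, 9), "SUPPLIER-B", 50_000),
]
LARGE = 1_000_000_000          # assumed threshold for a "large" payment
WINDOW = timedelta(days=28)    # assumed rolling window

def count_in_window(days, end):
    """Number of dates in `days` that fall in the window ending at `end`."""
    return sum(1 for d in days if end - WINDOW < d <= end)

def build_profile(history):
    """Learn who has ever received a large payment and the most large
    payments seen in any single rolling window of the history."""
    large_days = sorted(d for d, _, a in history if a >= LARGE)
    peak = max((count_in_window(large_days, d) for d in large_days), default=0)
    return {"large_beneficiaries": {b for _, b, a in history if a >= LARGE},
            "peak_large_per_window": peak}

def flag_outliers(profile, candidates):
    """Return [(payment, reason)] for candidate payments that break the pattern."""
    flagged, seen_large = [], []
    for payment in sorted(candidates):
        day, beneficiary, amount = payment
        if amount < LARGE:
            continue                      # routine payments are not profiled here
        seen_large.append(day)
        if beneficiary not in profile["large_beneficiaries"]:
            flagged.append((payment, "large payment to a beneficiary never paid at this size"))
        n = count_in_window(seen_large, day)
        if n > profile["peak_large_per_window"]:
            flagged.append((payment, f"{n} large payments within {WINDOW.days} days; "
                                     f"historical peak is {profile['peak_large_per_window']}"))
    return flagged

# Constructed scenario from the article: three $5B payments to three places.
CANDIDATES = [
    (date(2018, 4, 27), "ACME-TREASURY", 5_000_000_000),
    (date(2018, 4, 27), "OFFSHORE-X", 5_000_000_000),
    (date(2018, 4, 28), "OFFSHORE-Y", 5_000_000_000),
]

if __name__ == "__main__":
    for payment, reason in flag_outliers(build_profile(HISTORY), CANDIDATES):
        print(payment, "->", reason)
```

The usual monthly payment to ACME-TREASURY passes, while the two payments to unseen beneficiaries are each flagged twice: once for the new destination and once because the count of large payments in the window exceeds the historical peak of one.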