Balancing digitization and security risk

CHELSEY OSBORNE: Hello and thank you for joining us today for our second webinar in our Digital Transformation webcast series. Our topic today is on the cybersecurity landscape and how to stay a step ahead to protect your company. My name is Chelsey Osborne, commercial real estate, central region, deposit and payment solutions manager. Our group is dedicated to optimizing working capital for our clients within the commercial real estate industry. With me today to speak on this topic is Troy Ellis, chief compliance officer with Aparium Hotel Group. Troy has spent the last 16 years in hospitality working for the likes of Hyatt, and most recently with Aparium, where he's held numerous positions across the finance organization, before taking on the role of chief compliance officer in 2019. Aparium Hotel Group is a pioneer in the lifestyle hotel industry, with individually unique, awe-inspiring, award-winning independent hotels in distinct, yet underserved, markets across the United States. They were just recently named number 12 on Travel and Leisure's "Top 25 Hotel Brands" in the world.

Before we begin, I wanted to share a few statistics as they relate to fraud within the financial services industry. Fraud trends, based on the AFP 2020 Fraud and Control Survey, indicate that 82% of all companies surveyed had some sort of attempted payments fraud, with business email compromise topping the list of sources of fraud attempts. Business email scams continue to grow and evolve. They target small, medium, and large-size companies and personal transactions. Between May 2018 and July 2019, there was a 100% increase in identified global losses. Business email compromise scams have been reported in all 50 states, as well as 177 countries, with fraudulent transfers being sent to at least 140 countries.
Between June 2016 and July 2019, the Internet Crime Complaint Center received over 166,000 incident complaints, with total exposed dollar losses of over $26 billion and true total losses in just 2019 of $3.5 billion. With all those statistics in mind, let's get started. Troy, thank you for joining us today. There are many ways the fraudsters can target a company through business email compromise and phishing. Can you walk through some fraud attempts that you have experienced in your tenure?

TROY ELLIS: Hi, Chelsey. Thanks for allowing me an opportunity to discuss. There are a tremendous number of attempts at both our headquarters and at our hotels. Beyond the blatantly obvious attempts that I'm confident our audience has already experienced, I have a couple of stories that stand out that are rather complex, and a couple of one-off attempts outside of wire fraud.

First, when I say blatant, I'm referring to those emails that many of our email users have received, where the sender appears to be an executive or principal of our company and is asking the employee to take action on something. I think the most traditional example of those is a request to transfer wire funds. But we've also seen requests to purchase large quantities of gift cards, changing bank account information for a vendor, or changing direct deposit information for an employee. These emails tend to stand out, because they're written in a different tone than the person you think the email is coming from. And there are usually misspelled words or the sentence structure is off-beat.

Second were the one-off requests that I mentioned. Those are the scariest ones for me, because they're usually directed to an associate who does not regularly see these attempts, compared to those times where the request is directed to a director of finance or controller, positions that are trying to catch these attempts. And then they either disregard or forward to IT.
For example, a fraudster will email an executive assistant or supervisor and say something similar to, "Hi, it's Troy. I'm traveling and I'd like to provide all of our investors a gift card to thank them for their support." The employee will usually engage with the other side. They'll run out and purchase gift cards, and later be asked to scratch off the backs of the cards and then communicate the gift card number. Another example is when a fraudster calls our HR department or accounting department and requests to change direct deposit information or remit-to information. Again, these are scary for me, because they're targeting employees that might not even know these types of attempts exist. We have to be vigilant about communicating these things to our entire staff, not just our accounting and finance departments.

Lastly, and of course the most material of these attempts, are the ones that you're asking about, the ACH or wire fraud attempts.

CHELSEY OSBORNE: Yeah. It's interesting, because the environment-- it used to be very obvious, these attempts, like a misspelled word or the language didn't match our normal conversation. And now they've gotten so sophisticated. So Troy, how could a fraudulent wire or ACH transaction actually get sent?

TROY ELLIS: I think the two most memorable attempts were both organized and transacted via email. They're similar to one another in that way, but slightly different in how the attempt was carried out-- I think a good example of how these fraudsters have adapted over time. A few years ago, our policies and procedures surrounding the protection against wire fraud were very manual-- lots of internal phone calls or calls to the receiver to confirm account information. In this instance, a procurement company we were working with was compromised. The fraudster knew of a large wire transfer that we were going to be sending later that month.
They actually took the time to create a bank account with a similar name to the procurement company. I recall they used LLC at the end of the name instead of Inc, and they set up a splash page which was identical to the procurement company's. So at the time, one of our internal processes, in addition to calling the vendor to confirm banking information, was to click on the email signature tagline and make sure it was the correct company. We called. We couldn't get anyone to answer the phone. We went to the fraudulent splash page and it passed our sniff test. So thankfully, we were able to catch that wire attempt by reaching out to another contact with the same company who helped us with the account verification, which revealed the mismatched numbers. Looking back on the events, we were able to catch this with the help of our third-party IT company. They helped us piece together how everything unfolded.

And I think more recently, one of our hotels was a recipient of the PPP loan, which allowed us to pay interest on that note. The financial institution for the hotel's debt was very supportive during the COVID mess and it deferred a large portion of the hotel's interest. We were communicating with the lender for a few weeks, negotiating a large pay down on the deferred interest, and one of the people communicating had been compromised. In this situation, the user was prompted a week or so before the attempt via an email that requested their change of password. So when the wire transformation came in from the actual financial institution and it was received correctly for someone else in the email chain, the person sending the wires received a separate set of instructions from the fraudster from a similar email address. And I think with all of the people that were included in the email, the person just thought that the email address and the information was correct.
Again, we caught this before approving the wire, because our approver checked against the prior instructions received from our lender.

CHELSEY OSBORNE: Yeah, Troy, I think a lot of folks get nervous, especially lower-level associates or analysts get nervous when they see, oh, the CEO is on an email, or oh, our VP of finance is on an email. I need to just do this. But really, it goes back to, hey, you need to do all those checks and balances, even if it is the CEO or even if it is the CFO, because at the end of the day, you need to protect yourself and your company from those funds getting out there. With that in mind, Troy, if a fraudulent wire was ever sent, how would you go about trying to get those funds back? Or do you have any thoughts on best practices there?

TROY ELLIS: Yeah. Sure, Chelsey. So part of my role here, above ensuring that we aren't a victim, is to make sure that we're prepared to mitigate through these situations if we ever do become a victim. So first, we purchased cyber insurance-- and these are ever-evolving conversations with carriers and brokers to ensure that the coverage is appropriate. I think some companies may place coverage for cyber without fully understanding the policy, and they may come to find out that the coverage is not what they thought. For example, we actually carry two policies. One to protect our employees, if there's an employee error as it relates to cyber, and then another at each hotel to protect equipment that the cyber crime could actually be carried out on. So when push comes to shove, you may be carrying some sort of blanket coverage for cyber and later find out that there's an exclusion in the policy's language, and come to find out you don't actually have the coverage when you need it. So I make sure to go through some hypothetical events with the carrier or broker before we place any of our insurance lines, just to make sure that coverage is there for all sorts of things that could potentially happen.
I think any reputable carrier or broker will have some resources for risk to prepare for these crimes. For example, counsel specifically for cyber events or a forensic accountant, et cetera. For me, specifically, I view these attempts as a personal attack against me. So I never want to use our cyber insurance, so we're prepared to try to mitigate on our own using some resources we have already identified to recover.

I think secondly, you need to act immediately. If the funds leave your bank account and are deposited into the fraudster's account, the first thing that the fraudster intends to do is to transfer those funds into another account. If you can contact your wire room at the issuing bank on the same day, the issuing bank can usually contact the wire room at the recipient's bank and request the account to be placed on hold. With the account on hold, the fraudster doesn't have the ability to access the funds. If the amount's material, you can also call your local FBI office and report the transaction. Once the FBI is involved, it's sort of out of our hands. But my understanding is that they'll work with the recipient's bank to release the hold and try to pull the funds themselves. There's some risk here, because when the account's released from hold, it's fair game to withdraw the funds. So I'm aware of some financial institutions that require you to sign a hold harmless agreement. But the intent is for the FBI to grab those funds after they unlock the account before the fraudster can and return them to your account.

CHELSEY OSBORNE: Thanks, Troy. I think the first and foremost is, like you said, act immediately. If you don't act immediately, you wait a few days, like you said, those funds could be long gone, because like you said, their intent is to get that money and get it out of that account, because it's traceable to that account. But where it goes after that could be a little bit less easily-- you would have a harder time finding the funds.
So really good points there. Thinking through advice or best practices that you may have, can you talk a little bit about updating policies and procedures? You mentioned it a little bit in your thoughts at the beginning. But can you walk through a little bit more?

TROY ELLIS: Yeah, sure. There are a few things that come to mind right away. Validating the wire instructions in a timely manner-- so for example, when we're closing on a transaction, we obtain all the required wire information beforehand. And we go through all of our internal procedures to confirm the accounts are correct a few days before closing. This minimizes any stress or anxiety related to the transfers during what is probably an already stressful day.

Second thing is callbacks to confirm the wire is received. To your point, Chelsey, on timing, I've set this up to identify and help us identify events-- what happens. One reason why fraudsters are successful is because the initiator and approver send the wire. They approve. And then they just move on to the next task. The following day, the intended recipient will always reach out and ask where the funds are, and by then, it's too late.

I think the third thing that comes to mind is only sending wires when necessary. Probably one of the easiest deterrents-- so outside of these major capital events or closings, I think wires are mostly sent because they're a quick solution or maybe an outstanding payable or commitment. Trying to move quickly is another opportunity for the employee to abandon a policy or procedure and the perfect opportunity for a fraudster. So eliminating wire transfers, to the extent we can, is always one of my initiatives. It may seem a bit old-school or less productive, but these crimes are a huge issue. The CEOs for the entire NASDAQ index met in DC a couple of weeks ago to try to solve this issue. So it's a real issue. And some of the smartest people in our country are trying to solve it, and don't have the answers yet.
So during the interim, my team owes it to our partners and investors to protect our cash. If our policies are a bit slower but we're protected, so be it.

CHELSEY OSBORNE: Yeah. Those are all really great points. And another thing I think banks are doing now is offering some type of account validation services, where you, as the client, can go into our bank portal, type in the routing and account number for wire or ACH instructions that you receive, and validate the name, validate the account status. Like you were saying, Troy, a lot of the fraudsters open these new bank accounts and then automatically try and transfer money in there. So I think banks are looking at tools to help mitigate the fraud, in addition to all the things that you spoke about, as well. So all really helpful items that you shared.

Thinking through a little bit about the hospitality industry, you handle confidential information daily. How do you ensure that information is secure and protected? And then how do you also handle contracts, et cetera, from your vendors to ensure that you're protected from a security standpoint?

TROY ELLIS: Chelsey, understanding your vendor contracts is a huge, huge thing. Most of our guests' information is warehoused in a cloud provided by one of our property management or point-of-sale systems. The data's always encrypted, but only to the extent you force. There's always an opportunity to talk through with your providers how they do this and to see if there's another level of encryption provided that maybe you can pay for to further protect the guests. Of course, we're always PCI-compliant and we're always looking to our merchants or processors for updates on how we can continue to protect our guests' credit card or personal information.

CHELSEY OSBORNE: So Troy, who is liable if there is a breach? Or how do you handle those situations?

TROY ELLIS: That's a good question, Chelsey, and largely dependent on how the agreements are written with your vendors.
Some agreements require us to have specific cyber insurance to help respond or mitigate. Some of our agreements are written up so that the vendor's the responsible party. It usually comes down to who owns the equipment or who's doing the work. That's something we look at for every single remit. I always run through our broker and carrier to make sure there's coverage.

CHELSEY OSBORNE: Those are really great points, Troy. Thank you for walking through that with us. What additional ways can companies protect themselves from these fraud attempts, outside of what we've already spoken about?

TROY ELLIS: Penetration testing is one. There are companies that you could hire to actually break into your space, whether it be the physical space or the systems. For example, there's an internal penetration test, where the company will actually disguise themselves as a vendor and try to access your systems via an unlocked door or unlocked computer. There are also external penetration tests, where someone will try to gain access to your systems or network from outside the building. And then the companies report back to you and tell you where your risk is, and then help you address those items.

We discussed having cyber insurance and the importance of that. There's also two-factor authentication. It's something that we work with our email provider on. It's something that we mandate now in all of our hotels and our corporate office. It takes care of those attempts where a fraudster tries to obtain your password. When you try to change your password, you receive a text to authorize the request. It's usually via text message or an email to a separate email address, other than the address that you're trying to change the password for.

There's email flagging. This isn't a pretty one, and so it's not our favorite. But we type in very bold print language on the top of any email that comes from an outside source, identifying it as something coming from an outside source.
So it's just one more thing for our employees to recognize when they receive an email, to show that the email address it is coming in from might be from out-of-network. And it might not be the person that you think it's from.

And then, of course, there's company training and testing. This is kind of a fun way to get your entire team involved. I'll hire a friend or I'll find a recently hired employee and I'll try to change a direct deposit account number or vendor payment system with one of our controllers or directors of finance. It sort of keeps everyone on their toes. It can't be presented or even handled as a gotcha moment, or it might be a turnoff for the team. So instead, it's just a reminder that sometimes we lose our focus and could let something slip. We just can't do that when it involves wire transfers.

CHELSEY OSBORNE: Yeah. Those are all great. And we do the company training at US Bank, as well, and have the testing. And it's always interesting when you get something that looks a little fishy, but it goes along with your day-to-day, so you second-guess clicking it. So all of those things are really important to help train your employees. Last question. How have you seen the cybersecurity landscape change over the years in your role?

TROY ELLIS: Going back a few years, protecting our office and our hotels from any cyber events was something we just discussed internally and with our finance and accounting teams. Now it's something that we need to discuss with any email users, and indirectly with our employees, our guests, and sometimes our vendors who don't have corporate-issued email accounts. So if we ask an employee to come to an office and sign a change in direct deposit in person, or if we ask a guest to confirm a credit card number before we charge or credit it, it might be a slight inconvenience. But it's always there to protect them.
And then I think from an expense side, it's no longer sufficient to just have a third-party IT company monitoring the IT environment. You need cyber insurance. You need to constantly purchase new software or hardware. You really need to invest a lot of capital into the issue from the onset, and then spend money to maintain later. So I'd say we've gone from a line item on the P&L for IT and security to almost an entire page on the P&L.

CHELSEY OSBORNE: Yeah. Those are all really interesting about how-- I think about it, way back when, it was like maybe our biggest issue was check fraud. Check fraud is still a huge issue, but we're talking huge dollar amounts with this wire fraud and business email compromise. So you have to be on your toes at all times and make sure you're aware of what's going on in that space.

So in closing, Troy, thank you so much for your insights today, and your willingness to share your experiences as a leader in the commercial real estate hospitality industry. It is clear to me that you have done extensive research to try and keep your company protected from any cyber fraud event. To our audience, thank you for taking time to join us today, and we hope that you found the information Troy shared helpful when you think about your own cyber fraud mitigation at your organization. A couple of notes before we wrap up. First, please take a few minutes to complete the survey for this webinar, as your feedback is helpful as we look to future webcasts. In addition, we will be sending out our invitation for our next webinar this fall, so please keep an eye out. We appreciate your time today. Thank you, and have a great week.