With hundreds of fraud attempts happening every day, businesses are increasingly worried about falling victim to one of them.
Organizations can buy all types of cybersecurity tools to block ransomware and malware, but none of them can guarantee that fraudulent messages will be stopped 100% of the time. Nor is it possible to ensure that employees will never be deceived by a fraudster. When even a small chance of a mistake could cost an enterprise millions, it is crucial to understand how to prevent fraud from happening.
To learn more about fraud attempts and their prevention methods, we had a discussion with Alan Greenblatt, the CTO and Co-Founder of PaymentWorks – a company that strives to eliminate business payments fraud.
Can you tell us a little bit about what you do? How did PaymentWorks originate?
I am the CTO and co-founder of PaymentWorks, which does digital supplier onboarding for secure, compliant, and optimized business payments. Thayer Stewart, our CEO and my Co-Founder, worked for many years in financial services and the fintech space. He recognized the pain around vendor onboarding and management, and the opportunity for fraudsters to exploit what is generally a very manual process. He had a vision for a vendor master file in the cloud, which could be shared by any company who wanted it. The key was that everyone needed to be able to trust the data in the master file. So trust is where we started – we knew that without it, we’d be done before we started.
We founded this company to secure how vendor information is handled at the customer company, and in the process, created a product that additionally brings compliance and efficiency wins.
You often talk about the identity gap problem. Can you briefly describe what it is and why it should be taken seriously?
We use the term “identity gap” to highlight the difference between information about a business that is proven to be authentic and information that just appears to be authentic. If it is not proven, you have a “gap” in the integrity of your data, and you will spend a lot of time trying to ascertain the accuracy of the identity elements of the entity you are dealing with. To be more specific: it is no secret that fraudsters know how to, really precisely, fool the best-intentioned employee into believing they are dealing with their actual vendor. And once they have succeeded in doing that, along comes the new banking info for that next invoice.
Leaders are beginning to understand that asking their people to be more careful – and not taking other, more meaningful steps to secure their process – is an invitation for a potentially costly mistake, not to mention a recipe for chronic sleep loss and indigestion for the people who are given that responsibility.
“Be careful” is not a sound defensive process and implies that if someone gets tricked, they aren’t being careful. This isn’t true. People lose jobs over this! They need to have a fighting chance.
Which red flags indicate that a vendor might be malicious or that someone is impersonating them?
I cannot stress enough the importance of being wary of urgency. If someone has created the sense that something related to a payment needs to happen right now, you can almost guarantee it’s a fraud attempt.
Another, less obvious one has to do with phone numbers. We know that many folks attempt to call vendors to ensure that the email is real – and you should, too! This is a time-consuming but great method to have in place. However, with so many people working from home, you are likely not reaching the vendor with your outbound phone call. If the vendor calls you back from a different number than you used to call them, you are right back to the “identity gap” problem. If you cannot authenticate that number as belonging to the vendor, then you cannot really be sure who just called you to verify that bank account change.
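The call-back verification described in the answer above, modelled as an added example (this is not PaymentWorks code; the vendor record, request and phone numbers are constructed): a bank-account change is approved only when the confirming call can be tied to a number already authenticated in the vendor master record, and a call-back from any other number is treated as an identity gap.

```python
import re
from dataclasses import dataclass


def normalize_phone(number: str) -> str:
    """Keep digits only so '(617) 555-0100' and '617-555-0100' compare equal."""
    return re.sub(r"\D", "", number)


@dataclass(frozen=True)
class VendorRecord:
    """Vendor master entry; phones_on_file were authenticated at onboarding."""
    vendor_id: str
    phones_on_file: frozenset


@dataclass(frozen=True)
class BankChangeRequest:
    vendor_id: str
    new_account: str
    phone_in_request: str  # number the e-mail asks you to call (untrusted)


@dataclass(frozen=True)
class PhoneConfirmation:
    direction: str   # "outbound": we dialed the vendor; "inbound": they called us
    number: str
    confirmed: bool  # the person on the line confirmed the bank change


def verify_bank_change(req, record, conf):
    """Return (approved, reason). Only a number already on file counts as
    authenticated; the number quoted in the request is never trusted."""
    if req.vendor_id != record.vendor_id:
        return False, "request does not match a vendor master record"
    on_file = {normalize_phone(p) for p in record.phones_on_file}
    if normalize_phone(conf.number) not in on_file:
        if conf.direction == "inbound":
            return False, "call-back from a number not on file: identity gap"
        return False, "outbound call went to a number not on file"
    if not conf.confirmed:
        return False, "vendor did not confirm the change"
    return True, f"confirmed via {conf.direction} call to number on file"


# Constructed scenario: the request e-mail carries a new phone number; the
# employee dials the number on file, gets no answer, and then receives a
# call-back from the number in the e-mail.
RECORD = VendorRecord("V-1001", frozenset({"(617) 555-0100"}))
REQUEST = BankChangeRequest("V-1001", "NEW-ACCT-999", "617-555-0199")


def demo_callback_from_request_number():
    return verify_bank_change(REQUEST, RECORD, PhoneConfirmation("inbound", "617-555-0199", True))


def demo_outbound_to_number_on_file():
    return verify_bank_change(REQUEST, RECORD, PhoneConfirmation("outbound", "617-555-0100", True))
```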
Did you notice threat actors using any new techniques during the pandemic?
The biggest change was in the frequency. We have seen more of the same types of attempts of vendor impersonation, whether it be email spoofing or vendor email compromise. Many of them use remote work as a cover to create a sense of urgency we talked about earlier.
What security risks do new business owners often fail to take into account?
Three big security risks immediately spring to mind. The first is expecting that your IT infrastructure is enough to protect you. It might secure you from being hacked and impersonated, but it does nothing to let you know if your vendor has been hacked.
The second is expecting your human workers to be infallible and to never be tricked. The most diligent, well-intentioned, and well-trained employee is still not going to be perfect. So it is unreasonable to expect that mistakes will not happen.
The third is believing that their cyber insurance policy will cover any losses stemming from a vendor email compromise. These types of frauds are not due to a cyberattack on your side; they are due to the social engineering of a person, i.e., an employee being tricked, and it is likely you will not be covered in this case.
Why do you think certain companies struggle with vendor management?
I think almost all companies struggle with the weight of it, but the ones that are most vulnerable are those with distributed procurement in their organizations, meaning those that give business units the freedom to work with the vendors of their choosing. In higher education, for instance, the folks in facilities can hire any mason they want, the soccer coach can buy any uniforms he (or she) wants, and the food service director can source from wherever. When there are so many possible points of entry for a fraudster, you end up with a lot of opportunities for fraud attempts.
On top of this, onboarding a new supplier involves collecting and checking all sorts of documentation – all of which needs to be verified by someone because it is so easily forged. But beyond the public sector, social engineering fraud is beginning to proliferate into enterprises as well. We see this becoming an important agenda item for all corporate CFOs and CPOs as they contend with losses estimated to be 5% of revenue each year.
In your opinion, which organizations are a high target for fraudsters and should implement proper security measures as soon as possible?
Any organization with distributed procurement, but especially those required to comply with public disclosures, such as public higher education institutions, state and local governments, and K-12, are all in the cross-hairs of fraudsters. But no one is immune. The smallest mom-and-pop can be swindled, as can the largest and most sophisticated enterprises.
How about this? If you are expecting your workers to detect and defend against social engineering fraud, you belong to the list of high targets for fraudsters.
What cybersecurity threats do you think are often overlooked but pose serious damages to enterprises as well as individual users?
I might sound like a broken record at this point, but the threats are with the people. All the cyber defense in the world is no match for a sophisticated fraud attempt that targets a person and gets him to believe the ruse. No one even needs to be hacked for this type of scam to succeed.
And finally, what’s next for PaymentWorks?
We are the only platform out there that targets stopping these types of fraud at the source – the vendor master file. We make sure no bad data gets into the ERP. Moreover, we don’t just talk the talk – we back it up. Using PaymentWorks eliminates our customers’ risk of losing funds to a fraudster. If we say that a bank account is trustworthy and the client can pay – then our customers can press “send” on that payment file and go back to doing their jobs.
We are beyond excited for the opportunity that is in front of us – one to make a meaningful change towards the way people in vendor management, and in procurement, and AP by extension, do their jobs. No more worrying about W-9s, Tax IDs, and verifying bank accounts. And definitely no more concerns about paying a fraudster instead of your intended vendor. PaymentWorks has your back.