
đŸ—ș Lost In Transaction: You're Only As Strong as Your Weakest Point

Protecting your payments without slowing down your business

Scale faster with smarter spending

You can’t save your way to growth. Which is why Brex focuses on smarter spending that helps make every dollar count.

Brex offers the world’s smartest corporate card on a full-stack global platform that has everything CFOs need — banking and treasury, expense management, accounting automation, bill pay, and travel. So you can spend smarter and scale faster.

Panic mode

My heart rate doubled in a matter of seconds.

I could feel my pulse in my throat and temples, and an instant numb sensation in my head.

There isn’t much worse for a CFO than hearing from your team that the business just made a fraudulent payment.

In my head, I’m catastrophizing. How big was the payment? How many payments? What if it’s every payment? Why didn’t the callback pick it up?

But I know I have to stay and appear calm. If this is how I’m feeling, the team will be feeling even worse. And I need them to stay calm too, to work through the issue rationally. Prevent any contagion, and maximize the chance of recovery.

This was the second time in my career that a team I was leading had been caught by phishing scams.

Twice, nearly ten years apart, out of hundreds of millions of payments, totaling several billion dollars. But still two times too many.

The two together totaled nearly $1.5m. And even though we were eventually able to recover over 90% of the losses each time, it’s still not a record I’m particularly proud of.

Both times it was a bad actor successfully impersonating an established supplier. Using social engineering and fraudulent documents to convince someone on the supplier master data team to change the supplier bank details.

Each time there was the inevitable post-mortem. Internal audit would pore over every step of the transaction. Setting out what should have happened and what did happen. Testing for whether it was a one-off or a recurring problem.

Both times it was the same answer. The fraud was sophisticated, convincing, and cleverly coordinated. Nevertheless, the internal controls themselves (as designed) should have been good enough to root out scams like this one.

But for whatever reason someone in the team didn’t do their job properly that day. They skipped the callback. Or the reviewer didn’t check the source documentation before approving the master data change.

With payment controls, you are only as strong as your weakest point.

All humans make errors. Fraudsters know this, which is why they target your last lines of defense - like payment master data.

However paranoid you are about transaction risk, it probably isn’t paranoid enough.

Today’s newsletter is a special Spotlight edition. I teamed up with Brex’s EVP of Global Financial Products, Erica Dorfman, to dive deep on transaction and payment risk. You can expect your regular Playbook newsletter on Saturday morning.

Lost in transaction: You're only as strong as your weakest point

I apologize in advance for keeping every CFO up tonight.

Whether you’re sending payments across town or halfway around the world, there is an inherent risk any time money leaves your account.

As a CFO it’s (part of) your job to mitigate that risk. You’ll NEVER be able to fully eliminate it. But you had better try. Your (work) life depends on it.

One bad actor or one careless mistake can cost your company money and can cost you your job and reputation. Just ask British engineering company Arup.

Remember: you’re only as strong as your weakest point when it comes to payment and transaction risk.

Unfortunately, there isn’t a one-size-fits-all approach to plugging every hole and defending every attack.

But what you can do is build a foundation and culture of control that will help minimize, or, with a little bit of luck, totally eliminate payments fraud under your watch. Seriously, leave that for the next person.

So let’s dive into this month’s ‘Spotlight’ edition of CFO Secrets.

In collaboration with Erica Dorfman, EVP, Global Financial Products at Brex, where they are always thinking about how to keep their customers (and their own payments) safe, I’ve outlined steps you can take to reduce payment risk:

  1. Drink your own champagne

  2. Keep your authorization matrix live

  3. Use payment methods with built-in protections

  4. Automate vendor and payment workflows

  5. Double down on vendor diligence

  6. Give extra care to global vendors

  7. Keep an eye on emerging fraud tech

  8. Build a culture of skepticism

Let's take each in turn with a little (ok a lot) of help from Erica:

1) Drink your own champagne

“You want to make sure your payment lands safely with the intended recipient. None of this is rocket science, but despite how smart teams are, fraud still happens. There are only so many critical points of failure. And by walking through the processes step by step you can see firsthand where those weaknesses are.”

- Erica Dorfman, EVP, Global Financial Products at Brex

Erica’s right. Sometimes we like to overcomplicate things with technology. Sometimes the best defense is rolling up your sleeves and doing the dirty work yourself.

Walk through your internal processes. It’s not as sexy as doing all the strategic FP&A stuff (or literally anything), but it’s just as important, if not more so. Go step by step through the new vendor process, the master data change process, and the payment processes. And make sure you are there to review live; don’t delegate and forget about it.

Whenever I’ve done this, I’ve got two benefits from it:

  • You get a good firsthand feel for the risk

  • Your broader perspective might spot issues that others might miss: higher-risk vendors, overlap with other business processes, manual payments, etc.

Whenever I’ve done a review after a fraud or process issue, I often feel embarrassed at parts of the process. Once I walked through the process myself, the vulnerabilities became obvious.

2) Establish & regularly update an authorization matrix

Your authorization matrix is the most important control you have on spend, payments, and commitments.

Combined with the right segregation of duties, it is your insurance policy. You can bet it will be the first thing the board asks for when things go wrong.

This one also falls into the “it’s not rocket science” category: the level of delegated authority you afford someone should be no greater than the level of trust you have in their competence and integrity.

So, if someone in your business has the authorization to spend $50k, and they make a $49k mistake, you need to be prepared to say that is your fault. After all, you trusted them to that level.

Conduct a full review of the levels each quarter (at a minimum). As CFO you should take direct interest in this review and sign it off yourself quarterly until you are satisfied it is working as you think it is.

“And that isn’t just on your bank transactions, it’s also in your internal approval workflows too. You need to make sure there are no inconsistencies between your internal approval workflows and the authorization levels in the ‘end of chain’ payment workflows. For example, the level of authorization you give someone to approve in your bill pay software should match what you would give them in a bank transaction. You can mitigate this risk by managing through one, consistent end-to-end authorization matrix.”

- Erica

One of the weaknesses I see, particularly in more mature, less tech-friendly businesses, is that approvals can be treated like a one-off project rather than something that’s live all the time.

The authorized limits were strong and thoughtful at a point in time, but once something changed (a person left, or the market shifted), the levels and names never got updated.
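The two weaknesses Erica and I describe above (limits that disagree between the internal approval tool and the bank, and names that linger after someone leaves) are mechanical enough to check with a script. The following is an added example, not code from the newsletter or from Brex; the names, limits, the "bill_pay"/"bank" system labels and the roster are constructed. It treats the higher of a person's two limits as their real exposure, because that is what they can actually release.

```python
"""Consistency and staleness checks over an authorization matrix.

Constructed example (not the newsletter's or Brex's code). It flags
approval limits that differ between the internal bill-pay workflow and
the bank's "end of chain" payment workflow, limits that exist on only
one side, matrix entries for people who have left, and a quarterly
review that has lapsed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Limit:
    person: str
    system: str        # "bill_pay" (internal approval tool) or "bank"
    limit_usd: int


# Constructed sample matrix; names and limits are illustrative only.
MATRIX = [
    Limit("alice", "bill_pay", 50_000),  Limit("alice", "bank", 50_000),
    Limit("bob",   "bill_pay", 10_000),  Limit("bob",   "bank", 250_000),  # inconsistent
    Limit("carol", "bill_pay", 25_000),                                    # no bank limit set
    Limit("dave",  "bill_pay", 100_000), Limit("dave",  "bank", 100_000),  # dave has left
]
ACTIVE_STAFF = {"alice", "bob", "carol"}   # constructed HR roster


def limits_by_person(matrix):
    by_person = {}
    for entry in matrix:
        by_person.setdefault(entry.person, {})[entry.system] = entry.limit_usd
    return by_person


def find_inconsistencies(matrix):
    """Return (person, issue, bill_pay_limit, bank_limit, exposure) for every
    person whose two limits disagree or who has a limit on only one side."""
    findings = []
    for person, limits in sorted(limits_by_person(matrix).items()):
        bill_pay, bank = limits.get("bill_pay"), limits.get("bank")
        # The binding exposure is the largest limit held anywhere in the chain.
        exposure = max(v for v in (bill_pay, bank) if v is not None)
        if bill_pay is None or bank is None:
            findings.append((person, "missing_limit", bill_pay, bank, exposure))
        elif bill_pay != bank:
            findings.append((person, "mismatch", bill_pay, bank, exposure))
    return findings


def find_stale_entries(matrix, active_staff):
    """People still holding limits who are no longer on the roster."""
    return sorted({e.person for e in matrix} - set(active_staff))


def review_overdue(last_reviewed_iso, today_iso, max_days=92):
    """True when the quarterly (about 92 days) sign-off has lapsed."""
    last_reviewed = date.fromisoformat(last_reviewed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_reviewed).days > max_days


if __name__ == "__main__":
    for finding in find_inconsistencies(MATRIX):
        print("inconsistent:", finding)
    print("stale entries:", find_stale_entries(MATRIX, ACTIVE_STAFF))
    print("review overdue:", review_overdue("2024-01-15", "2024-06-01"))
```

In the sample data, bob's bank limit is 25 times his bill-pay limit, so the internal approval tool gives no protection on what he can actually release; that is the inconsistency Erica's quote warns about.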

3) Use payment methods that include protections

“When you think about how you’re paying vendors, if you have the option, do it on card. Card payments come with protections that wires don’t. If you send a wire, the money’s gone, so if you do need to pay via wire, make sure you are thoughtful about compliance and approval procedures.”

- Erica

Not all payment methods are created equal. Send a wire, and if it’s gone it’s gone. A manual keying error, or a compromised system, and you are no longer in control of that money.

Purchase cards are fraudsters’ worst nightmare because they’re built to make sure this sort of thing never happens. And if it does, cards can help you catch it more quickly.

But I’ll shut up and let the expert take this one.

Erica laid it out for us: “Using a P-card to pay vendors enables you to control spend by setting a limit on who can spend, how much can be spent per vendor or per spend type (e.g., advertising), per transaction, and even over what time period.”

Additionally, you can see spending in real time. This gives your team visibility, without needing to wait until the end of the month. When you pay by card, if a fraudulent charge appears, the cardholder can initiate a dispute with the bank or card issuer. This process offers a degree of protection that is often absent in wire transfers.

Not to mention, card issuers have some of the most sophisticated fraud monitoring systems that can detect and flag suspicious activity.

While banks also monitor wire transfers, the level of real-time monitoring and automated flagging is generally more advanced with card transactions.

Plus, when you pay on a P-card you can earn rewards or cashback on your purchases. This is not available for wire payments. And, bonus, you have the benefit of paying for your procurement at the end of your P-card statement period, which gives you additional float.”

4) Automate vendor & payment workflows

When I look back at adverts for cigarettes encouraging smoking from 50+ years ago, I always think the same thing “how did we ever think this was ok?” Shame on you, Don Draper.

It won’t be long before we say the same about manual processing in payment workflows.

“That’s where software can help. If you have payment software and expense management software that run that process for you—it’s not just an AP clerk saying, ‘I did the action, now please approve it.’ There’s an actual audit trail and a system controlling that.”

- Erica

While it will take time for many organizations to catch up, with the technology and integrations available, there isn’t really any excuse for this today.

You’re only as strong as your weakest point.

If your vendor master data update process can be bypassed by one person in a back office, you’ve got a major hole. Automating that through a proper workflow is the single best way to protect yourself.

5) Perform rigorous vendor diligence

Before you send money to someone, you need to know who they are! Again for everyone in the back: Before you send money to someone, you need to know who they are!

“When you go through vendor diligence, you’re collecting their payment information. If they say, ‘Hey, my checking account’s different now,’ or, ‘Our address changed,’ you should be really doing the diligence on that and making sure you have a process to understand why it changed.”

- Erica

I have seen firsthand the extraordinary lengths a bad actor will go to to appear legitimate. Cleverly forged documents, fake websites, phone numbers, multiple contact details. If only they put their mind to solving world hunger.

But knowing your vendors is not as easy as it once was.

AI voice and video fakes now make even the trusty callback an imperfect control. It’s getting much harder to be confident you are dealing with a trusted vendor contact, which makes diligence all the more important.
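Sections 4 and 5 come down to the same thing: a bank-detail change must go through a workflow that cannot be short-cut by one person, and the callback must go to the number you already held, not one that arrived with the request. The following is an added example, not the newsletter's or Brex's code; the vendor id, people, account strings and phone numbers are constructed. It encodes the controls that were skipped on the days fraud got through in my story above, and applies the change only when every one of them passes.

```python
"""Maker-checker workflow for a vendor bank-detail change.

Constructed example (not the newsletter's or Brex's code). Controls:
a reviewer other than the requester, a source document attached for the
reviewer to check, and a callback completed before approval to the
contact number already on the vendor master record, never to a number
supplied with the request itself.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class VendorRecord:
    vendor_id: str
    bank_account: str
    contact_phone: str              # number on file BEFORE this request arrived


@dataclass(frozen=True)
class Callback:
    performed_by: str
    number_dialled: str
    confirmed_at: datetime


@dataclass(frozen=True)
class ChangeRequest:
    vendor_id: str
    new_bank_account: str
    requested_by: str
    phone_in_request: str           # number the "supplier" supplied with the request
    source_document: Optional[str]  # reference to the attached proof, e.g. a bank letter
    callback: Optional[Callback]


def control_failures(req, approver, approved_at, record):
    """Return the list of failed controls; an empty list means the change may be applied."""
    failures = []
    if approver == req.requested_by:
        failures.append("self_approval")                    # segregation of duties
    if not req.source_document:
        failures.append("no_source_document")               # reviewer has nothing to check
    if req.callback is None:
        failures.append("no_callback")
    else:
        cb = req.callback
        if cb.number_dialled != record.contact_phone:
            failures.append("callback_to_unverified_number")  # number came from the request
        if cb.performed_by == req.requested_by:
            failures.append("callback_by_requester")
        if cb.confirmed_at > approved_at:
            failures.append("callback_after_approval")       # verify first, approve second
    return failures


def apply_change(req, approver, approved_at, record):
    failures = control_failures(req, approver, approved_at, record)
    if failures:
        return False, failures
    record.bank_account = req.new_bank_account
    return True, []


def run_good_case():
    """Separate requester and reviewer, document attached, callback to the number on file."""
    record = VendorRecord("V-100", "ACC-OLD-1", "+1-555-0100")
    req = ChangeRequest("V-100", "ACC-NEW-2", "sam", "+1-555-0199", "bank-letter.pdf",
                        Callback("priya", "+1-555-0100", datetime(2024, 3, 14, 10, 0)))
    applied, failures = apply_change(req, "priya", datetime(2024, 3, 14, 11, 0), record)
    return applied, failures, record.bank_account


def run_bad_case():
    """Requester rubber-stamps their own change after calling the number in the email."""
    record = VendorRecord("V-100", "ACC-OLD-1", "+1-555-0100")
    req = ChangeRequest("V-100", "ACC-NEW-2", "sam", "+1-555-0199", None,
                        Callback("sam", "+1-555-0199", datetime(2024, 3, 14, 10, 0)))
    applied, failures = apply_change(req, "sam", datetime(2024, 3, 14, 11, 0), record)
    return applied, failures, record.bank_account


if __name__ == "__main__":
    print("good case:", run_good_case())
    print("bad case: ", run_bad_case())
```

The point of the `callback_to_unverified_number` check is the one Erica makes: a voice clone on the other end of a number the fraudster gave you proves nothing, so the workflow should refuse a callback to any number that was not already on the record before the change request came in.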

6) Give extra care to global payments

Payment risk is real no matter where your vendors are. But working with global vendors and even international subsidiaries brings an additional layer of complexity and risk.

There are local regulations to navigate. At least in most countries, those are codified. But you’ll also come up against customs and practices, too. Not exactly the sort of stuff they teach you in B-School. Lack of familiarity makes it harder to complete diligence, which puts your neck on the line.

I’ve seen teams burned by something as simple as assuming your home market norms apply everywhere.

It falls squarely into the “you don’t know what you don’t know” category. The internet and AI can help you answer questions like, “if I want to pay for embargoed Russian oil through a Latvian shell company of an Estonian multinational, what is the best payment method to ensure the fewest FX fees?” but you really need boots on the ground.

So, who you gonna call?

"Talk to your auditor (or other advisor with global presence) to find a local contact who can help you set up best practices. For most CFOs, that is the fastest path to trusted local expertise. Is there something different about India or about Mexico that you need to know? A local expert can help you set that up ahead of time so you don’t discover too late that there’s a different regulatory or compliance rule.”

- Erica

7) Keep an eye on emerging fraud tech

“AI applications have made it much easier to commit fraud. Fraudsters don’t need to rely on phishing. They can easily impersonate voices, create websites, fake credentials. So if you’re relying on your trusty callback as a failsafe, that might not be enough.”

- Erica

You know all that cool technology we enjoy playing with in our businesses?

Fraudsters can access it too. The sophistication of identity fraud in particular is on an exponential curve. This is making traditional failsafes (like callback confirmations) less valid as a ‘catch all’.

Knowing who your trusted source is at a vendor and how to contact them is harder than ever.

You can scrape an earnings call, throw it into an AI tool, replicate someone’s voice, and fool a frontline person over the phone. A lot of finance folks haven’t realized just how easy that is now. I think I could do that if I wanted to, and my technology skills are crap.

But technology works two ways here. Fraud is getting more sophisticated, but so is the tech to detect and prevent it.

There are going to be very big businesses built on the technology that helps combat this for a distributed workforce (e.g. voiceprint and biometric technology, combined with AI/real-time transaction monitoring). Expect to spend more on this in the future. Don’t be afraid to spend on it.

8) Build a culture of skepticism

The above is all important, but I’d trade it all for a business with a culture of embedded skepticism.

When I have been caught with payment fraud issues, they weren’t a failure of process design, they were a failure of process execution. And failure to execute processes as defined is a failure in culture.

Keeping the risk front of mind with regular training creates a culture where it’s safe to call out threats.

In the immortal words of the (spoiler alert) CEO of Waystar Royco, Tom Wambsgans, “Trust no one. Ever.”

Ok, so what do you do if sh*t hits the fan?

I wouldn’t wish this section on my worst enemy.

The above helps you prevent payment fraud. But you simply cannot take the risk to zero. So you need to know what to do if you get caught. Your controls could be airtight, but that doesn’t mean an AI bot won’t figure out how to make your life a living hell.

Unfortunately, this is part of the game. So, it’s best to be prepared for when (not if) it happens.

Here are the things I’d do if I found myself dealing with payments or transaction fraud (again):

  1. Trigger a formal incident response: This is a crisis. And it should be treated as such. The board will be pointing the finger at you. Communicate clearly, don’t sugarcoat it.

  2. Stop all payments: The only thing worse than being caught by a fraudulent payment? Getting caught by two or three. Just until you get things under control.

  3. Put all payments on positive release: Triage the payments you need to make. Elevate sign-offs by one to two layers, and manually check every payment with a trusted vendor source. Rebuild your trusted list from scratch.

  4. Define the blast radius: Assume everything is contaminated, but make a thorough sweep to identify the particular time period, specific users and vendors, and size or payment type. This lets you relieve the business of the additional bureaucracy more quickly.

  5. Pursue recovery: Act quickly. Speak to your bank, they might be able to help you get your money back - even if you think it’s gone.
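Step 4, defining the blast radius, is the one that can be scripted while the phones are ringing. The following is an added example, not the newsletter's or Brex's code; the payment log, the master-data change log and the "confirmed bad" account are all constructed. It starts from the assumption that everything is contaminated and narrows that down to payments that went to a confirmed-fraudulent account or to an account whose bank details were changed shortly before the payment, then summarises the period, users, vendors, payment methods and amount so the positive-release regime can be lifted everywhere else.

```python
"""Blast-radius sweep after a confirmed fraudulent payment.

Constructed example (not the newsletter's or Brex's code). Joins a
payment log to a vendor bank-detail change log and flags payments that
went to a confirmed-bad account or to an account changed within a
lookback window before the payment was released.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    pay_id: str
    paid_on: date
    vendor: str
    account: str        # destination account (constructed label, not a real account)
    amount_usd: float
    method: str         # "wire" or "card"
    released_by: str


@dataclass(frozen=True)
class BankDetailChange:
    vendor: str
    changed_on: date
    old_account: str
    new_account: str
    changed_by: str


# Constructed sample logs.
PAYMENTS = [
    Payment("P1", date(2024, 3, 1),  "ACME",    "ACC-ACME-1",   120_000.0, "wire", "pat"),
    Payment("P2", date(2024, 3, 18), "ACME",    "ACC-NEW-77",    85_000.0, "wire", "pat"),
    Payment("P3", date(2024, 3, 25), "ACME",    "ACC-NEW-77",    40_000.0, "wire", "lee"),
    Payment("P4", date(2024, 3, 20), "GLOBEX",  "ACC-GLOBEX-1",   5_000.0, "card", "lee"),
    Payment("P5", date(2024, 3, 22), "INITECH", "ACC-INI-2",     15_000.0, "wire", "pat"),
    Payment("P6", date(2024, 3, 28), "HOOLI",   "ACC-HOOLI-9",   20_000.0, "wire", "lee"),
]
CHANGES = [
    BankDetailChange("ACME",    date(2024, 3, 15), "ACC-ACME-1",  "ACC-NEW-77",  "sam"),
    BankDetailChange("INITECH", date(2024, 1, 5),  "ACC-INI-1",   "ACC-INI-2",   "sam"),
    BankDetailChange("HOOLI",   date(2024, 3, 20), "ACC-HOOLI-1", "ACC-HOOLI-9", "sam"),
]
CONFIRMED_BAD = {"ACC-NEW-77"}   # the account the fraudulent payment actually went to


def sweep(payments, changes, confirmed_bad, lookback_days=30):
    """Return [(payment, reason)] for every payment inside the blast radius."""
    change_for_account = {c.new_account: c for c in changes}
    suspect = []
    for p in sorted(payments, key=lambda p: p.paid_on):
        reason = None
        if p.account in confirmed_bad:
            reason = "confirmed_bad_account"
        else:
            c = change_for_account.get(p.account)
            if c and c.vendor == p.vendor and 0 <= (p.paid_on - c.changed_on).days <= lookback_days:
                reason = "recent_bank_detail_change"   # needs re-verification with the vendor
        if reason:
            suspect.append((p, reason))
    return suspect


def summarize(suspect):
    """Period, users, vendors, methods and total for the flagged payments."""
    if not suspect:
        return None
    flagged = [p for p, _ in suspect]
    return {
        "period": (min(p.paid_on for p in flagged).isoformat(),
                   max(p.paid_on for p in flagged).isoformat()),
        "users": sorted({p.released_by for p in flagged}),
        "vendors": sorted({p.vendor for p in flagged}),
        "methods": sorted({p.method for p in flagged}),
        "total_usd": sum(p.amount_usd for p in flagged),
        "payment_ids": [p.pay_id for p in flagged],
    }


if __name__ == "__main__":
    hits = sweep(PAYMENTS, CHANGES, CONFIRMED_BAD)
    for p, reason in hits:
        print(p.pay_id, p.vendor, p.amount_usd, reason)
    print(summarize(hits))
```

In the sample data the INITECH payment is not flagged because its bank details changed 77 days earlier, outside the 30-day window, while the HOOLI payment is flagged purely because the account was changed eight days before the money went out; that second category is the list you hand to the team for re-verification by callback before anything else is released.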

“The sooner you notice an unauthorized transaction, the better chance you have to recover the funds—because there are settlement periods that can be beneficial if you act quickly. If you wait ten days, that money may already have been dispersed through multiple accounts. But if you catch it in two days, you can often pull it back.”

- Erica

As I shared in the opening anecdote, I have been caught twice by phishing scams in my time. What surprised me, was that we were able to recover over 90% of the money on both occasions.

I’m still not sure how this happens (banks are understandably coy on it), but I’m guessing at least one bank in the chain (the bank belonging to the fraudulent party you paid) has failed to do their KYC checks properly. That creates leverage between your bank and the receiving bank.

So call your bank ASAP and apply pressure. There is no guarantee you’ll get anything, but it’s worth a shot. And if that fails, check if you have commercial crime insurance. In my experience, the limitations and exclusions make it nearly worthless, but worth the call.

Net Net

When it comes to payment and transaction risk, the best defense is a good offense.

But as Erica and I discussed during our chat, mitigation meant to prevent risk can be just as bad as fraud itself. Locking down the entire organization can grind processes like payments — and business — to a halt.

One of the key skills of a modern CFO is understanding how to manage risk in a way that helps the business grow. A true balancing act worth a series of its own.

I’ll leave you with this final thought from Erica: "What if CFOs could trust employees to think about spending money or making payments the same way they would trust themselves? Or better yet, what if employees didn’t have to think about how to spend money at all, and they could just do it securely and easily? That's the value of modern payment workflows that CFOs should strive for.”

Global payments don't have to keep CFOs up at night

As we discussed in today's Spotlight with Erica, payment risk grows even more complicated when cross-border transactions come into play.

Brex helps organizations from startups to enterprises spend globally and operate locally with one global card program, real-time controls, and a full suite of compliance and risk-management tools.

Check out the CFO playbook to see how Brex can help you spend globally and operate locally in 50+ countries.
