As we’ve been presenting, we’ve gotten a couple of questions here. And I’d like to start with one for the folks in the room here. You know, I think there’s this sentiment that when fraud happens, that it doesn’t -- it may not impact me by a large margin. Or, it may be small dollar activity. So, I guess the question here is, “Are small businesses at more risk for fraud than large corporations?”
I think we referred to it in the presentation. But, Dan, you see this daily, right? I will say that one of our friends, a business email compromise scenario, and then think about what you’re hearing from small business customers, and that level of frustration, and maybe the magnitude of the impact in some of the most recent examples that you’ve have in terms of a dollar impact.
But I want to first start with, I was just recently engaged with a client of the bank that had a business email compromise. I would call them a very sophisticated company, by the way. This is not a group of individuals in this company that aren’t paying attention to the details or don’t have a level of intellectual capability to really drive protection of very large balances in their business.
But it was almost precisely how Dan described it. They spoofed the CEO’s email, and asked the individual that was running the U.S. operation to send them proceeds. And it was urgent, it was a matter of hours that the money was needed for. And this was to the tune of a million dollars. A million dollars. And those types of transactions were not uncommon for this business, so the amount didn’t startle the business owner and the operator in the U.S. But the threat is very real, and the level of spoofing that goes on is quite sophisticated.
So the magnitude of the impact, and the most recent interactions that I’ve had with my clients is meaningful, and I think it’s helpful for folks on the phone to hear some of the recent examples, or maybe even the size of issues that we’re contending with, even within our client base, Dan.
Absolutely. So certainly on a regular basis, these types of schemes are being attempted, and several examples where it’s over a million dollars that’s being attempted. So, you know, and just in thinking about previous lives, too, and talking with peers, you know, for some small businesses, you fall victim to this, and this can effectively shut your doors, right? If those funds can’t be recovered.
In terms of the level of sophistication that we’re seeing and how that’s evolved over time, in talking with contacts from the FBI, they would tell you that, you know, fraudsters share information to be more effective. That, you know, people think of someone sitting in their basement on a laptop and hoodie and aviators, while those folks are still around, we have, you know, sponsored organizations.
They have -- they sit in cubicles, they have quotas, they have human resources teams, right? They’re putting together -- they have statistics. “When you use this type of language in the request for a BEC scam, here’s the percentage of time it’s effective,” and that helps them get -- just kind of sharpen their tools over time.
So what we’re up against, and what, you know, we all on this phone are up against, is a very sophisticated group that’s constantly getting better. And there’s a lot of money to be made, right?
In terms of the kind of the beginning of that question, in small businesses versus some of the larger commercial businesses, we do see them targeted more often. And really, the fraud contingent is looking for the path of least resistance. So it’s more likely that some of these larger organizations are going to have robust fraud programs, and it’s probably going to make life a little bit more difficult for the fraudster to be successful. So, as a result of that, they do typically go after the small businesses.
But again, something like BEC, now it’s not -- you don’t need advanced infosec tools. I mean, there’s things you can do on that front, but really, it’s -- 98 percent of it is just awareness and education on what this looks like. And having the right controls in place so that when you receive that email, people aren’t reacting to it.
Very good. Appreciate it. Yeah, I think it’s important for us to underscore that this is a meaningful issue for all of us to contend with. And I think you said it earlier, it’s a shared responsibility to protect what we cherish the most, and that’s the valued (inaudible) operating and try to grow and protect.
I have one question maybe for Tim. You know, we’ve talked about a few different fraud themes and threats. What’s emerging? What’s new? What are you seeing out there that hasn’t been covered today?
Yeah, absolutely. Fraud threats, first off, are always changing. Once we think that we’ve built a really good mousetrap, the mouses change completely. Just like Dan said, there are advanced analytical teams out there that are specifically doing this on a day-to-day business.
I specifically see an industry problem coming with faster payments. Many businesses and consumers alike are really clamoring for real-time payments. Consumers expect faster movement of funds. Very often you’ll see a lot of scams in the ecosystem when it comes to P2P or person-to-person payments. This is your Zelles, your Venmos, your Square Cashes. Those are ripe for fraudsters as the fund movement is instantaneous.
And then also, a lot of businesses are really looking for faster movement of funds, because the want real-time accounts payable, receivable, and vendor payments. With these faster methods of payments, come increased risks of fraud. I know what I’m speaking about kind of sounds like motherhood and apple pie, it’s very simple statements, but in the two to three years, I would anticipate a sharp increase in payments fraud, and even identity-based frauds as we try to catch up as an industry.
It’s ever evolving, for sure. And, you know, one of the things that -- one of the questions that we received here is, “Are there other resources? Do you, at Santander, have resources?” And I would say, the answer is yes. Tim mentioned the hub that focuses on fraud protection. And we also have a Business First content hub, which, essentially, sits on our website at Santander.com. but it is businesshub.santanderbank.com.
So there are plenty of resources available to you inside of Santander that, if you’re a prospect today on the phone and not one of our customers quite yet, your bank, I’m sure, has resources as well, but important for you to know that.
Also, one of the questions is, “Can we get a copy of the deck or the webinar?” The webinar will have a replay that will be available on Business First, the content hub that I just described. So, absolutely, we’ll have something available.
One of the questions, Dan, I think maybe meant for you. You know, “If there is fraud, how to recapture that? Will Santander or other providers be responsible?” Like, how does that work? I’m sure it’s a very emotionally charge moment to learn that I just had fraud on my account. They call your team essentially. So how do we handle that, and what advice would you give business owners around how to recapture if it’s at all possible?
Absolutely, yeah. So it’s, you know, each one the different fraud type, extremely nuanced in terms of that process. But I would say it’s kind of a, you know, something that underscores virtually every single tactic that used. Or a way you could lose money is, just reach out to your financial institution. If you bank with Santander, call Santander immediately.
And then, particularly with our team, we’re equipped for whatever the fraud type is, whether it’s check or wire. We utilize context and best practices to go through, and, to the best of our ability, to recover those funds. And then, you know, there are obviously instances as well where the customer would not be in a loss position, right? Even if we were unable to recover.
So, again, that’s all case by case. There’s a lot of nuance there. But I would tell you that any time -- immediately when you become aware of fraud or fraud attempt, reach out to your FI. You know the quicker (inaudible), the better we chance we have of a recovery, because, as you know, that whole sense of urgency we’ve been underscoring this whole time, they want to quickly move the money and withdraw the money, right? So, you know, they’re operating very expediently, so as much as we can, too, we want to enforce that.
Yeah, I think it’s a good point, Dan. And, listen, let me -- you know, I have over a half a million interactions on a yearly basis with small businesses, either through face-to-face interactions, phone calls, our call center. And so we have a long list of examples of how we help people.
One of the things that I couldn’t underscore more is the level of responsibility that you have as a business owner to take precautionary measures, right? And so, one of the things that I think the team could help with is, what are some of the services that the bank could offer to protect our customers or other bank customers from fraud? What are some of the things that you guys have seen, maybe with check fraud, as an example, and then maybe other things that are available to clients to ensure that they have in possession, and working in the right order, for their accounts and their business to be protected?
So, you know, I would say one thing that seems relatively simple is turning on alerts, you know, opting onto alerts. And that’s really true whether it’s business or consumer. I have alerts turned on for all of my accounts, right? And I’m constantly preaching it. That just general awareness of when these transactions take place, kind of keeping your finger on the pulse of the accounts I think is exceptionally important.
And then outside of that, you know, I think we talked about something like Positive Pay. You know, tools like that that give you the ability to take a look at these items before they’re negotiated and they hit your account. I think you have to have something like that, particularly when it comes to checks in today’s day and age.
Yeah, I think Dan also talked about segregation of duties, or dual review. That’s important. You don’t want one employee that has all of the availability to create items, issue items, and approve. And then, just also, I can’t undersell the value of education. Making sure that you invest into your employees so they understand what fraud could potentially look, smell, and feel like, and that they raise their hand. And, see something, say something.
Yeah. Really good, and you know, if any of the solutions that we’ve referred to are foreign to you, or just not familiar, please engage somebody at the bank. That’s what we’re here for. This is one of those opportunities where we can genuinely show you value for services that we offer, and truly protect yourself. There’s, as we’ve already said, an emerging trend, and there’s a huge opportunity for us to do.
I’m going to try to ask another question that we have here, is, “If we identify check fraud after the fact?” Dan, you might have touched on this before, so forgive me if it’s a repeat for you. What is the recourse for a business owner?
Yeah, I mean, again, I think you just call into your bank’s fraud department, and then we support you and partner with you to try to recover, right? And I would say that’s probably true of any of these scenarios. You know, we’ll work with other financial institutions and try to recover where it’s possible. And, again, obviously time is an issue. If we find out about it a year after the fact, it’s obviously more challenging than if the moment it hits, you’re keeping up with alerts and statements, and you say, “Hey, we’re unfamiliar with this transaction,” and you reach out, there’s a much higher likelihood that we’ll be able to recover.
Yeah, really important. There’s another question here from our attendees. “Are email payments also at risk?”
Yeah. So I can start, and then I don’t know, if Dan, if you have anything you want to jump in with? I would say yes. Anything that’s within the digital environment, just like physical paper is also at risk.
The digital environment may be a little more so, just because that is where things really become more advanced, and you kind of flex the line of fraud and cyber security you’re hacking. I think Dan mentioned a couple concepts, like spoofing, though folks will typically spoof or copy information to make it look legitimate. The dark web is full of user log-in information. We give a lot of this information out willingly to folks, like social media accounts, our LinkedIns, our Facebooks. So I would answer wholeheartedly, yes. I would say that they are at risk as well.
Thank you, Dan. You know, one of the things that we see on our question board here is how to spot phishing emails. So, in case we open the phishing email by mistake, what should we do immediately? So I stumbled upon it. I remembered my training, but I’m already in. So what do I do now?
Yeah, so I would say in -- if the idea here is that you open the email and clicked on a link, or opened an attachment, yeah, the first thing you want to do is, you know -- if you want to log off. Ultimately, what I would tell you is, you’re going to probably need to reboot that computer and have it re-imaged. It is probably -- you know, a lot of people don’t like to hear that, but if you truly want to be sure, you have to re-image the computer.
The other thing is, say you clicked on a link, you clicked on an attachment, and your computer’s been acting up. You think that you had a virus, or you’re certain that you have had a virus. You want to make sure that you go back in on a different device, and log in, and change usernames and passwords. Just as a standard order of business, but certainly for any sites that you might have accessed recently, as any of the sensitive information that you could have transmitted back and forth could have been intercepted by that malware.
So, again, ultimately you want to re-image the computer, but anything you touched while you could have been -- while you could have been infected, you want to make sure you address that as well.
It reinforces the point of having good, rigorous routine on backup. Important information that you shared earlier, Dan. But that will allow you to re-image it with a little less variety, because the content is backed up.
This is another one that I think that comes to you, Dan. I think a lot of times, you know, many times our customers, our business owners are facing fraud, it’s not during kind of the normal banking hours. So we actually have a question about an example where somebody had something that they noticed at 5:30 a.m. They try to access their bank, and they weren’t successful. What kind of suggestions do you have? Or are there alternative ways to get in touch with your financial institution?
Yes. So that the hours of operation is something that we’re constantly assessing, right, and looking at. This one’s challenging. If we did have something at 5:30 a.m., unfortunately, right now, it’s pretty much relegated to calling back in that next morning. And then we can take appropriate action. But I would say that is something that we’re constantly assessing.
Yeah, it’s a fair question. And I think it’s a great way to pose a challenge back to the management team at Santander. And for the entire industry for banking, right? Fraudsters do not sleep.
Many of you out there on the wire, as business owners and entrepreneurs do not sleep, because you are doing all of the jobs inside those four walls. And so, as Dan said, we’ve got to challenge ourselves to be where you are for that moment of truth to really support you.
So, as Dan said, we’re constantly evaluating call volumes. We notice the data that we get in front of us. Tells us when people are noticing fraud, and/or calling in with inquiries. Many times, we’re reaching out to our customers, by the way, because we notice unusual trends in their account activity. So we might be proactive with you to say, “Gosh, we noticed something that isn’t normal for you. Is this okay?”
So, but it’s a great challenge for this industry, and for Santander to continue to do that.
I think one of the other things that I wanted to make sure that we did was review the poll results, because we’ve answered largely the questions that we received. So, if we could move to the poll results, so that you can see how you and your peers and other entrepreneurs feel about the questions that we posed to all of you.
So how often do you backup your business data? It looks like a pretty good portion of folks are doing it on a daily basis, which is really good news. It does divulge that 48 percent of you have an opportunity to potentially do it more frequently to protect your business.
Give me the next result. Has your business encountered a fraud attempt within the last year? You know, this -- I’m glad that not 100 percent is there, because that would be terrible. But this does kind of reflect what we see in the various research studies that we observe and in our interactions with our clients. So, you’re not alone.