This article was originally published by ELFA in October 2023.
Reprinted with permission from the author.

AS THE PANDEMIC ACCELERATED DIGITAL ADOPTION OVER THE PAST FEW YEARS, the evolution of technology tools like artificial intelligence (AI), machine learning (ML) and the Internet of Things (IoT) has changed how many companies do business.

From AI’s utility to automate rote tasks and accelerate deal approvals to the connected devices that help companies streamline operations, better maintain equipment and even anticipate problems before they cause down time, such innovation is increasingly embedded in the tools companies use every day.

However, as technology gets more sophisticated and delivers benefits to the business world, a more nefarious group is also seeing its advantages: fraudsters. The very tools that can help ELFA member companies and their clients be more efficient and effective also allow criminals to accelerate the volume and quality of their attempts to breach systems, submit fraudulent credentials and otherwise commit cybercrime.

The cost of cybercrime

Phishing, ransomware and other forms of cyber fraud can be devastating, both operationally and financially. According to the annual “True Cost of Fraud” study by data analytics firm LexisNexis, every dollar of fraud loss now costs U.S. financial services firms $4.00, compared to $3.64 in 2020 and $3.25 in 2019. Another survey by IT security firm Cohesity found almost all companies surveyed (93%) believed that cyberattacks had increased in their industry since 2022—and more than two-thirds (67%) lacked confidence that their companies could recover at all if faced with a system-wide attack.

And while solutions to help detect and prevent fraud exist, ELFA members need to walk a fine line between risk management and customer expectations, says Deborah Reuben, Chair of ELFA’s Innovation Advisory Council and CEO and Founder of TomorrowZone, a technology consulting firm based in Minnetonka, Minnesota. “It’s a delicate balance,” she says. “[And] if you’re adding checks and balances and controls into your end-to-end processes, how do you remain streamlined but still compliant?”

To answer some of the thorny questions related to members’ cybersecurity and fraud concerns, Reuben will be moderating a panel entitled “Intelligent Automation & Fraud Management: Cutting-Edge Strategies to Safeguard Your Business” at the 2023 ELFA Annual Convention which will take place from October 22 through 24 in Phoenix, Arizona. Panelists will include Harmony Oswald, Esq., Managing Attorney at Oswald Law Firm in San Jose, California; Moto Tohda, Vice President of Information Systems at Tokyo Century (USA) Inc., based in Purchase, New York; and Mark Blais, Chief Information Officer of Channel Partners Capital, based in Minnetonka, Minnesota. The panel will also include highlights from a forthcoming Equipment Leasing & Finance Foundation study that will be released after the Convention, “Combatting Fraud in Equipment Finance.”

Creating a fraud-prevention environment

Cybersecurity is often thought of as an IT issue. However, preventing fraud is a company-wide endeavor. Reuben says that AI has accelerated the types and volume of fraud attempts. Fighting them requires an all-hands-on-deck, holistic approach to identify vulnerabilities. Fortunately, there are some effective steps to get started.

1. Map your processes.

Before you go out and buy new software, Reuben recommends taking a careful look at your company’s current processes. “Even if you plug the best software into your systems, if you still have a bad process, you’re not going to get the best return on your technology investment, and you still may have vulnerabilities,” she says.

Plot out your processes for approving deals, from the moment of first contact until the deal is closed. When you plot out the process step-by-step, you can see where security gaps may have emerged. “I bet there are elements in your process that are less relevant now than when you first created them,” she says. “And if they are not reviewed from time to time, they will actually deteriorate.” Once you identify the gaps, you can work to fix them.

2. Train employees to spot fraud.

Cyber fraud can take a number of different forms, Reuben says. Fraudulent transactions are one form. Malicious email messages and websites may embed code that allows hackers to access systems. AI and other tools can be used to create personalized documents like fake invoices that look legitimate. And the evolution of “deep fake” videos that can mimic images and voices could potentially lead to other forms of fraud.

Train employees to carefully scrutinize email messages and look for misspellings, lack of personalization, unusual “from” addresses and other anomalies. They should also avoid clicking on links within email messages unless they are certain it’s from a legitimate entity. Oswald says it’s a good idea to periodically test your team to see if they can recognize AI or AI-assisted fraud. (Oswald, who is a practicing attorney in California, says her comments for this article and on the panel are for information only and should not be construed as legal advice.)

3. Think critically.

Maggie Holly, Senior Vice President and Credit and Operations Manager at Hanmi Bank’s Commercial Equipment Leasing Division in Irvine, California says her company trains employees to think critically about transactions. “We have to look for the small businesses like a small liquor store or a restaurant buying very expensive software,” she says. “That should be a big red flag.” If a transaction seems unusual, dig a little deeper to ensure that it’s not fraudulent.

4. Don’t trust—verify.

Identity verification and even researching the background of an individual or business before approving a transaction can prevent various types of fraudulent transactions. Holly’s team will even use “old-school” search engines to find out more. “We Google everyone,” she says. She says this approach has prevented risky transactions like a loan to a former physician who had been convicted of fraud.

Bouncing Back from a Breach

On a Monday morning in April 2023, Howard Shiebler, CEO of Crossroads Equipment Lease & Finance, was heading to his office in southern California. The ELFA member company is a small truck and trailer finance firm affiliated with a large truck dealership group. But upon arriving at the office, he soon learned that Monday would be different: The company’s systems had been breached and hackers were demanding $2.5 million to restore them.

Crossroads’ IT team had shut down its systems late the night before after hackers breached the firewall, encrypted the company’s main lease accounting system and front-end origination system, and shared files on its servers. “The business was really brought to a halt because we all rely on these systems to operate the business day-to-day,” Shiebler said in an interview with Deborah Reuben, Chair of ELFA’s Innovation Advisory Council and CEO and Founder of TomorrowZone, a technology consulting firm.

The company’s cyber insurance carrier immediately sent out a forensic team to help them understand the extent of the breach. They learned that the hackers had also deleted the company’s backups on Amazon Web Services and servers, leaving Crossroads’ IT team unable to restore the files.

Shiebler gathered his leadership team, and they discussed the situation in-depth. Even if they did pay the ransom, they had no guarantee of getting their systems and data back. They would have to rebuild their systems.

The team had been building a new front-end system, but that was roughly a month away from launch. They rolled up their sleeves and switched to a manual credit approval process, and within a week employees began approving deals again. However, the company couldn’t receive electronic payments from customers and was unable to make payments to lenders for about three weeks. Shiebler described the recovery process as one of daily communication with customers, lenders and the insurance company. The hackers finally agreed to take a reduced payment, but they claimed they were unable to unlock the system for reasons that were unclear.

Ultimately, the team got their systems back up and running, although Shiebler believes they lost a substantial amount of business during the time it took to do so. Since then, the company has instituted a number of protocols to protect against future attacks, including building redundant systems so they have a more failsafe option than just backing up files.

As for Shiebler, he believes that attacks will increase and get more sophisticated, especially as hackers use artificial intelligence to assist them. He is dedicated to getting the word out and helping colleagues in the industry understand what’s at stake. “I’m motivated to share my insights with anyone interested,” he says. “I want our industry to be well-defended and aware, to avoid disruptions or becoming targets.”

5. Fight AI with AI.

Once you understand your process and take steps to improve it, you can make better decisions about the best fraud-prevention software to choose. “Statistically, banks and lenders do see a significant improvement in fraud detection rates when they use AI solutions,” Oswald says. Her own research found that improvement to be around 90%. “AI can be used to analyze multiple points of data at one time. So, it provides a multi-layered and efficient approach,” she adds. Even if one method of authentication is compromised, AI tools can apply another. Holly agrees, saying her team is currently using tools that are effective in verifying and spotting fraudulent bank statements and invoices.

6. Have a backup plan.

Despite the best precautions, cybercrime is a growing problem. It’s important to have proper protections in place in case the worst happens. In an interview with Reuben, Howard Shiebler, CEO of Crossroads Equipment Lease & Finance, a Rancho Cucamonga, California-based small truck and trailer finance firm affiliated with a large truck dealership group, shared the story of a serious and expensive ransomware incident earlier this year.

Schiebler and his team turned to the company that issued their cyber insurance policy for help. The insurance company also negotiated with the hackers. Oswald adds that it’s a good idea to have AI-savvy counsel and advisors to help protect your company and ensure that your team, software providers and other partners are exercising a reasonable standard of care. Shiebler says that his team is also working on creating more sophisticated backup systems to protect against business disruption in case of another hack.

7. Share information.

Holly believes that sharing information about suspicious activity and known fraudsters with industry colleagues can be an effective way to prevent some fraud. “I believe collective efforts can help identify and prevent fraud schemes,” she says. “Fraud management is an ongoing process and requires vigilance. We need to stay informed about the latest fraud trends and technologies to keep fraud prevention strategies up to date.”

Attending opportunities like the panel on fraud at the ELFA Annual Convention is another good way to get more information and understanding. Reuben says the session will share insights, best practices and actionable techniques to optimize fraud prevention measures, and elevate the customer experience. “One thing we talk about a lot in the Innovation Advisory Council is whether businesses are sufficiently increasing their investments to tackle growing fraud challenges,” she says. “It’s not the ‘sexiest’ project to work on in business, but it’s vital.”

Gwen Moran is a New Jersey-based freelance business and finance writer.