Webinar Series
Outsmart scammers: Strategies to secure your business from fraud

First Citizens Bank®

Featured speakers:

Kristen Saranteas
Treasury Management Services Executive
First Citizens Bank

David Myroup
Executive Director, Enterprise Fraud
First Citizens Bank

Ed Adams
Cybersecurity advisor and author

Kristen Saranteas: Okay, well, we're going to get started. Thank you so much for everyone joining today. We're going to have a discussion called "Outsmart scammers: Strategies to secure your business from fraud." We are so excited to have you join. We've had such great engagement for people that have signed up to join today's webinar, and a lot of presubmitted questions, so we're excited in today's discussion to get through this.

Let me start by introducing our panel. So I'm thrilled today to be joined by David Myroup, who here at First Citizens heads up our enterprise fraud department, and also Ed Adams, who is a cybersecurity advisor and bestselling author. I am Kristen Saranteas, and I lead our treasury management team here at First Citizens Bank, and we're thrilled to get going in this discussion.

Let me first start by showing you the agenda of today's dialog. We're going to talk a little bit about the environment of fraud today, today's fraud trends, but we're also going to be in conversation around real-life use cases and response steps that you can take. And also, if we have time, we'll wrap up with some Q and A.

Know that we have tried to incorporate as many of the presubmitted questions as possible in today's discussion, but if you have additional ones, even if we don't get to those answers today, if you'd like to use the Q and A button in your video, you're able to do so, but please include your email address if possible so that if we don't get to the discussion today, we can respond to you directly.

So now, I would like to know what you're interested in hearing about, so let's hear from you directly. What are your business's top fraud concerns as we head into the latter half of the year? We've given you five things that we are going to touch on today, but we'd like to hear what's most important to you: check and payment fraud, impersonator scams, business email compromise, AI deepfakes and ransomware. So I will give you all a moment to let us know what you're most interested in hearing.

Okay, so let's see what that poll is telling us. I am not surprised to hear that check and payment fraud is the number one. We are going to touch a little bit on all of these things, but know that check and payments, specifically checks, are the most used vehicle when it comes to fraud, and so we're glad that we're going to be hitting on a topic that's important to you.

So if we go to the next slide, I just thought it would be helpful to show the backdrop. Some of the presubmitted questions had a lot to do with who is most a victim? What size company? What types of companies are the most victim? Sad but true, all companies are potential targets for fraud, and you can just see the growth.

This is dollars. These are billions of dollars that the FBI is reporting on as the losses experienced just through 2025. Over $20 billion in losses. But sad, small businesses and nonprofits are also some of the most victimized companies. Why? Larger companies do have protections that they've put in place, and often smaller companies don't take advantage of some of those protections.

It's not to say that every business size isn't vulnerable—we all are. But smaller companies tend to be disproportionately part of these numbers because of the fact that they may not have put the great protections in place. So we're going to talk a little bit more about that. And, David, I thought I'd start with you.

Tell us a little bit about the way in which fraud is happening. It used to be a little bit more isolated, it used to be a little bit more manual, and now we're seeing a shift in that in the industry. Can you tell us a little bit more about that?

David Myroup: Yeah, Kristen, thanks for the question. I appreciate the opportunity to share our knowledge with the audience here and hopefully we can give you a couple nuggets of information to take away and protect yourself from the bad actors.

But fraud does feel very new with automation, AI and organized rings that are attacking faster and at scale. But ultimately, the core schemes really haven't changed. So when it comes to fraud, the more things change, the more they stay the same.

The biggest losses are still coming from familiar schemes, and you can see here the $20 billion is a big number, and some of those familiar schemes involve investment fraud, which is about $8.6 billion. Business email compromise comes in at $3 billion. Social engineering, especially those impersonator schemes, which look to exploit trust, $1 billion to $3 billion. And again, that number is depending on how you aggregate the various flavors of social engineering make up that number.

And then check fraud still a very material number at $280 million a year, and this is, again, what's being reported to the FBI, not what is actually happening across the environment.

So these are big numbers, big problems that we need to solve, and it takes everyone to solve it. So these really aren't new, they're just being executed better. So what has changed? To your earlier point, fraud is no longer isolated. It's not manual. We're seeing it's very automated with faster execution.

It is operating at machine speed. It's organized. No more lone wolves. These are fraud rings that are operating as businesses with little barriers, no rules, regulations. They have access to very sophisticated technology. They can scale quickly. They push out high volumes of fraud attempts to individuals and businesses.

And AI is lowering that barrier to scale highly sophisticated and realistic fraud schemes. So to your earlier point, you know, fraud is being productized, and this group is probably familiar with software as a service, but fraudsters have their own version, which is fraud as a service, which makes it accessible to anybody who is interested in starting up their own fraud shop. So it's not that fraud types are entirely new, it's really these are the same plays, and they're being run with more precision, speed and scale.

Kristen: Yeah, I think that scale is the number one word, right? It's people used to victimize one company at a time. Now there's whole organizations that can do multiple entry points of companies that they want to victimize.

If we go to the next slide, this is some data that we always take a viewpoint of based from the Association of Financial Professionals, the AFP. They do a Payments Fraud and Control Survey Report every year, and this is some of the summary of information that they are seeing. We mentioned that obviously payment fraud is on the rise, and certainly with that $20 billion that we're seeing, we are seeing the victimization of it being true dollars.

But strangely, checks often are still the most vulnerable implement of volume. So while electronic transactions may move more dollars faster, checks are still the most vulnerable instrument. And you can see some of the other things that they're seeing. Business email compromise we've mentioned, the vulnerability of things by mail and within the mail, or mail tampering. But it is something that is much more automated that we're seeing.

And Ed, let me bring you into the discussion as well. Where do you see this from a vulnerability perspective? Where do you see businesses potentially underestimating their exposure? Or how would you respond to seeing some of these results?

Ed Adams: You know, I wish I could say that I'm surprised, but I'm not. To look at the FBI Internet Crime Study and to see the just sheer dollar amounts double from 2022 to 2025, more than double, it definitely speaks to the fact that there are more and more businesses being included in that number.

And I think there are two areas where companies, particularly small- to medium-sized companies and small- to medium-sized enterprises are underestimating.

One, I think they're underestimating how invisible they are. These attacks are increasingly indiscriminate, and it does not matter if you're just a mom-and-pop grocery store chain, if you're a small credit union.

And I advise a lot of organizations, and they always ask the why question after they've been attacked. "Why me? Why did this happen?"

Kristen: It feels personal. It feels, you've been victimized.

Ed: It feels very personal. Exactly. But to dive deeper on that very point, just on April 30 of 2026, the IRS, US IRS, extradited a criminal from Colombia as part of a sting that was called the Versus Project.

And what this individual had done is he basically started a company, an organization, that was built and modeled after an e-commerce website. It was called Versus. And this highly automated, productized and nearly commoditized criminal activity. So users could register, create a free account and go online, and then purchase services or products that included not just classically illicit items like drugs, but they could also purchase fraud schemes. They can purchase software and malware schemes and ransomware.

He really productized fraud, and that really helps make this at scale, and it completely anonymizes it, makes it very indiscriminate. So users are underestimating, one, how invisible they are, but two, they're also underestimating how much help is available from their payment and banking supply chains.

Most small businesses that I work with don't realize and don't take advantage of a lot of the products and services that their financial partners offer them, some for free and some for an additional fee. Almost always well worth that additional fee, by the way. So those are, I think, the two areas where organizations are underestimating this particular threat and how to protect themselves.

Kristen Saranteas: I agree. I certainly agree with that, Ed. And I've been in banking for more than 30 years and certainly in treasury management it's where the rubber meets the road. That's where the transactions happen. So I've been talking to companies about mitigating against fraud for years. And I will say that, in the beginning, when I first started talking to companies about it, they didn't want to mention, "I was a victim." It was embarrassing. They felt vulnerable that they had done something wrong, that it was somehow something that they had done.

And now it's, you know, everyone I talk to has had some sort of element of fraud or fraud attempt happen to them. So it is not personal. It is a business that is being run to perpetrate fraud against those companies.

And so it is something that you do need to be aware of and protect yourself from, and that's why hundreds and hundreds of people have joined just today's call alone. But it is something that people should not be embarrassed about. They need to be prepared for so that they know what to do.

If we go into the next slide, I think that one of the things that we wanted to do is make this more real for each of you, to give real-life examples of how these fraud trends could take place.

And so Dave, I'm going to start with you. We've mentioned business email compromise a few times. Can you tell us a little bit about what it is and how it shows up?

David: Yeah, and the unfortunate truth with the business email compromise, it has been around for a very long time. And the bad actors really are just getting much, much better at inserting themselves.

So they are doing reconnaissance. They're studying how you interact with your suppliers. They're getting better at their timing when they do insert themselves.

And the way this is working is it's pretty simple and straightforward is, obviously they've intervened, hacked into somebody's email account, typically one of your suppliers. They studied the email flows. They've really generated some messaging back and forth to you as the end user to remit payment to that supplier, and it's more personalized, it's data-driven. They may create some urgencies around the messaging, but ultimately they're giving you a new account number to send money to.

They may make up a story that they've recently changed banks, and here is the new number. Just go ahead and send it. And the one mistake that is often made is that human behavior in our trust-based environment is one where we want to do the right thing, and we want to get these things done quickly.

So ultimately, we see many businesses that just don't have the right dual control or the controls in place to potentially make a secondary call. So never trust the email that's coming through the door just alone. There needs to be another process set up where you validate the change of money movement.

And again, that's the red flag there. Any time there is a request for personal information, a change of information that involves the movement of money, there needs to be an additional moment of pause and a process hopefully in place to validate the information. And it's that validation that is so very important.

So just kind of reinforcing a couple maybe takeaways relative to business email compromise and really some of the other schemes that are out there is your verification processes are important. Dual control, make sure you've got that in place for high-value and high-risk activities. But employee awareness goes hand in hand with everything that we're discussing today.

So there is no single control, no single action you can take that will mitigate the risk of fraud. There are hundreds and thousands of attacks that come at us on a routine basis. They're studying the gaps in the controls.

Employee awareness is a component of that, and every single person in your organization represents another line of defense to identify red flags, raise their hand, stop the things that are coming through, question what's coming through.

And again, leveraging those modern tools that you have at your disposal is critically important. Positive pay is certainly something that sits out there, is available. But, you know, a more basic, fundamental feature is just the security controls that exist within your online banking platforms, making sure that you've got the full suite activated, that you're alerted of things that are happening in your environment and not just waiting to respond to something a day or two down the road.

So those are the things that I would ensure that are in place. And just remember that fraud may be looking more advanced, but at its core it's still exploiting the same seams that we've always seen, and that's in building on trust, fear, greed or urgency. And that's what we tend to see with some of the business email compromise events that are occurring out there is that trust factor and the urgency factor come to life.

Kristen: Yeah, long are the days from the Nigerian prince, right? I mean, these are not these emails from people that are unknown to you. They look like emails from known people in your ecosystem, and that is one of the biggest things about business email compromise. We all use our phone to review things.

It might come after hours. There's a sense of urgency, and/or it comes from the companies or businesses that you know. And so they're preying on that trust that you've already instilled with the people that you do business. And so it does mean take a beat when you've seen a request for something urgent, a request for a change, anything like that.

And don't call the phone number on that email. Call the trusted number that you know because that will be a sign. They will know how to prepare all of it to make it go back full circle to the change that they want to have happen so that money goes into their hands and not the people that you're trying to send funds to.

So I do think that we all operate in a very quick environment. We do try to please our business partners, and so they prey on that. That trust, that desire to do the right thing, is being preyed upon. And so taking that beat and knowing that it doesn't mean you have to always assume bad intent, but you do need to have that moment of pause when something comes.

So I appreciate those words, Dave. Thanks.

So why don't we move into more of a more modern way of doing things? Deepfakes have always existed, but AI deepfakes? Ed, tell us a little bit about that.

Ed: Absolutely. As artificial intelligence just gets better and easier to use, it's so much easier for bad actors to pretend that they are me, either in an image or in a video or in an email.

And AI has also allowed bad actors to spread their tentacles out across these different columns. So you can use AI to build a more convincing business email compromise attack that gets the hook.

Maybe it's from a salesperson telling the finance department, "Oh, my customer has changed their banking accounts." And because of an AI deepfake, it looks like a legitimate email. They may actually have a short video call where it looks like it's a legitimate person, a salesperson, so then the person in finance trusts that. And the AI deepfake, the bad actor, will say, "Here's the new information. You can call their new payment processor."

So then that call is made. All of a sudden, now you're into the bank-impersonator scam. "Oh, here, let me give you this one-time code. Please validate that." All of a sudden, the account is compromised. They can start to move money. Maybe it's wire. Maybe it's, "Okay, I've just verified your account. Now I'm going to give you the address now that you're verified, to send this check to."

So AI's allowing us, or bad actors, to spread out across all of these different attack vectors and make things so authentic, so authentic, that the need for fundamental controls becomes even more important.

And I love to talk about the power of twos, and I've got three of them, not two of them.

One is two- or multi-factor authentication. One of the most fundamental but most powerful defense mechanisms. So a second factor of authentication, whether it's username and password followed by a code sent to a telephone or a biometric, something like that, into any system for a key transaction.

But also, two-factor authentication for a payment verification process. Require a phone call or a second approval to be made before any wire transfer, before any vendor banking change to bring home the example I'm just talking about here.

Another power of two is two-person authentications or authorizations, otherwise known as dual-control workflows, which require two people to authorize any type of payment.

And as one of the audience members mentioned, another two, power of two P's, is positive pay. Positive pay systems are very, very useful. Predefined, approved company transactions that allow for an automated cross-check across these to flag outliers.

So the powers of twos, whether it's multi-factor authentication, two-person authorization or using things like positive pay can provide an enormous amount of security coverage for you as these AI deepfakes get even better and stronger.

Kristen: I think that's really powerful, and just to bring it back into the bank, and we'll talk a little bit about bank-impersonator scams in a second, but I think one of the things that is always a question for companies when transactions do then ultimately, bad transactions ultimately do leave the bank, often if someone has been duped by a deepfake or duped by the business email compromise that they thought was for the vendor's trusted account change, they've gone through their dual authority to move that money out of the bank.

To the bank, it looks like a valid transaction because the people that the company has told us that we should trust in that workflow to move money out of the bank are the people that moved the money out of the bank. They were acting, however, on poor information, or bad actors giving them poor information.

And so that's something that often they're like, "Well, how didn't the bank know?" We've trusted you and your workflow in that dual authority to move things out of the bank, and so it started, however, based on a lie. And so that is the scariest part of that, is to trust your instincts to go back to the source and make sure that you're acting on good information, actual people, the real people that you need to be trusting.

So Dave, let me bring you back into the conversation related to something that's near and dear to our heart, the bank-impersonator scam that is tarnishing the good name of a bank by pretending to be us. So tell us a little bit about what those things are.

David: Yeah, it's certainly a widespread problem, and it does erode trust. But let me start with kind of the punchline, and then we can kind of go through the scenario and red flags on that journey.

At the end of the day, if anybody reaches out to you asking for sensitive information—one-time passcodes, user IDs—hang up and call a trusted number. It's most likely going to be fraud.

Your bank is never going to call you and ask you for that type of information. So that's just, that's one of the initial red flags. But in terms of the scam itself, we've seen this manifest in a number of ways. I think we've all received text messages from a financial institution, "Did you make this transaction?"

And of course, your first immediate response is, "Oh my gosh, somebody's hacked my account. I need to respond right away." So there's that sense of urgency that comes through the text message. And then you're going to respond, "No, I didn't make this transaction." And then moments later, you're going to get a call.

That call's going to show up on your caller ID from your financial institution by name. So there's that trust component coming through the door. And it's all very believable at that point in time because you got the notification, you didn't make the transaction and now your bank's here to help.

Unfortunately, it's not the bank. That bad actor has spoofed the bank's telephone number that's showing up on your caller ID, and they're here to help in nefarious ways, obviously. And they're going to ask you, "Did you make this transaction? Did you, can we get some additional information from you in order to stop what's happening?"

And again, you got the trust factor, then you got the sense of urgency that comes. "We need to act quickly, and I just need a little bit of information to help you." So that's the way this plays out.

And again, we're all very busy. It's very natural to respond and react to something that looks like it's going to cost you financially. But again, if we just pause and remember the bank is never going to ask you for those sensitive types of data elements, one-time passcodes, user IDs, your bank card number.

Just hang up, call that trusted number, go to the website, look it up. Go on the back of your debit, credit card, call that number versus what's presented to you. You need to do that independent verification through that pausing activity and just make sure it's the real deal.

Kristen: That's really helpful. And we thought we'd also move a little bit into check fraud, and we mentioned in a couple of different scenarios how while the biggest dollars may move electronically at the speed of light, the volume of fraud that occurs is still happening through the most vulnerable instrument, which is a check.

And so, we've mentioned the words positive pay a few times. I'm not sure if people understand what positive pay is, and so forgive me for just taking a little journey here to tell you a little bit about one of the ways in which you can protect your checks.

In order to ring-fence your account from check fraud as best as possible, positive pay is a tool. But how does check fraud even happen in the first place? Think about the vulnerability of your checking account information. People can order check stock on that information anytime. If you've sent a check anywhere, that copy of that check, that check itself, can be mimicked by anybody that gets ahold of it.

So your check and your bank account information is extremely vulnerable. You've sent a check to pay a vendor. Maybe the vendor doesn't protect that information. Maybe they take that check and they deposit it through mobile, but then in order to prove that you've paid, they staple that check to your invoice and they put it in an unlocked file.

Anybody that has access to that check has now your routing number and your check account number. They know what your signature line looks like. They know what your address is. They know what check number you're on. They have all that information on a very vulnerable instrument to then go write checks on your account, because they can order check stock almost anywhere.

And so positive pay is a way to validate, as best as possible, those paper instruments that are coming to debit your account. And so the way that it works is we work with companies to upload a file every time they do a check run of their checks that they've written. That file will tell us the check number, the dollar amount, even who that they've sent it to.

Every time a check comes in for payment at the bank, we validate those checks that are going to be debited from your business's account against that file to see if all three of those things match. Is it the right check number for the right amount to the right person if it's payee positive pay? If any one of those things don't match, the company will receive an alert of that information of what didn't match.

You then as the company and the authorized people that you allow are able to review the image of that check that's being presented against the information that we saw that didn't match. Maybe it was a check that you forgot to put on the file. You can have that approved. If it is not a check you wrote, you can have that returned. Funds do not leave your account.

That is the beauty of an insurance policy like positive pay, that can ring-fence your account from check fraud. So that's just one of the ways in which you can protect yourselves. But check fraud is rampant because it's such an easy vehicle because you send checks all over the place. That is your calling card of the information about your account that could be seen by anyone.

So why don't we move to the next slide and talk a little bit about the stages of fraud because while the vehicles through which people gain access and the speed with which they may move money may change as the industry evolves, essentially the same things happen in order to get to the point of ultimate loss to your company.

And so Dave, why don't you tell us a little bit about what these stages look like?

David: Yeah, the data breaches, I think we've all received the notices. All of us probably have been part of a data breach at some point in time, and it really does start with an element of data. But even if the data doesn't exist and there's no starting point, the bad actors move in the direction of, "How do we communicate? How do we create urgency and action? How do we engage?"

And it's the phishing, the smishing, the vishing. So that's the email, the text messaging and the voice calls that occur. So in some way, somehow, they're going to engage. They're going to build the trust, create the urgency and they're going to get the information they need to act.

And that may be layered in with additional information. Maybe some additional identification, fake documents, fake driver's license, the deepfakes, synthetics. Once they have their complete package, then it's time to execute against their scheme. So it can take the form of account takeover, other mechanisms.

But if we kind of take this account-takeover theme, once they have the credentials, once they have access to your account, it's off to the races, and it's a game of speed. How quickly can they move the money out of your account into their account and then move the money from that account out to 10 different accounts to break it up?

Kristen: It doesn't stay there.

David: It does not stay there, no. It's going to be broken up to make it very, very difficult for anybody to recover. So it is a game of speed, and this is going to go back to the security provisions, making sure you've got the notifications. Did we just send money? How much money did we send? Do we have demographic changes, telephone number changes, email changes?

Those are all things that you want to be aware of because telephone numbers and emails really revolve around notifications back to you in terms of something has happened. So if those things are changing, that's a high-risk event. But once they've got the access and money is gone, obviously then they're moving it very quickly, and could go in the form of cryptocurrency or other vehicles at the end of the day.

But to round this out, you need to make sure you understand the steps that you need to take. So once you get that notification, once there's a realization that there's a problem, you have to triage. Stop the bleeding, block the accounts and contact your financial institutions to do your wire recalls or just make sure it's known that you've got a problem and you need help to recall the information.

But again, it's steady in the storm, have your plan, make sure you understand what you need to do, who you need to reach out to. And if you don't have that plan in place, it could be very chaotic and stressful.

It's already a stressful situation. So that's the mechanism by which they're going to start. And, again, when it does happen, you just need to make sure you've got your plan to be able to respond timely because it is a game of time. The clock is ticking, and the faster you react, respond and engage with your financial institution to potentially do that wire recall, the better luck you will have in getting the money back.

And again, it's never a 100% guarantee. It's very rarely a guarantee at the end of the day that the money's going to get back, but the bank always does their best to look out for the clients.

Kristen: Speed, you've mentioned that several times, and I thought I'd just double down a little bit on that as well. A lot of the presubmitted questions talked about what is the difference between the speed with which a business needs to act versus a consumer.

As an example, as a consumer, if you see something that you did not authorize on your credit card bill, they think that we may not act as quickly as businesses, and so they give consumers 60 days to dispute a transaction.

And what does a credit card company do? They will put the money back on your card or, frankly, make you not liable for that payment as they investigate it. And if it truly is not your transaction, you don't have to think about it again.

Businesses don't have 60 days. Typically, with electronic transactions with businesses, you have 2 business days. But think about 2 business days. Two business days mean by the time you see it on your online banking list of transactions, those transactions are typically as of close of business yesterday. You have that day to act. And so time is of the essence.

And as you said, Dave, they may or may not even be able to recover the funds because at the end of the day, 2 business days are light years for somebody who has moved the money, and it's moved on to next accounts, next accounts in three, four, 10 different places, maybe in different countries. And so, the way in which to recover becomes more and more difficult as time passes.

I think, too, the other thing to be thinking about is we're going to talk about that disaster-recovery plan in a moment, but having your plan in place so that you know how to act, when to act, what to do, we're going to talk a little bit about.

If we go to the next slide, though, I think one of the things that we have not spent much time yet talking about, we've been talking about external actors, these businesses of fraud that occur at scale in order to defraud companies of their funds, or individuals, but we're talking about businesses.

What we haven't spoken too much about yet is the internal fraud that could be happening. Many of you have potentially heard about the fraud triangle. If you have not, let me talk a little bit about that.

There could just be bad actors among us. There could be bad actors within your company. But often, internal fraud happens because of some sort of pressure, and an otherwise great employee of yours is feeling a pressure. The pressure could be something as simple as, "I think this company just owes me," or the pressure could be something like, I don't know, medical debt, gambling, other sort of issues that are causing a financial burden on that individual. So they're feeling stressed monetarily.

But they have to have an opportunity for it ever to take place. The opportunity means a window. There has to be some place where your system, your checks and balances are vulnerable, and they can prey upon that vulnerability. But it also comes with rationalization. "Oh, I'm going to pay it back. Oh, they'll never know it's gone. They already have enough money in this company anyway." All these other things that make it okay for that employee to act on that vulnerability.

All three of those things need to happen in order for internal fraud to take place.

I'll tell a little story because I think this makes something like that come to life. Years and years ago, there was a company that I was familiar with that had all the checks and balances. They had positive pay. They monitored their accounts. They had dual control in every account except for the payroll account. The payroll account, the owner of the company, it was a closely held, large but closely held company, they felt like that was sensitive information to know other people's salaries.

And so they only allowed the controller access to the payroll account. Every other account was well-protected. Well, the controller saw that opportunity. They rationalized it. They were feeling pressure, and they decided they'll start small. Often with fraud, if somebody sees a vulnerability, they test the waters, so it was just a little bit, and then it became a little bit plus.

Then it was a little more, and then there were multiple fake employees in the payroll, and it got bigger and bigger till the point of 18 months later, $2.1 million had been stolen by this controller, but they had layered it. They had all these different ways in which they had protected themselves from it.

The owner of the company started wondering about the payroll, asking questions, but every time they asked the controller about it, never fearing that the controller had gone bad or gone rogue, there was always a reason that they couldn't give the owner the information.

"The payroll company had just gone through an upgrade, so I don't know my ID and password off the top of my head." "Oh, I'll get you these reports after my next meeting." Other things like that.

And then the owner of the company would move on and not think about it again until that controller went on vacation. That nagging question just occurred to the owner of the company again, and so instead of going to the controller, who was on vacation, he went directly to the payroll company.

He had authority, so the payroll company sent all the reports, and the whole thing was exposed. That person had been defrauding the company for 18 months. Again, starting small but ramping it to the point of this.

We're going to talk a little bit about ways in which you can protect yourself against those things, ask the right questions. Are you having any sort of place of vulnerability? Have a fraud line inside of your company so somebody can anonymously report things that they might be seeing that don't seem right.

If something is also taking too long within your company, AR/AP is denied, if a vendor says that they haven't been paid, these are all just things that you could be mindful of, but it's just one of those things that you should be thinking about the fact that even good people can go rogue, and so making sure that you have protections everywhere.

So we want to hear from you again in the audience, so we're going to ask you yet another question. So in this poll, we want to understand how prepared or unprepared do you think you feel as your company right now.

Do you feel not at all prepared, very well prepared or somewhere in the middle? So let's give you a second to answer the poll.

All right, so let's see how we responded.

Okay, so moderately prepared, but some of you are feeling not prepared at all. There's a few of you that feel well-prepared. That's fantastic. But certainly the vast majority of you think that you could use some updates in your preparation, and that's what we're here to talk about next. So if we go to the next slide.

One of the ideas that we're proffering here is that you need to treat fraud as an inevitability, just like you would a system breakdown, just like you would a snowstorm or a fire in a building. You want to have a plan for your business recovery, and fraud should be one of those things that you test for.

But certainly today we're talking about it through our own personal lenses between cybersecurity and banking. But there are all sorts of trusted advisors to your company that should come to the table for establishing a plan like this. But we're going to start with some of the basics.

Before we get into what a plan could look like, Dave, why don't we start with you, and then Ed, we'll move to you. What are some of the things, the controls that you think people can put in place in order to make sure that they're really protecting their company?

David: Yeah, before we kind of go down the path of talking about what controls to put in place, I think the question really is what controls are in place today.

So you have to have your baseline, your starting point, and in order to do that, we've got a list of individuals that your attorney, accountant, your bank relationship manager, things of that nature. Bring the right people to the table, and have a conversation about what does current state look like.

You can even play out some scenarios in a tabletop exercise to help get the creative juices flowing in terms of, “This is what could happen, have we checked all the boxes?” So it's the starting point that's extremely important to understand so that you can start filling the void and the gaps along the way.

And I'll kind of go back to the other component again, it's just the employee awareness and the training. That's got to be a component of your plan. That's got to be ingrained, and you have to build that culture, that security-minded culture within your organization.

So if people aren't thinking about it, they're not going to react and respond to maybe red flags in front of them. So those are the two components I would start with is just understanding your current state, understanding what gaps you have and then additionally moving in the direction of making sure there's some element of building that culture, that security-minded culture through employee training and awareness so that your individuals who are sitting in the front line every single day can be an extension of that security practice.

Kristen: I think that's really important because while the plan is something to deal with after a fraud occurs, these same people that we're talking about on the screen, with the employees being brought into that trust circle of the awareness of things that can happen, you want to get to the point where everybody's looking at this from a preparation perspective before you have to do something to recover from.

Ed, what else are we missing? What are the other things that we should be adding to this dialog?

Ed: So I tend to think about things in terms of twos, as you might have noticed, and in this case, I tend to think in terms of the IT stack and then the personal stack or the employee stack. And I really, I can't stress enough how important the fundamental cybersecurity practices are.

So on the tech side, I'll start there. Back up your data. Back up your IT systems. It sounds so basic, but it breaks my heart to tell you how many companies that I've worked with that have suffered an attack or ransomware. They're completely down, they can't process any transactions and they don't have a backup.

And it is just heart-wrenching because it's an easy thing to do, especially these days with cloud backups. So back up your system, and then test those backups to make sure that they can be restored.

And then the second thing on the tech side is process the updates or the patches.

Kristen: That's right.

Ed: It's an important thing. A lot of organizations, especially small businesses, see it as an annoyance. "Oh, that's just reminding me to process that update. I don't have to do it."

Well, a lot of times, those updates include very important security updates that can be critical and exploited. Seventy percent of successful attacks today still exploit known vulnerabilities in IT systems. It's the easiest thing to look for.

Kristen: For which there are patches.

Ed: For which there are patches. Exactly. So patch your systems, back up your systems. And then on the personal side, on the employee side, for each role or for each key activity, I like to do for both, set up entitlements, account permissions, define what is allowed and not allowed, and then set some kind of security alert to monitor for whenever someone goes out of those bounds or there's a risky transaction.

And this is again where your banking and payment supply chain partners can help. But then also even more fundamental things, remove unnecessary administrator accounts from IT systems. Remove default passwords from your IT systems. It's still a common problem today, a very common problem. And if you have gone through and for each one of those roles and activities set up entitlements and account permissions, make sure to review those on a regular basis, maybe four times a year, each quarter.

As you're closing out your 13 weeks, your books, review your permission entitlements as well. And if you do practice something like the tabletop exercise that David alluded to, or your war-gaming simulations, and you can do this over lunch, a whiteboard, it really does help identify gaps in your business continuity and helps you develop some of these disaster-recovery plans, which are important.

They sound like fancy things, but they're really not. All you have to do is think, "Well, what happens if we are hit by a ransomware attack and all of our IT systems go black, go down, go dark? What do we do?"

Well, literally walk through that. Talk through it with your team members, and there's some great team members listed on the screen to start with. And it really does help identify not only gaps in those programs but also training needs for employees.

Kristen: I agree with that wholeheartedly. And just like a fire drill is there so that when you are in the height of a situation where we mentioned in the beginning, it's emotional, you feel like a victim, you've been targeted and you're not necessarily thinking at your best because it's a very high-stress situation if you think that money has been gone, money has been taken from you, right?

And so why do you do fire drills? It's so that if a fire should ever happen, you always remember where the exit is, right? This tabletop exercise, getting people together, is so that when, God forbid, it should happen, everybody knows what role they play. Your attorney has a role. Who's calling the FBI? Who's calling the cops?

Like, who's on point to let the bank know? Who's on point to make sure that you're triggering your insurance that you have put in place? Insurance needs very specific things to take place. They need a police report. They need to be notified within X number of days of the suspected event. All these things. Who's on point to make sure that those things happen so that you do get the funds recovered, at least from the policy, if not from any sort of recovery method?

And just to pull that employee-bad-actor situation full circle, in that very specific situation where the payroll account had been used by a controller, while he may never work as a controller again, he did not serve time.

And the reason why is the defense was able to show that what did that company do when they suspected that he had become a rogue actor inside of their payroll account? They had their IT professional go and play around in the system to find the source of things. It changed the date stamps and the footprint of those transactions by playing around.

If you talk to your accountant, with a forensic accountant, they would have an image made of your system, and they'll play around in the image, not in your actual system. Because the defense was able to show, “How do we know that the IT professional wasn't the one perpetrating the fraud?” And so knowing what the playbook is and what everybody's role is really huge.

So before we wrap up, any last things that, Dave, Ed, that you want to bring to the dialogue before we close out today?

Dave, I'll start with you.

David: Yeah, I'll just go back to your layers of defense. We've talked a lot about various activities that we can do within our organization to protect ourselves, and there is no single activity that is going to provide a magic protection across. It's really understanding again, what are those gaps and where do we need to layer in the additional controls, and leveraging your employees as part of that defense mechanism.

So that's what I want to leave this audience with is making sure that everyone's going back and really understanding those security components, all the various layers, and start taking actions to fill the gaps.

Kristen: I appreciate that. And Ed, how would you close us out?

Ed: I would strongly recommend everyone to go through one of these tabletop or war-gaming exercises and have fun with it. Do it with employees, do it over a lunch or a cocktail hour or something like that. And you can start so simply.

And we do these exercises every single day with our personal lives. When I walk out the door of my house, do I close the front door? Do I lock the front door? Do I have locks on my first-floor windows? Well, yes. Well, why? Because I'm trying to mitigate some bad event happening. Well, what is that bad event? A break-in, stealing my valuable goods, harming my family.

Go through the exact same thing for your business. And it doesn't matter what your business is. Is it a pet-grooming service? Is it a grocery chain? It doesn't matter. Is it a hospital? What is a bad thing that can happen, and now what can we do to prevent that bad thing from happening?

And you might have multiple branches on that tree. You would be amazed at some of the solutions that pop out of that, some of the creativity, but you'll also be amazed at how much you don't have in place. And once you identify all those things, now you can start to reach out to some of your supply chain partners. "Hey, is this something you could help with? Is this something you have in place? Is this part of the service that I'm paying for and I don't even realize it?"

That tabletop exercise, that war-gaming, threat modeling, whatever you want to call it, one of the most valuable things that I've ever learned as a cybersecurity professional and one of the first things I always consult on.

Kristen: I appreciate that. And I think one of the powers of those tabletop exercises is that your trusted advisors all know each other as well because we are all here to try and help a business recover, and so making sure that they know each other because they will all play a role in mitigation but also in the post-recovery issues as well.

Well, Ed and Dave, thank you so much for today's dialogue. If we move to the last slide, my last comment is just to say a huge thank you for everybody that participated today. We appreciate your feedback in the polls. We appreciate your interest, because I think the number one thing about this is education.

This is making sure that we are evangelists around fraud and make sure people understand it's there, it's real, it's growing, but there are really, really great tools and people that want to help you through this.

For those of you that are looking for recertification credits for CTP and CCM, there is a link to a quiz in the chat that will allow you for the 1.2 credit hours for going through today's discussion.

But otherwise, we just want to say a hearty thank you, and you will receive the email with the slides after the webinar. If you've put something in the Q&A with your email address, we will do our best to respond to those questions that we weren't able to get to today. But thank you, and enjoy the rest of your day.

Thank You

You'll receive an email with the slides after the webinar. Please share with anyone you feel would benefit.

To explore fraud solutions or to optimize your current strategies, reach out to your banker today.

Thanks to our panelists!

Kristen Saranteas
Kristen.Saranteas@FirstCitizens.com

David Myroup
David.Myroup@FirstCitizens.com

Ed Adams
ed@robinson-adams.com

Approved for up to 1.2 CTP/CCM recertification credits by the Association for Financial Professionals. You can access the link to the quiz in the chat and in the follow up email.

Disclosures

This information is provided for educational purposes only and should not be relied on or interpreted as accounting, financial planning, investment, legal or tax advice. First Citizens Bank (or its affiliates) neither endorses nor guarantees this information and encourages you to consult a professional for advice applicable to your specific situation. Account openings and credit are subject to bank approval.

First Citizens Bank and its affiliates are not responsible for the products, services and content for third party vendors. Any and all third-party trademarks, logos, and service marks references herein remain the property of their respective owners.

©2026 First Citizens Bank. All rights reserved. First Citizens Bank is a registered trademark of First Citizens BancShares, Inc.

Member FDIC.


ThriveMore: Meeting Your Ambition at Every Stage

First Citizens Bank x ThriveMore

Meeting your ambition at every stage

Reed Vanderslik, President and CEO, ThriveMore: Fifty years is a long time to be in a relationship. That's almost unheard of when that relationship is with your bank.

ThriveMore is a nonprofit organization serving older adults. We have everything from independent living, assisted living, memory care and skilled nursing. Our story began with just serving 21 residents, and we've expanded now to four campuses with plans for a fifth campus. The demographics in America today, there's a need in the next 15 years for a million more housing units serving older adults, and we intend to be part of that solution. First Citizens has championed our growth because they understand our unique business model.

Laura Pratt, Commercial Banking Manager, First Citizens Bank: We take a long term view with clients by asking questions and asking what their strategic plan is 3, 5 years from now. We really want to know where they want to be in the future for several years to come. And then we work to be a part of that vision.

Vanderslik: We're excited about the development of a new campus. We're going to be adding a child daycare. We're also going to add something that we believe doesn't exist anywhere in the country, and that is a couples' memory care, where the couple can live together for most of the day, but when the caregiver needs a reprieve, there's staff to help meet their needs. So it's a very unique project, and many banks, because it hasn't been done, would shy away from it, but First Citizens has partnered with us from day one.

It's a true partnership that I don't see retiring anytime soon.
