In our latest conversation, we sat down with Royston Da Costa, Global Treasurer at Ferguson, to delve into the evolving challenges surrounding financial fraud. Building on Trustpair’s recent study with UK finance professionals, Royston shares his expertise on the increasing threat of cyber fraud, AI-driven attacks, and the impact on businesses.
He also discusses critical steps companies should take to bolster their defenses and safeguard their financial and reputational assets. Read on for key insights and actionable advice to stay ahead of the latest fraud trends.
1. 93% of UK companies were targeted at least once in 2024, with 87% of companies targeted multiple times. A staggering 26% of companies were targeted more than four times. Do these numbers surprise you? Do you have an explanation or thoughts about how high these figures are?
So there are two ways of looking at this from my perspective because frankly, this discussion about payment fraud from my perspective, it’s almost kind of bizarre and I’ll tell you why. It’s like thinking around does any sort of crime exist in this world? It’s like being philosophical about it because, for treasury in particular, this is a relatively new area. Maybe not so much now but if we go back around eight years ago, cyber fraud was happening but companies were very shy and reluctant to talk about it.
There was a stigma attached to cyber fraud that you couldn’t afford to, or rather you would not admit to being a victim because that was potentially damaging to your company’s reputation. I think we’ve all kind of grown up from that thinking and realized that actually, we’re either all victims, or if we’re not aware of victims, then that doesn’t mean that we’ve not been hacked.
But I think in terms of where I’m sitting, the awareness has definitely increased and that’s a good thing. What I’m a bit disappointed about is perhaps the speed and potentially the traction the whole community has had with this topic. And I can understand there are elements where regulation possibly could help because it’s open to every company, whether they choose to invest in cybersecurity or not. No one is forcing companies to take up cyber insurance.
No one’s forcing companies to be more cyber secure. In terms of looking at solutions like yours [Trustpair], for example, I know the banks are beginning to develop their in-house type of higher level, but never be comprehensive for each company. So the reason I’m saying all that is because the statistics you mentioned here don’t surprise me at all. In respect that cyber fraud is a fact in life today, unfortunately. It’s just like any other crime in my view.
No one questions pickpocketing or cars being broken into. And unfortunate as they are, they happen and people accept them. So I think we have to recognize the fact that cyber fraud is here to stay because it’s so lucrative as well for the criminals. But it’s the action or lack of action that companies are not taking that concerns me in a sense. I think perhaps it’s one of those areas where there is regulation out there for sure, but there’s not the right regulation. I would like to see where potentially companies would be required to take out a level of cyber insurance, to meet certain criteria, so that they are cybersecure.
2. 92% of companies take between a week and six months to realize they’ve been targeted or successfully attacked by fraud. Why do you think detection takes so long? Despite concerns about operational disruptions and reputational damage, there’s still a gap between awareness and timely fraud detection. What key factors do you think prevent companies from identifying fraud sooner?
This is just my perspective, but tackling cyber fraud can feel like trying to boil the ocean. The landscape differs significantly between large corporations, which tend to have more sophisticated defenses and greater financial investment in cybersecurity, and smaller companies, which are often the most vulnerable.
Many smaller businesses lack the resources or don’t prioritize cybersecurity, sometimes believing they’re too small to be targeted. But that’s a dangerous misconception. In fact, based on your findings, 26% of companies were targeted more than four times last year.
Cybercriminals don’t operate like traditional burglars. They don’t just break in and steal immediately; instead, they infiltrate systems quietly, often staying undetected for months, waiting for the right moment to strike. Many companies expect an obvious breach when, in reality, cybercriminals work discreetly, exploiting vulnerabilities over time.
The bigger issue is that many organizations still don’t see cybersecurity as a necessity, despite rising threats. Even tech giants like Microsoft and Amazon are now investing billions in security because they know no company is invincible. The reality is that every business, regardless of size, must take cyber threats seriously, invest in proper defenses, and foster a culture of vigilance.
3. In our survey of UK and US businesses, we found an interesting paradox. Decision-makers are aware of fraud risks and are investing in prevention—97% are confident their teams can spot scams like deepfake emails, and 90% provide formal training. However, despite this confidence, fraud incidents remain high. This suggests a gap between perception and reality – perhaps overconfidence or a misunderstanding of how sophisticated modern fraud tactics have become. What do you think causes this disconnect between confidence in detection and the continued success of fraud attempts?
That’s a great point, and I completely agree with your findings. In my experience, cyber fraud was initially seen as just an IT issue, especially in treasury. The mindset used to be, “That’s IT’s problem, not ours.” But that’s completely false. Cybersecurity is everyone’s responsibility.
Every individual in a company should be cyber-aware, understanding common attack methods. But even with strong awareness and training, there are still gaps. For example, in my company, over 80% of spam emails are blocked by IT, yet a small percentage still make it through.
That’s where human vigilance comes in. However, the reality is that cybercriminals aren’t just relying on emails anymore. They are constantly evolving, finding new ways in. And AI is a game-changer. While we focus on its benefits, criminals are leveraging AI to make their attacks even more sophisticated. That’s why we can never assume we’re fully protected.
So, while I understand why 97% of leaders are confident in their teams’ ability to spot fraud, the truth is that security requires a multi-layered approach. It’s not just about training employees—it’s about working with IT, internal audit teams, and key stakeholders to build strong processes. Fraud prevention isn’t a one-time effort; it’s an ongoing necessity. And this is particularly crucial for treasury because we handle payments. That’s exactly why cybercriminals target us—because payments are where they can inflict the most damage.
Unfortunately, fraudsters have been able to steal large sums of money from companies far too easily. I think treasury has woken up to this threat, but the fight isn’t over. This is a long-term challenge, and companies need to continuously strengthen their defenses. Cyber fraud isn’t going away—it’s only getting more advanced.
4. There seems to be ongoing uncertainty about who is responsible for preventing payment fraud—whether it falls under procurement, accounts payable, finance, or treasury. Our study found that 68% of companies rely on collaboration across these teams, 55% implement fraud awareness training, and 49% use fraud prevention software. Yet, 34% worry about internal trust breaking down. Given the increasing sophistication of fraud, how can organizations move beyond a siloed approach and establish a strong, shared responsibility model for fraud prevention?
I often use this analogy because I think it’s so important, yet frustrating when companies, especially startups and smaller businesses, don’t see it the same way. If you open a physical store, one of the first things you do is take out insurance. You prepare for the possibility of a fire or break-in. To me, cybercrime is no different, but many businesses don’t treat it with the same urgency.
Startups and small businesses often view cybersecurity as an unnecessary cost, but that’s exactly why cybercriminals target them. These criminals aren’t lone hackers—they operate like organized businesses with the resources to attack thousands of smaller companies at once.
Even if the ransom demand is small, businesses often feel they have no choice but to pay, especially when payments are demanded in cryptocurrency to maintain anonymity. Ideally, I’d love to see governments play a bigger role. While they can’t force companies to invest in cybersecurity, they could do more to encourage businesses to take the necessary precautions to protect themselves and ensure uninterrupted operations in today’s digital world.
5. In the study, when we asked about new fraud channels that are emerging, the numbers show that 48% are still being targeted by payment platforms, 36% by business email compromise, and 35% by fake websites. But we see a rise. We see 15% are reporting video conferencing tools as a channel and 25% Gen AI schemes. So that can mean deepfake, deep voice, so many different ways that you can use AI in this day and age now. And it’s only going to get bigger, which, as we said, I think companies are aware of. What do you think about this rise? What are your thoughts about the rise of these new channels?
Unfortunately, like any new technology, AI has both positive and negative impacts. Right now, most people focus on the positives because AI has huge potential. But as you pointed out, cybercriminals are also leveraging it, creating a paradox.
The same technology that is helping businesses grow is also being used to cause destruction. That is why the basics of cybersecurity are still critical. Awareness, training, and vigilance remain key. But I also believe the solution lies in technology itself. We already see some banks adopting biometric authentication, and I expect security measures to advance within companies too.
Take deepfake scams, like the $25 million case in Hong Kong last year. How do we verify that the person we are speaking with is real? The technology exists to address this, but it is not yet widely implemented. Platforms like Zoom and Microsoft Teams will likely integrate these solutions in the future. AI-driven scams will only get more sophisticated. I see them in my personal inbox and, thankfully, not often at work.
We need to stay vigilant and leverage available technologies, including trusted service providers. One area that is often overlooked is cyber insurance. It plays a powerful role, not just in covering losses but in training staff, running disaster recovery scenarios, and providing essential guidance to businesses.
6. In the US, we still see a reliance on manual fraud prevention methods—62% of companies use double-check procedures, and 39% rely on human callbacks for account validation. In the UK, do you think businesses hesitate to automate due to a “don’t fix what isn’t broken” mindset? Or is there still a strong preference for traditional fraud prevention methods?
You’ve hit on something crucial, and I appreciate that. The “don’t fix it if it ain’t broke” mentality was a big issue I found in my research on technology adoption in US Treasury, especially five years ago. But things are shifting. Now, there’s a new generation coming in—millennials and Gen Z—who are pushing for change. These younger decision-makers are driving the shift toward embracing technology and recognizing the need for cybersecurity.
The situation with checks in the US is unique. While checks are old-fashioned by many standards, especially here in the UK, the US has a highly sophisticated clearing system. So, even though checks seem outdated, they’re still widely used, particularly by the younger generation who are familiar with the process. Finally, collaboration is key. Even the biggest banks, with their vast security investments, collaborate with each other to share information, especially when it comes to threats in the dark web.
A few years ago, I was even informed by a bank that our company might be at risk. So, working together by sharing knowledge and resources is essential. These surveys and studies provide a great opportunity to facilitate that collaboration.
7. Yes, collaboration is key to detecting fraud. Before we wrap up, I wanted to ask about the Confirmation of Payee (CoP) system. We know that 77% of companies use it, and 96% believe it helps prevent fraud. This seems like an important tool, especially in the UK market. What are your thoughts on its effectiveness and how it’s being adopted in the UK compared to other markets?
It’s a step in the right direction. Personally, I’m a strong believer in digital currency—not necessarily cryptocurrency, but digital currencies in general—because of the security it offers. Knowing exactly who you’re paying and being certain the recipient is validated is a huge benefit.
The Confirmation of Payee system is an important step toward that, though I’m not sure it will be the final solution. Ultimately, companies need stringent processes in place to ensure every payment is sent to the right beneficiary, and the tools available today are crucial in making that happen securely.
8. As we look ahead to 2025, what key advice would you offer to companies, particularly regarding investments or areas to focus on? With payment fraud expected to rise, especially with 73% anticipating an increase and 65% viewing it as a top concern, are there any particular areas you would suggest they prioritize, whether it’s in terms of technology, cybersecurity, or processes to stay ahead?
Absolutely, this isn’t rocket science, but it’s crucial to get it right. First off, review your processes regularly—this isn’t a one-time task. Identifying gaps or weaknesses early on can save you a lot of headaches later. Make sure your treasury policies are always up-to-date, and ensure everyone in the company knows and understands them.
Your cybercrime response plan is another key component; make sure it’s clearly defined, and that everyone understands their role. In smaller companies, it might just be one IT person handling it, but in larger organizations, you’ll need a dedicated team to handle these matters effectively. Cybercrime insurance is an area I strongly advocate for. Right now, it’s optional, but I truly believe it should be standard, like house insurance. Whether you’re a small business or a large corporation, everyone needs a level of protection. The coverage might differ in scale, but it’s still necessary for both.
Another important piece is staff training. This can’t just be a box-checking exercise done once and forgotten. Training should be a continuous process, happening at least once a year, if not more often. And think outside the box for your training methods—webinars are great, but consider surprise tests to see how employees react to phishing attempts or other common threats. If someone falls for a test phishing email, at least you can address the issue before an external attacker exploits it.
In the end, there’s no magic bullet for preventing fraud, but these steps, simple as they may seem, are critical to building a solid defense.
To conclude
In summary, Trustpair equips finance leaders with the tools they need to fight fraud through automated bank account validation, seamless integrations, and comprehensive security measures. Learn how we can help fortify your organization’s defenses and improve financial resilience – reach out to an expert today!