Cybercriminals and fraudsters are taking advantage of the COVID-19 pandemic to attempt increasingly sophisticated phishing attacks, payment frauds and scams. In late March, IT security company Barracuda Networks reported a 667 percent increase in phishing emails in less than a month.
Sadly, cybercriminals and fraudsters are preying on the general environment of fear and uncertainty to distribute malware, steal credentials, and trick people and organisations into parting with their money. With a large proportion of the workforce now based at home, people are vulnerable to distractions, especially if they are trying to juggle work with home-schooling their children. Criminals also see opportunities to exploit disruptions in workflow and processes as people switch to remote working.
This surge in cyberattacks, combined with the other operational pressures posed by COVID-19, underlines the critical importance of payment security for organisations.
What Does Fraud Look Like?
Fraud presents itself in a number of different forms. Particularly common are phishing activities – where cybercriminals use emails and text messages to try to pass themselves off as trusted individuals or entities with the aim of stealing sensitive information such as usernames, passwords and financial data. For example, they may pose as the CEO or CFO of an organisation to convince the recipient of their communications to remit or redirect funds. “Typically, they use urgency or fear in their messaging,” said Sarah Vidmar, director in risk advisory with Clearsulting, a management consultancy specialising in finance effectiveness.
Cybercriminals are also targeting employees who are using their own laptops or mobile phones to perform their work, or who are connecting through personal or unsecured networks while working remotely. Where devices and networks are outside an organisation’s control, IT teams cannot verify that they meet baseline security standards, let alone enforce them.
Payment fraud has historically been a focus area for criminals. According to the 2020 AFP Payments Fraud and Control Survey, 81 percent of organisations were targeted for an attempted or actual payment fraud attack in 2019. For example, a global financial services firm lost $18 million in payment fraud in less than a week last year – after it fell victim to a phishing scheme. In another case, a tech firm released a $1.2 million wire payment after it was fooled by a ‘deep-fake’ impersonation of its CFO. Payment fraud will undoubtedly accelerate further as a result of COVID-19, which is why organisations should be alert and willing to share information and best practices.
You need to be aware of where the exposures are, and where the risk is. If you don’t have that awareness, you can get blindsided pretty quickly.
How to Mitigate the Risk of Fraud
To defend their organisation against payment fraud, finance and treasury teams should pursue three main strategies:
- Payment Technologies – Finance and treasury teams should not confine themselves to reacting to breaches. Neither should they pass their security responsibilities on to another business unit. Instead, they should use the controls built into their payment technology proactively, as part of the fight against payment fraud.
- Workforce Education – Training and awareness are key to reducing the risk of a fraud taking place. By partnering with the IT function, finance and treasury can educate the organisation’s workforce about the risk of payment fraud. Employees should learn how to recognise, respond to and prevent COVID-19 cyber threats, such as phishing emails. They should also understand what kind of requests their CEO, CFO or IT team might reasonably make by email – and which are likely to be fraudulent.
- Collaboration and Responsibility – The finance function should assume cybersecurity responsibility for the entire payments function and its technology. This means working with IT to develop best-in-class solutions and risk mitigation plans. Furthermore, payment security must be aligned with the organisation’s broader information security policy. Organisations should not presume that their banking partners will protect them from fraud since different banks have different policies and attitudes toward liability. Also, there is only so much a bank can do to mitigate an organisation’s own technological risk.
Information Security Best Practices
Finance and treasury teams can apply three fundamental information security best practices when countering payment fraud. These are:
- Embrace the Cloud – Payment data and connectivity can be safer when they are hosted externally than when they are hosted within the organisation. IT functions recognise this – which is why they are already moving enterprise resource planning systems to the cloud and hosting data there. Nevertheless, not all ‘clouds’ are alike when it comes to information security. So, finance teams should make sure they involve their IT functions in any discussion about moving payment systems to the cloud.
- Application Security – A user ID and password alone should not be sufficient to grant access to a payment system. In 2017, research by Verizon found that 81 percent of hacking-related breaches involved stolen or weak passwords. Given the extent to which finance and treasury personnel are working from home today, it is especially important that payment systems combine access controls with data protection: a strong password policy, multi-factor authentication (using hard or soft tokens), IP filtering so that access is only possible from approved networks, single sign-on so that access is revoked centrally when someone leaves, and encryption of data both at rest and in transit.
- Vendor Security – This is not an area that finance and treasury teams have necessarily dwelt on in the past, but now is a good time to start paying closer attention. They can find out more about the security of their systems by asking their vendors to complete a detailed security questionnaire (for example, in the format published by the Cloud Security Alliance). They can also ask vendors for information on their governance and risk programmes (for example, does the vendor follow an established standard such as ISO 27001?). Other avenues to explore include how the vendor assesses its own third-party vendor risk and what security information and event management (SIEM) tooling it uses to detect and investigate incidents.
Alongside information security best practices, three particular workflow controls are crucial to enforcing payment security. These are:
- Elimination of Exceptions – Fraudsters will take advantage of exceptions to standardised payment processes – for example, the bypassing of certain controls to get a payment made urgently.
- Standardisation – Controls should be standardised across all payments, in all geographies, by all people, within all payment systems. No exceptions should be made – not even for the CEO.
- Centralised Payments – A centralised payment hub enables consistency of controls because it acts as the single source of record. It also enables automated confirmation, encrypted transfer and real-time visibility of payments.
Even where strong workflow controls are in place, payment screening plays an important role as a final line of defence against fraud. It also helps to ensure that the organisation is complying with its own internal policies. The three main areas where it is useful to apply payment screening are:
- Sanction Lists – Payments can be screened against the sanction lists of the US Office of Foreign Assets Control (OFAC), the European Union and the United Nations. This helps to prevent the organisation from inadvertently breaching sanctions when making payments.
- Enforcement of Payment Policy – Screening rules can be applied to check that the organisation’s payment policy has actually been followed. For example, screening can verify that the required number of separate approvers has reviewed the payment data before it is released.
- Detection of Payment Anomalies – Certain anomalies can be highlighted by screening. These might include payments being made to a new bank account, or one that has recently been modified.
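The three screening checks above map directly onto code. The following is an added example, not part of the original article or any vendor’s product: a small Python screening pass run over a constructed batch of payments. The sanctioned names, beneficiaries, IBANs and user IDs are made-up sample data (not real OFAC, EU or UN entries), and the two-approver rule, the 30-day “new or changed account” window and the 0.85 name-similarity threshold are assumed policy values. `difflib` stands in for the fuzzy name-matching engine a real screening tool would use.

```python
"""Payment screening as a final line of defence: sanctions, policy, anomalies.

Added example with constructed sample data. The list entries, beneficiaries
and payments below are made up; the 30-day window, two-approver rule and
0.85 similarity threshold are assumed policy values, not recommendations.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from difflib import SequenceMatcher

# Constructed stand-in for a consolidated OFAC / EU / UN list (not real entries).
SANCTIONED_NAMES = ["Acme Trading Ltd", "Globex Holdings SA"]


@dataclass(frozen=True)
class Beneficiary:
    name: str
    iban: str
    created: date    # when the account record was added to the vendor master file
    modified: date   # when it was last changed (e.g. a new account number)


@dataclass(frozen=True)
class Payment:
    ref: str
    beneficiary: Beneficiary
    amount: float
    submitted_by: str
    approved_by: tuple  # user IDs that approved the payment


def normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'ACME  Trading' == 'acme trading'."""
    return " ".join(name.lower().split())


def sanctions_match(name: str, entries=SANCTIONED_NAMES, threshold: float = 0.85):
    """Return the best-matching list entry at or above the threshold, else None.

    Exact matches are rare in practice (abbreviations, transliterations), so a
    fuzzy comparison is used; difflib's ratio is a simple stand-in for the
    matching engines real screening tools use.
    """
    target = normalise(name)
    best, best_score = None, 0.0
    for entry in entries:
        score = SequenceMatcher(None, target, normalise(entry)).ratio()
        if score > best_score:
            best, best_score = entry, score
    return best if best_score >= threshold else None


def screen_payment(p: Payment, today: date, min_approvers: int = 2,
                   recent_days: int = 30) -> list:
    """Return the findings for one payment; an empty list means it passes."""
    findings = []

    # 1. Sanction lists: the beneficiary name is checked against each entry.
    hit = sanctions_match(p.beneficiary.name)
    if hit:
        findings.append(f"SANCTIONS_HIT:{hit}")

    # 2. Payment policy: enough distinct approvers, and the submitter is not one
    #    of them (assumed segregation-of-duties rule).
    approvers = set(p.approved_by)
    if len(approvers) < min_approvers:
        findings.append("INSUFFICIENT_APPROVERS")
    if p.submitted_by in approvers:
        findings.append("SELF_APPROVED")

    # 3. Anomalies: beneficiary account created or changed within the window.
    cutoff = today - timedelta(days=recent_days)
    if p.beneficiary.created >= cutoff:
        findings.append("NEW_BENEFICIARY_ACCOUNT")
    elif p.beneficiary.modified >= cutoff:
        findings.append("RECENTLY_MODIFIED_ACCOUNT")

    return findings


def screen_batch(payments, today: date) -> dict:
    """Screen a batch; returns {ref: findings} only for payments needing review."""
    flagged = {}
    for p in payments:
        findings = screen_payment(p, today)
        if findings:
            flagged[p.ref] = findings
    return flagged


# Constructed sample batch (IBANs and names are illustrative only).
TODAY = date(2020, 4, 15)
SAMPLE_PAYMENTS = [
    Payment("P-1001", Beneficiary("Northwind Supplies GmbH", "DE89370400440532013000",
                                  date(2018, 3, 2), date(2018, 3, 2)),
            12500.00, "alice", ("bob", "carol")),   # clean
    Payment("P-1002", Beneficiary("ACME Trading Limited", "GB29NWBK60161331926819",
                                  date(2019, 6, 1), date(2019, 6, 1)),
            8000.00, "alice", ("bob", "carol")),    # fuzzy sanctions hit
    Payment("P-1003", Beneficiary("Northwind Supplies GmbH", "DE02120300000000202051",
                                  date(2018, 3, 2), date(2020, 4, 10)),
            45000.00, "alice", ("alice",)),         # changed account, self-approved
    Payment("P-1004", Beneficiary("Initech LLC", "FR1420041010050500013M02606",
                                  date(2020, 4, 12), date(2020, 4, 12)),
            3000.00, "dave", ("bob", "carol")),     # brand-new account
]

if __name__ == "__main__":
    for ref, findings in screen_batch(SAMPLE_PAYMENTS, TODAY).items():
        print(ref, findings)
```

Run stand-alone, the script flags P-1002 (name differs from the list entry only by “Limited” versus “Ltd”, which exact matching would miss), P-1003 (a single self-approval on an account whose details changed five days ago, the classic business-email-compromise pattern) and P-1004 (a beneficiary added three days ago), while P-1001 passes. In a real payment hub the flagged items would be held for manual review rather than released.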
Today, many organisations are experiencing considerable pressure on their cashflow and liquidity due to the COVID-19 crisis. At the same time, their perceived resources make them very attractive targets to cybercriminals looking to commit payment fraud and COVID-19 potentially presents fraudsters with a “significant, seven-figure payday”.
Organisations do not want to lose large sums of money right now. So, it is more important than ever that they invest in improving their payment security. Not only will this help them to withstand the current pandemic, it will bolster their resilience so that they can successfully navigate further crises in the future.
To learn how the payments landscape is changing, why payment and statement hubs add value, and the different types of benefits that can be realised, register for our upcoming webinar, “Driving Payments Security and Efficiency during Time of Crisis.”