Latest Flaw in Security Against Payments Fraud
How humans are becoming the weakest link
It seemed to be a completely harmless call which I answered one day, expecting a client with an inquiry. Instead, I was questioned by “tax collection services”, who asked to be redirected to the accounting department. Subsequently, I was probed for information about certain employees and about my company. At this point, it was apparent that this was some sort of scammer who was making a phishing attempt. It was deceptive, though, as the call was masked as a local number, and the caller already had certain details about my company. If methodically attempted on enough companies without an adequate framework of security against payments fraud, some would likely fall victim to it.
Payments fraud can be committed in various forms, but in general it is considered to be any fraudulent or unauthorized transaction completed by a cybercriminal. Fraudulent payments, illegal payments, internal manipulation, data theft, and breach of embargos and sanctions are examples. The original sense of the term refers to stealing money from accounts. Perpetrators that gain possession of insider knowledge can cause extensive losses to organizations that are influenced into making illegitimate payments. Phishing attempts, such as the one I experienced firsthand, are one of many ways for offenders to gain access to sensitive information that they can exploit.
With the advent of new technologies to shield against payments fraud, humans are becoming the weakest link, falling to phishing scams, purchase scams, account takeovers, etc.
82% of companies were targets of payments fraud last year. A staggering figure, but it should not come as any surprise. This figure, from the 2019 AFP Payments Fraud Survey, confirms the fact that as technology evolves, so does payments fraud.
Other notable results of the 2019 AFP Payments Fraud Survey are:
The survey also revealed statistics on some factors surrounding payments:
What companies are being affected?
- 87% of businesses generating more than $1bn in revenue experienced payments fraud.
- 69% of businesses generating less than $1bn in revenue experienced payments fraud.
Who are the fraudsters?
- 65% of payments fraud is committed by individuals outside the organization.
Who discovered fraud activity?
- 67% of payments fraud is discovered by treasury staff.
How much did payments fraud cost the company?
- 92% of organizations report that payments fraud attacks collectively cost 0.5 percent of the organization’s annual revenue.
How long did it take to discover the fraud?
- 47% of organizations discovered fraud less than two weeks after the incident occurred.
These statistics do not tell the whole story, though: as the business landscape continuously evolves, the methods of fraudulent activity will change.
Rising Payments Fraud
Although there are more protective measures available than ever before, payments fraud activity continues to rise. There are no signs of it declining any time soon.
The modern-day fraudster is craftier than ever, continuously seeking new weaknesses and devising different ways to manipulate payments. Scammers are persistent in their efforts to attack payment systems. When they face challenges on a particular payment method, they shift their focus to alternative payment vehicles.
Current business trends involve building trust electronically rather than in person. The use of text messaging, mobile apps, and other mobile payment methods is the new age of interaction. Scammers have responded to the trends by altering their tactics. Fraudulent text messaging, impersonating individuals, redirecting mobile payments, and breaching confidential information and credentials online are the contemporary methods of compromise. The scammers take advantage of fast-growing technology that does not have an advanced enough protection framework.
Although the growth of “fintech” has given a sense of perceived protection, the core of security remains the human factor. As mentioned earlier, humans are the weakest link in security, and lack of security awareness poses the largest risk. Absence of human innovation is also a large source of risk, and some departments, such as the treasury environment, have been slow to evolve. The 2019 AFP Risk Survey Report highlights that nearly two-thirds of treasury professionals report that their treasury departments have no plans to supplement banks and other vendors with non-traditional vendors in the immediate future. This displays a degree of risk aversion and a restricted capacity to identify, evaluate and build relationships with non-traditional vendors of treasury solutions. Non-traditional vendors bring innovations and outside-the-box thinking that disrupt existing solutions, combat the risks which face treasury departments, and are vital to deterring payments fraud.
Payments fraud damages organizations in more ways than one. Besides the obvious direct negative financial pressure that results from payments fraud (losses in the billions of dollars), there is an impact on employees, lost resources directed towards fraud prevention and clean-up costs, and irreparable damage to reputation.
With these notable statistics in mind, in addition to evolving technology, it is obvious that cybercriminals are adapting their strategies, which creates new problems.
Effective payment fraud prevention strategies to combat them are:
An even further proactive prevention approach is the adoption of artificial intelligence to safeguard operations. Organizations can embrace machine learning to stop fraud loss, with software that can predict and prevent electronic payment losses before they occur. Machine learning is designed to automatically respond to variances in data, behaviors, and trends, which makes it the most flexible and progressive solution. This defense relies on the data source it is built upon. If given a large pool of transactional data, a machine learning platform can build predictive models that are able to adjust to fraud trends. It learns patterns of fraudulent and legitimate transactions, with every new transaction as a potential learning event. This makes it possible to fight back against fraud and ensure systems are optimized so that legitimate transactions are approved without delay.
Bear in mind, however, that machine learning is not a silver bullet. Employing machine learning is not feasible for all organizations and it will not solve all problems. Artificial intelligence is not the whole strategy of defense, but it can be used as a part of an overall strategy. It can be seen as a tool for humans to use, because it still needs humans to point it in the right direction. What it can do is reduce the tedious tasks and allow people to focus on what they do best, which is being creative and solving complex problems.
Humans are the latest flaw in security against payments fraud, but they are also the greatest solution. Financial crime requires collaboration to solve problems. The cooperation of financial institutions, treasurers, and regulators is imperative to forming solutions that aren’t just one-off solutions, but solutions that are flexible, and are operable and scalable in the future, i.e., can solve many problems going forward.
Overall, the best defense is to equip humans with the proper resources to be alert in detecting fraud and with knowledge of cybersecurity protocols. Being agile in anticipating trends in payment fraud and developing security against these trends is crucial. Committing time and resources to educating employees on security awareness and up-to-date payments fraud prevention practices is always a worthwhile investment.