PAYMENT FRAUD
Payment fraud can kill your business
A specific type of cybercrime, payment fraud is when criminals masquerade as suppliers or senior members of a company, and convince finance staff to make a payment they should not.
Payment fraud is a subcategory of cybercrime, which, as the name suggests, will impact your company’s bottom line – potentially drastically. According to Ryan Mer, CEO at eftsure Africa, this type of crime is, in most cases, related to what would be called a ‘push’ payment. In essence, the defrauded party is the one who actively makes a payment (as opposed to having, say, their credit card details stolen).
“Essentially, this type of crime is about coercing the business into making an unwitting payment to the bad guys, usually by pretending to be a genuine supplier or leveraging other means to convince your finance department to pay them,” he explains. “There are multiple dangers of falling victim to this: remember that not only will your business reputation potentially be damaged, you will obviously be out of pocket, while there will be conflict with the supplier the criminal impersonated – since they won’t have received the payment they were due, and there may be questions over who is responsible for the wrong payment (them or you).
“The simple financial damage is potentially catastrophic on its own, and it of course costs additional funds and time to figure out what happened, how it happened and prevent it from happening again.”
It’s a lot like dropping a pebble in a pond, notes Mer – you feel the big splash, but the real impact is caused by the multitude of ripples.
CYBERSECURITY 2022
A threat to all
He notes that this is a concern across the board, and that SMEs are often attacked as well. The criminal may steal a smaller amount from an SME, but such a business can be hit much harder even by a smaller sum, simply because the money may mean the difference between failure and survival.
“Payment fraud is essentially one of the largest addressable markets globally and, in local terms, virtually every organisation in SA may be a potential target. And the reason the criminals have so much success with it is because – despite adopting a lot of fancy technology – even large corporates sometimes rely on very manual processes for their payments. And anything reliant on human actions, decisions and processes is vulnerable to phishing and social engineering.”
Mer outlines that there remain many manual processes in businesses, possibly even when capturing data into an advanced enterprise resource planning (ERP) system. And the longer the manual chain (the larger the organisation, the more likely this is to be quite lengthy), the more chance of a link breaking. The one comfort for SMEs is that there are fewer links to break – if you receive a message from a ‘supplier’ noting that they wish to update their bank details, you are more likely to call them to check, because you have a personal relationship with them.
“So, the key weakness lies in the manual processes, and these tend to be compromised through manipulation – commonly achieved via hacking company emails and compromising these, and from there having access to the network in order to compromise supporting documents and information.
“The bad guys also manipulate people through social engineering, using this to convince the finance person to make payments via the impersonation of a senior staff member like the CEO. It’s actually not difficult at all,