Payment Fraud
from Cyber Security 2022
by 3S Media
Payment fraud can kill your business
A specific type of cybercrime, payment fraud is when criminals masquerade as suppliers or senior members of a company, and convince finance staff to make a payment they should not.
Payment fraud is a subcategory of cybercrime, which, as the name suggests, will impact your company’s bottom line – potentially drastically. According to Ryan Mer, CEO at eftsure Africa, this type of crime mostly involves what would be called a ‘push’ payment. In essence, the defrauded party is the one who actively makes a payment (as opposed to having, say, their credit card details stolen).
“Essentially, this type of crime is about coercing the business into making an unwitting payment to the bad guys, usually by pretending to be a genuine supplier or leveraging other means to convince your finance department to pay them,” he explains.
“There are multiple dangers of falling victim to this: remember that not only will your business reputation potentially be damaged, you will obviously be out of pocket, while there will be conflict with the supplier the criminal impersonated – since they won’t have received the payment they were due, and there may be questions over who is responsible for the wrong payment (them or you).
“The simple financial damage is potentially catastrophic on its own, and it of course costs additional funds and time to figure out what happened, how it happened and prevent it from happening again.”
It’s a lot like dropping a pebble in a pond, notes Mer – you feel the big splash, but the real impact is caused by the multitude of ripples.
A threat to all
He notes that this is a concern across the board, and that SMEs are often attacked as well. The criminal may steal a smaller amount from an SME, but such a business can be hit much harder even by a smaller sum, simply because the money may mean the difference between failure and survival.
“Payment fraud is essentially one of the largest addressable markets globally and, in local terms, virtually every organisation in SA may be a potential target. And the reason the criminals have so much success with it is because – despite adopting a lot of fancy technology – even large corporates sometimes rely on very manual processes for their payments. And anything reliant on human actions, decisions and processes is vulnerable to phishing and social engineering.”
Mer outlines that there remain many manual processes in businesses, potentially even when capturing data into an advanced enterprise resource planning (ERP) system. And the longer the manual chain (the larger the organisation, the more likely this is to be quite lengthy), the more chance of a link breaking. The one comfort for SMEs is that there are fewer links to break – if you receive a message from a ‘supplier’ noting that they wish to update their bank details, you are more likely to call them to check, because you have a personal relationship with them.
“So, the key weakness lies in the manual processes, and these tend to be compromised through manipulation – commonly achieved via hacking company emails and compromising these, and from there having access to the network in order to compromise supporting documents and information.
“The bad guys also manipulate people through social engineering, using this to convince the finance person to make payments via the impersonation of a senior staff member like the CEO. It’s actually not difficult at all, when you consider how much publicly available data can be sourced from sites like Facebook and LinkedIn. With a bit of effort, it is relatively easy to work out who is who in a business, and target them by understanding who in the organisation would send these types of mails, and to whom.”
Often, the messages sent contain the kind of personal details that one would expect only someone you know to have access to, but such details are frequently far easier to obtain than we would like to think, thanks to social media, he adds.
“There is obviously plenty of overlap between standard cybercrime attacks with malware or ransomware and payment fraud. Logically, if they can introduce malware into your system, particularly if you are unaware of it, it can simply sit there for months on end, gathering data. That’s something else about these criminals – they can be incredibly patient,” he states. “A further complication is that there are also internal risks – either employees who accidentally let them in, ones who are acting with the criminals, or those with their own criminal intent, manipulating the processes within the business by themselves.”
Responsibility and training
The first order of business from a protection perspective is to determine who is responsible for ensuring payment fraud does not occur. While cybersecurity is generally the ambit of the IT department, in this instance, says Mer, it simply has to be the chief financial officer (CFO).
“Remember that your most important data resides with the finance team, and it is they too who control the process around making payments. Thus, it falls to the CFO to ensure that the appropriate controls and processes are adopted. This is broadly a combination of technology – which may require liaison with the CIO – and sound processes and controls,” he adds.
“Security must be driven from the top, and it is critical to focus on establishing the right culture and mindset. This means effective and ongoing training, as well as better controls and processes. These could be as simple as better segregation of duties in the process, thereby ensuring authorisation (and, thus, an extra set of eyes) is required to change or update any banking details on the system, or better verification processes to ensure no one falls victim to business email compromise. All of this should then be supported by the relevant security technologies.”
He points out that technology can also be beneficial in automating a lot more of these processes, thereby eliminating human intervention from the chain completely.
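The segregation-of-duties and verification controls described above can be enforced in software rather than left to individual judgement. The Python sketch below is an added example, not code from the article or from eftsure; it assumes a constructed in-memory supplier registry in which a bank-detail change must be staged by one person, confirmed by a second person who phones the supplier on the number already on file, and approved by someone other than the requester, with any payment inside a review window after such a change flagged for a second look.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

class ControlViolation(Exception):
    pass  # a step tried to bypass segregation of duties or verification

@dataclass
class BankDetailChange:
    supplier: str
    new_account: str
    requested_by: str
    verified_by: str = ""   # second person who phoned the supplier to confirm
    approved_by: str = ""   # second person who released the change

class SupplierRegistry:
    def __init__(self, review_window_days: int = 14):
        self.accounts = {}      # supplier -> account currently on file
        self.last_change = {}   # supplier -> when its details last changed
        self.pending = {}       # supplier -> staged change awaiting approval
        self.review_window = timedelta(days=review_window_days)

    def request_change(self, supplier, new_account, requested_by):
        # Maker step: the request is staged, never applied directly.
        self.pending[supplier] = BankDetailChange(supplier, new_account, requested_by)

    def record_callback(self, supplier, verified_by):
        # Out-of-band check by someone other than the requester, using the phone
        # number already on file rather than one supplied in the emailed request.
        ch = self.pending[supplier]
        if verified_by == ch.requested_by:
            raise ControlViolation("callback must be done by a second person")
        ch.verified_by = verified_by

    def approve_change(self, supplier, approved_by, now: datetime):
        # Checker step: a second set of eyes, and only after the callback.
        ch = self.pending[supplier]
        if approved_by == ch.requested_by:
            raise ControlViolation("approver must differ from requester")
        if not ch.verified_by:
            raise ControlViolation("bank details not verified out of band")
        ch.approved_by = approved_by
        del self.pending[supplier]
        self.accounts[supplier] = ch.new_account
        self.last_change[supplier] = now

    def payment_needs_review(self, supplier, now: datetime) -> bool:
        # Payments soon after a change of bank details get a second look: that is
        # the window in which a fraudulent change would actually pay out.
        changed = self.last_change.get(supplier)
        return changed is not None and now - changed < self.review_window

def day(iso: str) -> datetime: return datetime.fromisoformat(iso)  # constructed helper
```

The dates and supplier names used with it are constructed; the point is that no single person can both request and release a change, and that the change itself is recorded so later payments can be checked against it.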
“While payment fraud can hit you hard, it is something that can be overcome by reasonably applying your mind to it. Most of the defences are fairly logical and, if you think about it carefully, it is easy to put reasonable processes in place. Of course, don’t forget to regularly review these, in order to be able to improve them and ultimately automate as much of the chain as possible, thereby reducing the threat of error, incompetence or criminal intent from your people within the business,” he concludes.