The remote work era brought on by the COVID-19 pandemic has made it even easier for criminals to execute payment fraud attacks. For most companies, it's become a matter of when they’ll face a fraud attack—not if.
New defenses are needed, because the nature of cybercrime is changing. For many years, bad actors focused on software-based attacks such as ransomware. Vendors hadn't quite caught up to developing code secure enough to operate in the hostile environment that we know is the internet today.
Sophisticated Attacks
Any effective security effort relies on technology, process, and people. Technical security efforts such as securing hardware, software, and laptops are still important. The ability to gain unfettered access at the hardware or software level allows a bad actor to do literally anything. Organizations need to double down on educating and training people throughout the organization to recognize, report, and respond to suspicious activity.
The problem is that many organizations are still focusing on technology as the main line of defense. Criminals are capitalizing on the fact that these organizations aren’t addressing the whole picture. Add the chaos and confusion of the pandemic, and over the past 24 months we’ve begun to see some pretty sophisticated cyberattacks emerge.
We saw a lot of phishing around work from home, and again around returning to the office. There was so much uncertainty, and people were so hungry for information, they’d click on anything that appeared to offer it. The bad actors were quick to capitalize, and they’ve been very nimble in customizing their attacks.
Deep Reconnaissance
Bad actors have also become very good at business email compromise (BEC), a key method of payment fraud. BECs are often very well designed and thought out. The bad actor will research an organization, its vendors, and its processes. It's actually a very deep reconnaissance effort.
They use the intelligence they’ve gathered to pose as a vendor sending an email request to change bank account information to one of their own accounts. These emails might be constructed as long threads that contain names and information simulating the documentation of the real process. Sometimes they actually compromise the organization and take control of the email of someone in AP or finance and launch the attack from there. Or, they just spoof it from another mail server.
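The header checks an AP team or mail gateway could run over the vendor bank-change emails described above, as an added example that is not part of the original article. The vendor domain, sample messages and flag names are constructed, and the code assumes the Authentication-Results header is written by your own inbound gateway.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: vendor domains on file in the vendor master (constructed value).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example"}
BANK_CHANGE = re.compile(r"\b(new|updated?|chang\w+)\W+(?:\w+\W+){0,4}?(bank|account|remittance|iban)", re.I)

def domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss vendor domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw):
    msg = message_from_string(raw)
    if not BANK_CHANGE.search(f"{msg.get('Subject', '')}\n{msg.get_payload()}"):
        return []                      # not a bank-detail change request
    flags = ["bank-change-request"]    # always needs out-of-band confirmation
    frm, reply = domain(msg.get("From")), domain(msg.get("Reply-To"))
    # Assumption: this header was stamped by our own inbound gateway.
    auth = msg.get("Authentication-Results", "").lower()
    if reply and reply != frm:
        flags.append("reply-to-mismatch")
    if "dmarc=pass" not in auth:
        flags.append("dmarc-not-pass")
    if frm not in KNOWN_VENDOR_DOMAINS and any(
            edit_distance(frm, d) <= 2 for d in KNOWN_VENDOR_DOMAINS):
        flags.append("lookalike-domain")
    return flags

def build(frm, subject, dmarc, reply_to=""):
    """Constructed sample message; not taken from a real incident."""
    reply = f"Reply-To: {reply_to}\n" if reply_to else ""
    return (f"From: {frm}\n{reply}Subject: {subject}\n"
            f"Authentication-Results: mx.corp.example; dmarc={dmarc}\n\nPlease confirm receipt.\n")

SPOOFED = build("billing@acme-supplies.example",
                "Re: Re: Invoice 1043 - updated bank details", "fail", "ar@mailbox.example")
LOOKALIKE = build("billing@acme-suppiies.example", "Change of remittance account", "pass")
COMPROMISED = build("billing@acme-supplies.example", "Updated bank details", "pass")
ROUTINE = build("billing@acme-supplies.example", "Invoice 1044 attached", "pass")
```

The compromised-mailbox sample passes every header check, which is why the request type alone is flagged for confirmation through a contact already on file.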
Continuous Threat Briefings
Corpay handles this with continuous operational threat briefings. We take real-world attempted attacks that have been detected and blocked, by our organization or other organizations, and dissect them with our entire company. That helps people understand how attacks are happening and what they look like.
Beyond “Castle and Moat”
IT has historically built what we call a “castle and moat,” or “eggshell,” defense. With this defense strategy, there’s a well-developed, hardened exterior. Enterprises are realizing the shortcomings of that type of architecture in this day and age. Data breaches are still a constant threat, but criminals now rely more on people-centered tactics like weaponizing email. If they can use that to make it past the hard shell, things get kind of squishy.
The most effective way to protect against what's coming is to address the human element. Security is always dynamic because criminals are endlessly creative. They attack, and we defend. They study our defenses and find new ways to attack.
The ultimate defense is creating an organization-wide security mindset. It's a culture. It's a way of thinking that has to be fostered. It’s easier to do than you might think.
You need to develop a programmatic approach, but it’s not that hard to get people to engage. What we find is that people are very interested in learning because they or someone they know has experienced a cyberattack in their personal lives. It’s not something that’s abstract, or exclusively work-related. Unfortunately, it’s all too relevant.