It’s not only police that use the mantra ‘follow the money’; it’s their criminal counterparts too. Now, with money moving via digital payment rails more than ever before, security experts are warning businesses that their systems are becoming increasingly vulnerable to payments fraud, particularly because of remote working practices.
In Europe, the European Union cybersecurity agency reported detection of 230,000 new malware infections every day, with many more going undetected. In the US, the FBI now ranks cybercrime as their third highest priority below combating terrorism and counter espionage, and they received 792,000 victim reports in 2020 – an almost 70% increase on the previous year.
We sat down with Alex Clements, a world-leading expert in cybercrime and Global Head of FinCrime, Investigations & Monitoring at TransferMate, to discuss the biggest threats businesses will face in 2022. With 17 years’ experience with the Metropolitan Police, Alex is well placed to advise businesses on how they should protect their vulnerable systems in this new era of remote working.
Q. From the outside looking in, COVID seems to have given criminals the impetus to move more into cybercrime than ever before. Does that sound right to you? And why is it happening?
It’s 100% right. There are displaced workforces, with the vast majority of people working from home, and this has increased the vulnerabilities in systems, and that very much includes those people that interact with those systems. A study by IBM reported that 95% of successful attacks were due to lapses in manual controls, or reliance on people to detect “red flags”.
Fraudsters know this, and they know where the vulnerabilities are to attack.
Q. Let’s look at that digital money flow, and payments in particular. What are the common schemes criminals are using right now to defraud businesses, especially when it comes to their payment processes?
Really, we see two basic schemes.
The lower-tech version is business email compromise. Typically, this is the fraudster using an email address that is very similar to the actual address – the ‘0’ instead of ‘O’ etc. – of a supplier or payee, and is intended to catch people unawares. Often, they’ll be targeted early in the morning or late at night where people are more likely to be caught out. We also see a spike in activity late on a Friday when people are trying to get out the door.
Global losses from payment fraud have tripled from $9.84 billion in 2011 to $32.39 billion in 2020.
The other type is account business takeover, which is what we’d describe as a ‘hack’. So, someone hacking into your email and sending a communication from your account while changing the bank account details. The best way to combat this: when any supplier or any company that you’re working with wants to change their bank details, the thing to do is pick up the phone and speak to your contact directly.
Q. And what are the routes they use to infiltrate a system, and what are the system weaknesses business leaders should look out for?
A big vulnerability right now is remote VPN access and connection. Why? Because this is where security updates can be updated across a network of devices.
Some companies don’t have the ability for their people to connect through VPN, whereas others – and this includes all the biggest companies in the world – aren’t necessarily able to get their staff to connect to the VPN regularly to receive security updates. And it’s these security updates that are the real weaknesses that cyber criminals can attack.
The longer a system hasn’t been updated with both internal security updates, and those updates our computers ask us to do when a patch comes through from the operating system, the weaker it is.
There is also a risk when staff bring their laptop to the local coffee store and access the “hotspot”. Beyond that, we all know about clicking suspicious links and weak passwords through targeted phishing attacks – these are still common routes in for fraudsters.
Q. Can you give me an example of a typical attack of this type?
The Colonial Pipeline Company story this year is an excellent example of how these attacks can not only affect the company but have serious knock-on ramifications.
It’s reported that the hackers accessed the company’s system using a single compromised password that was sold on the dark web and accessed the company’s VPN remotely. Very early one morning – I think it was 5am – an employee received a ransom demand via email. Within an hour or two, the largest fuel pipeline in the U.S. was shut down as a precaution.
During the Colonial Pipeline attack, the average price per gallon hit over $3 - the highest level seen since October 2014.
The closure saw supplies of diesel, petrol and jet fuel tighten across the US, with prices rising and a number of states declaring an emergency. There were news stories where people were filling up plastic bags full of gas.
We later learned that the company paid around $5m in ransom via Bitcoin. Nearly half of it was recovered by the FBI within a month, but the cost of the hack had gone well beyond what they paid in ransom.
Q. And can a hacker penetrate the digital payment systems themselves?
Yes, there is potential for a hacker to get into a system and change the details and, in that case, the internal person sending the payments may not notice anything wrong when sending the payment.
To prevent this, you need to have a system that can flag when something unusual is happening.
At TransferMate, we invested heavily into our compliance monitoring systems and we’ve built controls to detect all kinds of risk scenarios. We are also ISO 27001 compliant, and our system includes customer authentication controls and dual-authorization controls. That said, we also find that one of the most effective actions is through education and awareness; cyber criminals look for any and every opportunity, so the more vigilant we are the greater success we can achieve.
Q. And presumably speed in that sort of case is important?
Definitely. The CIA’s figures show us that within 72 hours is the key timeframe; and that’s from the moment of the fraud. If you can detect it and take action within that timeframe, the chances of recovering the money are higher.
After that 72 hours, the chances of recovering the money drop to 9%.
Q. To go back to the fundamentals, what are the best methods of protection for businesses? Let’s look at it from the people angle first…
From the people angle, the first step for any leader in a company is to ensure all staff are trained in identifying and preventing fraud. Anyone can be the victim here, and fraudsters will target all levels of a company. If your catering staff or cleaning staff have company emails that receive payroll details, for example, they are equally at risk as the Chief Financial Officer, and often overlooked.
And, of course, fraudsters know this, so they’ll target accordingly.
With social engineering techniques – like adding urgency to a message, impersonating the CEO or department head to target people within the company – it’s important for people to recognize the tactic. Sometimes, it’s the novelty of it to the victim that makes it more likely to succeed.
In 2020, 74% of organizations in the United States experienced a successful phishing attack.
The company also needs to provide a psychological safety net for employees to raise something they feel is suspicious. People should be praised even if they raise a flag and it turns out to be non-fraudulent.
Finally, procedures should be put in place so that when account details are changed on a system, they are confirmed by a human being. These ‘double-blind’ human checks and balances are key.
Q. And then when we look at the technological and systems angle, what should businesses be putting in place there?
As we’ve said before, but it is worth reiterating, businesses need to keep the IT security software updated across all the devices people use. Many older operating systems will not be able to accommodate the latest software in terms of VPN, firewall and anti-virus protection.
This also means that the hardware you use needs to be current and able to handle the most up-to-date operating systems. That, of course, may mean an expense for the company to update that hardware, but the long-term thinking here is that the cost of that will outweigh any potential future fraud.
"Cyber-security is more than a matter of IT" - Stéphane Nappo, Global Chief Information Security Officer, Groupe SEB
Q. You’ve been at the forefront of preventing fraud right around the world for nearly two decades. Any trends you see emerging next? What worries you?
There will be a transition period over the next while when people are returning to work, while others continue working remotely for the long term, and that transition period could leave companies vulnerable.
The habits we’ve built up over the last two years – processing payments from home etc. – will mean that people will be more inclined to carry them out again in unsecure environments. It might be as simple as being in a public place and potentially letting a fraudster read directly from the screen or using public WiFi systems that are more open to attack.
It doesn’t mean we have to revert back to what we did before; it just means we have to take steps (like issuing laptop security screens to staff) and have security policies in place to mitigate against these new threats.
Q. And what has TransferMate put in place to protect your customers? What are the protections your systems provide?
We come at this from several angles. Firstly, all our staff are trained and trained on a regular basis. The people are always the most vulnerable part of any system, so having strong policies in place there is essential.
We also have a strong law-enforcement outreach program and we plug in regularly with police services across the world, from the FBI, the Met Police, to Interpol. This is how we ensure that we are on top of the latest risk scenarios and track what tactics fraudsters use. We use our outreach program to fine-tune our compliance monitoring systems in real-time.
Q. You’re obviously taking a very holistic approach to all this, building layer upon layer of security protections but, if you had one piece of advice for businesses looking to avoid being the victim of a scam, what would it be?
If you’re ever suspicious, pick up the phone and contact the client directly. If you are using TransferMate, reach out to our Customer Service if you have a doubt about a potential payment before you make the booking; our Compliance Experts are always available to deal with such queries.
Alex, thanks for your time.