It may seem that the pandemic has spurred new waves of fraudulent activity and more creative ways to lure unwitting victims into parting with sensitive data and money.
But nsKnox Chief Operating Officer Nithai Barzam said that business-to-business (B2B) enterprises and accounts were in the crosshairs long before the pandemic moved much of our lives online, and finance professionals and security teams can work together to combat looming threats.
Now, more than ever, businesses must verify credentials at onboarding, protect data at rest and protect payment transactions.
A Natural Evolution
The evolution has been a natural one for would-be criminals interested in stealing money who have historically physically attacked banks — even now, robbers steal millions of dollars in conventional heists every year.
However, more sophisticated criminals have long realized that the money in the bank actually belongs to the bank’s customers — and that businesses often have bigger accounts than individuals. As such, attacking the companies as they transfer large sums of money between them can offer ripe opportunities for fraud.
“Fraud was a frequent occurrence before the pandemic and is a more frequent occurrence now,” Barzam said.
Enter business email compromise (BEC) and phishing fraud. The criminals are targeting the weakest links in supply chains and money flows between buyers and suppliers. When done successfully, the payoffs can be huge.
“These are very organized criminals, and they operate like top performing businesses — they invest in technology, research and analysis,” he said.
The firms being targeted have become increasingly aware that they are being targeted, and are now embracing measures to bolster their defenses. There’s no longer a need to convince finance professionals that they need to take action — as recently as three years ago, four in five organizations were a target of payments fraud.
A Need for Automation
More advanced and larger organizations are using a broad range of practices and processes to protect payments against external and internal fraud, he said.
Some firms are deploying the unsolicited call back, where the enterprise will call the account owners and confirm transactions, but Barzam cautioned that manual processes such as these are only as secure as the employee tackling the task.
“They’re time-consuming, they’re error prone, and unfortunately, they’re susceptible to fraud,” he said.
Automated validation solutions can prevent this, confirming banking details globally regardless of where the account is, he said. Along the way, the enterprise can also confirm that the data and details it uses for that vendor’s ID is correct.
Those efforts are among the initial defenses against social engineering, deepfakes and voice cloning.
“Once you’ve entered and confirmed the correct data in your [enterprise resource planning (ERP)] system, you must make sure that the data remains correct and accurate over time,” he said.
All organizations must endeavor to scan their master vendor files on an ongoing basis, and to cross reference any changes with account validation status — in an automatic fashion, given that the changes can number in the hundreds or thousands as relationships shift, he said.
Companies must also strive to scan their payment transactions and ensure that those payments are only made to valid accounts before being sent to banks or clearing houses for processing.
Although most companies invest time and effort into reviewing invoices and making sure that data matches the purchase order (PO), goods delivered or service performed, they rarely verify that the bank account to which they’re actually about to pay is correct, he said.
Wariness in a WFH World
The shift to working from home has complicated things, as firms must be able to monitor their employees’ activities, data access and vulnerabilities, he said. It has made it harder to maintain existing processes, and it’s no longer sufficient to call a vendor to confirm a transaction.
“You need to start adjusting your processes and think about how you can communicate with your vendors in a secure way,” he said.
When employees are working from home, they’re often physically far from their managers, which provides an increased opportunity for insider fraud. Using personal devices for work can also present security vulnerabilities, he said.
Ideally, companies need to ensure that remote connectivity is secured and that they use multifactor authentication (MFA) for logins.
“It’s amazing how many organizations are still just using passwords and the sheer volume of stolen credentials that are available on the dark web,” he said.
Looking ahead, it’s a given that cybercrime will continue to grow, perhaps at double-digit percentage growth rates over the longer term. The fraudsters are going to become more sophisticated — which Barzam said means that “all organizations should factor risk assessment into their work plans and examine how they invest in people and automation to make sure that payments are secured.”