Employees are simultaneously a company’s first line of defense and its weakest link.
That is because as today’s quick-moving, instant-everything modern world offers more hyperconnected vulnerabilities for bad actors to exploit, behavioral-driven fraud tactics are becoming an increasingly popular approach for breaching a firm’s defenses.
Michael Jabbara, global head of fraud services at Visa, told PYMNTS last week (March 28) that the onus of defense is moving more and more to individuals as businesses establish increasingly secure, “hacker-proof” protocols.
The most vulnerable hack point in a secure system, he emphasizes, has become the individual themselves.
This comes as the Federal Trade Commission (FTC) issued a recent consumer alert warning that scammers are increasingly using artificial intelligence (AI) to replicate voices as part of high-tech phone scams, and as new PYMNTS research finds that unintentional internal threats arising from human vulnerability — including poor security habits and susceptibility to social engineering tactics — form one of the most common causes of data breaches.
Remote work only exacerbates this situation, giving bad actors isolated on-ramps into organizations via employees working at home alone, whose sensitivity to fraud has been dulled by near-constant notifications, pings and requests throughout the day — many with the expectation of near-instantaneous response.
Initial compromise in a remote work environment generally comes from employees clicking on malicious links or unwittingly providing credentials to bad actors. More than 8 in 10 businesses (86%) say that remote work has negatively affected fraud prevention at their organizations, according to research in the PYMNTS report, “How SMBs Can Fight the Fraud Threats of Remote Work.”
“People are already using ChatGPT and generative AI to write phishing emails, to create fake personas and synthetic IDs,” Gerhard Oosthuizen, chief technology officer of Entersekt, told PYMNTS in an earlier conversation.
Managing the escalated threats endemic to today’s digital environment can be a particular challenge for small to midsized businesses (SMBs), which often have budget constraints and sparse security teams, making employee upskilling around scam identification and prevention critical.
“Your employees are your first line of defense, your risk management and compliance are your second. … Leaders of companies must continue to champion security awareness and diligence of their employees, as well as walk the walk from the top,” Elly Aiala, chief compliance officer at Boost Payment Solutions, told PYMNTS last month.
Digital-first social engineering attacks are growing, and Entersekt’s Oosthuizen said, “It’s a technique that’s been sharpened over years and years of phishing detection defenses, but now it is direct, and it is fear-based. … Organizations have to deal now with more of the psychology of how to protect their customers than just providing a pure tech solution.”
Highlighting the rise of psychologically driven scam strategies, PYMNTS recently reported on how the collapses of Silicon Valley Bank (SVB) and Signature Bank offered cybercriminals a perfect cocktail of urgency, uncertainty and money movement.
The aftermath of the banking crisis created an irresistible, golden opportunity for scammers and fraudsters to exploit by capitalizing on the fear-driven climate of the present moment with traditional behavioral-driven fraud tactics.
Many of the C-suite leaders PYMNTS spoke with highlighted the shocking flurry of skimming, phishing, and business email compromise (BEC) attacks from bad actors impersonating both SVB customers and SVB officials.
That’s why, as Boost Payment’s Aiala noted earlier, just taking an extra second to verify the context and source of a request is critical — and startlingly effective at helping reduce enterprise vulnerability to some of the most common, behaviorally driven fraud tactics.
The FTC agrees, underscoring in its recent consumer alert around voice AI scams the importance of calling the person who “supposedly contacted you” to verify the story.
Behind the importance of taking an extra minute or two to double-check the validity of any incoming request is the ever-present fact that complacency is the enemy of effective fraud-fighting.
Just because an organization is enjoying a period of smooth sailing without encountering problems does not mean that it will not encounter problems in the future, nor that it has adequate controls in place.
Technological advances are often slow and complex, but the new types of frauds and scams that come with those advances are often the opposite: fast and simple.