june2022 - 16

FEATURE
How Businesses Can Defend Against Payment Fraud
By Tony Carothers
CPA Practice Advisor, June 2022 (www.CPAPracticeAdvisor.com)
THE REMOTE WORK era brought on by the COVID-19 pandemic has made it even easier for criminals to execute payment fraud attacks. For most companies, it's become a matter of when they'll face a fraud attack, not if.

New defenses are needed, because the nature of cybercrime is changing. For many years, cybercriminals focused on software-based attacks such as ransomware. Vendors hadn't quite caught up to developing code secure enough to operate in the hostile environment that we know the internet is today. Now vendors have hardened their systems to the point where it's inefficient for a bad actor to carry out an attack using technology alone. In the last year or two, we've seen a shift to schemes that use technology but ultimately rely on strategies that exploit human weakness. This is the new frontier in the battle against payment fraud.
SOPHISTICATED ATTACKS
Any effective security effort relies on technology, process and people. Technical security efforts such as securing hardware, software and laptops are still important. The ability to gain unfettered access at the hardware or software level allows a bad actor to do literally anything. Organizations need to double down on educating and training people throughout the organization to recognize, report and respond to suspicious activity.

The problem is that many organizations are still focusing on technology as the main line of defense. Criminals are capitalizing on the fact that they aren't addressing the whole picture. Add the chaos and confusion of the pandemic, and over the past 24 months we've begun to see some pretty sophisticated cyberattacks emerge.

We saw a lot of phishing around work from home, and again around returning to the office. There was so much uncertainty, and people were so hungry for information, they'd click on anything that appeared to offer it. The cybercriminals were quick to capitalize, and they've been very nimble in customizing their attacks.

Here's a great example: For a long time, Microsoft was the brand most commonly spoofed in phishing emails. A typical attack might be a fake email from a cybercriminal saying you needed to update your password, or act now because you're running out of mailbox or drive space. Now, DHL Delivery Service has surpassed Microsoft as the most commonly spoofed brand because deliveries have become much more prominent in our personal and professional lives.
DEEP RECONNAISSANCE
Cybercriminals have also become very good at business email compromise (BEC), a key method of payment fraud. BECs are often very well designed and thought out. The cybercriminal will research an organization, its vendors and its processes. It's actually a very deep reconnaissance effort.

They use the intelligence they've gathered to pose as a vendor sending an email request to change bank account information to one of their own accounts. These emails might be constructed as long threads that contain names and information simulating the documentation of the real process. Sometimes they actually compromise the organization and take control of the email of someone in AP or finance and launch the attack from there. Or, they just spoof it from another mail server.

In either case, there's no technology that's going to effectively stop that attack. That's why information security today is a counterintelligence function. You have to be aware of information that's out there, and all the ways in which bad actors might use it. And you have to communicate that to the entire organization.
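The vendor bank-change BEC described above is, as the article says, not something a mail filter stops on its own: the request may arrive from a lookalike domain, from a spoofing mail server, or from the vendor's genuine, compromised mailbox. The control that does stop it is a process one. A change to a vendor's bank account is never applied on the strength of an email, however authentic the thread looks, but only after a callback to the phone number already on file. The Python below is an added example written for this page, not code from the author or from Corpay. It screens an inbound request for the indicators the article mentions (sender domain not a vendor of record, including lookalike domains; Reply-To mismatch; SPF/DKIM not both passing; a request to change payment details), routes the request accordingly, and refuses to apply a change without callback confirmation to the number on file. The vendor record, domains, sample messages, keyword lists and edit-distance threshold are all constructed or assumed for illustration.

```python
"""Vendor bank-account-change control.

Added example for this page, not code from the article or from Corpay.
The vendor record, domains, sample messages, keyword lists and the
edit-distance threshold below are constructed or assumed for illustration.
"""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr


@dataclass
class Vendor:
    name: str
    domain: str
    phone_on_file: str   # verified when the vendor was onboarded, never taken from an email
    bank_account: str


# Constructed vendor master record, keyed by the vendor's email domain.
VENDORS = {
    "acme-supplies.example": Vendor("Acme Supplies", "acme-supplies.example", "+1-555-0100", "12345678"),
}

# Constructed sample messages. FRAUD_EMAIL spoofs the vendor from a lookalike domain
# (capital I for l); COMPROMISED_EMAIL comes from the vendor's real, fully authenticated
# mailbox (the "take control of someone's email" case); LEGIT_EMAIL is an ordinary invoice.
FRAUD_EMAIL = """From: Accounts <ar@acme-suppIies.example>
Reply-To: Accounts <ar@acme-suppIies.example>
To: ap@victim-corp.example
Subject: RE: RE: Invoice 4471 - updated bank details
Authentication-Results: mx.victim-corp.example; spf=pass smtp.mailfrom=acme-suppIies.example; dkim=none

Hi, please note our new bank account for all future payments, effective immediately.
"""
COMPROMISED_EMAIL = """From: Accounts <ar@acme-supplies.example>
To: ap@victim-corp.example
Subject: RE: Invoice 4471
Authentication-Results: mx.victim-corp.example; spf=pass smtp.mailfrom=acme-supplies.example; dkim=pass header.d=acme-supplies.example

We have changed banks. Please send future payments to the new bank account below.
"""
LEGIT_EMAIL = """From: Accounts <ar@acme-supplies.example>
To: ap@victim-corp.example
Subject: Invoice 4472
Authentication-Results: mx.victim-corp.example; spf=pass smtp.mailfrom=acme-supplies.example; dkim=pass header.d=acme-supplies.example

Please find attached invoice 4472, due in 30 days.
"""


def _domain(header_value):
    """Lower-cased domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike vendor domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_vendor(domain):
    """Vendor-of-record domain that `domain` closely resembles, if any (threshold assumed)."""
    for known in VENDORS:
        if domain != known and _edit_distance(domain, known) <= 2:
            return known
    return None


def bec_indicators(raw_email):
    """Return the BEC indicators present in one inbound message."""
    msg = message_from_string(raw_email)
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()  # added by our own MX
    body = msg.get_payload().lower()
    flags = []
    if from_domain not in VENDORS:
        twin = lookalike_vendor(from_domain)
        hint = f" (resembles {twin})" if twin else ""
        flags.append(f"sender domain {from_domain} is not a vendor of record{hint}")
    if reply_domain != from_domain:
        flags.append("Reply-To domain differs from From domain")
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        flags.append("SPF and DKIM did not both pass")
    if any(k in body for k in ("new bank", "bank account", "account number", "wire")):
        flags.append("requests a change to payment details")
    if any(k in body for k in ("urgent", "immediately", "as soon as")):
        flags.append("urgency language")
    return flags


def triage(raw_email):
    """Route the request. A payment-detail change is never actioned from the email
    alone, even when every header check passes (the compromised-mailbox case)."""
    flags = bec_indicators(raw_email)
    spoofed = any("vendor of record" in f or f.startswith(("Reply-To", "SPF")) for f in flags)
    change = any("payment details" in f for f in flags)
    if change and spoofed:
        return "escalate to security; do not act on email"
    if change:
        return "hold; confirm by callback to number on file"
    return "normal processing"


def apply_bank_change(vendor_domain, new_account, callback_number, confirmed):
    """Apply a change only after a callback to the phone number on file confirmed it;
    a number supplied in the request itself is never accepted."""
    vendor = VENDORS.get(vendor_domain)
    if vendor is None:
        return "rejected: unknown vendor"
    if callback_number != vendor.phone_on_file:
        return "held: callback must use the number on file, not one from the request"
    if not confirmed:
        return "held: awaiting callback confirmation"
    vendor.bank_account = new_account
    return "applied"


if __name__ == "__main__":
    for label, sample in (("fraud", FRAUD_EMAIL), ("compromised", COMPROMISED_EMAIL), ("legit", LEGIT_EMAIL)):
        print(f"{label}: {triage(sample)} {bec_indicators(sample)}")
```

The header checks catch the lookalike-domain and spoofed-server cases, but the compromised-mailbox message passes every one of them, which is exactly the article's point: the only thing that stops that request is the rule in `apply_bank_change` that the change waits for a callback to the number AP already holds, never to a number the email provides.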
CONTINUOUS THREAT BRIEFINGS
Software companies try to handle this with continuous operational threat briefings. They take real-world attempted attacks that have been detected and blocked, and dissect them. That helps people understand how attacks are happening and what they look like.

Software companies also typically work very closely with business leaders to understand their processes and where there might be vulnerabilities. Working together, the software provider and business leaders can come up with very effective and secure processes.
BEYOND "CASTLE AND MOAT"
IT has historically built what is called a "castle and moat", or "eggshell", defense. With this defense strategy, there's a well-developed, hardened exterior. Enterprises are now realizing the shortcomings of that type of architecture. Data breaches are still a constant threat, but criminals now rely more on people-centered tactics like weaponizing email. If they can use that to make it past the hard shell, things get kind of squishy.

The most effective way to protect against what's coming is to address the human element. Security is always dynamic because criminals are endlessly creative. They attack, and we defend. They study our defenses and find new ways to attack.

The ultimate defense is creating an organization-wide security mindset. It's a culture. It's a way of thinking that has to be fostered. It's easier to do than you might think. You need to develop a programmatic approach, but it's not that hard to get people to engage. What we find is that people are very interested in learning because they or someone they know has experienced a cyberattack in their personal lives. It's not something that's abstract, or exclusively work-related. Unfortunately, it's all too relevant. ■
Tony Carothers is the Security Systems Engineer at Corpay, a FLEETCOR company. He has over thirty years of experience in information security, working in both the public and private sectors.