Fraud is still a persistent and ubiquitous threat, as evidenced by a recent study which found that 79% of organizations surveyed experienced attempted or actual payments fraud over the past year.
The study by the Association for Financial Professionals (AFP) found that while this figure was down one basis point from the previous year, it was not a significant drop considering the time and resources many companies have invested in strengthening their fraud defenses. Additionally, organizations that lost funds due to payments fraud were much less likely to recover more than three-quarters of the stolen amount—down from 41% to 22% year-over-year.
Corporate emails continue to be the most popular target for cyberattacks, with business email compromise (BEC) cited as the most common tactic.
“Socially engineered attacks, like business email compromise attacks—which are nothing more than targeted phishing attacks—are common points of entry for all cyber-attacks, including those that result in fraud,” said Tracy Goldberg, Director of Fraud & Security at Javelin Strategy & Research. “Stronger domain name system (DNS) controls that block malicious domains not only trap or block phishing emails but also prevent employees from accessing malicious websites, which also can be used by cybercriminals to exploit network vulnerabilities and deploy malware, once they’ve lured an unwitting user to engage. DNS controls also can be used to protect network devices and routers, to ensure the entire attack surface is secured.”
Cybercriminal Tactics Shift
A single BEC event can have dramatic consequences, as evidenced by the recent breach at the U.S. Office of the Comptroller of the Currency. In this instance, hackers accessed thousands of emails containing highly sensitive information for over a year—all because they compromised an administrator’s account.
According to the AFP study, most email attacks originate from spoofed emails that appear to come from reputable sources. In many of the early BEC attacks, cybercriminals impersonated senior executives within the organization to deceive employees.
As more companies strengthen their defenses against such tactics, bad actors have shifted their focus. Increasingly, they are exploiting the trusted partnerships many organizations rely upon. Emails in which criminals impersonated vendors or third parties saw a substantial uptick last year.
Targeting Payment Mechanisms
In the reported BEC incidents, the AFP found that wire transfers were the most popular targets for criminals. With wire transfers, users can send large amounts in a single payment, and it is often difficult for customers to retrieve their funds once they’ve been manipulated into making the transfer.
Outside of BEC, the payment mechanism most frequently targeted by criminals is still paper checks. Despite the many payment innovations available to organizations, many have been reluctant to move away from checks. However, continued reliance on checks substantially increases an organization’s vulnerability. The AFP study found that 63% of respondents had experienced fraud attempts or attacks involving checks.
