Creating a human firewall: payment fraud in a digital era

In this hyper-digital age, businesses enjoy the benefits of online payments, but so do fraudsters. Here, two experts from Standard Chartered share how to protect your organisation.

Propelled by the pandemic, there has been a significant shift towards digital transactions and real-time payments. This ‘new normal’ has brought unprecedented efficiency and convenience, but also an increase in payment-related fraud.

Standard Chartered hosted a virtual session to discuss emerging trends in payment fraud, led by Frances Yong, Head of Fraud Risk Education and Awareness with expert panellists Terry Green, Head of Payments and Digital Banking, Corporate, Commercial & Institutional Banking (CCIB) and Sunday Domingo, Head of Digital Channels, Corporate, Commercial & Institutional Banking (CCIB). Here they share their key insights and advice on how organisations can defend themselves against scams and fraud.

The rise of payment fraud and emerging trends

In 2018, the Center for Strategic and International Studies (CSIS) reported that close to USD600 billion, nearly one per cent of global GDP, is lost to cyber crime each year1. Two years on, in a COVID-19, digital-first era, the vulnerability of organisations has increased. As pointed out by Frances Yong, with more employees working from home, the exposure to cyber vulnerability and email scams increases and defense against cyber risk is no longer the responsibility of the IT department.
Social engineering scams in particular have seen an uptick in recent times. “Fraudsters are leveraging the current pandemic and utilising it as an opportunity,” says Terry Green. “We’ve seen a surge in cyber crime due to the COVID-19 pandemic.” According to Google data analysed by Atlas VPN, phishing attacks spiked by 350 per cent during quarantine2.
Email is relied on more than ever, so the behaviour of fraudsters has shifted, Terry says. Clients are being targeted within their own business environment: their emails, invoices and business vendors. Cyber criminals are focusing their efforts on Authorised Push Payment (APP) scams, whereby victims are manipulated into making real-time payments to bank accounts controlled by fraudsters.

The most common form of APP for businesses is Business Email Compromise (BEC)3, which is a key threat across the industry. This is a sophisticated scam, as it is the clients themselves who initiate and authorise the payment. This makes it difficult to stop from a bank’s perspective, as the transaction has come from an authorised source using authenticated channels, thus circumventing the banks’ internal controls and detection capabilities.

The two most common types of BEC scams are invoice redirect, where a fraudster generates a settlement for goods and services and provides new payment instructions, and CEO fraud. In this case, the fraudster impersonates the company CEO, using this position of authority to demand urgent payment.

“Fraudsters are targeting corporates,” says Sunday Domingo. In one high-profile incident, French film company Pathé lost EU19 million to fraudsters who impersonated the company’s Paris CEO — duping the Dutch CEO and CFO into transferring the funds4. This case proved that anyone can fall victim, debunking the myth that only junior and operational staff are drawn into such scams. C-level executives are prime targets, as their details are more publicly available to use in a customised BEC attack. Once such a payment from an authorised source and channel has been made, it’s difficult to recover the funds.

Spyware, a form of malware, can infiltrate email chains, enabling fraudsters to gain useful information about payment patterns, behaviour and even the language used with suppliers. “It’s like the intel-gathering stage of a sophisticated scam, to eventually authorise a payment,” says Terry. “It is still the human making the money transfer — but the malware is being used to make the attack seem very genuine.”

“We have seen that cyber threats can affect connected payment systems such as SWIFT,” says Sunday Domingo. But the good news is that the financial sector is responding. Banks have invested significantly in strengthening banking platforms and network infrastructure and have processes in place to protect their information assets from threats such as distributed denial of service attacks, phishing and malware. However, there is an increasing vulnerability in the weakest link of the chain.

The weakest link: humans

Banks are leveraging different solutions to defend against fraud. Standard Chartered has implemented a cyber threat monitoring solution on Straight2Bank, which provides real-time detection for device anomalies and suspicious activities based on a risk-based scoring model.

But there is no silver bullet, and a multi-layered approach should be applied. Significantly, Sunday notes, “Banks have put in all these controls, but as we’ve seen, fraudsters aren’t targeting banks: they’re targeting corporates and it’s very easy for them to attack the vulnerabilities we’ve talked about.”

While technological defences are essential, staff may mistakenly download malware that can cause internet banking to be compromised, or employees may fall victim to increasingly sophisticated BEC scams. “Fraudsters are going after the weaknesses in human behaviour,” says Terry. Ultimately it comes down to the human being sitting in front of the computer to spot anomalies and assess the situation.

“When it comes to cyber security, employee education and awareness is critical,” adds Sunday. “Without this, technical controls are almost bound to fail.

Your employees should be trained so that they can become a human firewall,” she advises.

The red flags of payment fraud

Crucial first steps in best practice for corporates include encouraging employees to never disclose credentials or passwords, to implement two-factor authorisation, avoid opening emails from unknown senders, be aware not to click on links from spam emails, and to install anti-virus or anti-malware software.

It’s also important to practice segregation of duties between employees authorised to initiate instructions, approve payments and reconcile account balances.

Beyond tell-tale signs such as generic salutations and poor spelling or grammar that indicate a basic attempt to extract a money transfer, there are more subtle signals that an email is an attempt at fraud. Paying attention to the tone used in an unusual request for payment is key. “If the email has a more formal approach than your client would normally use, this is also a sign that something may not be right,” says Terry. BEC is increasingly sophisticated and can appear quite genuine — so it’s important to remain vigilant.

Look out for these potential red flags when you receive a request for payment:

  • Be alert to unusual requests for money transfers from your suppliers, for example adding new beneficiaries or asking for payment in a different currency — even if the request comes from your CEO.
  • Look out for emails that present as highly confidential or require urgent action. Particularly in the case of CEO fraud, the element of high pressure or confidentiality is applied in the hope that targets won’t consult another colleague. A genuine organisation will wait.
  • Check the URL to ensure it’s the correct domain that you usually interact with.
  • Fraudsters may add subtle differences such as an extra character or numeral after the email address of the person they’re impersonating. To check if this tactic is being used in a suspicious email, hover the mouse over the name of the sender to see if it’s the genuine email address of your client or supplier.

Find more tips for spotting red flags at the Fighting Fraud webpage on sc.com.

"Your employees should be trained so that they can become a human firewall."

When it comes to cyber security, employee education and awareness is critical. Without this, technical controls are almost bound to fail.

Stop before you act

If you suspect something suspicious, especially if you’ve been put under pressure to make a payment that doesn’t align with regular behaviour, give yourself time to process the situation and make a sound decision once you’ve been able to cross-check with the right people.

“Don’t be rushed. Listen to your instincts,” advises Terry. “If it doesn’t feel right, stop and think about what you’re doing before making that transaction.”

“Understand your role and your responsibility to your company, to protect its assets,” adds Sunday. “You don’t want to just protect the ability to transfer funds, you want to protect your sensitive information.”

Frances wrapped up with this three-step fraud prevention tip:

Spot the red flags and always verify requests independently.

Stop for a minute. Don’t act on a payment request immediately, especially if the request is urgent. Assess the situation to see if you’re being put under unnecessary pressure.

Report any suspicious activity. The earlier you report and escalate an incident, the better chance you have of recovering the funds.

Learn more about protecting yourself from fraud here.

Back to CCIB News and Views