As is common with most types of cyber attacks and fraudulent activity, payment fraud is constantly evolving because those who perpetrate it change or enhance their tactics. It's also becoming more common and more elaborate — a trend that was catalyzed by COVID — which means organizations need to be aware and alert to present threats. To effectively prevent payment fraud in all its forms, your organization must first understand what it is and how it can impact you.
What is payment fraud?
Payment fraud is any type of false or illegal transaction completed by a cybercriminal, in which the criminal deprives the victim of funds, personal property, interest, or sensitive information via the internet. The most common tactics used to gain access to organizations’ internal IT systems and facilitate payment fraud include:
- Phishing: sending emails purporting to be from a reputable source to induce victims to act on something
- Pharming: directing victims to a bogus website that mimics the appearance of a legitimate one
- Spear phishing: sending emails purporting to be from a reputable source to targeted victims to induce them to act on something
- Spoofing: a hoax or trick; in a cybersecurity context, it generally means that the apparent source of a message, website, or other item has been falsified
- Identity theft: illegal acquisition of personal information with subsequent use of it for identity fraud
- Social engineering: psychological manipulation of people into performing actions or divulging confidential information
To put in context the damage payment fraud can have on your organization and on society, consider the following statistics:
- At the height of the COVID pandemic, we saw a 14,000 percent increase in spam and phishing attacks.
- 79 percent of respondents to a study from the Association of Certified Fraud Examiners observed an increase in fraud.
- By 2031, ransomware is predicted to cost its victims more than $265 billion USD annually.
- The average cost of a data breach was $5.64 million USD in 2022, up from $5.40 million in 2021.
Most organizations understand the need for cyber vigilance and procedures to mitigate losses. But cyber fraud preys on unsuspecting or naïve employees, and not all organizations invest sufficient time and resources in training their people to deter attackers.
Best practices for mitigating payment fraud
To be the target of a fraudster at some point is almost inevitable. Countless organizations become victims of payment fraud; our firm has observed some consistent practices in organizations that are proficient at managing and mitigating it.
The first is to have a robust risk assessment strategy. It’s important to understand where your risks lie, what level of risk you are willing to accept, and what the inherent risks are. Understanding your vulnerabilities will assist you in making wise risk management decisions.
Secondly, you may never be able to keep on top of all changes and trends in the world of payment fraud, so remaining consistent in training your people on cyber awareness is your first, and perhaps most important, line of defense. For example, in the case of phishing, your employees are the target that cyber criminals will attempt to compromise — we recommend holding fraud or cyber awareness training more often than once a year.
Next, be diligent in maintaining your internal controls and engaging in continuous testing of your cyber risks. Penetration testing, vulnerability scanning, and breach exercises will put you ahead of the curve. If your business has a remote or hybrid work model, factor in what security and visibility controls you have that may or may not be applied to each working model. Do your employees understand how to properly use VPNs, secure browsing, and the risks of downloading work materials onto personal devices? Do your security solutions actually track asset behaviour while they are off the network?
Finally, the most prudent organizations know how to respond if and when they’re a victim of payment fraud. Time is critical in the aftermath of a breach — you should have an incident response plan in writing so you know exactly who to call for help, the steps to take internally, and in what order.
Underpinning these best practices is a mentality: keep it simple and be alert. Often you don't need the most complex processes or expensive software to manage risk effectively.
Unfortunately, many organizations don't take fraud detection seriously until they themselves are breached, or they experience financial exposure. We've seen organizations brush off payment fraud as just a "cost of doing business" during economic booms. The most successful organizations are proactive, not reactive.
Thinking like a fraudster
Those who dedicate their careers to fraud detection and prevention observe how fraudsters think and behave. But not all decision-makers and managers in your organization can be expected to have this level of skepticism or depth of knowledge.
On a high level, it's important to note that those who commit payment fraud are opportunistic — they search for low-hanging fruit. This means they observe macro-economic trends and industry factors as they look for the easiest avenues to defraud your organization.
For example, when COVID struck in 2020, its implications were all over the news: more people working from home, organizations changing vendors, dramatic increases in online shopping, supply chain disruptions. All of these increase the likelihood that fraudulent activity may occur. During the pandemic, phishing and other types of fraud became more pervasive as cyber criminals took advantage of these opportunities.
Taking the first step
If you’re an owner or manager, especially at a small or mid-sized company, preventing payment fraud may seem to be a daunting task. You can start small and prioritize your most important areas based on your identified risks. The most important fraud mitigation technique is to be consistent in applying your risk assessment program, following industry best practices and ensuring your entire team understands their role in preventing fraud and cybercrime. Creating a strong cyber protection program may discourage cyber criminals from targeting your business.
No organization needs to face this challenge alone. Our team offers qualified advisors in cyber security, forensics, enterprise risk, and internal controls who can give you an unbiased assessment of where to invest your time and resources.
Contact us
To learn more, contact:
Michael McCormack, CFI
Director, Investigative and Forensic Services
780.733.8673
[email protected]
Sam Smagala
Senior Manager, Cyber Incident Management and Cybersecurity
905.247.3287
[email protected]