Battling Payments Fraud: Know Your Enemy

Almost 80% of organizations have been the victim of payments fraud, according to one survey. Depending on the size of the organization, thousands—sometimes millions—of customers are affected. In fact, if we combine the top 21 breaches in 2018 alone, ACI found that more than 2.5 billion customers worldwide were impacted, which is almost a third of the world’s population. That’s a lot of data at stake!

It’s not just the customers who are affected; organizations must recover losses and cover costs as a result of these breaches. A Ponemon Institute report on the cost of data breaches showed that the average cost of a data breach in 2018 was $3.86 million, up 6.4% over 2017. The average per-record cost was $148, up 4.8% from $141 in 2017. According to Cybersecurity Ventures research, it is estimated that by 2020, ransomware attacks will quadruple, with cybercrime damage costs rising to $6 trillion in 2021. They further estimate that in 2022, the human attack surface will reach 6 billion people as more are incorporated into the digital world.

This growth is accompanied by greater sophistication from hackers and cyber thieves. In 1998, the top threats were born of things such as uncontrolled modems, no security verification or monitoring and poor password practices. Today, those seemingly basic practices have become table stakes and have been replaced by threats that include targeted phishing scams, poor patching, internet of things (IoT) attacks and sophisticated malware.

Information security threats have also gotten faster and more complex. Whereas in the past attacks may have been slow to occur, today they happen in real time, are specifically targeted and come from a complex marketplace of sophisticated specialists. The information hackers obtain is readily monetized, and the techniques used are generally designed to probe a system continuously for vulnerabilities to exploit.

Unfortunately, when it comes to security online, humans can be their own worst enemy. Phishing attacks related to payments fraud have risen in popularity over the past few years and take advantage of the unsuspecting in a few different ways. Business email compromise (BEC) is a targeted phishing (spear-phishing) attack that focuses on exploiting business relationships within an organization. For instance, a malicious email may appear to come from a co-worker or vendor and will either ask for sensitive information or request invoices be paid to a different account that the scammer owns.

Since December 2016, there has been a 136% increase in identified exposed losses, now totaling more than $12 billion in losses associated with BEC scams.

Best Practices for Beating Phishing Scams

There are several ways for people to protect themselves from phishing scams both at work and at home.

  1. Check the email address: Email addresses with misspellings or incorrect addresses (, etc.) are a clear sign that something is wrong. Never open anything within or reply to an email from an address such as this.
  2. Are you expecting the message? Your bank emailing you out of the blue to ask for your password is a sure sign that something is wrong. Unless you have reason to expect an email asking for sensitive information, be very cautious. Even if you are expecting an email, check with the source to make sure it’s legit.
  3. Is this normal behavior? If your boss or a trusted vendor suddenly emails asking for information beyond what is standard or suggests sending payments to new locations, be sure to contact them in a different manner before proceeding. Most processes are highly regulated or standardized, so any deviation should be seen as suspicious.
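The three checks above can be mechanized for a first-pass screen of inbound invoice mail. The following is an added example, not code from ACI or this article; the trusted-domain list, the payment-change phrases and the sample message are constructed for illustration.

```python
import re

# Hypothetical allow-list of domains the organization normally corresponds with.
TRUSTED_DOMAINS = {"acmevendor.com", "example-bank.com"}

# Phrases typical of a request to redirect payments (constructed, illustrative).
PAYMENT_CHANGE_PATTERNS = re.compile(
    r"(new (bank )?account|updated (bank|payment) details|remit(tance)? to|wire to)",
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (typo-squatted) sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def screen_email(sender: str, subject: str, body: str) -> list:
    """Return a list of warning reasons; an empty list means no red flags were found."""
    reasons = []
    domain = sender_domain(sender)
    if domain not in TRUSTED_DOMAINS:
        # Check 1: a domain one or two characters away from a trusted one is suspicious.
        lookalikes = [d for d in TRUSTED_DOMAINS if 0 < edit_distance(domain, d) <= 2]
        if lookalikes:
            reasons.append(f"sender domain {domain!r} looks like trusted {lookalikes[0]!r}")
        else:
            # Checks 2: mail from an unknown correspondent is unexpected by definition.
            reasons.append(f"sender domain {domain!r} is not a known correspondent")
    # Check 3: a request to change where payments go is a deviation from normal process.
    if PAYMENT_CHANGE_PATTERNS.search(f"{subject}\n{body}"):
        reasons.append("message asks to change where payments are sent; confirm out of band")
    return reasons


# Constructed sample resembling a BEC invoice-redirection attempt.
SAMPLE = dict(
    sender="accounts@acmevend0r.com",
    subject="Updated bank details for invoice 4471",
    body="Please remit to our new account effective immediately.",
)
```

Any non-empty result should route the message to the process owner for out-of-band confirmation rather than be acted on directly.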

By staying vigilant and notifying the right people when a suspicious email is received or when someone reaches out about something out of the ordinary, employees can avoid potential financial or reputational damage to their organization.

Phishing represents just one of the biggest methods of payments fraud. Don’t be caught off-guard.

Gene Scriven

As chief information security officer (CISO) at ACI, Gene Scriven is dedicated to protecting customer and company information around the world. With almost four decades of information security and data protection experience across a wide spectrum of industries, he has driven security for the U.S. Government, the U.S. Intelligence community and multiple global companies. He is also an advisory board member for the University of Phoenix Cybersecurity and Security Operations (CSO) Institute.
