How to Defend Your Credit Union on the New Frontier of Payment Fraud

Today’s schemes use technology but ultimately rely on strategies that exploit human weakness.

Image: Shutterstock

The remote work era brought on by the COVID-19 pandemic has made it even easier for criminals to execute payment fraud attacks. For most organizations, it’s become a matter of when they’ll face a fraud attack – not if.

New defenses are needed, because the nature of cybercrime is changing. For many years, bad actors focused on software-based attacks such as ransomware. Vendors hadn’t quite caught up to developing code secure enough to operate in the hostile environment that we know the internet is today.

Now vendors have hardened their systems to the point where it’s inefficient for a bad actor to carry out an attack using technology alone. In the last year or two, we’ve seen a shift to schemes that use technology but ultimately rely on strategies that exploit human weakness. This is the new frontier in the battle against payment fraud.

Sophisticated Attacks

Any effective security effort relies on technology, process and people. Technical security efforts such as securing hardware, software and laptops is still important. The ability to gain unfettered access at the hardware or software level allows a bad actor to do literally anything. Organizations need to double down on educating and training people throughout the organization to recognize, report and respond to suspicious activity.

The problem is that many organizations are still focusing on technology as the main line of defense. Criminals are capitalizing on the fact that they aren’t addressing the whole picture. Add the chaos and confusion of the pandemic, and over the past 24 months we’ve begun to see some pretty sophisticated cyberattacks emerge.

We saw a lot of phishing around work from home, and again around returning to the office. There was so much uncertainty and people were so hungry for information that they’d click on anything that appeared to offer it. The bad actors were quick to capitalize, and they’ve been very nimble in customizing their attacks.

Here’s a great example: For a long time, Microsoft was the most commonly spoofed email used in phishing attacks. A typical attack might be a fake email from a bad actor saying you needed to update your password, or act now because you’re running out of mailbox or drive space. Now, DHL Delivery Service has surpassed Microsoft as the most commonly spoofed email because deliveries have become much more prominent in our personal and professional lives.

Deep Reconnaissance

Bad actors have also become very good at business email compromise (BEC), a key method of payment fraud. BECs are often very well designed and thought out. The bad actor will research an organization, their vendors and their processes. It’s actually a very deep reconnaissance effort.

They use the intelligence they’ve gathered to pose as a vendor sending an email request to change bank account information to one of their own accounts. These emails might be constructed as long threads that contain names and information simulating the documentation of the real process. Sometimes they actually compromise the organization and take control of the email of someone in AP or finance and launch the attack from there. Or, they just spoof it from another mail server.

In either case, there’s no technology that’s going to effectively stop that attack. That’s why information security today is a counterintelligence function. You have to be aware of information that’s out there, and all the ways in which bad actors might use it. And you have to communicate that to the entire organization.

Continuous Threat Briefings

One way to handle this is with continuous operational threat briefings. With continuous operational threat briefings, a vendor takes real-world attempted attacks that have been detected and blocked, either by its own organization or other organizations, and dissected with the entire company. That helps people understand how attacks are happening and what they look like.

Vendors are also advised to work very closely with business leaders to understand their processes and where there might be vulnerabilities. Working together, they can come up with very effective and secure processes.

Beyond ‘Castle and Moat’

IT has historically built what we call a “castle and moat,” or “eggshell,” defense. With this defense strategy, there’s a well-developed, hardened exterior. Enterprises are realizing the shortcomings of that type of architecture in this day and age. Data breaches are still a constant threat, but criminals now rely more on people-centered tactics like weaponizing email. If they can use that to make it past the hard shell, things get kind of squishy.

The most effective way to protect against what’s coming is to address the human element. Security is always dynamic because criminals are endlessly creative. They attack and we defend. They study our defenses and find new ways to attack.

The ultimate defense is creating an organization-wide security mindset. It’s a culture. It’s a way of thinking that has to be fostered. It’s easier to do than you might think.

You need to develop a programmatic approach, but it’s not that hard to get people to engage. What we find is that people are very interested in learning because they or someone they know has experienced a cyberattack in their personal lives. It’s not something that’s abstract, or exclusively work-related. Unfortunately, it’s all too relevant.

Tony Carothers

Tony Carothers is the Security Systems Engineer at Corpay, a FLEETCOR company, an online business payment solutions provider based in Atlanta.