Digital Transactions Authoritative, insightful and timely information for payments professionals
As criminals shift to strategies that rely on psychology as much as technology, a whole new approach is necessary.
Tony Carothers is the security systems engineer at Corpay, a FLEETCOR company.
The remote-work era brought on by the Covid-19 pandemic has made it even easier for criminals to execute payment-fraud attacks. For most companies, it’s become a matter of when they’ll face a fraud attack—not if.
New defenses are needed, because the nature of cybercrime is changing. For many years, bad actors focused on software-based attacks, such as ransomware. Vendors hadn’t quite caught up to developing code secure enough to operate in the hostile environment that we know is the Internet today.
Now, vendors have hardened their systems to the point where it’s inefficient for a bad actor to carry out an attack using technology alone. So, in the last year or two, we’ve seen a shift to schemes that use technology but ultimately rely on strategies that exploit human weakness. This is the new frontier in the battle against payment fraud.
Sophisticated Attacks
Any effective security effort relies on technology, process, and people. Technical security efforts such as securing hardware, software, and laptops are still important. The ability to gain unfettered access at the hardware or software level allows a bad actor to do literally anything. Organizations need to double down on educating and training people throughout the organization to recognize, report, and respond to suspicious activity.
The problem is that many organizations are still focusing on technology as the main line of defense. That’s a big help to criminals, who are capitalizing on the fact that their intended victims aren’t addressing the whole picture. Add to this the chaos and confusion of the pandemic, and over the past 24 months we’ve begun to see some pretty sophisticated cyberattacks emerge.
We saw a lot of phishing around work from home, and again around returning to the office. There was so much uncertainty, and people were so hungry for information. So they’d click on anything that appeared to offer it. The bad actors were quick to capitalize on this tendency, and so far they’ve been very nimble in customizing their attacks.
Here’s a great example of what I’m talking about. For a long time, Microsoft was the most commonly spoofed email address used in phishing attacks. A typical attack using this address might be a fake email from a bad actor saying you needed to update your password, or act now because you’re running out of mailbox or drive space.
No longer. Now, the DHL delivery service has surpassed Microsoft as the most commonly spoofed email address because deliveries have become much more
prominent in our personal and
professional lives.
Deep Reconnaissance
Bad actors have also become very good at business email compromise (BEC), a key method of payment fraud. BECs are often very well designed and thought out. In these attacks, the bad actor will research an organization, their vendors, and their processes. It’s actually a very deep reconnaissance effort.
Then, the criminal will use the intelligence he has gathered to pose as a vendor sending an email request to change bank accounts to one controlled by the fraudster. These emails might be constructed as long threads that contain names and information simulating the documentation you’d expect to see if the process were genuine.
Sometimes the fraudster actually compromises the target’s organization and takes control of the email of someone in accounts payable or finance to launch the attack from there. Or, the fraudster just spoofs it from another mail server.
In either case, there’s no technology that’s going to effectively stop that attack. That’s why information security today is a counterintelligence function. You have to be aware of the information that’s out there and all the ways in which bad actors might use it. And you have to communicate that to the entire organization.
Threat Briefings
Corpay handles this function with continuous operational threat briefings. We take real-world attempted attacks that have been detected and blocked, by our organization or other organizations, and dissect them, working with the entire company. That helps people understand how attacks are happening and what they look like.
We also work very closely with business leaders to understand their processes and where there might be vulnerabilities. Working together, we can come up with very effective and secure processes.
Beyond “Castle and Moat”
IT has historically built what we call a “castle and moat,” or “eggshell,” defense. With this defense strategy, there’s a well-developed, hardened exterior. But now enterprises are realizing the shortcomings of that type of architecture as attacks grow more sophisticated. Data breaches are still a constant threat, but criminals now rely more on people-centered tactics, like weaponizing email. If they can use these tactics to make it past the hard shell, things get kind of squishy.
The most effective way to protect against what’s coming is to address the human element. Security is always dynamic because criminals are endlessly creative. They attack, and we defend. They study our defenses and find new ways to attack.
The ultimate defense is to create an organization-wide security mindset. It’s a culture. It’s a way of thinking that has to be fostered. And it’s easier to do than you might think.
You do need to develop a programmatic approach, but it’s really not that hard to get people to engage. What we find is that people are very interested in learning about this because they or someone they know has experienced a cyberattack in their personal lives. It’s not something that’s abstract or exclusively work-related. Unfortunately, it’s all too relevant.
—Tony Carothers is the security systems engineer at Corpay, a FLEETCOR company.
