With the Securities and Exchange Commission mandating public companies victimized by a cyberbreach publicly disclose the breach, businesses need to be more diligent in keeping out cybercriminals, as disclosure of such information can subject them to greater scrutiny and potential liability. The rule, which the SEC passed in July, requires public companies to publicly disclose details of a cyberattack within four days of identifying a material impact on their finances.
A key reason why businesses need to be more diligent in the wake of the new SEC rule is that criminals are finding it easier to breach a company’s cyber defenses through increased use of artificial intelligence, deepfakes that manipulate or modify digital content within a business’s back-office apps, and phishing emails.
“There is a greater risk than ever when it comes to cyberattacks because of the increase in high-tech attacks which are making it harder for businesses to keep pace from a cyber defense standpoint,” says Baptiste Collot, chief executive and co-founder of fraud prevention platform provider TrustPair USA Inc. “Attacks can come from anywhere, anytime. And criminals launch attacks for financial gain, which includes payment fraud.”
One example of how criminals are leveraging high-tech cyberattacks for payment fraud is by infiltrating a supplier’s systems through a phishing attack. Once inside the supplier’s system, criminals can use artificial intelligence to manipulate files, such as the supplier’s accounts receivable app, to create a new account they control to receive payments from the supplier’s customers. The manipulation is so flawless that the supplier’s customers are unable to detect the change using manual account validation processes. Next, the criminal hijacks a legitimate invoice from the supplier and sends it to the supplier’s customers. When the customer pays the bill, the money flows into the criminally controlled account.
Such vulnerabilities are often the result of companies relying on manual processes to initiate payments. Instead, Collot says businesses should be using automated fraud detection tools to validate all payment requests and the accounts into which payments are flowing.
“Companies need to be able to validate a vendor account prior to payment, and automated tools can remove the weaknesses of manual controls,” Collot says. “When a company is paying a vendor, they expect to pay the right vendor. Manual processes make it easy for criminals to exploit the system.”
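The pre-payment check described above, as an added illustration that is not part of the original article or of TrustPair’s product: a payment is approved only if the payee account on the invoice matches the account that was confirmed with the vendor through an independent channel, and a vendor-master account that changed without such confirmation (the scenario from the supplier breach above) blocks the payment. Vendor records, invoices and the cooling-off window are constructed sample data and assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class VendorRecord:
    vendor_id: str
    verified_account: str        # account confirmed out-of-band (e.g. callback to a known number)
    current_account: str         # account currently stored in the vendor master
    changed_on: Optional[date]   # when the master record was last edited, if ever

@dataclass
class PaymentRequest:
    vendor_id: str
    invoice_id: str
    payee_account: str
    amount: float

def validate_payment(req, vendors, today, cooling_days=7):
    """Return (approved, reasons). Any reason blocks the payment for manual review."""
    reasons = []
    v = vendors.get(req.vendor_id)
    if v is None:
        return False, ["unknown vendor"]
    if req.payee_account != v.verified_account:
        reasons.append("payee account on invoice differs from verified account")
    if v.current_account != v.verified_account:
        reasons.append("vendor master account changed without out-of-band verification")
    if v.changed_on is not None and (today - v.changed_on).days < cooling_days:
        reasons.append("vendor master edited within cooling-off window")
    return (not reasons), reasons

# Constructed sample data: one untouched vendor, one whose master record was altered
# after a breach so that the new account points to an attacker-controlled destination.
VENDORS = {
    "V100": VendorRecord("V100", "ACCT-1111", "ACCT-1111", None),
    "V200": VendorRecord("V200", "ACCT-2222", "ACCT-9999", date(2024, 3, 10)),
}
TODAY = date(2024, 3, 12)

def check_legit():      # invoice from the untouched vendor
    return validate_payment(PaymentRequest("V100", "INV-1", "ACCT-1111", 500.0), VENDORS, TODAY)

def check_hijacked():   # hijacked invoice redirected to the altered account
    return validate_payment(PaymentRequest("V200", "INV-2", "ACCT-9999", 500.0), VENDORS, TODAY)

if __name__ == "__main__":
    print(check_legit())     # (True, [])
    print(check_hijacked())  # (False, [three reasons])
```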
Even if a company detects a cyber breach, ejects the intruder, and takes steps to strengthen its cyber defenses, Collot recommends it scrutinize its entire platform to be sure there are no undetected land mines.
“Even after a breach has been detected and corrected, businesses need to make sure data in the system has not been manipulated. It could be something as simple as an email address that has been manipulated,” says Collot. “The email address may be legitimate, but the content sent out through that address may not be.”
Although automated fraud detection solutions can help businesses keep pace with the new wave of high-tech data breaches, Collot recommends businesses create a multi-layered approach that combines automation and manual processes when it comes to cybersecurity.
“The new SEC rule is intended to push public companies to be more communicative when it comes to breaches, which can help victimized companies from not disclosing enough information around a cyberbreach,” Collot says. “That means companies victimized by a breach need to be sure their data is accurate and multiple processes are in place to protect that data and its accuracy.”