Ok, so it’s no secret – 2020 will go down in the books as one of the worst years ever. The global pandemic was at the heart of many people losing income, even losing their jobs altogether, not to mention the astounding impact on health and tragic loss of life.
Everything we do had to be recalibrated – how people work (with millions being sent to work from home), how organizations operate – undergoing massive decentralization, as well as how we communicate, consume content, learn, and yes . . . of course . . . how we fight cyberfraud.
Because, when it comes to 2020, there is one group on the scene that – unfortunately – not only avoided a bad year, but actually had a great one. I’m talking about cyberfraudsters, and specifically (and especially) cyberfraudsters who targeted payments.
The headlines say it all
Just take a look at key reports that were published by the FBI, AFP, SEC, PwC, and many more. The headlines are rough:
- Cybercrime reports quadrupled during Covid-19 pandemic (FBI)
- More than 80% of organizations reported being targeted by payments fraud (AFP)
- Corporate fraud warnings were issued as BEC scams had skyrocketed (SEC)
- Fighting cyberfraud is a “never ending battle” (PwC)
And when payments-focused cyberattacks are successful, they cause millions of dollars in damages and a huge blow to brand equity, regardless of how big or small the company is.
In 2020 it was even reported that global losses from payments fraud came in at a whopping $32.4 billion!
And it’s only going to keep getting worse.
No one is safe
So, it’s no surprise that in my discussions with many finance and information-security executives around the world – one of their biggest concerns going into 2021 is the rise of payments-related cyberfraud.
And, while – believe it or not – there are still leaders out there who feel that their organization is not going to get hit, there is way too much data that points to the fact that – unfortunately – no one is safe.
In fact, the victims of cyberfraud are companies of all sizes in every industry. It’s just become too easy for cyberfraudsters to target payments and divert funds to their own accounts.
And losses, as we can see, are huge – both in terms of the bottom line and damage to reputation.
My 2020 ‘hit list’
To give you a taste of how fraudsters work (and later on how they can be stopped) – I put together my 2020 cyberfraud ‘hit list’ (pun intended). These are not necessarily the largest reported but are indeed the ones that can be very instructive for anyone seeking to reduce the risk of a cyberfraud attack.
Here it is . . .
#1 Taking a bite out of a Shark Tank star
Real-estate mogul and star of the reality show ‘Shark Tank,’ Barbara Corcoran was scammed this year out of $380K.
How did it work? The fraudsters sent a pretty convincing email to Barbara’s accountant, assuming the identity of her personal assistant. In the email there was a request for a wire transfer to pay for an apartment Barbara wanted to buy.
And while the fraud was discovered the next day, the money was already gone.
Unfortunately for Barbara, this was a classic case of ‘email compromise’ fraud and shows that anyone, even a ‘shark,’ can fall for payment fraud.
#2 How one museum lost over $3M
Here’s a ‘hit’ that shows how cybercriminals are happy to attack any organization, not just enterprises. This time around it was a national museum in the Netherlands.
And it’s a special case because it shows how good fraudsters can be when it comes to learning about their targets and timing their activities to achieve their criminal goals.
What happened here is that hackers studied the workings of an art sale that was going to take place at the Dutch museum Rijksmuseum Twenthe, and used the opportunity to send fraudulent bank details to the buyers at just the right time. This led the buyers to send $3.1M to the criminals’ account, instead of the museum’s.
#3 The (almost never ending) case of the bad insider
This case is a great example of fraud involving a bad insider – the main reason for 50% of the cases with losses of over $100 million, on top of so many other ‘smaller’ incidents.
It is interesting not only because it involved the very person the organization trusted with its money, but also because it went unnoticed for years.
In August of this year, it was uncovered that Julie Brown, the former finance director of Durango, Colorado, was likely behind the stealing of $700,000 over the course of 17 years!
The fraud examiner on the case noted that the city council should enhance internal controls. For example, document manipulation such as irregular numbers and repeated issues in billing should be identified early enough so that the fraud won’t take place at all, and definitely not for as long as this one did.
#4 The $10 million loan payment that didn’t make it
In mid-2020, Norfund, a wealth fund based in Norway, was fooled by cyberfraudsters into transferring a $10 million loan intended for a Cambodian microfinance organization, to their own fraudulent account.
The hackers apparently gained access to email communications between company stakeholders and became familiar with how they correspond. Leveraging an approach that combined manipulated data and falsified information, the fraudsters managed to impersonate the borrowing institution.
This way they were able to cause payments to be forwarded to the wrong account without having to deviate too much from ordinary processes, making the crime very difficult to detect.
#5 The Sydney hedge fund that closed up shop
When one of the founders of Australia’s Levitas Capital opened a fake Zoom invite, little did he know the scope of damage that would ensue.
This email was sent by cybercriminals who succeeded at planting malicious software on the Levitas network, which enabled them to take control of the fund’s email systems.
Having gained such access meant that they could send fraudulent invoices to companies with whom the fund didn’t actually have previous dealings, enabling them to have payments transferred to fraudulent accounts.
Ultimately, not only did Levitas lose $8 million, but in November of 2020, three months after the initial hit, it was even forced to completely shut down the business.
So, what can be done about it?
Well, as the saying goes – to beat them you gotta join them.
That’s not to say that I’m suggesting that all good citizens suddenly become cybercriminals.
But . . . what this means for us at nsKnox – is that we know that the best way to beat a fraudster is to think like one.
It’s riveting, fascinating, and – I have to admit – sometimes even a little scary. But it’s a job that has to be done, and one that we do here every day at nsKnox.
This is how we’ve come to understand which links in the payments chain are the weakest and most vulnerable to fraud. And these are the very ones we have made stronger, enabling organizations all over the world to significantly reduce the risk of fraud, regardless of attack vector or method.
And we do this with PaymentKnox, our end-to-end offering that prevents unauthorized payments by detecting and preventing social engineering attempts, insider fraud, and multiple other types of cyberfraud attacks.
PaymentKnox includes a set of services for validating payee bank account details during onboarding or when making changes to the bank account on record. This highly secured, yet quick and easy process overcomes the weaknesses of today’s means for validating account details, which are commonly and easily exploited by cybercriminals – and are at the heart of payments fraud.
It also offers protection of the master data as well as payment check capabilities, detecting and alerting to cyberfraud attempts as related to the payment or master data file.
This powerful combination of capabilities helps organizations ensure that every payment is transferred only to the intended payee and account, every time.
And I would love to tell you all about it. So, reach out to me and let’s work together on making 2021 a really bad year for cyberfraudsters.
On that note and in closing, I want to wish everyone a happy, healthy, and much better 2021!