Division of labor in criminal enterprises leads to high-volume, low-cost attacks
Businesses need to understand the alarming shift toward specialized cybercriminal roles
Disaster strikes. One of your employees was tricked into changing the payment account for your business’s largest vendor, sending a series of payments to a fraudulent account. The vendor has now cut off your business until you pay the outstanding balance of hundreds of thousands of dollars. Or, perhaps your largest customer was duped in the same way, and is now refusing to pay, claiming that your business caused the loss because your email system was hacked.
The scams get even more catastrophic. For example, maybe you (or your real estate title agent, accountant or attorney) were tricked into sending the funds your business intended to use to purchase real estate, a large piece of equipment or another company to a fraudulent account, and the sellers are now refusing to proceed with the transaction until they are paid.
These and many other types of electronic funds transfer (EFT) fraud are prolific. Yet most business leaders think this could not happen to them — until it does. Businesses need to adopt the following safeguards to prevent EFT fraud or reduce the risk of it.
Sometimes payment information is altered directly by hackers, such as in payroll systems and financial accounts used to make automated clearinghouse (ACH) transactions, wire transfers and benefits distributions. Businesses should configure these systems to prevent such changes from becoming effective without an authorized and knowledgeable accounting or human resources person verifying that the payment change or transaction is legitimate.
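One way to enforce the verification step described above, as an added example that is not code from the article or from any vendor system: a requested change to a payee's account is only staged, and disbursements keep using the current account until a second, authorized person records that they verified the request through an independent channel. The role names, the callback requirement and the Payee data model are assumptions.

```python
"""Dual-control (maker-checker) workflow for payee bank-detail changes.
Added example; not from the article or any named product. A requested
change is only staged: disbursements keep using the current account
until a second, authorized person records that they verified it out of
band (e.g. a callback to a number already on file). Role names and the
callback requirement are assumptions for this example."""
from dataclasses import dataclass, field
from typing import Optional

APPROVER_ROLES = {"ap_manager", "hr_manager"}  # assumed role names


class DualControlError(Exception):
    """Raised when a change would take effect without dual control."""


@dataclass
class Payee:
    name: str
    effective_account: str                  # what payments actually go to
    pending: Optional[dict] = None          # staged change awaiting approval
    audit: list = field(default_factory=list)

    def request_account_change(self, requester: str, new_account: str,
                               source: str) -> None:
        """Stage a change; nothing paid out is affected yet."""
        self.pending = {"requester": requester, "account": new_account,
                        "source": source}
        self.audit.append(("requested", requester, new_account, source))

    def approve_change(self, approver: str, role: str,
                       verified_out_of_band: bool) -> str:
        """Activate the pending change only under separation of duties
        and a verification independent of the request channel."""
        if self.pending is None:
            raise DualControlError("nothing pending")
        if role not in APPROVER_ROLES:
            raise DualControlError("approver lacks an authorized role")
        if approver == self.pending["requester"]:
            raise DualControlError("requester may not approve own change")
        if not verified_out_of_band:
            raise DualControlError("change not verified out of band")
        self.effective_account = self.pending["account"]
        self.audit.append(("approved", approver, self.effective_account))
        self.pending = None
        return self.effective_account

    def account_for_payment(self) -> str:
        """Disbursements use the effective account, never a pending one."""
        return self.effective_account
```

The audit list gives the reviewer the original request source (for example, the e-mail that asked for the change) so the verification can deliberately avoid that channel.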
Portals are online financial systems that maintain separate accounts for each party (and sometimes their service providers, such as bookkeepers, real estate agents, attorneys, etc.). Each party maintains its own access credentials, and authentication to the portal is controlled by multifactor authentication (MFA) or conditional access. Payment information is input and maintained in the portal by the party receiving payment, and the financial transaction is executed through the portal. Venmo is an example of a consumer financial transaction portal, and Zelle is an example of a portal used more commonly by businesses. Prominent financial institutions also maintain their own portals for large transactions, such as corporate deals.
Variants of such portals are systems operated by accounts payable (AP) providers. Payees maintain their own access credentials to the portal (which should require MFA or conditional access) and submit invoices to the AP provider (preferably directly into the portal). The business then reviews the invoices and authorizes payment in the portal; payments are drawn from the business’s bank accounts and synchronized with its accounting application.
Sophisticated hackers are constantly searching for targets for cyber financial crime. Business leaders should implement measures to prevent or mitigate these risks before they or one of their customers becomes a victim of EFT fraud.
Cam Shilling founded and chairs McLane Middleton’s Cybersecurity and Privacy Practice Group. The group of five attorneys and one technology paralegal assists businesses and private clients in improving their cybersecurity and privacy safeguards, and addresses any security incidents, breaches and financial losses that may occur.