COVID-19 has created a new normal in more ways than one. Fraudsters have been quick to exploit the opportunities presented by changes to working processes including application fraud attacks, where stolen identities are used to apply for financial products, along with a plethora of phishing and mule recruitment efforts.
The pandemic has led to extraordinary working conditions for all financial institutions. Staff have had to stay away from their secure office environments and work remotely, mostly from their own homes. And organisations have had to adapt front and back office processes to ensure business continuity, potentially accepting additional security risks.
It’s imperative in this climate to prepare for fraud attacks on a variety of fronts. In May 2020, FATF released “COVID-19 Money Laundering and Terrorist Fraudsters” to alert the industry of the changing threat landscape.
This is in addition to statements from the Monetary Authority of Singapore (MAS), the United States Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), and the United Kingdom’s National Cyber Security Centre (NCSC) warning that cybercriminal and advanced persistent threat groups (APT) were targeting individuals and organisations of various sizes in COVID19-related scams.
These scams included email phishing and the creation of fake websites selling personal protective equipment (PPE). The agencies further warned that an increase in remote working and use of virtual private networks (VPNs) could amplify the risks of cyber-attack.
Here are three pillars you can implement to better protect your core payment systems:
1. Continue to build a cyber-aware culture across your organisation
The first line of defence against any attack is your people, and so a strong culture of cybersecurity is key. Make sure you are spreading awareness across your organisation, issuing specific and relevant communications to staff where emerging threats are identified.
Research from MIT shows that during times of unrest or crisis, traditional ways to communicate and train staff on how to stay secure have not kept pace with the many nefarious techniques of malicious actors. Investigate whether extra training is appropriate for staff who work from home and consider issuing guidance on how to be extra vigilant when dealing with requests for personal or financial information.
2. Review your processes in light of evolving threats
While culture is key, there are some simple principles that, when employed as rigorous processes, can keep you and your institution safe from fraud.
a. Use physical tokens for multi-factor authentication.
Physical tokens support the principles of multi-factor authentication processes, where a user must input several pieces of information in order to access a secure system within their institution.
b. Check your payment activity against external records.
While many banks rigorously check end of-day confirmations and statements to confirm that all of their transactions are legitimate, others are unaware these practices can mitigate the risk of fraudulent attacks on their back offices, and are further unaware of how to respond when they do happen.
3. Automatically identify and stop uncharacteristic payments by implementing payment security controls
No matter how strong the culture of cybersecurity within your organisation might be, or how rigorous your antifraud processes, you still need to employ effective technology to control your payment activities and act as a primary line of defence against fraudulent payments. This includes:
a. Adding control mechanisms that ensure key actions cannot be performed by one single user, eliminating the possibility that any individual becomes the single point of failure for their institution.
b. Taking a risk based approach to allow you to associate a risk score to each of your business/payments and take action on this based on your risk appetite. The data behind a risk-scoring tool should come from inside as well as outside the organisation, combining the institution’s own payments traffic history data with industry information on trends and tactics in cybercriminal’s modus operandi.
