Tougher controls may have reduced payment-card fraud for the first time in over a decade, but cybercriminals are turning to softer targets as a perfect storm of regulation and technology changes puts unwitting back-office employees in the firing line.

Those changes, such as the introduction of the New Payments Platform (NPP) to facilitate faster direct payments, have left businesses exposed to business email compromise (BEC) attacks that rely on nothing more than tricking finance staff into paying fake invoices with incorrect account details.

With reports of losses frequently in the six figures, the toll is adding up quickly – with the US FBI recently pegging the cost of BEC at $2.5 billion ($US1.7b) last year alone.

Recent ACCC and Australian Cybercrime Online Reporting Network (ACORN) figures suggested Australian businesses reported over $60m in losses to BEC fraud during 2018 alone.

Canterbury Olympic Ice Rink, in Sydney’s south-west, was among the latest victims after it received new emailed payment instructions for a $77,216.58 invoice related to the purchase of a new ice resurfacer.

That payment – which redirected the money to a bank account in Hungary – was initiated by a now-dismissed company director.

It’s a people thing

Inaccurate and potentially fraudulent payments are raising flags to the tune of around $2.5b worth of payments every month just within the several hundred customers of Australia-based fintech Eftsure, co-founder and CEO Mike Kontorovich told Information Age.

“When we started the company, we had an issue convincing people that there was a problem,” he says, “but now quite a lot of them are having issues with losing money and not being able to recover it.”

Customers of the company – whose Internet-banking tool cross-checks payee account details before the transactions are completed – include the likes of Freedom, Nick Scali, the Brisbane Convention & Exhibition Centre, Tyndale Christian School, and Penrith and Parramatta councils.

Many of Eftsure’s current customers had approached the company after sustaining similar or even larger losses to payments fraud.

“It’s growing on a daily basis – and for a small company, a $50K loss can be a closing-doors type of loss,” Kontorovich said, noting that many CFOs and financial controllers still didn’t fully appreciate the nature of the risks they face.

“Even though most CFOs understand technology better than they used to, they really don’t understand psychology yet – and this is all about psychology, not about technology.”

Email-filtering firm Mimecast – among several companies embracing AI-based tools to ferret out tell-tale signs of BEC fraud in emails – warns customers to be on the lookout for any requests to transfer money; an urgent or threatening tone; requests from executives who say they will be unavailable for a period of time; requests for secrecy or confidentiality; unusual account numbers; and mismatches between the sender’s email address or URLs within the mail.

One recent Barracuda Networks analysis found that 91 per cent of BEC attacks take place on weekdays during business hours, with most targeting six or fewer employees and 3 in 10 emails being clicked on.

Getting the CFO’s attention

Growth in BEC fraud coincides with a decline in payment card-related fraud – which, Australian Payments Network figures suggested, dropped 6.9 per cent during fiscal 2018-19.

That was the first time since 2004 that fraud had declined, suggesting that cybercriminals were being foiled by new controls on card-not-present (CNP) transactions, EMV 3-D Secure, tokenisation and adoption of technologies like machine learning for fraud detection.

Those same criminals may well be shifting their attention to easier-to-compromise business employees – which means that business leaders must also improve their attention around financial controls that have long been designed to identify and stop fraudulent activity.

Financial leaders are already well aware of the need for such controls – a recent Protiviti CFO survey found 73 per cent saw internal controls as their highest priority this year, compared with 62 per cent of non-CFOs – but keeping them current hasn’t always been easy.

That’s because many staff have a pervasive trust in the authority of email that may affect their decision-making when dealing with payment instructions.

Finance staff “are not trained to ferret out cyber fraud, and the kinds of psychological tricks that cybercriminals play on them are very complicated and sophisticated,” Kontorovich said.

“They are continuing real email conversations that staff have had with executives, and they can be spread across thousands of customers – so if even one reacts, you’ll have a happy payday.”

“The whole risk is just on steroids,” he added, “and their financial controls just aren’t there to deal with the digitally connected world.”

Finance executives need to understand the perfect storm that businesses now face and engage with employees to help adapt the whole company mindframe accordingly, he added.

That had come from the risk of digitally-connected supply chains, augmented by the ease with which cybercriminals are conducting identity theft, and a direct-payments banking system that doesn’t verify payment instructions against the name of the account holder.