We talked with Alan Greenblatt, Co-Founder and CTO at PaymentWorks, about social engineering attacks and payment fraud prevention.
1. How would you describe the importance of fraud awareness and fraud risk management?
When people think of cybersecurity, they generally think about protecting the perimeter (device security, network security), but your security perimeter extends beyond hardware. It’s all about the people; it comes down to you, the people you work with, the people across your whole business, the suppliers, and the people with whom the suppliers are interacting.
You can have all the security in the world and have everything locked down tight, and someone gets tricked into changing payment information for one of your suppliers. And suddenly, there’s money going off to the wrong people, and you’re going to lose a lot of money. You’re going to be in the press; the chances are that the person who made that mistake is going to be out of a job. So, it’s hugely important, and a lot of people don’t take it seriously enough until they’re hit with fraud. And then they take it very seriously.
There’s an AFP (American Association for Financial Professionals) report from 2021 saying that 74% of organizations report that they were the target of actual or attempted payments fraud. You could argue that three-quarters of the people reading this would have experienced this! About 82% of those were directed at Accounts Payable and finance departments, and 61% resulted from social engineering fraud.
These are usually the result of human error or people not following the proper controls. You set up some controls, but people are overloaded with the things that they have to do. You also have to make sure that they follow all the regulations and controls and the compliance. Our customers get requests from people all across the organization to onboard vendors, and the last thing they need to do is make sure that the person who’s getting paid is who they say they are.
It’s critical, and only getting worse as more information flows and people’s lives are getting faster, and fraudsters take advantage of that chaos. You can’t just say: ‘be more vigilant!’ That’s not good enough.
2. How would you say the online payments fraud landscape looks today?
When we think of fraud and payments fraud, we think of business payments fraud. It’s kind of the Wild West in a lot of ways. There are people who put in controls, but usually, the fraud controls are around payment time, and they’re looking at the payments, detecting patterns. I like to think of this process like a chess game, where, by the time you notice that you’re in trouble, you already lost ten moves ago.
So, it’s all about eliminating the fraud at the source, which is when people are making the changes, and you have to ask yourself: ‘how did that payment information get there in the first place?’
3. Does your compliance program/process cover detection of activities associated with money laundering or terrorist financing?
Not directly. However, we are a tool in that arsenal. Any supplier, individual or company, that registers on our system is screened against more than 800 different sanctions lists (global or domestic sanctions lists, including state, local, and State Department lists). Then, the customers who use our system can customize those lists, and they are continuously monitored.
So, you might onboard your supplier, and then, they suddenly show up on a list after you’ve already been doing business with them. That’s a really critical part: this continuous monitoring. A lot of our customers receive federal funds, so this is an issue for them.
4. What are some potential future challenges with social engineering?
Fraudsters are getting smarter, they have more and more tools, and they get more sophisticated. Life is getting faster, and right now, you have a lot of people working from home and no longer working together. People have more systems to interact with, more decisions are thrown at them, and everything is just sped up. Fraudsters just take advantage of that.
The number one way for someone to social engineer you is to call you on a Friday afternoon and get you to expose some information while they have a baby crying in the background. It’s a tug on your emotions; you’re rushed, and there’s someone who says: ‘can you just give me this information?’
Often, the tools are not there for people who are essentially the firewall of the outer perimeter. Like I said before, beyond your hardware network, there are people out there managing all this flow of information; they don’t necessarily have the tools to prevent this social engineering.
The general message is: ‘Be more vigilant! Here’s our process, follow this, do this…’ But people make mistakes.
So, we have to make it so that the tools to prevent social engineering are just embedded in their workflows, and it’s easier for people to use them.
At a corporate level, who’s the person whose responsibility it is to make sure you always know when fraudsters are attempting to attack you? You’ll have a Chief Risk Officer at a company, but ultimately, it comes down to the people on the line.
People follow the controls, detect what’s going on, etc., but in the meantime, they need to get the rest of their job tasks done. The tools need to be easier and be there in their daily workflows, for both personal and business use. Currently, they don’t have these easy tools. People are human, and they will make mistakes even if they’re trained to follow company policies.
Our customers used to be worried because they were constantly onboarding suppliers, hoping that they did everything properly. That’s a terrible way to spend your day, fearing that you might make a mistake. So many people are losing sleep over this.
When they used to onboard a supplier, our customers would call up and make sure they asked the right questions if the supplier wanted to change bank account information.
Now, they just say: ‘come in through PaymentWorks’, and they don’t have to worry about it. They just pass it on to us. We’ll do it, and we’ll do it securely. So, there’s no one accidentally making changes; no one goes to the backend of the ERP (enterprise resource planning) system and makes a change of banking information, and there’s no risk of losing money to a fraudster; we take care of it.
5. On a personal level, how do you see the future of cryptocurrencies? If they were regulated, would they be in a traditional form, like banks?
Without a doubt, there will be attempts to regulate cryptocurrencies across the globe for years to come. Especially as we see web3 grow, the Metaverse, people going more and more online, e-commerce, etc. In some areas, people say it’s the future, for instance, Facebook being renamed Meta. Some say this is a joke, but there’s a big reality happening there.
There’s no question, people are going to try to regulate cryptocurrencies. I think for a long while, actual regulations are going to be difficult. The decentralization in cryptocurrencies just makes regulation a very tricky endeavor. You can’t just say: ‘this is how we do it in traditional banking; we can map the same rules.’ How do you do that in these distributed currencies and get different countries to cooperate on how we’ll make these regulations? I think it’s safe to say there’ll be localized forms of regulation, but aiming at a non-traditional form.
I don’t see it in a traditional way, the way we make banking regulations.
In some people’s lives, they use cryptocurrencies all the time, but the average person doesn’t. And there’s a pinpoint where it just becomes a part of everybody’s life: it’s not just crypto as an investment, but actually people using it. It will be a while before it’s just commonplace, but that would force some form of regulation.
Attempts are going to be problematic for a long time. It’s like the safety of the internet itself. In some places, the internet is controlled to different degrees. Still, I think people are going to be tripping over themselves for a while on how to regulate cryptocurrencies effectively.
6. Name 3 cybersecurity habits anyone should enforce to prevent social engineering attacks.
There are a few obvious ones: MFA, having a second form of authentication, not just your standard password, and that’s getting more and more advanced.
And regarding password managers… I see everybody: ‘what’s my password for this?’ And they start using the same password everywhere. I don’t know any of my passwords. I just use a password manager, and it knows what my passwords are. And they are long, long passwords.
The third, and really the most important one would be: stop relying on humans to stop these frauds.
These social engineering attacks rely on the fact that people make mistakes. You can have tools, and partners that can help and take things off your plate, PaymentWorks being one of them. That’s got to be embodied in how you can prevent social engineering attacks against your business.
People will try their best to do the right thing, but they are going to make mistakes. So, don’t rely on people being perfect.