Payment fraud is among the growing risks companies of every size face in today’s digital payment age. A mobile workforce armed with portable data-bearing devices and cyber criminal syndicates intent on stealing confidential corporate information, such as credit card data and employees’ Social Security numbers, pose greater security threats than ever.
As businesses write fewer checks and the U.S. payment system slowly morphs from paper to electronic form, this convenience also opens up new security holes and opportunities for theft. More banks are processing checks by scanning them and sending images instead of paper checks through their system – an outgrowth of a 2004 federal law called Check 21 that allows banks to return electronic check images to issuers rather than the original hard-copy check in clearing payments. One of the top security threats businesses and financial institutions now face is ACH fraud in which cyber criminals trick employees into releasing corporate bank account login information and banks into approving and transferring company funds.
Rising incidents of corporate account takeovers related to ACH fraud recently prompted the Federal Financial Institutions Examination Council (FFIEC) to issue updated guidance for banks in implementing online authentication best practices for commercial accounts.
Criminals online today are clever, patient, organized and global. They’re masters of social engineering, skilled in targeting the most vulnerable businesses, governments and individuals with the highest potential for gain. Often, they and their networks are located in rogue nations where security and enforcement are lax and financial fraud is difficult to prosecute. Their “phishing” attacks are becoming more sophisticated, luring unsuspecting targets into clicking on links in seemingly genuine emails that unleash malware which compromises employee computers or installs keystroke-logging bots to collect user login IDs, account data and other personally identifiable information.
Cyber threats also present themselves in the form of malware that embeds itself in a browser application and can then divert, modify or manipulate information that a user submits on an online login page. For example, this type of attack, often referred to as a “man-in-the-browser” or “man-in-the-middle” attack, looks for data that cyber criminals can use as secondary authentication when logging into a user’s bank account.
Protecting against payment fraud continues to be a significant and growing cost for organizations of all sizes. Consider these sobering statistics.
In its Internet Security Threat report, antivirus software vendor Symantec found that customer-related information was the most exposed type of data during breaches in 2010. Criminals find customer data alluring because it typically contains financial information such as credit card and bank account numbers that can be used for lucrative fraud schemes and large financial payouts. According to the study, Trojans continue to be a prominent malicious code threat because the majority of fraud activity is now financially motivated. Many Trojans are designed to steal information and are a primary means for attackers to harvest credit card information or banking credentials.
The Ponemon Institute reported in its Second Annual Cost of Cyber Crime Study that online crime cost the 50 U.S. multinational enterprises participating in its study an average of $5.9 million per year, up 56 percent over last year’s annualized average of $36.5 million per company. These corporations also experienced 72 successful attacks per week and more than one successful attack per company per week, an increase of 44 percent from a year ago. According to Ponemon’s research, the most costly cyber crimes are those caused by malicious code, denial of service, stolen devices and web-based attacks.
A 2011 Data Breach Investigations report issued by Verizon Business found that 76 percent of all compromised data came from corporate servers, 96 percent of all breaches were avoidable through simple or intermediate controls, 86 percent were discovered by a third party, and 89 percent of victims subject to PCI-DSS rules for protecting credit card data were not in compliance.