Eftsure Logo
Request a Demo
Supplier Verification
Resources/

Cybersecurity Guide for CFOs: 2025, 8th Edition

Cybersecurity Guide for CFOs: 2025, 8th Edition

Cyber threats are evolving, and finance leaders need to stay ahead. Our latest cybersecurity guide dives into cutting-edge tactics like red teaming and penetration testing, equipping CFOs with actionable strategies to safeguard their organisations against modern scams.

Foreword

A note from Jon Soldan, Chief Executive Officer, Eftsure

As a finance leader, you probably know exactly how much your organization invests in risk management. You know how much time and effort you put into recruiting trustworthy, capable people. You know how hard your organization has worked to build efficient processes, to fortify security mechanisms that keep people and payments safe from malicious actors.

But how often do you see it from the other side? What does your organization look like to someone who wants to exploit those processes, rather than improve them? How robust are those fraud controls, really, when they’re exposed to criminally creative thinking and sophisticated new artificial intelligence (AI) capabilities?

It’s no longer safe for finance leaders to depend on fraud controls designed within and for a mostly analogue, pre-AI world. Designing and maintaining controls for a new world of cybercrime requires a new way of thinking.

To protect against today’s wave of scams, finance leaders will need to think like a scammer. This year’s Cybersecurity Guide for CFOs will show finance leaders how to apply cybersecurity concepts like red teaming and introduce adversarial thinking into their strategies—and why doing so has become an existential necessity for organizations everywhere.

I. The current threat landscape

  • Some estimates see cybercrime costing the world $10.5T USD by 2025.
  • Other estimates found $485.6B (USD) in global losses to scams and schemes in 2024.

 

[Cybercrime] is highly organized and that’s why it’s so successful. We’ve been inside many of these operations… Everything is run like an industrialized corporation. It has the HR department, the accounting, the finance department, the sales, the onboarding and the client onboarding. They bring the best possible people with university degrees in accounting and even cybersecurity teams.

– Ken Gamble, Investigator and Executive Chairman of IFW Global (On The Defense)

While countries like Australia have made cross-sector strides in combatting scam losses, the numbers make it clear: cybercrime remains one of the costliest risks for finance leaders.

More specifically, business email compromise (BEC) attacks continue to be one of the biggest threats to financial functions and their organizations.

Because these attacks depend on human error and social engineering, AI capabilities are further democratizing cybercrime and helping scammers tailor their tactics at scale. Meanwhile, data breaches and dark web marketplaces act as the fuel to the engine of these attacks and technologies, gifting cybercriminals with the type of targeting information that would make a digital marketer blush.

Business email comprimise

What is business email compromise (BEC)?

This fraud tactic—also called payment redirection—targets individuals or groups who perform legitimate fund transfers (that is, your employees and those of your vendors). It begins with a malicious actor compromising an email system, then deceiving staff into making illegitimate payments or giving up information that makes it easier to secure an illegitimate payment.

These tactics can be highly sophisticated and span lengthy periods. Within Eftsure’s client base, analysts have seen malicious actors increasingly compromise both the vendor organization and target organization, orchestrating intricate communication trails and incorporating persuasive counterfeit documents.

Artificial intelligence as fraud enabler

A previous edition of this guide explored emerging AI capabilities and the many ways they can be applied both legitimately and maliciously. It detailed how cybercriminals were already creating unmoderated versions of AI tools like ChatGPT, leveraging deepfakes and voice conversion capabilities, and using LLMs to break into new markets previously insulated by language and cultural barriers.

As predicted, 2024 saw an uptick in AI-enabled scams and cyber threats, with Deloitte’s Center for Financial Services predicting that AI could cost the US $40 billion by 2027. In a survey of US and UK finance professionals, 53% of respondents said they’ve experienced a deepfake scam attempt.

Those attempts showed up in headlines throughout 2024. From password manager LastPass to global ad agency WPP to up-and-coming cybersecurity firm Wiz, companies across the world were targeted in scams that used generative AI to impersonate executives and other staff.

And, sometimes, these attempts paid off in a big way.

What is generative AI?

Generative AI is a subset of AI that uses machine learning to generate new content. Where it’s distinct from other forms of AI is that it generates content like text, images or sound—information that is entirely new and not part of the original dataset used for training. It enables capabilities like:

LLMs (Large Language Models)

Chatbots such as OpenAI’s ChatGPT or Google Gemini.

Deepfakes

Synthetic video, audio or images, in which simulations replace the appearance of both real people and those who’ve never existed.

Finance leaders need to learn AI and the best way to do that is by building an AI system. It is critical that these leaders know how LLMs work, not just to help them amplify the work of their organizations but also to understand how the security and privacy landscape has changed.

– Noelle Russell, Chief AI Officer, AI Leadership Institute

Data theft as fraud enabler

Cyber threats and fraud risks are increasingly connected—sometimes they’re even one and the same. Cyber threats in a single organization or function can create indirect threats in others.

This is perhaps clearest when examining the role of data breaches. Whether the result of a malicious intrusion or simply a lapse in data security practices (or a combination of both), data theft is a growing issue.

From financial details to sensitive personal information, vast amounts of stolen data are regularly traded on dark web forums and are a frequent starting point for scammers. This data helps cybercriminals identify targets, compromise systems, enhance social engineering tactics, and improve impersonation attempts.

Don’t assume the overwhelming amounts of data will obscure your business and lower the odds of being targeted, either. AI tools and other advanced technologies allow threat actors to instantly pull useful data and apply it in automated, scalable ways.

Unsurprisingly, this has resulted in a significant correlation between a company’s exposure on dark web forums and an increased likelihood of cyberattack.

CFOs on the frontline of cyber fraud

Fraud risks are increasingly digital, which also means they’re increasingly multi-faceted and interconnected. For instance, a third-party organization’s data security practices might expose your business to data theft, while a vendor’s cybersecurity incident might allow malicious actors to gain access to your business’s sensitive communications or platforms.

All of this increases your business’s fraud risks, despite much of it happening independently from your organization’s security controls. It’s no wonder cyber readiness has become a top concern for CFOs.

However, to fully mitigate current and next-generation risks, finance leaders will need to embrace their unique role in leading anti-cybercrime strategies, as well as understand the overlap between cybersecurity and anti-fraud controls. Without this awareness, organizations can be exposed by siloed approaches or gaps between finance professionals and technologists.

Some of the risk factors explored here are longstanding, while others are newer—but, together, they form a threat landscape that demands creative, adversarial thinking. For more insights, check out the PYMNTS Intelligence 2024 Certainty Project.

II. Cybersecurity practices and their relation to risk mitigation

As lines between cybersecurity and broader risk mitigation continue to blur, digital threats are no longer just the responsibility of IT departments—they are a critical priority for CFOs. Tasked with safeguarding organizational resilience and mitigating financial risks, CFOs must address modern scam threats enabled by AI and emerging technologies like quantum computing. These threats demand proactive, strategic action.

This section examines three key practices and their role in protecting organizations from cyber threats:

  1. Adopting an attacker mindset: Understand how threat actors think and operate to anticipate and counter their tactics.
  2. Red teaming: Conduct simulated attacks to test organizational defenses and identify vulnerabilities before they can be exploited.
  3. Penetration testing: Evaluate the effectiveness of your security measures by attempting to breach them in a controlled environment.

Adopting an attacker mindset: thinking like a hacker

To combat sophisticated threats, CFOs need to understand how attackers exploit vulnerabilities. By adopting an adversarial mindset, finance leaders can strengthen their organization’s defenses and ensure that investments—in both fraud mitigation and cybersecurity—address the most pressing risks.

There’s a defender mindset—defenders just see the strengths. Attackers ignore the strengths, attackers see all the opportunities.

– Richard Buckland, Cybercrime Professor, UNSW and Director of SECedu Australian Cybersecurity Education Network (SXSW Sydney, 2024)

Tackling AI-driven threats

AI is reshaping the cyber threat landscape, enabling attackers to bypass traditional defenses through highly convincing scams. As highlighted in the broader threat landscape analysis, generative AI now allows cybercriminals to craft tailored phishing messages, clone voices, and create fraudulent vendor communications with remarkable accuracy. These developments have made business email compromise (BEC) scams more prevalent and harder to detect.

For example, attackers used deepfake videos and voice cloning to impersonate a CEO and multiple other staff members, convincing a finance employee to transfer $39 million into a fraudulent account. This incident exploited gaps in authentication processes, underscoring the urgent need for robust multi-factor authentication.

To address these challenges, CFOs should:

  • Advocate for advanced authentication protocols: Implement measures like multi-factor authentication to close security gaps.
  • Support AI-focused risk assessments: Evaluate how AI tools can both help and harm organizational security efforts.
  • Invest in ongoing staff training: Raise awareness of emerging threats and equip employees to recognize sophisticated scams.

 

With the rise of synthesized media like deepfakes, organizations face increasing fraud risks. Expanding multifactor authentication and engaging AI red teams to continually monitor vulnerabilities are critical to secure and responsible AI use at scale.

– Noelle Russell, Chief AI Officer, AI Leadership Institute

Preparing for quantum computing risks

Quantum computing represents a transformational leap forward in computing power, but it also poses a significant threat to existing cybersecurity measures. Its ability to solve complex problems at unprecedented speeds could render current encryption methods obsolete, exposing financial data and transactions to interception and manipulation.

While efforts to develop quantum-resistant encryption standards, such as those led by the National Institute of Standards and Technology (NIST), are underway, organizations cannot afford to delay preparation.

CFOs should collaborate with IT leaders to:

  1. Identify critical systems reliant on vulnerable encryption protocols: Determine which systems are most at risk from advancements in quantum computing.
  2. Develop a roadmap for adopting quantum-safe encryption: Plan for a gradual transition to quantum-resistant cryptographic algorithms.
  3. Monitor advancements in quantum technology and security standards: Stay informed about the progress of quantum computing and its implications for cybersecurity.

These actions will help organizations mitigate future risks and ensure operational continuity as quantum technologies mature.

Red teaming: stress-testing organizational defenses

Red teaming involves simulating real-world cyberattacks to identify vulnerabilities across systems, processes, and people. Unlike penetration testing, which focuses on specific weaknesses, red teaming takes a holistic view, evaluating the organization’s overall resilience.

Enhancing organizational resilience through red teaming

Red teaming is particularly effective in uncovering vulnerabilities that attackers might exploit. For example, exercises often reveal gaps in multi-factor authentication or weaknesses in financial approval workflows. By addressing these risks, organizations can fortify their defenses and reduce exposure to cyber threats.

Aligning red teaming practices with regulatory requirements is increasingly important. A compliance-focused approach not only helps organizations meet evolving standards but also enhances operational resilience. For further insights, check out The Role of Red Teaming in Regulatory Compliance and Risk Management by John Nathan (2024).

CFOs should adopt red teaming by:

  1. Partnering with IT and security teams: Identify high-risk areas, such as vendor payment systems.
  2. Using insights from red teaming: Allocate resources effectively to address identified vulnerabilities.
  3. Scheduling regular exercises: Adapt to emerging threats and compliance demands with periodic testing.

Penetration testing: focused vulnerability analysis

Penetration testing, or pentesting, complements red teaming by focusing on specific systems or applications. This targeted approach is particularly useful for identifying exploitable vulnerabilities in critical areas such as payment platforms and accounting software.

Addressing vulnerabilities in financial systems

Pentesting provides actionable insights into weaknesses that could lead to fraud or data breaches. For CFOs, this means prioritizing systems that handle sensitive data and ensuring identified vulnerabilities are remediated promptly.

Incorporating effective pentesting methodologies into cybersecurity strategies helps organizations identify risks while fostering collaboration between IT and finance teams. This cross-department effort ensures vulnerabilities are addressed efficiently, promoting a unified approach to cybersecurity.

CFOs can:

  1. Advocate for regular testing of high-risk systems: Ensure ongoing assessment of critical platforms, such as payment and accounting systems.
  2. Allocate resources to resolve identified vulnerabilities: Provide the necessary funding and support for remediation efforts.
  3. Promote cross-department initiatives: Encourage collaboration between IT and finance teams to maintain ongoing vigilance.

III. How to build red teaming into your finance function

To ensure their businesses invest in the right priorities and practices for their circumstances, there’s a growing urgency for finance leaders to understand cybersecurity, including and especially security hygiene. However, cyber readiness and resilience aren’t the only imperatives.

What are the benefits?

Familiarity with the broad strokes of common cybersecurity practices can empower finance leaders to modify and refashion those practices for their own functions.

Adopting “red teaming” concepts

By adopting red teaming concepts, finance leaders can:

  • Improve strategic decision-making: Gain a clearer understanding of potential risks and prioritize actions accordingly.
  • Systematically incorporate adversarial analysis: Introduce skeptical evaluation and adversarial thinking into planning frameworks to uncover hidden vulnerabilities.
  • Challenge assumptions proactively: Identify potential vulnerabilities and address them before they can be exploited.

What does it mean to apply red teaming concepts?

Security and risk mitigation aren’t the domain of any single leader or department. Embedding best practices throughout your organization—especially with the goal of mitigating fraud risks—will require a cross-functional approach.

This includes working with IT or security professionals to assess overall cyber risks while also applying pressure tests to finance and AP functions. These cumulative efforts form an important pillar of an anticybercrime strategy, which CFOs are often best positioned to own within their organizations.

The role of pressure testing

In finance and accounting, many leaders are already familiar with the concept of pressure testing. This approach is one of the best ways to think like a scammer and bring fraud opportunities into focus. By collaborating with your company’s technologists, you can incorporate common cyber tactics and account for potential technical vulnerabilities—both within your organization and with third-party organizations.

Effective pressure testing requires a two-fold consideration:

  • How can we increase and formalize pressure testing within finance and AP processes?
  • How can we identify and prioritize the types of pressure tests that can uncover our most serious vulnerabilities?

What is pressure testing?

Pressure testing is a process that evaluates the effectiveness of internal controls. It involves subjecting financial procedures and processes to simulated scenarios, testing their ability to withstand intentional or unintentional deviations from processes.

The goal of pressure testing is to identify weaknesses in controls and processes, and then address them before an actual risk event occurs. Pressure testing can happen in a variety of ways, performed by internal or external auditors. It can be as structured as a formal audit or as casual as a CFO sending test emails from their own email account.

Examples of pressure testing

Common fraud scenarios to pressure test

Pressure testing allows organizations to simulate potential fraud scenarios and identify weaknesses in their processes. Below are some examples of common fraud scenarios CFOs and finance leaders should consider:

  • Impersonated authority: Pose as the CEO or another executive using their email account—or initiate a call or video chat with an employee. Urge the employee to send an urgent international wire transfer to see if other controls or approval processes can be sidestepped.
  • Undelivered goods: Send fake invoices for goods that were never ordered or delivered. This tests your AP team’s adherence to three-way matching processes.
  • False vendor: Use a spoofed vendor email account or have a tester call the AP team, asking to update the “vendor’s” banking details.
  • Duplicate invoices: Submit multiple fake invoices to determine whether duplicate invoice checking processes are in place and effective.
  • Payment threshold bypass: Submit multiple smaller invoices just below automatic approval thresholds to see if the organization detects and prevents systematic circumvention of higher-level review processes.
  • Assume credential theft: Pretend staff credentials have been stolen. Test which user permissions and processes can be accessed and whether they are actually necessary for staff roles.
  • Compromised vendor: Create a fake vendor profile with fabricated documentation and a spoofed domain to test the depth of vendor verification processes.
  • Segregation of duties probe: Attempt to have the same individual initiate, approve, and reconcile transactions across different systems. This reveals potential breakdowns in the separation of financial responsibilities.
  • Retroactive approval manipulation: Submit transactions with deliberately misaligned dates or backdated approvals to test the robustness of audit trails and determine if post-transaction approval mechanisms can be exploited.

A strategic approach to pressure testing

The possibilities for testing your internal controls and payment processes are endless. However, few organizations have the time or resources to simulate every possible fraud vector. So, how can leaders narrow down the most critical areas of focus?

It might be tempting to choose pressure tests based on ease of implementation or areas that have been exposed to risk in the past. While these are important considerations, it’s crucial to take a more adversarial view.

Thinking like a scammer

Adopting a scammer’s perspective can help identify the most critical vulnerabilities in your organization’s processes. Ask yourself:

  • What do we have that is most valuable?
  • Which processes are most vulnerable?
  • Are there any processes that are particularly risky in the event of human error?
  • Which staff are most likely to be targeted?

Steps for pressure testing

1. Assessment and planning

Begin by identifying your organization’s “crown jewels”—the assets most likely to attract threat actors, such as financial resources or sensitive data.

Next, determine who will conduct the testing within your function. Consult with IT, risk mitigation, and legal teams to obtain authority for testing. These consultations can help you understand relevant compliance or regulatory obligations and consider past incidents that may influence the testing scope.

While many organizations already know which staff have access to critical assets—often within finance and AP functions—it’s important to map out your actual landscape. This includes identifying exact user permissions and determining how many procedures are subject to anti-fraud controls.

Once you have a clear picture of the assets and employees most at risk, define the scope of your testing. This should include processespolicies, and procedures to ensure comprehensive coverage.

Policies

Think of policies as the laws that direct how individual employees, departments, and the entire organisation should operate. These are usually aimed at improving compliance, security, efficiency, and visibility in dayto- day operations.

Processes

These build upon the organization’s policies by providing a high-level overview of what, who, and when. Processes are often developed by management (e.g. the AP manager) and detail what specific tasks need to be executed, who has responsibility for executing each specific task, and when each task needs to be executed.

Procedures

Whereas processes are higher-level overviews, procedures are often more granular and outline the ‘how’ of different processes. These tasks tend to have the most direct impact on how employees carry out their responsibilities.

2. Testing and documenting

Once you’ve identified the priorities and scope of pressure testing, you can set a timeline for testing, especially if the testing will be a routine occurrence. While factoring in your most critical processes or vulnerabilities is important, it’s also reasonable to start with smaller tests and ramp up to more complex testing over time.

This approach lays the groundwork for simulating the attacks or fraud tactics you’ve chosen. During this phase, it’s essential to characterize each vulnerability and document the outcomes of every simulated tactic.

Documentation will be particularly important as you look for weaknesses such as:

  • A lack of awareness: Among staff, contractors, and suppliers regarding fraud tactics or common cyberattacks like phishing or vishing.
  • Incomplete checks or verification: Missing or inadequate verification of information.
  • Inadequate detection processes: Ineffective measures to identify fraud or cyber threats.
  • Inefficient segregation of duties: Poorly implemented separation of financial responsibilities.
  • Weak technology or system controls: Insufficient safeguards within IT infrastructure.
  • A lack of oversight or documentation: Missing processes for tracking actions or maintaining accountability.
  • Unnecessarily manual tasks: Tasks with few or no guardrails for human error.

3. Reporting and remediation

Analyze documented outcomes by:

  • Identifying the most critical risks or vulnerabilities: Focus on areas that pose the greatest threat to your organization.
  • Suggesting steps for addressing vulnerabilities: Provide actionable recommendations, including timelines and dependencies for resolution.
  • Determining owners: Assign responsibility for addressing vulnerabilities and identify other functions that need to be engaged.
  • Recommending other areas for improvement: Highlight additional opportunities to strengthen processes and systems.

Anti-cybercrime strategy

Pressure testing is just one cornerstone of a comprehensive anti-cybercrime strategy. However, it can inform all other elements of your strategy, including how and where you focus resources.

Let’s take a look at how adversarial thinking and simulated fraud attempts can enhance decision-making across each of these elements.

People

Staff training is crucial for any risk mitigation strategy, and modules should be developed in collaboration with IT or security specialists. Many organizations already run cybersecurity and fraud awareness training programs.

But dedicated training may be necessary—pressure testing can help you tailor these programs for different employees, especially those who are more likely to be targeted or have access to more sensitive processes and data.

Alongside general security hygiene, training for finance and AP staff should aim to improve understanding of:

  • The tactics scammers use to manipulate information or engineer certain responses, including new tactics enabled by generative AI and synthetic media
  • The risks your organisation could face when suppliers or other third-party organizations are breached
  • Common red flags of social engineering, phishing, invoice manipulation, or insider threats

Regardless of training specifics, ensure that it’s both regular and relevant. Digital boundaries tend to blur between professional and personal, too, so consider training that helps employees understand how to protect themselves—both at home and at work.

We pivoted to training that shows staff how to protect themselves and their family. By doing that, we had a 100% uptake. Yes, we want you to be vigilant in the organization, but, by osmosis, [staff] brought that same level of awareness and vigilance into the business naturally.

– Damian Seaton, Founder and Managing Director, Cyber Audit Team (On The Defense)

Culture

Mitigating fraud risks also requires a culture that aligns everyone in your organization around efforts to prevent cybercrime. That includes:

  • Forging an atmosphere of trust between management and employees: Trust starts with open, two-way communication, empowering both management and staff to contribute insights and ideas. Pressure testing doesn’t need to jeopardize this, either—staff should be aware of risk mitigation strategies and the role of pressure testing. Testing needs to be communicated as a routine way to uncover vulnerabilities, not to embarrass or blame any individual or team.
  • Fostering a safe environment: It’s essential that employees feel comfortable flagging suspicious activity, especially incidents that involve their own errors. The more comfortable an employee feels to report concerns, the more likely they are to speak up quickly if they open the wrong attachment or make the wrong payment.

Often, this requires cultivating a deeper understanding of cybersecurity and risk mitigation: sophisticated fraudsters are looking to capitalize on human error, and no employee is immune or infallible.

Processes

Controls and pressure testing

With scam tactics and fraud incidents becoming increasingly sophisticated—and increasingly digital—your controls will need to be just as sophisticated. A robust anti-cybercrime strategy, validated by pressure testing and formed in collaboration with other functions, is crucial for assessing, implementing, and remediating these sorts of controls.

Technology

This guide has explored many ways in which cybercriminals are leveraging technology to work more efficiently and at scale, so don’t cede technology-enabled advantages. The right systems and solutions can help you automate processes without sacrificing efficiency. It’s not about automating everything, though—some solutions simply arm your employees with clearer insights and better information for decision-making, further minimizing risks of human error or social engineering.

Look for solutions that provide additional protection around your crown jewels and the people or processes most likely to face scammers’ tactics.

Lastly, no single solution can fully eliminate your fraud risks, so choose solutions that integrate with other necessary systems and processes. Employee experiences should still be as efficient and seamless as possible—after all, clunky, slow experiences tend to raise the risks of error, corner-cutting, and poor morale.

IV. Closing remarks

Protecting your organization isn’t about playing defense anymore—it’s about getting inside the mind of potential attackers. The old ways of managing risk are no longer sufficient in today’s world of ultra-organized cybercrime syndicates and technology-driven threats.

Practices like red teaming and penetration testing may be the domain of cybersecurity specialists, but they’re underpinned by important concepts that finance leaders can and should apply to their own functions.

Think of it like this: the best defense is a team that can spot vulnerabilities before the bad guys do. By constantly questioning how things work, imagining worst-case scenarios, and poking holes in your own processes, finance teams can act as their organizations’ final guardrails against cybercrime and close the intra-departmental gaps that cyber-fraudsters have long exploited.

Additional resources

Author

Shanna Hall

Published

15 Jun 2025

Reading Time

23 minutes

More Insight Articles

Cybersecurity Guide for CFOs 2023: 6th Edition
Cyber crime

Cybersecurity Guide for CFOs 2023: 6th Edition

Insider Threat Guide
Cyber crime

Insider Threat Guide

security-image

The New Security Standard for Business Payments

Request a demo
security-image
security-image