Payment Security 101
Learn about payment fraud and how to prevent it
Cyber threats are evolving, and finance leaders need to stay ahead. Our latest cybersecurity guide dives into cutting-edge tactics like red teaming and penetration testing, equipping CFOs with actionable strategies to safeguard their organisations against modern scams.
As a finance leader, you probably know exactly how much your organization invests in risk management. You know how much time and effort you put into recruiting trustworthy, capable people. You know how hard your organization has worked to build efficient processes, to fortify security mechanisms that keep people and payments safe from malicious actors.
But how often do you see it from the other side? What does your organization look like to someone who wants to exploit those processes, rather than improve them? How robust are those fraud controls, really, when they’re exposed to criminally creative thinking and sophisticated new artificial intelligence (AI) capabilities?
It’s no longer safe for finance leaders to depend on fraud controls designed within and for a mostly analogue, pre-AI world. Designing and maintaining controls for a new world of cybercrime requires a new way of thinking.
To protect against today’s wave of scams, finance leaders will need to think like a scammer. This year’s Cybersecurity Guide for CFOs will show finance leaders how to apply cybersecurity concepts like red teaming and introduce adversarial thinking into their strategies—and why doing so has become an existential necessity for organizations everywhere.
[Cybercrime] is highly organized and that’s why it’s so successful. We’ve been inside many of these operations… Everything is run like an industrialized corporation. It has the HR department, the accounting, the finance department, the sales, the onboarding and the client onboarding. They bring the best possible people with university degrees in accounting and even cybersecurity teams.
– Ken Gamble, Investigator and Executive Chairman of IFW Global (On The Defense)
While countries like Australia have made cross-sector strides in combatting scam losses, the numbers make it clear: cybercrime remains one of the costliest risks for finance leaders.
More specifically, business email compromise (BEC) attacks continue to be one of the biggest threats to financial functions and their organizations.
Because these attacks depend on human error and social engineering, AI capabilities are further democratizing cybercrime and helping scammers tailor their tactics at scale. Meanwhile, data breaches and dark web marketplaces act as the fuel to the engine of these attacks and technologies, gifting cybercriminals with the type of targeting information that would make a digital marketer blush.
This fraud tactic—also called payment redirection—targets individuals or groups who perform legitimate fund transfers (that is, your employees and those of your vendors). It begins with a malicious actor compromising an email system, then deceiving staff into making illegitimate payments or giving up information that makes it easier to secure an illegitimate payment.
These tactics can be highly sophisticated and span lengthy periods. Within Eftsure’s client base, analysts have seen malicious actors increasingly compromise both the vendor organization and target organization, orchestrating intricate communication trails and incorporating persuasive counterfeit documents.
A previous edition of this guide explored emerging AI capabilities and the many ways they can be applied both legitimately and maliciously. It detailed how cybercriminals were already creating unmoderated versions of AI tools like ChatGPT, leveraging deepfakes and voice conversion capabilities, and using LLMs to break into new markets previously insulated by language and cultural barriers.
As predicted, 2024 saw an uptick in AI-enabled scams and cyber threats, with Deloitte’s Center for Financial Services predicting that AI could cost the US $40 billion by 2027. In a survey of US and UK finance professionals, 53% of respondents said they’ve experienced a deepfake scam attempt.
Those attempts showed up in headlines throughout 2024. From password manager LastPass to global ad agency WPP to up-and-coming cybersecurity firm Wiz, companies across the world were targeted in scams that used generative AI to impersonate executives and other staff.
And, sometimes, these attempts paid off in a big way.
Generative AI is a subset of AI that uses machine learning to generate new content. Where it’s distinct from other forms of AI is that it generates content like text, images or sound—information that is entirely new and not part of the original dataset used for training. It enables capabilities like:
Chatbots such as OpenAI’s ChatGPT or Google Gemini.
Synthetic video, audio or images, in which simulations replace the appearance of both real people and those who’ve never existed.
Finance leaders need to learn AI and the best way to do that is by building an AI system. It is critical that these leaders know how LLMs work, not just to help them amplify the work of their organizations but also to understand how the security and privacy landscape has changed.
– Noelle Russell, Chief AI Officer, AI Leadership Institute
Cyber threats and fraud risks are increasingly connected—sometimes they’re even one and the same. Cyber threats in a single organization or function can create indirect threats in others.
This is perhaps clearest when examining the role of data breaches. Whether the result of a malicious intrusion or simply a lapse in data security practices (or a combination of both), data theft is a growing issue.
From financial details to sensitive personal information, vast amounts of stolen data are regularly traded on dark web forums and are a frequent starting point for scammers. This data helps cybercriminals identify targets, compromise systems, enhance social engineering tactics, and improve impersonation attempts.
Don’t assume the overwhelming amounts of data will obscure your business and lower the odds of being targeted, either. AI tools and other advanced technologies allow threat actors to instantly pull useful data and apply it in automated, scalable ways.
Unsurprisingly, this has resulted in a significant correlation between a company’s exposure on dark web forums and an increased likelihood of cyberattack.
Fraud risks are increasingly digital, which also means they’re increasingly multi-faceted and interconnected. For instance, a third-party organization’s data security practices might expose your business to data theft, while a vendor’s cybersecurity incident might allow malicious actors to gain access to your business’s sensitive communications or platforms.
All of this increases your business’s fraud risks, despite much of it happening independently from your organization’s security controls. It’s no wonder cyber readiness has become a top concern for CFOs.
However, to fully mitigate current and next-generation risks, finance leaders will need to embrace their unique role in leading anti-cybercrime strategies, as well as understand the overlap between cybersecurity and anti-fraud controls. Without this awareness, organizations can be exposed by siloed approaches or gaps between finance professionals and technologists.
Some of the risk factors explored here are longstanding, while others are newer—but, together, they form a threat landscape that demands creative, adversarial thinking. For more insights, check out the PYMNTS Intelligence 2024 Certainty Project.
As lines between cybersecurity and broader risk mitigation continue to blur, digital threats are no longer just the responsibility of IT departments—they are a critical priority for CFOs. Tasked with safeguarding organizational resilience and mitigating financial risks, CFOs must address modern scam threats enabled by AI and emerging technologies like quantum computing. These threats demand proactive, strategic action.
This section examines three key practices and their role in protecting organizations from cyber threats:
To combat sophisticated threats, CFOs need to understand how attackers exploit vulnerabilities. By adopting an adversarial mindset, finance leaders can strengthen their organization’s defenses and ensure that investments—in both fraud mitigation and cybersecurity—address the most pressing risks.
There’s a defender mindset—defenders just see the strengths. Attackers ignore the strengths, attackers see all the opportunities.
– Richard Buckland, Cybercrime Professor, UNSW and Director of SECedu Australian Cybersecurity Education Network (SXSW Sydney, 2024)
AI is reshaping the cyber threat landscape, enabling attackers to bypass traditional defenses through highly convincing scams. As highlighted in the broader threat landscape analysis, generative AI now allows cybercriminals to craft tailored phishing messages, clone voices, and create fraudulent vendor communications with remarkable accuracy. These developments have made business email compromise (BEC) scams more prevalent and harder to detect.
For example, attackers used deepfake videos and voice cloning to impersonate a CEO and multiple other staff members, convincing a finance employee to transfer $39 million into a fraudulent account. This incident exploited gaps in authentication processes, underscoring the urgent need for robust multi-factor authentication.
To address these challenges, CFOs should:
With the rise of synthesized media like deepfakes, organizations face increasing fraud risks. Expanding multifactor authentication and engaging AI red teams to continually monitor vulnerabilities are critical to secure and responsible AI use at scale.
– Noelle Russell, Chief AI Officer, AI Leadership Institute
Quantum computing represents a transformational leap forward in computing power, but it also poses a significant threat to existing cybersecurity measures. Its ability to solve complex problems at unprecedented speeds could render current encryption methods obsolete, exposing financial data and transactions to interception and manipulation.
While efforts to develop quantum-resistant encryption standards, such as those led by the National Institute of Standards and Technology (NIST), are underway, organizations cannot afford to delay preparation.
CFOs should collaborate with IT leaders to:
These actions will help organizations mitigate future risks and ensure operational continuity as quantum technologies mature.
Red teaming involves simulating real-world cyberattacks to identify vulnerabilities across systems, processes, and people. Unlike penetration testing, which focuses on specific weaknesses, red teaming takes a holistic view, evaluating the organization’s overall resilience.
Red teaming is particularly effective in uncovering vulnerabilities that attackers might exploit. For example, exercises often reveal gaps in multi-factor authentication or weaknesses in financial approval workflows. By addressing these risks, organizations can fortify their defenses and reduce exposure to cyber threats.
Aligning red teaming practices with regulatory requirements is increasingly important. A compliance-focused approach not only helps organizations meet evolving standards but also enhances operational resilience. For further insights, check out The Role of Red Teaming in Regulatory Compliance and Risk Management by John Nathan (2024).
CFOs should adopt red teaming by:
Penetration testing, or pentesting, complements red teaming by focusing on specific systems or applications. This targeted approach is particularly useful for identifying exploitable vulnerabilities in critical areas such as payment platforms and accounting software.
Pentesting provides actionable insights into weaknesses that could lead to fraud or data breaches. For CFOs, this means prioritizing systems that handle sensitive data and ensuring identified vulnerabilities are remediated promptly.
Incorporating effective pentesting methodologies into cybersecurity strategies helps organizations identify risks while fostering collaboration between IT and finance teams. This cross-department effort ensures vulnerabilities are addressed efficiently, promoting a unified approach to cybersecurity.
CFOs can:
To ensure their businesses invest in the right priorities and practices for their circumstances, there’s a growing urgency for finance leaders to understand cybersecurity, including and especially security hygiene. However, cyber readiness and resilience aren’t the only imperatives.
Familiarity with the broad strokes of common cybersecurity practices can empower finance leaders to modify and refashion those practices for their own functions.
By adopting red teaming concepts, finance leaders can:
Security and risk mitigation aren’t the domain of any single leader or department. Embedding best practices throughout your organization—especially with the goal of mitigating fraud risks—will require a cross-functional approach.
This includes working with IT or security professionals to assess overall cyber risks while also applying pressure tests to finance and AP functions. These cumulative efforts form an important pillar of an anti-cybercrime strategy, which CFOs are often best positioned to own within their organizations.
In finance and accounting, many leaders are already familiar with the concept of pressure testing. This approach is one of the best ways to think like a scammer and bring fraud opportunities into focus. By collaborating with your company’s technologists, you can incorporate common cyber tactics and account for potential technical vulnerabilities—both within your organization and with third-party organizations.
Effective pressure testing requires a two-fold consideration:
Pressure testing is a process that evaluates the effectiveness of internal controls. It involves subjecting financial procedures and processes to simulated scenarios, testing their ability to withstand intentional or unintentional deviations from processes.
The goal of pressure testing is to identify weaknesses in controls and processes, and then address them before an actual risk event occurs. Pressure testing can happen in a variety of ways, performed by internal or external auditors. It can be as structured as a formal audit or as casual as a CFO sending test emails from their own email account.
Pressure testing allows organizations to simulate potential fraud scenarios and identify weaknesses in their processes. Below are some examples of common fraud scenarios CFOs and finance leaders should consider:
The possibilities for testing your internal controls and payment processes are endless. However, few organizations have the time or resources to simulate every possible fraud vector. So, how can leaders narrow down the most critical areas of focus?
It might be tempting to choose pressure tests based on ease of implementation or areas that have been exposed to risk in the past. While these are important considerations, it’s crucial to take a more adversarial view.
Adopting a scammer’s perspective can help identify the most critical vulnerabilities in your organization’s processes. Ask yourself:
Begin by identifying your organization’s “crown jewels”—the assets most likely to attract threat actors, such as financial resources or sensitive data.
Next, determine who will conduct the testing within your function. Consult with IT, risk mitigation, and legal teams to obtain authority for testing. These consultations can help you understand relevant compliance or regulatory obligations and consider past incidents that may influence the testing scope.
While many organizations already know which staff have access to critical assets—often within finance and AP functions—it’s important to map out your actual landscape. This includes identifying exact user permissions and determining how many procedures are subject to anti-fraud controls.
Once you have a clear picture of the assets and employees most at risk, define the scope of your testing. This should include processes, policies, and procedures to ensure comprehensive coverage.
Think of policies as the laws that direct how individual employees, departments, and the entire organisation should operate. These are usually aimed at improving compliance, security, efficiency, and visibility in day-to-day operations.
Processes build upon the organization’s policies by providing a high-level overview of what, who, and when. Processes are often developed by management (e.g. the AP manager) and detail what specific tasks need to be executed, who has responsibility for executing each specific task, and when each task needs to be executed.
Whereas processes are higher-level overviews, procedures are often more granular and outline the ‘how’ of different processes. These tasks tend to have the most direct impact on how employees carry out their responsibilities.
Once you’ve identified the priorities and scope of pressure testing, you can set a timeline for testing, especially if the testing will be a routine occurrence. While factoring in your most critical processes or vulnerabilities is important, it’s also reasonable to start with smaller tests and ramp up to more complex testing over time.
This approach lays the groundwork for simulating the attacks or fraud tactics you’ve chosen. During this phase, it’s essential to characterize each vulnerability and document the outcomes of every simulated tactic.
Documentation will be particularly important as you look for weaknesses such as:
Analyze documented outcomes by:
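As an added illustration of the simulate-and-document phase described above (example code, not part of this guide or Eftsure’s own tooling), the harness below replays a few constructed payment-redirection scenarios against a modelled set of AP controls and records which control stopped each one, or that none did. The control names, the $10,000 dual-authorisation threshold and every scenario value are assumptions chosen for illustration.

```python
"""Pressure-test harness for payment-redirection scenarios (added example).
Replays constructed AP requests against a modelled control set and records
which control stopped each one, or that none did. Control names, thresholds
and scenarios are assumptions for illustration, not Eftsure's own."""
from dataclasses import dataclass

@dataclass
class PaymentRequest:
    """One simulated payment instruction reaching AP (values constructed)."""
    amount: float
    channel: str                      # "email" or "portal"
    changes_bank_details: bool        # asks AP to update the payee account
    sender_domain_on_file: bool       # email domain equals vendor master record
    callback_to_number_on_file: bool  # confirmed via the number AP already holds
    approvers: int                    # distinct people who signed off
    requester_mfa: bool               # approval session completed MFA

@dataclass
class Finding:
    scenario: str
    blocked_by: list        # reasons from controls that fired
    weakness: str = ""      # set only when nothing fired

# Each control returns a reason string when it should stop the request.
def ctl_dual_authorisation(r, threshold=10_000):
    if r.amount >= threshold and r.approvers < 2:
        return "dual authorisation: fewer than 2 approvers at/above threshold"
def ctl_bank_change_callback(r):
    if r.changes_bank_details and not r.callback_to_number_on_file:
        return "bank-detail change not confirmed by call-back to number on file"
def ctl_sender_domain(r):
    if r.channel == "email" and not r.sender_domain_on_file:
        return "sender domain differs from vendor master record"
def ctl_mfa(r):
    if not r.requester_mfa:
        return "approval session did not complete MFA"

CONTROLS = [ctl_dual_authorisation, ctl_bank_change_callback, ctl_sender_domain, ctl_mfa]

def run_scenario(name, req, controls=CONTROLS):
    """Apply every control; the request is only 'paid' if none fires."""
    f = Finding(name, [reason for c in controls if (reason := c(req))])
    if not f.blocked_by:
        f.weakness = "no control fired: request would have been paid"
    return f

SCENARIOS = [  # constructed scenarios drawn from the tactics described in this guide
    ("lookalike-domain vendor asks to update bank account",
     PaymentRequest(8_200, "email", True, False, False, 1, True)),
    ("compromised genuine vendor mailbox; staff ring the number given in the email",
     PaymentRequest(8_200, "email", True, True, False, 1, True)),
    ("urgent 'CEO' transfer to a new payee, single approver",
     PaymentRequest(45_000, "email", False, False, False, 1, True)),
    ("sub-threshold invoice via portal from a compromised vendor login",
     PaymentRequest(9_500, "portal", False, True, False, 1, True)),
]

def summarise(findings):
    """Scenario -> 'blocked' or 'WEAKNESS': the row that goes in the test log."""
    return {f.scenario: "blocked" if f.blocked_by else "WEAKNESS" for f in findings}

if __name__ == "__main__":
    for f in [run_scenario(n, r) for n, r in SCENARIOS]:
        print(f"{f.scenario}\n  -> {f.blocked_by or f.weakness}")
```

The fourth scenario is the kind of documented outcome the analysis step is looking for: every modelled control passes the request, so the single-approver threshold itself becomes the finding to remediate.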
Pressure testing is just one cornerstone of a comprehensive anti-cybercrime strategy. However, it can inform all other elements of your strategy, including how and where you focus resources.
Let’s take a look at how adversarial thinking and simulated fraud attempts can enhance decision-making across each of these elements.
Staff training is crucial for any risk mitigation strategy, and modules should be developed in collaboration with IT or security specialists. Many organizations already run cybersecurity and fraud awareness training programs.
But dedicated training may be necessary—pressure testing can help you tailor these programs for different employees, especially those who are more likely to be targeted or have access to more sensitive processes and data.
Alongside general security hygiene, training for finance and AP staff should aim to improve understanding of:
Regardless of training specifics, ensure that it’s both regular and relevant. Digital boundaries tend to blur between professional and personal, too, so consider training that helps employees understand how to protect themselves—both at home and at work.
We pivoted to training that shows staff how to protect themselves and their family. By doing that, we had a 100% uptake. Yes, we want you to be vigilant in the organization, but, by osmosis, [staff] brought that same level of awareness and vigilance into the business naturally.
– Damian Seaton, Founder and Managing Director, Cyber Audit Team (On The Defense)
Mitigating fraud risks also requires a culture that aligns everyone in your organization around efforts to prevent cybercrime. That includes:
Often, this requires cultivating a deeper understanding of cybersecurity and risk mitigation: sophisticated fraudsters are looking to capitalize on human error, and no employee is immune or infallible.
With scam tactics and fraud incidents becoming increasingly sophisticated—and increasingly digital—your controls will need to be just as sophisticated. A robust anti-cybercrime strategy, validated by pressure testing and formed in collaboration with other functions, is crucial for assessing, implementing, and remediating these sorts of controls.
This guide has explored many ways in which cybercriminals are leveraging technology to work more efficiently and at scale, so don’t cede technology-enabled advantages. The right systems and solutions can help you automate processes without sacrificing efficiency. It’s not about automating everything, though—some solutions simply arm your employees with clearer insights and better information for decision-making, further minimizing risks of human error or social engineering.
Look for solutions that provide additional protection around your crown jewels and the people or processes most likely to face scammers’ tactics.
Lastly, no single solution can fully eliminate your fraud risks, so choose solutions that integrate with other necessary systems and processes. Employee experiences should still be as efficient and seamless as possible—after all, clunky, slow experiences tend to raise the risks of error, corner-cutting, and poor morale.
Protecting your organization isn’t about playing defense anymore—it’s about getting inside the mind of potential attackers. The old ways of managing risk are no longer sufficient in today’s world of ultra-organized cybercrime syndicates and technology-driven threats.
Practices like red teaming and penetration testing may be the domain of cybersecurity specialists, but they’re underpinned by important concepts that finance leaders can and should apply to their own functions.
Think of it like this: the best defense is a team that can spot vulnerabilities before the bad guys do. By constantly questioning how things work, imagining worst-case scenarios, and poking holes in your own processes, finance teams can act as their organizations’ final guardrails against cybercrime and close the intra-departmental gaps that cyber-fraudsters have long exploited.