Payment Security 101
Learn about payment fraud and how to prevent it
Recognise an unknown email with a suspicious link or attachment. Do not open it.
Cyber criminals are producing new creative methods in trying to attain your accounts payable sensitive information to infiltrate your email accounts and company database. Phishing statistics demonstrate that organisations are targeted with countless phishing attacks in the form of emails, phishing sites, text messages and more.
They may target your organisation during a critical time when you least suspect an attack such as the end of the fiscal year period. A simple mistake can cost your business thousands or millions of dollars. By acting with caution and always double-checking, there is a strong chance you can avoid being defrauded.
The following phishing statistics highlight the types of phishing attacks you should be on the lookout for and how organisations are defending themselves.
Based on the statistic above, the most common contact method cyber criminals use against businesses was email. This is also known as business email compromise (BEC) which is a form of targeted phishing or spear phishing.
Phishing statistics in 2022 dictate that Australia is one of the most targeted countries in phishing. The Australian Competition and Consumer Commission (ACCC) shows that Australians lost a total of $95 million to all types of scams in March 2022. Phishing attacks are becoming more prevalent and show no signs of slowing down in the upcoming years.
Emails can be considered an easy phishing campaign for some scammers. These spoofed emails aim to deceive your accounts payable teams into revealing sensitive information such as usernames, passwords, online banking logins, credit card details and more.
Phishing attacks can come in various forms. For instance, scammers that send malicious email attachments typically use Microsoft Office formats to seem more genuine like Word documents, PowerPoint presentations or Excel spreadsheets.
It’s no surprise that most targeted attacks are some form of malicious software (malware). Through phishing emails, cybercriminals implement malware that may be located on email attachments or some form of a link. Once activated, criminals can steal passwords, delete files, hijack the organisation’s network and more.
Scammers are impersonating reputable organisations via email, text messages, phone or on social media. Though Q1 2022 demonstrates a trend of phishing attacks globally with criminals now using LinkedIn as the next distribution of choice. This is reinforced by a 2020 Atlas VPN study that revealed that emails impersonating LinkedIn were the most click-on social media phishing attacks.
One of the reasons why cybercriminals target customer data is that they can make a profit from stolen data by selling it on the dark web or to other organised groups. Not only do organisations have to prioritise their cybersecurity measures but also protect customer data.
Phishing scams can cost millions of dollars to an organisation and have long-lasting consequences. Other than the obvious financial consequence, enterprises may face backlash & loss of trust from customers, theft of intellectual property, business disruption and reputational damage. As cybercrime increases, businesses will have to stay one step ahead.
Businesses and individuals might be puzzled when receiving a phishing message impersonating a bank or government entity. Unfortunately, there is publicly available information on the web on various individuals that can include phone numbers, social media profiles, emails, etc. Scammers use this information along with social engineering tactics to call phone numbers and attempt phishing texts.
Phishing websites are a popular tactic scammers use if they fail to succeed with phishing text messages or calls. These websites may impersonate legitimate businesses or suppliers in hopes of organisations disclosing their sensitive information. Without knowing what to look out for and identify a phishing website, you may fall victim.
According to phishing statistics, financial leaders and finance departments are the most targeted in phishing attacks. Cybercriminals understand that there are millions of dollars invested in financial industries and typically the motivation behind the attack is financial gain.
Your employees may be your organisation’s weakest security link when it comes to detecting phishing emails. To combat this cyber-attack, CFOs & IT security teams must implement security practices such as increasing security awareness training and investing in security detection tools or a password manager.
In 2021 Tessian research found that Microsoft, ADP, Amazon, Adobe Sign and Zoom are the most impersonated brands when it comes to phishing attacks. These brands are most targeted because of the frequent email communications between these brands and their consumers. In addition, these brands are some of the most trusted, making phishing email impersonations more likely to succeed.
According to various reports and research, Brazil became the world leader in phishing attacks. On the other side of this statistic, Kaspersky noted there was an improvement in the level of awareness of security threats online. Favio Assolini, a senior security analyst at Kaspersky Brazil states “we need to improve our digital education.”
The COVID-19 pandemic was a great opportunity for cyber criminals to conduct various attacks that may involve viruses, worms, DDOS attacks, phishing attacks and more. As employees were transitioning into remote work, some organisations were not able to keep up with security training.
Identifying cyber threats does not necessarily equate to preventing them. As part of the cybersecurity training, organisations must conduct pressure testing, phishing attack simulations and more for employees to defend against cyber-attacks confidently. Safeguarding emails requires detailed clarity between types of email attack techniques as well as knowing the correct response in each situation.
Any data storage management requires every form of protection to minimise the risk of a data breach. For instance, implementing complex passwords, adding 2FA or MFA, encrypting files, security technology and more. This makes it much more difficult for scammers to penetrate your files, enhancing your cloud email security.
Statista and Kaspersky note that a quarter of all spam emails sent in 2021 originated from Russia. This research analysed close to 150 million malicious email attachments that involved topics like money and investment, and the pandemic.
Comparing the countries that are targeted over the past years, the targeted destination of cyber-attacks has changed in 2022. The number of malicious emails that were sent to the Netherlands was 68,908,098 (17.6777%) leading as the highest targeted countries. Russia coming in second place had received 53,211,482 emails totalling 13.6509%.
It is no surprise that the elderly are more targeted than the younger demographic in phishing attacks. Seniors are thought to have more money sitting in their bank accounts than younger consumers. Other factors are involved which include businesses, pensions, tax advantages and more.
The number of unique file attachments found in malicious emails varies from PDFs, text documents, images, binary files, HTML web applications (web links), etc. Cybercriminals that are impersonating suppliers often mimic business email communications that involve sending PDFs and binary files like invoices and important documents.
Business email compromise (BEC) and phishing go hand in hand when targeting large enterprises. In simple terms, BEC is a form of targeted phishing or spear phishing. Perpetrators who plan and target organisations use emails impersonating a third-party supplier to deceive your accounts payable team into revealing sensitive company information. If successful, this can result in payment fraud or identity theft.
Other than financial gain, there are various motivations and motives behind a cyber-attack. For instance, cybercriminals may attack to make a social or political point, they may collaborate with an insider threat, sense achievement or recognition, commit corporate espionage to gain competitive advantage and more.
Other than brands and businesses, CEOs can be targeted by cybercriminals through a tactic known as ‘whale phishing’ or ‘spear phishing. Hackers impersonate CEOs, COOs, or CFOs to invoke a sense of urgency and send fake emails to employees to hand over sensitive information or to give hackers access to certain platforms and accounts. For example, access to an ERP system, Microsoft account or banking portal.
According to Phoenixnap phishing statistics, the three main stages of CEO fraud are the research phase, planning phase and execution stage. Usually, CEO fraud is not successful if there has not been any research done before the attack. Criminals may collect information about their targets like the organisation’s website, social media accounts, YouTube channels, business email communications, PR and any news relating to the enterprise.
To identify these types of threats, you should always make sure you analyse the email before doing anything. For instance, check the email address, see how the email is written, and identify if there are any potential malicious links or attachments attached or unusual requests. Always verify with the sender by phone call before following through with the email.
In addition to identifying phishing emails, never accept or open emails outside of the corporate network, emails that contain similar domain names such as your organisation’s name or a supplier’s domain name. A good practice is to follow your organisation’s cybersecurity protocols and education.
To minimise the risk of fraud or human error, security awareness training is a great start for organisations to start training their employers and employees. Several enterprise security providers supply security awareness training such as training modules, productions, and materials around various aspects of cybersecurity.
In 2022, remote work has become the norm for most organisations across the globe. To keep up with cybercrime, organisations need to constantly evolve their cyber security training. For instance, security awareness training programmes should use a variety of tools when educating users. A tailored and interactive training programme are two key components in making your employees competent in cybersecurity.
More CFOs and CEOs are recognising the increasing threat of cybercrime in 2021 encouraging the practice of anti-phishing. Yet some still fall victim to cyber threats. According to the UK government, when respondents were asked “how often are senior managers updated on cyber security?” 16% of businesses said never.
A cybersecurity strategy needs to be constantly updated each year to keep up with the rise of attacks.
According to the ACSC, Australian SMBs know cyber security is important, but there are barriers to implementing good practices. They further state the types of barriers businesses come across when implementing a cybercrime strategy such as, not having dedicated staff with an IT security focus, complexity and self-efficacy and underestimating the risk and consequences of a cyber-attack.
Each security awareness training should have three main components such as assessment, change of behaviour and evaluation. CFOs need to build a culture of cybersecurity and shape unsafe behaviours through a training program that identifies behaviour, changes behaviour and evaluates the success rate of preventing an attack.
Along with simulated phishing emails, other formal education sessions include newsletters or informative emails (39%), awareness posters or videos (35%), smishing and/or vishing simulations (33%) and internal cybersecurity chat channel (32%).
One of the best cybersecurity training activities is mimicking or simulating real scenario attacks. This will allow the employee to practice understanding how the attack is orchestrated, as well as what to look out for and immediately act appropriately.
Another motivation behind an attack is to target an organisation’s supply chains to commit further fraudulent activities on other businesses. Accounts payable teams not only need to be prepared for direct attacks but need to be tested through different scenarios and understand the depth and breadth of potential cyber incidents.
MFA has been around for several years, yet few enterprises have fully embraced the security practice. According to research, when asking the respondents why they do not use MFA, the overall reason is that change is hard and inconvenient.
Phishing is one of the oldest types of cyberattacks, it is quick and easy for cyber criminals to prepare and execute. The aim of a phishing technique is for victims to hand over sensitive information or download malware that gives fraudsters access to the business’s network.
The five most common types of phishing attacks include email phishing, spear phishing, whaling, smishing and vishing. Depending on the cybercriminal, phishing attacks can be targeted at a specified individual or business through various distribution channels
In general, smaller businesses are more likely to face any form of cybercrime attack than large enterprises. The reason for this is that SMEs are faced with low awareness of cyber threats, inadequate protection for intellectual property, lack of budget to cover costs of cybersecurity software or awareness training and low management support. Overall, the security defence of SMEs is much smaller making them more vulnerable to cyber attacks compared to large enterprises.
Every organisation must implement some form of security measure around the individuals they employ, their security software and the processes of how the business operates. With a combination of an interactive security awareness training program, security technology and cybersecurity culture, you can significantly minimise the risk of phishing.
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.