Treasury News Network

Notable types of payment fraud treasurers and CFOs should watch

Last month, the ransomware group RansomHub claimed that it had carried out the cyber attack that targeted Christie’s, the world’s wealthiest auction house by revenue.

In a post on the dark web on Monday (May 27, 2024), RansomHub revealed that it had breached data and acquired information on “at least 500,000” of Christie’s private clients from “all over the world.” The compromised data reportedly includes full names, passport numbers, birth dates, and nationalities of Christie’s customers worldwide.

The cybercrime group has threatened to leak or publicise the stolen data of Christie’s clients unless the auction house pays an undisclosed ransom.

“Ransomware payments in 2023 surpassed the $1 billion mark, the highest number ever observed,” according to The Chainalysis 2024 Crypto Crime Report.

With payments becoming the centrepiece of corporate finance and treasury, and the exponential growth in the realm of payments fueled by technological advancements, notable existing and emerging types of payment fraud are on the rise and remain a significant concern for CEOs, CFOs, and corporate treasurers.

Cybercriminals have silently infiltrated corporations, targeting their top executives, systems, networks, servers, data and infrastructure to perpetrate fraudulent payment activities. In fact, global losses from payment fraud tripled from US$9.84 billion in 2011 to $32.39 billion in 2020, as per Merchant Savvy’s Global Payment Fraud Statistics, Trend & Forecasts (2020) published in Deutsche Bank’s 2021 report on the future of payments (Series 2). These payment fraud losses are expected to continue their upward climb, reaching an estimated $40.62 billion by 2027 – 25% higher than in 2020.

Furthermore, examining the payments fraud landscape in 2023, the Association for Financial Professionals® (AFP) 2024 Payments Fraud and Control Survey Report (sponsored by Truist) said, “We see an uptick in fraud activity from the previous year, with 80% of organizations reporting they were a victim of an attempted or actual fraud attack.”

“Larger organizations (with annual revenue of at least $1 billion) are more susceptible to payments fraud attacks than are smaller ones (with annual revenue of less than $1 billion): 83% compared to 74%”, the AFP report further mentioned.

Given that payments fraud is becoming more complex, sophisticated, pervasive, and expensive, understanding the key terms and concepts of the important existing and emerging types of payment fraud will arm business leaders, finance chiefs, treasurers and their teams: awareness and knowledge are the first crucial step in preventing fraud and minimising the risk of financial and reputational exploitation.

Ransomware

The word "ransom" reveals almost everything about this cyber threat. Ransomware is a type of malicious software or malware attack designed to lock and encrypt an organization’s data, system, files, or devices, rendering them inaccessible until a ransom is paid in exchange for unlocking and decryption. This form of cyber-extortion preys on vulnerabilities in people, systems, networks, and software to achieve its nefarious goals.

Deepfake: a subset of synthetic fraud

Deepfake fraud attempts skyrocketed in 2023, increasing by 31 times the volume seen in 2022. This represents a staggering 3,000% year-over-year rise, as highlighted in Onfido’s Identity Fraud Report 2024.

The next generation of digital fraud, deepfake, is also considered a subset or type of “synthetic fraud”, “synthetic media”, or “synthetic content”, which enables cyber criminals to utilise artificial intelligence (AI) and machine learning (ML) to create, replicate, fabricate, mimic, or alter someone’s audio (voice cloning), video, image, or text. This technology leverages existing text, photo, video, audio, facial expressions or body movements of a person to generate content that appears real or seemingly authentic but is often difficult to detect or distinguish as false, fake, forged, or counterfeit.

In February, the Hong Kong branch of a multinational company incurred a US$25.6 million (HK$200 million) loss as a result of a deepfake video conference call.

According to the South China Morning Post, a finance department employee of the company at the Hong Kong branch was invited to a staged video call filled with deepfaked (digitally re-created) company executives that included the organization’s London-based CFO. Apart from the finance employee, all participants in the video call were fake.

Responding to the escalating urgency conveyed by the deepfake CFO to conduct fund transfers, the finance executive (the victim) adhered to the instructions given during the call, ultimately transferring around $25.6 million to five different bank accounts, spread across 15 transactions.

The finance employee complied with the instructions because the CFO and other colleagues present in the video call looked and sounded like the real people he recognized. The digital manipulations convincingly and accurately imitated the behaviour and gestural mannerisms of the actual CFO and other employees, making it hard to tell the authentic from the fake.

Though this $25 million AI-orchestrated fraud is one of the most substantial corporate frauds involving deepfake technology to date, deepfake fraud more broadly is expected to emerge as the foremost payment security threat for CFOs and corporate treasurers in 2024, given that deepfake fraud attempts have witnessed an unprecedented increase. Additionally, the rise in availability and use of AI, face-swapping technology, and lip-synced videos is making the production of deepfakes cheaper, easier, more accessible, advanced, pervasive, and scalable.

Over the next 12 months and beyond, this trend is anticipated to be exploited to facilitate payment fraud and pressure corporate executives into disclosing sensitive and confidential organizational information and customer data.

Phishing

“Phishing is the concept of sending an email that appears to come from a trustworthy source to get you to interact with it, to call a number, or to click on a link. The concept here is to catch as many fish or people as possible. Phishing attempts are done to gather sensitive information fraudulently by pretending to be someone cybercriminals are not so that you give up confidential information. It is not a personalized attack and not geared toward you or your company specifically. It is just casting a wide net to see who responds, who clicks on the email, or who calls on the phone number that is listed to gain access to your data or to control your devices from nearly every conceivable access point,” explains Craig Jeffery, managing partner at Strategic Treasurer, a leading treasury consulting firm.*

“Phishing threats have reached unprecedented levels of sophistication in the past year, driven by the proliferation of generative AI tools,” as per the Zscaler ThreatLabz 2024 Phishing Report.

This report examines more than two billion phishing transactions from 2023, extracted from the Zscaler cloud, aiming to provide organizations with a comprehensive understanding of the “rapidly evolving phishing landscape.”

Moreover, the Zscaler ThreatLabz report highlights that “Phishing attacks surged by 58.2% in 2023 compared to the previous year, reflecting the growing sophistication and reach of threat actors.”

The top five countries targeted by phishing attacks were the US, UK, India, Canada, and Germany, with the finance and insurance industry encountering 27.8% of total phishing attacks. This marks “The highest concentration among industries and a 393% year-over-year increase”, the report further added.

Business email compromise (BEC)

Last year, cyber-enabled scams led to $10 billion in losses, with business email compromise (BEC) representing $6.7 billion of that figure globally, as outlined in Nasdaq and Verafin’s 2024 Global Financial Crime Report.

According to SecureTreasury™ (securetreasury.com), the cloud-based payments security training programme for corporate treasury and their teams, BEC occurs when a bad actor compromises “Legitimate business email accounts to initiate unauthorised transfer of funds.”

To perpetrate this form of attack, the criminal will assume or gain control of an employee’s email account, usually that of a high-ranking executive or financial officer with access to company finances, and use it to send fake or fraudulent emails that deceive an employee, client, or vendor into sharing sensitive information or transferring money to bank accounts they believe are trusted. However, the funds actually end up in domestic or foreign bank accounts owned by the criminals.

Usually, a deceptive email requesting a financial transfer is sent to the victim or target, framing the transaction request as necessary, urgent, and confidential.
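As an added illustration (not from this article, SecureTreasury or Strategic Treasurer), the following Python routine shows how a treasury team can triage an inbound payment instruction for the BEC warning signs described above: urgency and confidentiality framing, a transfer or bank-detail change, and a Reply-To address pointing outside the organisation. The internal domain, the scoring threshold and both sample emails are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumption: the organisation's own mail domain.
INTERNAL_DOMAIN = "example-corp.invalid"

# Wording BEC requests typically lean on: necessary, urgent, confidential.
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
SECRECY = re.compile(r"\b(confidential|do not discuss|keep this between us)\b", re.I)
TRANSFER = re.compile(r"\b(new (bank|account) details|updated banking|wire|transfer)\b", re.I)

def _domain(addr: str) -> str:
    # An empty or malformed address yields "" and is treated as external.
    return addr.rsplit("@", 1)[-1].lower()

def score_payment_request(raw_email: str) -> dict:
    """Score a payment-instruction email and decide the approval path.

    A compromised *legitimate* mailbox passes the sender check, so the
    content and Reply-To signals matter more than the From header alone.
    Score >= 2 holds the payment for out-of-band (callback) verification.
    """
    msg = message_from_string(raw_email)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To") or from_addr)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    signals = {
        "sender_external": _domain(from_addr) != INTERNAL_DOMAIN,
        "reply_to_external": _domain(reply_to) != INTERNAL_DOMAIN,
        "urgency": bool(URGENCY.search(text)),
        "secrecy": bool(SECRECY.search(text)),
        "transfer_or_bank_change": bool(TRANSFER.search(text)),
    }
    score = sum(signals.values())
    action = "hold_for_callback" if score >= 2 else "normal_approval"
    return {"signals": signals, "score": score, "action": action}

# Constructed sample: internal From (as in a compromised account), external Reply-To.
SAMPLE_BEC_EMAIL = """\
From: "Pat Lee, CFO" <pat.lee@example-corp.invalid>
Reply-To: pat.lee.cfo@mail-relay.invalid
Subject: Urgent wire - confidential

Please process the wire to the new bank details attached today. Keep this between us.
"""

# Constructed sample: routine internal message with no BEC signals.
SAMPLE_BENIGN_EMAIL = """\
From: ap-team@example-corp.invalid
Subject: Q3 invoice approvals

Invoices for the approved list are in the portal for review next week.
"""
```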

Account Takeover (ATO)

Account takeover (ATO) is a form of BEC fraud where cyber thieves gain control over an organization’s bank accounts or finances and use the account to initiate unauthorised funds transfers or steal information. This also includes adding fake employees to payroll or exfiltration of sensitive data that might be irrecoverable.

Data from the Javelin Strategy & Research 2024 Identity Fraud Study reveals that ATO fraud resulted in nearly $13 billion in losses in 2023 (up from $11 billion in 2022).

The crucial distinction between account takeover (ATO) and authorised push payment (APP) fraud is that ATO results in an unauthorized withdrawal of funds from the victim’s account, whereas APP fraud involves tricking victims into authorising the transfer of funds to an account controlled by a criminal.

Authorised push payment (APP)

Authorised push payment fraud, also referred to as APP fraud, entails conning victims into making a payment or authorising a fund transfer to a fraudulent account. Typically, bad actors employ impersonation techniques to pose as a credible or trusted person or entity, manipulating the victim into authorising a payment. Here, the victims are led to believe or are convinced that the payments are being made for a seemingly legitimate reason.

Most APP fraud attempts use real-time payments systems, making such payments immediate and irreversible in nature. This means that once the funds arrive in the criminal’s account, reversing the transaction is usually not possible, particularly if the hacker promptly withdraws or transfers the money.

According to GlobalData and ACI Worldwide’s Scamscope Fraud Report, losses to APP scams are expected to record a compound annual growth rate (CAGR) of 11% from 2022 to 2027, totalling $6.8 billion across six real-time payments markets (the US, the UK, India, Brazil, Australia, and Saudi Arabia).

To conclude, the Association of Certified Fraud Examiners (ACFE) reports that fraud costs a typical organization 5% of its yearly revenue. ACFE states, “As criminals continue to perpetrate fraud, it is no longer a question of if fraud will occur, but rather when it will occur at an organization.”

With cyber attacks becoming more targeted and sophisticated, payment fraud attempts are expected to increase dramatically. This means finance chiefs and corporate treasurers will have to make payment fraud detection and prevention a top priority and approach securing payments as a vital and ongoing process.

For now, it is essential for CFOs, treasurers and their teams to develop a comprehensive understanding of the prominent existing and emerging types of payment fraud they might encounter to facilitate the proactive pursuit of payment fraud detection and protection.

In this regard, ongoing and specific payment fraud training (securetreasury.com) for corporate treasury professionals will also help in preventing and combating payments fraud, thereby reducing the impact of such losses in the world of real-time payments.

* Disclosure: Strategic Treasurer owns CTMfile.