Work-From-Home Trend Raises Stakes in Fight Against Business Email Fraud

The pivot toward work-from-home environments has opened up new vulnerabilities that allow fraudsters to target B2B payments.

Nithai Barzam, chief operating officer of nsKnox, a cyber FinTech focused on fraud prevention and B2B payment security, told PYMNTS in an interview that cyber threats have become more sophisticated than ever during the COVID-19 pandemic — and they demand a sophisticated response.

The conversation came against a backdrop of mounting financial losses tied to business-email compromise (BEC) scams. The Federal Bureau of Investigation estimates that such scams cost firms over $26 billion over the past three years.

“The numbers are just overwhelming,” noted Barzam. Between 2% and 5% of enterprise revenues are lost to fraud, he said, and emails, PDFs, external and internal communications and data flows all present points of vulnerability.


Additionally, malware attacks and “impersonation attacks” — where fraudsters take on the guise of company executives or legitimate business partners — have been growing by double-digit percentage points over the years, he noted.

All the while, he said, organizations are finding it harder and harder to keep traditional checks in place. When the office is closed, you can’t go down the hall and ask your boss a question — or confirm a transaction. And you can’t easily drop by a colleague’s desk and ask for an extra set of eyes to review a document or invoice before you send it out.

Instead, we’re relying on voicemail, email, peer-to-peer messaging apps and sometimes even text messages to handle internal and external communications. Adding unsecured home networks and the employees using their own devices for work into the mix creates an environment that makes companies more vulnerable to B2B payments fraud, Barzam said.


The schemes, he said, have evolved over the years. They started with phishing emails and moved on to more complex business email compromises designed to change bank account details, diverting company funds into fraudulent accounts from which the fraudsters then disappear with their ill-gotten gains. Social engineering scams have further embraced technology in their bid to dupe workers, through phone spoofing and hijacking and even deep-fake artificial intelligence (AI) voice cloning.

Insider fraud also presents an issue, he said: 50% of economic fraud is conducted with the help of an insider.

“Pure cyberattacks” are a favorite tactic, too. Hackers and fraudsters use technology to manipulate data within a targeted firm’s systems (with malicious software, for example). They also steal credentials and use them to manipulate data within the firm, changing banking details to redirect where payments ultimately go.

As Barzam told PYMNTS, “payments fraud can occur at any point in time throughout the funds’ transfer journey.”

The Three Layers — and Continuous Validation

Barzam said companies need a three-layered line of defense that ties together process, people and automation.

“There needs to be a collaborative effort between the finance people within a firm and their colleagues in cybersecurity management and policy,” said Barzam. “They are the ones who know the business best.” Those professionals, he added, understand how to onboard new suppliers and how changes in processes can affect payments.

Working together, Barzam said, security and finance professionals need to secure their firm’s infrastructure and back-office operations, examining everything from the interfaces between the front and back-office workflows to the devices workers are using.

Additionally, he said, employee education is a critical defense component: Workers need an understanding of best practices for thwarting cyberattacks.

“Humans are only human,” said Barzam, “and even if there are good processes in place, they are only as good as the people who follow them — or don’t.”

After firms take processes and people into account, he said, they can endeavor to introduce advanced tools and automation into the mix.

Firms such as nsKnox, via cryptographic technology and access to a wide range of third-party public and private databases, can provide continuous account validation at each step of the payments journey. Among other offerings, nsKnox issues bank account certificates, which are verified through the nsKnox solution to ensure account detail accuracy and authenticity before any payments are issued.

“The way to automate security is to provide continuous verification of the details” used in transactions and payments files, he told PYMNTS.
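To make the idea of verifying beneficiary details against an attested record concrete, here is an added example written for this page; it is not nsKnox code and does not describe how their bank account certificates are built. It assumes a hypothetical attestation service that binds a vendor ID to its verified bank details and a validity window, and uses an HMAC-SHA256 tag from the Python standard library as a stand-in for the signature a real certificate would carry (a real design would sign asymmetrically so the payment side holds only a public key). The vendor names, key, bank codes and the payments file are all constructed sample data. The check goes a little beyond the paragraph above by also catching the two ways an attestation itself can fail: a record edited after it was signed, and one that has passed its validity window.

```python
import hashlib
import hmac
import json

# Hypothetical key held by the attestation service (constructed for this example).
ATTESTATION_KEY = b"hypothetical-attestation-service-key"

THIRTY_DAYS = 30 * 24 * 3600


def canonical(record: dict) -> bytes:
    """Deterministic encoding so the issuer and the verifier MAC the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(vendor_id, bank_code, account_number, issued_at, ttl=THIRTY_DAYS):
    """Attestation-service side: bind a vendor to its verified account for a limited time."""
    record = {
        "vendor_id": vendor_id,
        "bank_code": bank_code,
        "account_number": account_number,
        "not_before": issued_at,
        "not_after": issued_at + ttl,
    }
    tag = hmac.new(ATTESTATION_KEY, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_attestation(attestation, now):
    """Check integrity first, then the validity window. Returns (ok, reason)."""
    record = attestation["record"]
    expected = hmac.new(ATTESTATION_KEY, canonical(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["tag"]):
        return False, "attestation tag does not verify"
    if not (record["not_before"] <= now <= record["not_after"]):
        return False, "attestation outside validity window"
    return True, "ok"


def check_payment_file(payments, attestations, now):
    """Payment-run side: release a line only if it matches a valid attestation."""
    approved, rejected = [], []
    for p in payments:
        att = attestations.get(p["vendor_id"])
        if att is None:
            rejected.append((p["payment_id"], "no attestation on file for vendor"))
            continue
        ok, reason = verify_attestation(att, now)
        if not ok:
            rejected.append((p["payment_id"], reason))
            continue
        rec = att["record"]
        if (rec["bank_code"], rec["account_number"]) != (p["bank_code"], p["account_number"]):
            rejected.append((p["payment_id"], "beneficiary details differ from attested account"))
            continue
        approved.append(p["payment_id"])
    return approved, rejected


def run_demo():
    """Constructed sample data: one clean payment and four different failures."""
    now = 1_700_000_000
    attestations = {
        "ACME": issue_attestation("ACME", "021000021", "123456789", issued_at=now - 86_400),
        # Issued 40 days ago with a 30-day lifetime: stale, must be re-validated.
        "GLOBEX": issue_attestation("GLOBEX", "026009593", "987654321", issued_at=now - 40 * 86_400),
        "INITECH": issue_attestation("INITECH", "011000015", "555000111", issued_at=now - 86_400),
    }
    # Simulate the stored record being edited without the service re-signing it.
    attestations["INITECH"]["record"]["account_number"] = "555000999"

    payments = [
        {"payment_id": "P-1", "vendor_id": "ACME", "bank_code": "021000021", "account_number": "123456789"},
        # Same vendor, but the account number was "updated" on the strength of an email.
        {"payment_id": "P-2", "vendor_id": "ACME", "bank_code": "021000021", "account_number": "999999999"},
        {"payment_id": "P-3", "vendor_id": "GLOBEX", "bank_code": "026009593", "account_number": "987654321"},
        {"payment_id": "P-4", "vendor_id": "INITECH", "bank_code": "011000015", "account_number": "555000999"},
        {"payment_id": "P-5", "vendor_id": "NEWCO", "bank_code": "121000248", "account_number": "444000111"},
    ]
    return check_payment_file(payments, attestations, now)


if __name__ == "__main__":
    approved, rejected = run_demo()
    print("approved:", approved)
    for payment_id, reason in rejected:
        print("rejected:", payment_id, "-", reason)
```

The point of the design is that the payment run never trusts the beneficiary details in the file itself: every line is compared against a record whose integrity and freshness are checked first, so an account change slipped in by an impersonation email (P-2), a stale record (P-3), a tampered record (P-4) and an unknown vendor (P-5) are all stopped before funds move.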

“This is not about 16-year-olds sitting in a basement, in the dark,” said Barzam, who noted the hackers targeting enterprises are part of well-organized criminal networks. “They’re really good at what they do. They invest in technology. They invest in research and analysis and they prioritize targets.”