In this opinion piece, Mark Chazan, Chief Executive Officer of Eftsure, outlines the five biggest misconceptions regarding cybercrime – and what CFOs can do about it.
Across the world, headlines increasingly feature shadowy hackers and devastating cybercrime. Closer to home, cyber incidents have impacted millions of Kiwis, including the Latitude Financial data breach – the largest of its kind in New Zealand.
For financial leaders, cyberattacks can sometimes feel like a threat that exists outside their jurisdiction. However, an organisation’s financial health is intertwined with cyber-defences. Cyber fraud attempts are getting harder and harder to detect, especially as artificial intelligence (AI) advances continue to give scammers an advantage.
Countering those growing threats requires awareness and vigilance among finance leaders. A good starting point is correcting these five common misconceptions:
1. We’re already vigilant, and our company isn’t big enough to target anyway
Unfortunately, cybercrime impacts many organisations and individuals throughout New Zealand. According to CERT NZ’s latest quarterly report, financial scams have driven a 66 per cent increase in direct financial losses compared to Q4 2022. Those losses total almost $6 million.
Digitisation means scammers can target anyone from anywhere, and they’re constantly on the hunt for unsuspecting new targets. Moreover, scammers have the upper hand in that they can repeatedly try and fail to defraud you at little to no cost, while your business needs to thwart these efforts every time to avoid serious losses. The overall result is an unfair fight that organisations can – and often do – end up losing.
2. Most scammers aren’t very sophisticated, so our defences are sufficient
Many people envisage cyber-criminals as rogue, hoodie-wearing scoundrels, sending typo-riddled emails that are obvious scam attempts. The reality is that cybercrime groups tend to be highly professional and operate like any other international organisation. For instance, a Kaspersky investigation found dark-web recruiters advertising attractive salaries, paid time off and tight-knit team cultures to white-collar candidates.
Additionally, technology can help scammers offset disadvantages like language barriers or time constraints. Even tightly moderated AI tools like ChatGPT can help fraudsters create professional-sounding scam messages at scale, while malicious AI tools like WormGPT or FraudGPT are designed to aid illicit activity and are likely trained on data that includes phishing or malware-related information.
3. Our best practice accounting controls protect us
When talking to finance leaders, it’s common to hear confidence in existing controls’ ability to thwart cyber-crime. But finance teams are up against cybercriminals who regularly search for new vulnerabilities and may even have intimate knowledge of their target’s financial processes.
These vulnerabilities include old-fashioned human error. Social engineering attacks like business email compromise (BEC) involve hacking into the email account of a supplier, executive or other trusted contact, then using that account to deceive accounts payable (AP) staff into making fraudulent payments.
Even if your employees closely adhere to control procedures, they may not have the resources or awareness to spot these sorts of sophisticated attacks. This will become even more problematic as AI makes it easier for cybercriminals to convincingly imitate voices.
4. Cybercrime prevention is the purview of IT or security professionals
Even in organisations with the resources for a dedicated cybersecurity team, CFOs and finance teams tend to be better placed to address cybercrimes like digital payment fraud.
While IT and security teams are tasked with protecting systems and data, they can’t singlehandedly stop AP employees from skipping a step in a control procedure or falling victim to BEC scams. By contrast, finance leaders have a clearer picture of their anti-fraud controls and any exploitable gaps.
So what can finance teams do to safeguard their organisations against cyber fraud? It starts with ensuring you’ve got the right people, processes and technology.
- Implement robust anti-fraud controls – and put them to the test. Ensure control systems are based on the principle of “least privilege,” meaning that people only have access to the data and applications they need to perform their jobs. Controls like verbal verifications can mitigate BEC risks, especially if employees know best practices such as using independently sourced phone numbers. Regularly pressure-test these controls – for example, send a fake phishing message to see if employees click the link.
- Re-evaluate technology solutions. Cybercriminals are leveraging technology. Are you? The right technology can automate and centralise key processes, ensuring control procedures are followed. It can also help employees make safer decisions, including real-time warnings before a payment is authorised.
- Educate staff and drive an anti-cybercrime culture. Continuous training is key. This should include security hygiene like password security, multi-factor authentication (MFA) and phishing awareness, along with awareness about control procedures and best-practice approaches to verification. More broadly, leaders need to cultivate a strong security culture in which employees feel comfortable to ask questions or put their hands up if something seems amiss.
Lastly, there’s strength in numbers. Finance leaders aren’t alone in the fight against cybercrime and digital fraud, so look for like-minded networks of businesses. A collective approach to cybersecurity strengthens the entire group’s defences – and can level a playing field that cybercriminals have been exploiting for too long.
Eftsure is Australasia’s market leader in payment fraud prevention. Specifically designed for businesses, our end-to-end solution safeguards more than $216bn in B2B payments per year. Our mission is to build a safer business community. With a large and continuously growing database of verified supplier details (the only one of its kind), we use multi-factor verification to give businesses greater knowledge and control over onboarding suppliers, receiving invoices and making payments. In short, we ensure our customers never pay the wrong people.
For more information, go to How to spot a BEC attack