Payment Protection for the Modern Age

  • James Richardson, Head of Market Development - Risk & Fraud at Bottomline Technologies

  • 09.04.2020 05:15 pm
  • cybersecurity , payments , Fraud

Modern cybersecurity professionals have succumbed to an arms race with criminals as corporate defence spends balloon, attempting to keep pace with ever-evolving infiltration and extraction techniques. As expenses grow, dangers continue to mount. In a recent Treasury Fraud and Controls Survey, 76% of respondents said they raised their company threat level because fraud attempts have increased 50% over the last three years. Additionally, nearly 60% of polled companies have been knowing targets.

Successful incursions average $310,000 (the equivalent of £240k) in losses, and it can take time for a victim to be paid back in full or even in part. This cash shortfall can cripple corporate clients who have obligations to pay employees, suppliers and lenders. Larger corporate clients may lose millions in a successful heist. Importantly, 87% of all businesses report they were unable to recover half of their loss in 2019. That figure rises to 93% for small to mid-size companies. When fraud strikes, 9 in 10 companies lose at least half of the compromised cash for good.

Cloud-based security systems can quickly and economically scale to meet this growing threat. Still, they are not yet the natural choice of cybersecurity professionals. Often, the largest financial institutions rely on in-house and legacy technologies, viewing security solutions as an in-house management and development task.  As a result, many tier-one banks have not yet reaped the benefits of a communal approach to cybersecurity.

Cloud-based solutions can learn from a network of user experiences, proactively adapting to new threats, and dealing in prevention rather than recovery. These systems not only monitor transactions but employ behavioural analytics to catch abnormal activity and account for human error. Unlike in-house security systems, cloud technologies help to safeguard payments from fraud at the outset – safety is in the DNA and is continually evolving.

As technology and time increase complexity, it’s vital that cybersecurity keeps pace. Legacy systems and in-house solutions might serve as a temporary patchwork, but cloud-based defences will better guarantee that your company and data security is adjusted to potential threats as and when presented.

Evolving Threats

Today, there are six forms of prevalent fraud each hovering at a concerning 20% or higher success rate. They include ransomware (19%), business email compromise or BEC (18%), system-level fraud (20.5%), wire fraud (23.5%), cheque fraud (33%), and bank mandate fraud (33%). Though forms such as system-level fraud pose a greater threat to top tier banks than small and mid-sized business, all forms share a handful of malicious qualities. They seek medium to large payoffs over smaller sums; they target the weakest point of a company’s operation chain, often people; and they leverage automation.

Each of these threats gain strength over time from increasingly cheap and sophisticated automation. As the costs and risks involved in launching email-based attacks continue to drop, so more companies are targeted.  According to the Treasury Fraud & Controls survey, a mere 10% of all companies didn’t report a business email compromise attempt.

Across the board, fraud methods are growing in sophistication and efficacy. The natural response for targeted companies is to try to secure the doors and windows from the inside, often at great expense and to limited benefit.

Dated Solutions

To address fraud – and other payment and cash security-related risks – many of the largest banks and financial institutions rely on in-house technology solutions. Often, in-house tech is outdated, with improvements and patches foisted upon legacy systems. They require institutional knowledge to maintain, and they adapt to new threat environments slowly. Importantly, in-house solutions do not have access to the lessons learned by peer companies. Each defence system is isolated, and competitor companies are at best reluctant to share details of their vulnerabilities and security breaches.

Imagine two scenarios:

In the first, your home computer needs an antivirus update. To execute this update, you to send a system diagnosis to your software provider, pick up a CD with your relevant updates, and then install it manually. This process is the personal equivalent of an in-house cybersecurity update, and it fell from common usage more than a decade ago. Now, cloud services automatically and frequently protect your computer, deploying software informed by an anonymous database of threats from around the world. In-house means delays and potential chinks in the armour.

In the second scenario, there is a robber who is targeting a cul-de-sac with five homes. The robber looks through the windows of each house and finds that four of the five have an alarm, while one does not. The burglar naturally chooses the softest target. Not only is the home without the alarm the easiest to steal from, it practically advertises itself by its lack of protection. This apathy is why people without alarms might put a security company’s sticker on their window anyway.

More obviously, firms that have employed cloud-based security software might similarly get a pass from criminals looking for low risk, high reward heists. These folks are experienced fraudsters who can figure out fairly quickly if they’re dealing with an in-house defence system or cloud-based shield.

In-house solutions might sound like a good idea. You can create a tailor-made security system company that keeps transaction information and client data safely in your hands. But in reality, you’re isolating yourself and painting a target. What you really need is an expert.

Security is in the DNA

Cloud-based cyber defence solutions built with modern challenges in mind will better safeguard customer and payment information. Better to defend your castle with a mobile intelligence and reconnaissance capability than a simple moat.

Cloud systems offer two capabilities that are impossible to duplicate in-house because they rely on the compilation and analysis of large data sets that individual companies can’t access:

  • Transaction Monitoring: a review of all transactions and transfer of payments in flight. Critically, this feature should function up to the second because real-time payments make it more challenging to identify and intercept fraudulent transactions before they complete. There is little value in a statement that informs you of fraud, especially in a world where it is hard to recover losses – you need to prevent fraud. Transaction monitoring should identify abnormally large payments and figures, accidental double payments, and abnormal activity.
  • Behavioural Analysis: user-level transaction monitoring that targets anomalous individual activity. To complement and modernise transaction monitoring software, your security system must employ behavioural analytics. With this capability, your tech is not only watching for large data, but also any action considered out of the ordinary. For example, this would prevent the execution of a payment at 3:00 am from a user who never logs in past 8:00 pm. Behavioural analysis allows for a more realistic approach to fraud prevention. Not all software comes with this feature, though, so it is important to prioritise it in your search.

The benefits of big data analysis, artificial intelligence, and machine learning all emanate from increased computational power and the sharing of large and disparate data sets. In both of these regards, in-house security systems lag. Increasing computing power in isolation is expensive and hard to scale. Remaining removed from a network means there’s less data to analyse and therefore less to learn. Cloud-based security systems advance far more rapidly than in-house defences, keeping your money safe and warding off potential criminals.

Other Blogs