
Overcoming Cyber Threats to Payments Security

Recently, Gene Scriven, chief information security officer at ACI, spoke at NACHA Payments 2019 on the ever-changing landscape of cybersecurity. Here are a few highlights from his session, including the impacts of cybersecurity breaches, today’s emerging threats and the new strategies to keep your organization safe.

The True Costs of Cybersecurity Breaches

Organizations impacted by breaches almost always find themselves in the news, and with good reason. Depending on the size of the organization, thousands, sometimes millions of customers are affected. Combining the top 21 breaches in 2018, we found that more than 2.5 billion customers worldwide were impacted.

That is roughly a third of the world’s population. With that volume of customer data exposed, it is no surprise that 74 percent of organizations surveyed reported being a victim of payments fraud.

In addition, the average cost of a data breach in 2018 was $3.86 million, up 6.4 percent over 2017, and the average cost per record was $148, up 4.8 percent from $141 in 2017. With costs rising, organizations cannot afford to relax on cybersecurity: millions of dollars and billions of customer records are at stake.

The New Threat Landscape

Cybercrime is growing constantly and shows no sign of slowing. One estimate holds that ransomware attacks will quadruple by 2020 and that cybercrime damage will cost $6 trillion in 2021. By 2022, the human attack surface is projected to reach 6 billion people as more and more of the world’s population moves online.

This growth is accompanied by greater sophistication from hackers and cyber thieves. In 1998, the top threats were born of weaknesses such as uncontrolled modems, no security verification or monitoring, and poor password practices. Today, fixing those basics is table stakes, and the threats have moved on to targeted phishing, poor patching, attacks on Internet of Things devices and sophisticated malware.

Threats have also become faster and more complex. Where attacks were once slow to unfold, they now run in real time, target specific organizations and are supplied by a marketplace of specialists who sell access, tooling and stolen data. What attackers obtain is readily monetized, and their tooling is built to probe a system continuously for exploitable vulnerabilities.

Human Error Creates Cybersecurity Issues

Unfortunately, when it comes to security online, humans can be their own worst enemy. Phishing attacks have risen in popularity over the past few years and take advantage of the unsuspecting in several ways. Business email compromise (BEC) is a targeted (spear-phishing) attack that exploits existing business relationships within an organization. For instance, a malicious email may appear to come from a co-worker, executive or vendor and will either ask for sensitive information or request that invoices be paid to a different account, one that the scammer controls.

Since December 2016, identified exposed losses from BEC scams have increased 136 percent, to more than $12 billion.[i]

Best Practices for Beating Phishing Scams

There are several ways for people to protect themselves from phishing scams both at work and at home.

  1. Check the email address – A sending address with a misspelled or incorrect domain (for example, ACII.org with an extra letter) is a clear sign that something is wrong. Never open anything within, or reply to, an email from such an address.
  2. Are you expecting the message? – Your bank emailing you out of the blue to ask for your password is a sure sign that something is wrong. Unless you have reason to expect an email asking for sensitive information, be very cautious. Even if you are expecting an email, double-check the source to make sure it is legitimate.
  3. Is this normal behavior? – If your boss or a trusted vendor suddenly emails asking for information beyond what is standard, or suggests sending payments to a new account, contact them through a different channel (such as a phone number you already have on file, not one given in the email) before proceeding. Most payment processes are highly regulated or standardized, so any deviation should be treated as suspicious.
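The three checks above can be applied mechanically to inbound mail before a human ever reads it. The script below is an added example, not code from the original page or from ACI: it runs each check (look-alike sender domain and mismatched Reply-To, unsolicited request for credentials, payment instructions that deviate from the vendor's record) over a few constructed messages and returns a triage verdict. The known-domain list, the vendor master record and the sample messages are all invented for illustration.

```python
"""Rule-based BEC/phishing triage (added example, not the page's own code).

KNOWN_DOMAINS, VENDOR_ACCOUNTS and SAMPLES are constructed for this example.
"""
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed allow-list of domains this hypothetical organization and its
# approved vendors actually send from.
KNOWN_DOMAINS = {"aci.org", "example-vendor.com"}

# Constructed vendor master record: the remittance account each vendor has on
# file.  A payment instruction naming any other account is a deviation.
VENDOR_ACCOUNTS = {"example-vendor.com": "DE89370400440532013000"}

PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}?\b(bank|account|iban|routing)\b", re.I | re.S)
SENSITIVE_REQUEST = re.compile(
    r"\b(password|passcode|login|credentials|ssn|social security)\b", re.I)
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


@dataclass
class Finding:
    check: str    # which of the three checks fired: sender / expected / normal
    detail: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike domains (aci.org vs acii.org)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header: str) -> str:
    """Lower-cased domain part of an RFC 5322 address header ('' if absent)."""
    return parseaddr(header)[1].rpartition("@")[2].lower()


def check_sender(msg: dict) -> list:
    """Check 1: is the sending domain one we know, or a near miss of one?"""
    dom = domain_of(msg.get("From", ""))
    findings = []
    if dom not in KNOWN_DOMAINS:
        near = sorted(k for k in KNOWN_DOMAINS if edit_distance(dom, k) <= 2)
        detail = f"{dom} looks like {near[0]}" if near else f"{dom} is not a known sender domain"
        findings.append(Finding("sender", detail))
    reply = domain_of(msg.get("Reply-To", ""))
    if reply and reply != dom:          # replies silently diverted elsewhere
        findings.append(Finding("sender", f"replies go to {reply}, not {dom}"))
    return findings


def check_expected(msg: dict) -> list:
    """Check 2: unsolicited requests for credentials or other sensitive data."""
    m = SENSITIVE_REQUEST.search(msg.get("Body", ""))
    return [Finding("expected", f"asks for '{m.group(0)}' by email")] if m else []


def check_normal(msg: dict) -> list:
    """Check 3: payment instructions that deviate from the vendor's record."""
    body = msg.get("Body", "")
    dom = domain_of(msg.get("From", ""))
    findings = []
    if PAYMENT_CHANGE.search(body):
        findings.append(Finding("normal", "message asks to change the payment destination"))
    on_file = VENDOR_ACCOUNTS.get(dom)
    for iban in IBAN.findall(body):
        if iban != on_file:
            findings.append(Finding("normal", f"account {iban} is not the one on file for {dom or 'unknown sender'}"))
    return findings


def triage(msg: dict) -> list:
    return check_sender(msg) + check_expected(msg) + check_normal(msg)


def verdict(msg: dict) -> str:
    return "VERIFY OUT OF BAND" if triage(msg) else "OK"


# Constructed sample messages: one look-alike vendor asking to reroute payment,
# one genuine invoice, one credential phish from a misspelled internal domain.
SAMPLES = {
    "lookalike_vendor": {
        "From": "Accounts Payable <billing@example-vend0r.com>",
        "Reply-To": "ap-team@mail-relay.example",
        "Body": "Hi, we have changed our bank. Please pay all open invoices to our new "
                "account, IBAN GB29NWBK60161331926819, starting today.",
    },
    "legit_invoice": {
        "From": "Accounts Receivable <billing@example-vendor.com>",
        "Body": "Attached is invoice 4412 for March, payable as usual to "
                "DE89370400440532013000 within 30 days.",
    },
    "credential_phish": {
        "From": "IT Helpdesk <helpdesk@acii.org>",
        "Body": "Your mailbox is over quota. Reply with your password within 24 hours to keep access.",
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: {verdict(msg)}")
        for f in triage(msg):
            print(f"  [{f.check}] {f.detail}")
```

The point of the third check is that the vendor record, not the email, is the source of truth: a new account number is flagged even when the sender domain is genuine, which is exactly the case when a real vendor mailbox has been compromised. A production version would also compare display names against the address book and consult DMARC results, but the structure stays the same.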

By staying vigilant and notifying the right people when a suspicious email is received or when someone reaches out about something out of the ordinary, employees can avoid potential financial or reputational damage to their organization.

Phishing is just one of the 12 biggest threats to payments security. Don't be caught off guard: read how to defend against all 12 threats in Gene's blog.

(All statistics are drawn from the Ponemon Institute and the 2017 AFP Payments Fraud and Control Survey unless otherwise noted.)



[i] FBI official news clipping