Overcoming Cyber Threats to Payments Security
Recently, Gene Scriven, chief information security officer at ACI, spoke at NACHA Payments 2019 on the ever-changing landscape of cybersecurity. Here are a few highlights from his session, including the impacts of cybersecurity breaches, today’s emerging threats and the new strategies to keep your organization safe.
The True Costs of Cybersecurity Breaches
Organizations impacted by breaches almost always find themselves in the news, and with good reason. Depending on the size of the organization, thousands, sometimes millions of customers are affected. Combining the top 21 breaches in 2018, we found that more than 2.5 billion customers worldwide were impacted.
That’s almost a third of the world’s population, and with that kind of data at stake, it’s no wonder that 74 percent of organizations have been a victim of payments fraud.
In addition, the average cost of a data breach in 2018 was $3.86 million, up 6.4 percent over 2017. The average per record cost was $148, up 4.8 percent over $141 in 2017. With costs rising, organizations simply cannot afford to relax when it comes to cybersecurity. There are literally millions of dollars and billions of customers at stake.
The New Threat Landscape
One stark fact we must all face is that cybercrime is constantly growing and shows no signs of slowing. By 2020, it is estimated that ransomware attacks will quadruple, with cybercrime damage costs rising to $6 trillion in 2021. And in 2022, the human attack surface will reach 6 billion people as more and more are incorporated into the digital world.
This growth is accompanied by greater sophistication from hackers and cyber thieves. In 1998, the top threats were born of things such as uncontrolled modems, no security verification or monitoring, and poor password practices. Today, those seemingly basic practices have become table stakes and have been replaced by threats that include targeted phishing scams, poor patching, Internet of Things attacks and sophisticated malware.
The changes in information security threats have also gotten faster and more complex. Whereas in the past attacks may have been slow to occur, today they are in real-time, specifically targeted and from a complex marketplace of sophisticated specialists. The information hackers obtain is readily monetized and the techniques used are generally designed to continuously attack a system to create and detect vulnerabilities.
Human Error Creates Cybersecurity Issues
Unfortunately, when it comes to security online, humans can be their own worst enemy. Phishing attacks have risen in popularity over the past few years and take advantage of the unsuspecting in a few different ways. Business email compromise (BEC) is a targeted phishing (spear-phishing) attack that focuses on exploiting business relationships within an organization. For instance, a malicious email may appear to come from a co-worker or vendor, and will either ask for sensitive information or request invoices be paid to a different account that the scammer owns.
Since December 2016, there has been a 136 percent increase in identified exposed losses, now totaling more than $12 billion in losses associated with BEC scams.[i]
Best Practices for Beating Phishing Scams
There are several ways for people to protect themselves from phishing scams both at work and at home.
- Check the email address – Email addresses with misspellings or incorrect addresses (ACII.org, etc.) are a clear sign that something is wrong. Never open anything within or reply to an email from an address such as this.
- Are you expecting the message? – Your bank emailing you out of the blue to ask for your password is a sure sign that something is wrong. Unless you have reason to expect an email asking for sensitive information, be very cautious. Even if you are expecting an email, double-check the source to make sure it’s legit.
- Is this normal behavior? – If your boss or a trusted vendor suddenly emails asking for information beyond what is standard, or suggests sending payments to new locations, be sure to contact them in a different manner before proceeding. Most processes are highly regulated or standardized, so any deviation should be seen as suspicious.
By staying vigilant and notifying the right people when a suspicious email is received or when someone reaches out about something out of the ordinary, employees can avoid potential financial or reputational damage to their organization.
Phishing represents just 1 of the top 12 biggest threats to payments security. Don't be caught off guard. Read about how to defend yourself against all 12 threats in Gene's blog.
(All stats contained within are derived from the Ponemon Institute, 2017 AFP Payments Fraud and Control Survey, unless otherwise noted.)
[i] FBI official news clipping