Install security programs on mobile devices
Even before the current health crisis, email was a dominant channel for delivering financial malware, with 65 percent of threat groups using spear-phishing to compromise corporate networks. The 2019 AFP Payments Fraud and Control Survey Report found that third-party payments fraud continues to increase, with 44 percent of business email compromise (BEC) attacks perpetrated by criminals impersonating vendors.
Increasingly, cyber attackers are taking advantage of the COVID-19 situation to target individuals and organizations using advanced social engineering, which is the psychological manipulation of people into performing actions or divulging confidential information.
“For example, more recently, we’ve seen a number of mobile applications being pushed out to mobile app stores that are malicious, but claim to be focused on helping individuals navigate the risk of infection,” stated Leach. “Some have taken on an authoritarian approach, demanding that users install the applications in order to comply with government mandates to track their activities. Of course, once individuals install and open the app, their data is then stolen or compromised.”
“To protect themselves, users are advised to leverage reputable anti-malware and anti-virus programs for their mobile devices and update them regularly, as they would for their home and office computers. Mobile security apps such as Lookout or MyPermissions, which can scan your device and tell you which apps are accessing your information, are helpful as well,” Leach added. “In general, when downloading apps, ensure permissions are restricted to only those capabilities required to operate them.”
Encourage employees to report suspicious activities
While these problems are widespread, so too is awareness. In response to growing threats, more than 75 percent of companies have indicated they are adopting stronger internal controls that prohibit initiation of payments based on emails or other less secure messaging systems.
A recent poll by J.P. Morgan of more than 200 corporate and financial institution clients in Asia Pacific revealed that nearly 92 percent of respondents believe the best method for preventing social engineering and phishing attempts is to train and educate employees against clicking on phishing links and navigating to untrusted websites. In the same poll, nearly 96 percent believed encouraging employees to actively report phishing and vishing attempts, or suspicious activity to the security operations center is vital.
Best cybersecurity practices to combat risk
Having strong controls in place to deal with cyber threats is key. It’s important to remind treasury and finance employees of cybersecurity best practices when working remotely. These include securing home Wi-Fi networks, only using company-approved communications tools, never sending work documents to personal email accounts, and keeping personal device operating systems and applications up to date with the latest versions.
Best practices should also include establishing procedures for authenticating callers, reporting suspicious activity, approving changes to account details or transactions, and being familiar with all procedures necessary for maintaining effective controls that protect the organization.
“Companies need to put strong mechanisms in place to authenticate the party they are communicating with, particularly as it pertains to transactions and business assets,” said Leach. “Employees are increasingly migrating to text messaging applications to communicate. This in turn circumvents traditional call-back procedures, thus creating a vulnerability that bad actors can exploit to spoof a legitimate transaction request.” In short, verify payment requests; don’t move money based solely on a text, email or telephone instruction, even from a trusted vendor.
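The control described above, a payment or bank-detail change request that is never acted on from the message alone but only after a call-back to the number already on file, can be made mechanical. The following is an added example, not code from the article or from J.P. Morgan: it screens an incoming change request against a vendor master record, rejects senders whose domain is unknown or a lookalike of a registered vendor domain (the most common vendor-impersonation pattern), ignores any "confirmation" phone number supplied in the message itself, and only approves once the call-back was placed to the number on file and the vendor confirmed. The vendor record, the `ChangeRequest` shape, and the sample requests are all constructed for illustration.

```python
"""Vendor-impersonation screen for payment / bank-detail change requests.

Added example, not from the original article. VENDOR_MASTER and the sample
requests are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed vendor master record. This is the ONLY trusted source of contact
# data: a phone number or IBAN that arrives in an e-mail or text is never used.
VENDOR_MASTER = {
    "acme-supply.com": {
        "name": "Acme Supply",
        "callback_phone": "+1-555-0100",
        "iban": "GB00ACME0000000001",
    },
}


@dataclass
class ChangeRequest:
    sender: str            # From: address of the e-mail or message
    vendor_name: str       # vendor the sender claims to represent
    new_iban: str          # account the sender asks to pay from now on
    phone_in_message: str  # number the sender asks you to "call to confirm"


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def lookalike_domain(domain: str):
    """Return the registered vendor domain this one imitates, or None."""
    for known in VENDOR_MASTER:
        if domain == known:
            continue
        label = known.split(".")[0]          # e.g. "acme-supply"
        if levenshtein(domain, known) <= 2 or label in domain:
            return known
    return None


def screen(req: ChangeRequest) -> dict:
    """First-line decision: reject, or hold for call-back. Never approves."""
    domain = sender_domain(req.sender)
    reasons = []
    if domain not in VENDOR_MASTER:
        imitated = lookalike_domain(domain)
        if imitated:
            reasons.append(f"sender domain {domain} imitates registered domain {imitated}")
        else:
            reasons.append(f"sender domain {domain} is not a registered vendor domain")
        return {"decision": "reject", "reasons": reasons, "callback_to": None}

    record = VENDOR_MASTER[domain]
    if req.phone_in_message != record["callback_phone"]:
        reasons.append("phone number in message differs from vendor master and is ignored")
    if req.new_iban != record["iban"]:
        reasons.append("request changes bank details on file")
    # Even a clean request from the genuine domain is only held for call-back:
    # the sender's mailbox may itself be compromised.
    return {"decision": "verify_by_callback", "reasons": reasons,
            "callback_to": record["callback_phone"]}


def confirm_after_callback(req: ChangeRequest, number_dialed: str, vendor_confirmed: bool) -> str:
    """Second step: approve only if the call went to the number on file."""
    record = VENDOR_MASTER.get(sender_domain(req.sender))
    if record is None or number_dialed != record["callback_phone"]:
        return "reject"
    return "approve" if vendor_confirmed else "reject"


# Constructed sample requests.
LOOKALIKE_REQUEST = ChangeRequest("ap@acme-suppIy.com", "Acme Supply",
                                  "DE00EVIL0000000099", "+1-555-0199")
GENUINE_DOMAIN_REQUEST = ChangeRequest("ap@acme-supply.com", "Acme Supply",
                                       "DE00EVIL0000000099", "+1-555-0199")

if __name__ == "__main__":
    for r in (LOOKALIKE_REQUEST, GENUINE_DOMAIN_REQUEST):
        print(r.sender, "->", screen(r))
    print(confirm_after_callback(GENUINE_DOMAIN_REQUEST, "+1-555-0199", True))  # reject: wrong number
    print(confirm_after_callback(GENUINE_DOMAIN_REQUEST, "+1-555-0100", True))  # approve
```

The point of splitting `screen` from `confirm_after_callback` is that no code path, and therefore no single employee, can approve a change from the message alone; the approval needs the call-back number from the master record as an argument, which is exactly the procedure that moving the conversation to a text-messaging app otherwise bypasses.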
Treasury and finance organizations would be well served to conduct regular resiliency tests and training exercises to build preparedness among staff and ensure technology can effectively support contingency situations. Once employees have been trained, actively test them. For example, send employees targeted simulated phishing emails, then require those who clicked on the simulated messages to take additional training.