Fintech’s Cybersecurity Soft Spot: Vendors
Recent cyberattacks on IT resources firm SolarWinds and energy supplier Colonial Pipeline may look like they have little to do with fintech, but they have one commonality that should make fintech companies take notice: supply chains were at the crux of the cyberattacks and made the companies vulnerable. The SolarWinds attack backdoored software patches that reached 18,000 vendors, exposing email addresses all the way up to the upper echelons of the U.S. government. The Colonial Pipeline attacks used ransomware as a stranglehold on their data management system to shut down oil and gas supplies. Involving multiple countries, the scams exploited global commerce networks that have the capability to bring fintech companies to their knees. Organizations, especially fintechs, are only as impenetrable as their vendors — or scammers posing as vendors.
A Growing Criminal Enterprise
As the pandemic accelerates digital adoption in areas ranging from payment providers to educational opportunities, the virtual space has become ripe for chicanery. Schemes use social engineering to take advantage of the high level of client and consumer trust required to engage in digital payments. A recent Juniper Research study found that e-commerce fraud losses are expected to reach over US $20 billion in 2021, an increase of 18% over last year.
Source: Juniper Research
While global e-commerce losses are more concentrated in North America, fintech fraud crosses borders in most cases. As fake websites are hosted in one country, email addresses in another, and accounts with neobanks in yet another country, it’s sometimes a challenge to pin down where the scams originate. Although cyber criminals disproportionately target victims in high-income countries, they’re unscrupulous with how wide they cast their nets.
By 2025, China is expected to be the largest single e-commerce fraud market, shouldering 40% of global e-commerce losses, amounting to US $12 billion. It comes as no surprise that China, the largest global market for e-commerce, is more susceptible to fraud considering the “lack of fraud detection and prevention platform deployment” in the given market.
However, cybersecurity spending has experienced a slowdown, declining to 7% (CAGR) growth by 2023, according to Gartner. Boards are demanding better data and questioning the return on investment after years of large cybersecurity budgets. Fintech executives focus on compliance with government regulations, which doesn’t ensure network protection.
Diversifying the Portfolio
Cybersecurity has become a greater concern for consumers, with 41 percent of consumers citing fraud as their biggest hesitation about transitioning to more online commerce. Recently, 65 percent of customers surveyed said they would abandon an e-merchant if they experienced a data breach.
As online businesses become easier to set up, fake websites proliferate as well. Since the pandemic, Ronnie Tokazowski, senior threat researcher at cybersecurity firm Agari, says that a plethora of fake websites have appeared, soliciting victims to apply for government benefits by entering personal data and then funneling the funds to digital bank accounts belonging to the fraudsters. At least 50 financial institutions in Europe, Asia-Pacific, and the U.S. had lookalike domains set up to harvest personal data and install Trojan horse malware.
The types of fintech fraud have evolved to become more complex and layered in the past year. The same simplicity used to establish innovative, credible start-up fintechs is being leveraged for nefarious purposes. Cybercriminals can create a dummy website, open a bank account and shut it all down before they can be traced by banking, regulatory and legal authorities. A Chicago company specializing in hand sanitizer invested nearly US $1 million in an overseas firm that was supposed to manufacture ventilators. The fraudulent transaction was then reported to the International Financial Fraud Kill Chain (FFKC), which eventually froze the assets — but not before some of the funds had been wired into a cryptocurrency account.
The above chart illustrates how a Nigerian cybercrime group called Scattered Canary has developed more sophisticated schemes since it began with Craigslist scams in 2009. The group has branched into business email compromise (BEC) scams with payroll diversions, gift cards and wire transfers. The group has also more recently developed complex schemes involving unemployment fraud, pension schemes, and bank loan scams.
Phishing has expanded to include methods like “smishing” for SMS messaging, “vishing” for voice calling, and “pharming” for website redirection to a fake site. Many of these fraudulent methods are convincing as genuine, especially for users new to online commerce or even those tapping into unfamiliar domains. Overall, one third of people have bought items online during the pandemic they wouldn’t have in normal circumstances. Most retailers are also planning or already selling via social media channels, which can lead to additional cyber risks for merchants and consumers.
Each data breach in the financial sector is estimated to cost US$6 million; gone are the days when fraud simply involved stealing credit card numbers. When India’s national ID database Aadhaar experienced a data breach in 2018, over 1.1 billion citizens had their biometric data, including iris and fingerprint information, compromised. These types of unique identifiers could be used to open bank accounts and apply for government benefits; ironically, the data was subsequently sold on WhatsApp.
Business email compromises (BEC) and vendor email compromises (VEC) entail the greatest risks for fintechs. By employing sophisticated social engineering and computer intrusion techniques, cybercriminals are interacting with legitimate business email accounts, impersonating vendor emails and giving new bank account details to transfer digital payments to cybercriminals. Last year, the U.S. Internet Complaint Center (IC3) reported an uptick in stolen identities used to establish bank accounts to receive funds, which were then promptly transferred to cryptocurrency accounts. There was a 65% increase in bitcoin transferred across the dark web in the first quarter of 2020.
“Bad actors are changing tactics and finding new ways to make money. They’re not static. They do the research and target organizations and see if it’s viable to get a payout. They’ll do a lot of penetration testing to move within the network to try to gain as much access as possible. They’re looking at net worth, cyber insurance, where tech backups are and steal the data. They’ll encrypt the files and steal it or release it online for free. They pivot really well — better than many organizations.”
Tyler Hudak - Cybersecurity Expert, TrustedSec
As cyber fraud is becoming more rampant, financial leaders are scrutinizing cybersecurity measures within their supply chains. Over 60 percent of bank executives now believe that third-party cybersecurity firms need to be deployed throughout the value chain.
Emerging Markets as a Nexus
Although many of the targets are in high-income countries, cybercriminals tend to originate their schemes in emerging markets.
“Emerging markets leverage newer technology that is yet to be regulated, allowing for the ability to obfuscate traditional controls in place to prevent fraud. But it is important to note that anyone, anywhere can send and receive cryptocurrency with no government oversight. Distributed exchanges that are not centrally managed allow for easy swapping of cryptocurrency which has provided a means for the ability to quickly exchange stolen or extorted cryptocurrency.”
Patrick Garrity - VP of Operations, Blumira
Through blockchain technology, bad actors can quickly cover their tracks, leaving little forensic evidence of the perpetrators’ work or where the money has disappeared. “With blockchain technology, new schemes can be spun up by anyone overnight, allowing the possibility for new extortion schemes to spin up,” adds Garrity.
Many of these cyber-enabled fraud schemes originate from organized networks in Nigeria, according to the FBI. Africa’s largest economy, Nigeria has been fertile ground for fintech startups but it is also associated with “advanced fee” scams, which generally involve emails offering riches for a small upfront fee, tricking the victims into sharing their personal bank account information. Recently, cybercriminals have taken advantage of global stay-at-home orders. One popular scam starts with a fraudster, posing as a legitimate vendor, reaching out to a worker operating remotely and requesting online payment through a new payment channel or new bank account. Vendors can be suppliers, payroll providers, banking institutions — any organization that the relevant company departments interact with. Once the funds are in a new bank account, they are immediately transferred to another bank or cryptocurrency account.
Cybercriminals are using BEC to funnel digital payments to an unwitting money mule, who then transfers the funds to another financial institution. The incoming funds originate from an organization that thinks it is paying a vendor when in fact it has made a payment to an unsuspecting catfishing victim. The victim then transfers the funds out to a third-party bank account, which they believe belongs to their romantic interest.
With neobanks offering alternatives to brick-and-mortar financial institutions, victims may be unfamiliar with online financial institutions they’ve never heard of. And as digital banking becomes more ubiquitous, victims, especially those who are new to e-payment platforms, may not be aware of how to verify or secure their transactions, or which payment platforms are legitimate. Fintech makes digital payments convenient, but it also fools people into thinking that all e-commerce is legitimate.
Source: IC3 2020 Annual Report
Recently, scammers targeted one of Africa’s biggest fintech startups, Paystack, with an elaborate scheme to elicit funds from hopeful Nigerian students looking to enroll in graduate school abroad. A fake website, touting an online English proficiency test to qualify for scholarships to study abroad, tricked potential Nigerian students into making payments multiple times under tight deadlines.
Increasingly, fintech startups are used as payment gateways on dubious websites to quickly funnel money to fraudsters. In Nigeria, as well as other African countries, bank verification numbers of directors and trustees, certificate of registration from the Corporate Affairs Commission, and corporate bank accounts are required before they become vendors on Paystack. It’s not clear how the scammers were able to pass the verifications required by Paystack, which is being acquired by Stripe.
Email compromise scams resulted in the highest loss last year, costing at least US$1.8 billion. Lookalike domains and email spoofing look so genuine that the schemes have managed to swindle billions from thousands of unsuspecting victims, even some who are business savvy. In 2020, Barbara Corcoran, founder of the real estate brokerage and investment firm Corcoran Group and a Shark Tank judge, was nearly swindled out of US$400,000 when one letter in her assistant’s email address was switched.
“Vendor email compromise scams most resonate with fintech companies. Scammers request aging reports with sensitive vendor information, impersonate businesses with lookalike domains, and request funds to be transferred to new online bank accounts. They have been the most successful schemes affecting fintechs, and the majority of them have a West African nexus.”
Ronnie Tokazowski - Senior Threat Researcher, Agari
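A defender-side sketch of the pattern described above, added here as an example and not taken from Agari or from this article: it flags sender domains within two edits of an allowlisted vendor domain (which covers a single switched letter) and messages that ask for new bank details or an aging report. The vendor domains, the regex wording and the sample messages are constructed assumptions.

```python
import re

# Constructed vendor allowlist and assumed wording patterns (hypothetical values).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwindpayroll.com"}
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|iban|routing|wire)\b", re.I | re.S)
AGING_REPORT = re.compile(r"\baging report\b", re.I)

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # two adjacent letters swapped
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(address, max_distance=2):
    """Return ('known' | 'lookalike' | 'unknown', matched vendor domain or None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return ("known", domain)
    for vendor in sorted(KNOWN_VENDOR_DOMAINS):
        if osa_distance(domain, vendor) <= max_distance:
            return ("lookalike", vendor)
    return ("unknown", None)

def triage(message):
    """List reasons to verify a message out of band before paying."""
    status, vendor = classify_sender(message["from"])
    reasons = [f"sender domain imitates {vendor}"] if status == "lookalike" else []
    # Checked even for known domains: a genuine vendor mailbox can be compromised.
    if PAYMENT_CHANGE.search(message["body"]):
        reasons.append("asks to change payment details")
    if AGING_REPORT.search(message["body"]):
        reasons.append("asks for an aging report")
    return reasons

# Constructed sample messages, not real traffic.
SAMPLE_MESSAGES = [
    {"from": "billing@acme-supplies.com", "body": "Invoice 1042 attached, net 30 as usual."},
    {"from": "billing@acme-suppiles.com", "body": "Please use our new bank account for wires."},
    {"from": "ar@acrne-supplies.com", "body": "Could you send the latest aging report?"},
]
for msg in SAMPLE_MESSAGES:
    print(msg["from"], "->", triage(msg) or "no flags")
```

Any non-empty result is a cue to confirm the request through a contact channel already on file for the vendor, not one supplied in the message.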
Fighting Tech With Tech
As the fintech fraudsters become more sophisticated, technology innovations are being deployed to protect digital payments. A hybrid cloud strategy, combining public and private cloud computing, can enhance agility and reduce expenses. A distributed cloud approach brings data closer to the retailers and customers, which not only complies with regulatory constraints but also reduces the expenditures associated with data analysis. Merchants can use AI, machine learning and IoT to churn through big data to analyze customers’ transaction profiles.
“In today’s climate of increased risks for consumers, it can help companies more proactively address cybercrime, uncovering unusual transactions and mitigating attempts at fraud before a customer even knows they were a target.”
Roy Aston - Chief Information Officer, Paysafe
Among other tools, AI is already deployed in multiple ways to detect fraud. Payment firm Vocalink uses AI to detect fake invoices, saving US $9 million in one pilot program. AI can improve biometric authentication and eliminate weaknesses to increase security and make the applications more robust, like Apple’s face identification technology. Such technology maintains a seamless user experience while providing sufficient security protocols. Machine learning analyzes historical data to recognize fraudulent schemes, rendering human supervision optional for effective fraud prevention.
Cyberinsurance as an industry has risen in popularity as a tool against fraud, but hackers are also using insurance data to target their victims. The industry is projected to grow 21.2 percent CAGR by 2025 to US$20.4 billion. The insurance payout could incentivize criminals to target certain fintech companies; regulatory authorities discourage ransomware payouts simply for that reason.
As scammers become more sophisticated, more fake vendors will be created, and legitimate vendors will be exploited as a backdoor into payment platforms. Whatever cybersecurity measures fintech companies employ within their own organization, payment platforms are only as safe as the vendors they do business with.
Image courtesy of Reproductive Health Supplies Coalition