With significant ramifications for South African businesses that have vulnerabilities in their payment systems, the growth in financial and accounting hacking through phishing and Business Email Compromise (BEC) has made headlines.
However, strong financial controls combined with strong server, IT, and email monitoring processes aren't enough if staff aren't savvy to the psychological tricks scammers use to manipulate people, making them more susceptible to tricker and deception,says Ryan Mer, CEO at eftsure Africa, a Know Your Payee™ (KYP) platform provider.
The idea that only gullible people are victims of payment fraud and cybercrime is hazardous because it breeds complacency among highly educated people who hold senior positions in organisations. Criminals that engage in paying are frequently highly talented, well-equipped, and knowledgeable enough about their field to pass for professionals, Mer added.
Manipulating credibility and trust
In order to obtain information or persuade targets to act, con artists rely on human instincts to be kind, avoid conflict, and find quick and efficient solutions to problems.
An attempt to gain the trust of a potential victim by posing as a well-known or reliable individual is a common modus operandi. Examples include a worker getting a letter from the finance director of a company telling them to make a quick payment to a vendor or an HR manager getting a nice email from a worker asking that their bank information be altered for payroll purposes.
According to Mer, “an employee’s desire to perform their duties swiftly and competently, especially for a trusted figure of authority, is manipulated by criminals who rely on an instruction being actioned without question for a scam to be successful. In such instances, only an automated system for detecting red flags in outbound payments can offer the level of protection organisations really need to counter human error.”
Making use of urgency
Despite scammers' increasing creativity, a tried-and-true strategy that hackers frequently use is making their victims feel as though something is urgent. According to Mer, phishing emails and business email compromise scams are made to increase the likelihood that employees will report a potential concern by coaxing them into doing so. Scammers entice victims into taking rapid action before they have time to stop and consider the actions they are taking. Establishing procedures that force employees to take their time and carefully review all actions involving payments is essential.
Before granting an urgent request, one should exercise caution and carefully verify any abrupt changes in a customer's or supplier's business operations, such as the addition of a new point of contact or a change to their email address or banking information. Scammers frequently rely on the herd effect, in which individuals in organisations behave as their peers do.
There is a chance that if one member of a team cooperates with a con artist, it could lead to similar deception of other team members.
There is a chance that if one member of a team cooperates with a con artist, it could lead to similar deception of other team members. Even the most attentive teams can fall victim to sophisticated phishing and BEC scams, thus having sound business procedures and knowledgeable employees only goes so far in defending a company.
Future threats
It is a moving target since cybercrime is always changing. South Africa ranked third globally in terms of the number of cybercrime victims, according to Interpol's most recent African Cyberthreat Assessment Report, which was published in 2021. The report estimated that the country's annual cost from cybercrime is an astounding R2.2 billion. For South African businesses, it is essential to maintain knowledge of the most recent scams and the methods used to carry them out. Moreover, independent third-party verification systems like eftsure can provide a much-needed additional layer of protection by automating payment checking and supplier verification, saving time on manual operations, and minimising human mistake.