The rise in finance and accounting cybercrime through phishing and Business Email Compromise (BEC) has made headlines with massive implications for South African companies with gaps in their payment systems. “However, robust financial controls together with strong server, IT, and email monitoring processes aren’t enough if staff aren’t savvy to the psychological tricks scammers use to manipulate people, making them more vulnerable to tricker and deception,” says Ryan Mer, CEO at eftsure Africa, a Know Your Payee™ (KYP) platform provider.
Mer says it’s a myth that only gullible, unskilled professionals are susceptible to scams. “The misconception that only foolish individuals fall victim to cybercrime and payment fraud is dangerous because it leads to complacency in the highly educated who occupy senior positions within organisations. Criminals engaging in payment are often well-skilled, well-resourced and armed with enough industry knowledge to appear legitimate.”
Manipulating trust and competence
Scammers rely on human impulses to be helpful, avoid conflict, and problem-solve quickly and effectively to extract information or manipulate targets into taking action.
A common modus operandi is an attempt to win the trust of a potential victim by impersonating a known or trusted figure. Examples include an employee receiving a mail from an organisation’s financial director instructing them to arrange urgent payment to a supplier or an HR manager receiving a polite email from a member of staff requesting their bank details be changed for payroll purposes.
“An employee’s desire to perform their duties swiftly and competently, especially for a trusted figure of authority, is manipulated by criminals who rely on an instruction being actioned without question for a scam to be successful. In such instances, only an automated system for detecting red flags in outbound payments can offer the level of protection organisations really need to counter human error,” says Mer.
Banking on urgency
While scammers become increasingly inventive, an age-old tactic cybercriminals routinely rely on is creating a sense of urgency in their victims. Mer says phishing messages and business email compromise scams are designed to make employees more likely comply with a potential threat that they know they should report. “Scammers lure victims into acting quickly before they have time to think rationally about the activities they’re undertaking. Implementing processes that require staff to slow down and double-check any actions that involve payments is vital.”
He adds that a sudden change in customer or supplier business practices, such as a new point of contact, change of email address or banking details should be viewed with caution and thoroughly verified before complying with an urgent request. “In many organisations, there is a concerning disconnect between the theoretical controls in place and what actually happens in everyday business contexts. Cybercriminals often rely on the herd principle in which people in organisations adopt the behaviour of those around them. The risk that one person in a team complies with a scammer may result in others being deceived in the same way. Sound business processes and educated staff, while essential, can only protect a business so far as sophisticated phishing and BEC scams can defeat the internal controls of even the most vigilant teams,” says Mer.
Extra, automated protection
Cybercrime is constantly evolving which makes it a moving target. Interpol’s last African Cyberthreat Assessment Report published in 2021, placed South Africa as having the third-highest number of cybercrime victims in the world, costing the country a staggering R2.2-billion annually. “Ongoing education on the latest scams and the tactics used to execute them is crucial for South African companies. In addition, independent third-party verification systems like eftsure can offer a much-need extra layer of protection by automating payment checking and supplier verification, saving time on manual processes and reducing human error,” notes Mer.