In the cybersecurity world, it's not "if" but "when" in referring to a cyberattack. During a recent speaking engagement about the interconnection between payments and cybersecurity, I got to see this firsthand when a financial institution in the region publicly disclosed a cyberattack while I was presenting. This prompted me to share insights about current cyber threat trends and considerations for keeping payments data safe.
Threat actors can carry out payments fraud more easily if network vulnerabilities exist due to gaps in cybersecurity. In 2023, a breach of just one file transfer service provider affected approximately 60 to 70 million people. In 2024, several large companies were affected by a breach of a cloud service provider. Hundreds of millions of customers potentially had their personal data and payment information exposed. Sadly, I was one of them as a customer of at least two of the companies. If you have purchased a ticket to an event, concert, or in my case a comedy show, you were likely affected.
While the breaches are still under investigation, stolen credentials are a likely cause. Humans are still the weakest link, so criminals continue to target individuals. Phishing continues to be the number one attack vector as supported by the latest Internet Crime Complaint Center (IC3) report from the Federal Bureau of Investigation. Phishing can produce many successful outcomes for cyber criminals, such as delivering malware/ransomware, capturing payments details, or redirecting payments to their accounts.
In terms of losses, investment scams remain the top category of internet crime with reported losses of $4.57 billion. According to the IC3, $3.96 billion of that came from cryptocurrency fraud. Crypto-related fraud experienced a 53 percent increase from 2022 to 2023. With artificial intelligence (AI), cyber scams are now more sophisticated. Crypto fraud and business email compromise (BEC), which includes diverting high-value payments to fraudsters' accounts, are more frequent. According to the IC3 report, financial losses from BEC are now a close second to investment scams with losses over $2.95 billion.
What can financial institutions and payments firms do? Think in multiples. Use multifactor authentication and multilevel approvals across multiple channels. According to the Visa Biannual Threats report , threat actors are increasingly focusing on authentication bypass, so using more upfront security layers can be beneficial. Bypass can happen in various ways, but some examples are through modified tokens, AI-created biometrics, backend access, and social engineering. AI can not only create deepfakes to spoof a loved one, but to bypass face or voice authentication controls and allow threat actors to access systems. To avoid backend access, vulnerability scanning and patching remain key to keeping hackers out of your systems. Or you can put AI to good use by using anomaly monitoring for detecting fraudulent payment attempts and activity.
The Federal Reserve System has additional guidance and resources on information technology and cybersecurity topics. Banking organizations that are supervised by the Fed must report
within 36 hours of discovering an occurrence. To report an internet crime visit the FBI's Internet Crime Complaint Center (IC3)
.