Payment fraud is exploding. So are false positives, customer friction and investigation costs. Unfortunately, as customers continue to pull us down the river of rapid digital transformation, traditional fraud detection systems are being left in the sand.

You can install the latest generation of security software to protect against evil hackers, but what is the use of it if your employees continue to follow phishing links? Several security companies conduct social and technical research of real-life phishing attacks aimed at different businesses and are impressed with the scale of the problem.

A friend of mine received an interesting piece of snail mail the other day. It was one of those inheritance scam letters that usually arrive in E-Mail. In summary, the author, a high-ranking bank official, has an unclaimed inheritance that he is willing to split with the letter’s recipient if the recipient will accept the responsibility of being appointed as the heir to the deceased’s money, etcetera, etcetera. As you can see, it bears all the earmarks of the traditional scam message.

Phishing attacks are a common attack vector for financial services organizations. Effective and simple to launch, phishing attacks challenge financial firms to protect their mobile workforce and harden their customer-facing apps. Mobile phishing, in particular, bypasses traditional perimeter defenses such as secure email gateways by targeting users via personal email, SMS and social messaging apps.

Phishers leveraged fake automated messages from collaborative platform Sharepoint as a means to target users’ Office 365 credentials. Abnormal Security found that the phishing campaign began with an attack email that appeared to be an automated message from Sharepoint. To add legitimacy to this ruse, the attackers used spoofing techniques to disguise the sender as Sharepoint. They also didn’t address the email to a single employee but included multiple mentions of the targeted company.

When it comes to card-not-present transactions, security is constantly a moving target. Between February and April, the peak period when COVID-19 was spreading across much of the US, cyber-attacks against the financial sector were reported to have risen by 238%. The exponential growth of digital payment transactions, combined with the increasing variety of customer-facing devices and payment applications, has many financial institutions re-evaluating their approaches to cybersecurity.

A 64-year-old man has pleaded guilty in a Texan court to charges of money laundering after a series of attacks that defrauded companies out of hundreds of thousands of dollars. Kenenty Hwan Kim (who sometimes went by the name Myung Kim) took advantage of a simple trick that has proven highly effective to fraudsters in recent years. The method of tricking businesses into handing over large amounts of money is known as Business Email Compromise (BEC), and comes in a variety of flavours.

Even with tough economic times, e-commerce is up 25% since the beginning of March. But, fraud has increased as well; according to Malwarebytes online credit card skimming has increased by 26% in March alone. In our April “Staff Picks for Splunk Security Reading” blog post, I referenced a story about an e-commerce site getting hacked with a “virtual card skimmer” (thanks Matthew Joseff for sharing this with me).

On Monday, May 4th, **FINRA (Financial Industry Regulatory Authority), issued a warning to financial companies stating that a new email phishing campaign was doing the rounds. According to the regulator, the campaign is ongoing, widespread, and made to look as though the emails are coming from FINRA itself.