How to protect your business from fraud

Watch our podcast featuring world-leading cyberpsychology expert Prof Mary Aiken and Paul O’Brien from Bank of Ireland’s Security team to learn how you can safeguard your business against fraud.

Barely a month goes by without new warnings on the latest lengths fraudsters will go to in order to part you or your business from your hard-earned earnings. Whether it’s fraudsters targeting Irish farmers with ‘purchase scams’ for bogus farm machinery, a spike in invoice fraud against businesses or a surge in social media fraud, the only limit is the fraudsters’ imagination.

And now, according to one of the world’s leading cyberpsychology experts, the fraudsters are even spending more on artificial intelligence (AI) than some of the biggest tech giants. So what can you do?

We caught up with cyberpsychologist Prof Aiken and Paul O’Brien from Bank of Ireland’s Security team to give business owners a better understanding of the main fraud themes that currently impact businesses as well as the psychological tactics used by fraudsters to trick you and your employees into sharing important financial information that leads to fraud. And we’ll give you the guidance and steps you need to take to protect your business.

Stop. Think. Check.

According to O’Brien, some of the easiest frauds to commit are the most common ones.

“The thing we see most impacting businesses is just a simple email. It could be an email that impersonates a supplier asking you to update account details. It could be an email that impersonates somebody in the business that says ‘John, I really need you to make this urgent payment’, or a small variation of that. It could be an email from a staff member, or that looks like it’s from a staff member that says ‘I have a new bank account. Can you update my details on payroll?’ What the fraudster is trying to do is get you to make a payment or to update a bank account. So the really key thing from our point of view that we would always say to people, as simple as it sounds, never, ever, ever make a payment or update bank account details without speaking to this person first.”

Prof Aiken agrees that fraud techniques that seem to have been around forever remain in play, occurring alongside more sophisticated ones.

“91% of cyberattacks come about as a result of social engineering, and social engineering has everything to do with psychology and very little to do with technology.”

She gave the example of your average phishing attack. “In a phishing attack, the cyber attacker is deploying persuasive, manipulative and deceptive strategies around leveraging human trust. So it’s a sophisticated operation, and they’re very skilled and highly practiced, because this is what they do all day long, every day. In terms of the victim, what we see is that all victims are not the same. All targets are not the same. So some can have greater vulnerability in terms of their personality traits, or greater vulnerability in terms of their predisposal to risk taking, so are more likely to click or to open an attachment and then become a victim of a phishing attack.

“But also we see in the targets greater levels of psychological resilience and protective aspects embedded into their personality type or traits. For example, their level of IT knowledge is a protective factor; their experience and their overall resilience, and know how. So not all targets are the same, not all victims are the same, and you’ve got psychology deployed both ways.

“And if we think about another sort of psychological attack vector, and that would be leveraging the premise of authority. So we see this in whaling attacks, you know, at a C-level and in an organisation, if you’re very junior and somebody’s very senior, well, your base propensity is to obey a request or an order, not the other way around. It’s really hard to disobey the order if you think it’s your boss asking you to do something, absolutely.

“And that plays into organisational psychology and the hierarchy in an organisation. So you’re very junior, and somebody suddenly has shone a bright light on you and says ‘this is a crisis. I need you to do this.’ So your reaction is most likely to be, ‘wow. I need to perform. And not only do I need to do it, but I need to do it as quickly as I can.’ And that’s what the cyber criminals and the fraudsters are tapping into.”

O’Brien recommends that if you are on the receiving end of such a request to transfer money in a hurry, be suspicious and try and verify if the request is genuine.

“Always check with them first, lift the phone, talk to somebody, it only takes 20 seconds. If it’s not them and they say ‘what email’, think of how much pain and grief you would have saved yourself by making that quick phone call rather than making a payment and then having to go chase the money.”

Aiken adds that if you don’t get them on the phone, in this day and age you’ll surely get them on social media.

Another significant form of attack impacting businesses is the live chat scam. These scams can begin with a phone call from someone pretending to be from your bank, for example, and they will give you a web address and ask you to then click on a button.

That button to ‘start a live chat’, for example, is in fact a command to download software that gives the fraudster remote access to your computer. They will then request your access code to your bank account, which they will use to steal money.

“Never, ever, ever, give anyone your code no matter who they say they are, or no matter why they say they need them,” O’Brien urged.

Prof Aiken says that these ‘live chat’ scams are very sophisticated forms of attack where the fraudsters are very practiced and very skilled at engaging with the target.

“It’s an engaging process where they really want to cultivate that relationship in a very short period of time. So first of all, how do they do that? They’re tapping into our deepest human vulnerabilities and trying to get us to bypass rational thought and tap into an emotional response where you’re not really thinking it through. And the easiest way to do this is to create a sense of urgency or crisis, because immediately, that’s when the emotional part of our brain kicks in. They will start the call with that sense of crisis but make you believe they are going to help you. So it’ll be ‘Mary, there’s a payment of €10,476 has gone from your account’. Mary will say ‘obviously that wasn’t me’. They’ll go ‘No problem. I’ll help you with that so I’ll be able to stop that payment. Now let’s move on to what we’re going to do to secure your account.’”

And that’s when they’ve got you. Prof Aiken said the fraudsters will deploy exceptional interpersonal skills, build rapport through casual chat, all the while luring you into allowing remote access, mirroring your conversation to make you believe they really are your bank, for example.

AI and the uncanny valley

If you thought the aforementioned scams involving humans were frightening and devious, attacks using AI are already here.

Aiken has just returned from a Europol conference at The Hague and the news isn’t good. “The sentiment there was that some of the largest investors in AI are organised crime groups. And what we’ve seen with the rapid growth of online environments, this has increased what we call the attack surface for fraud through the democratisation of GenAI tools and other technologies. This has effectively increased the volume and complexity of these crimes.”

The problem with AI is how real it can make people seem and voices sound. “The one in-built defence humans have against this is the human brain which is hard-wired to protect us against ‘evolutions in species’,” Prof Aiken said.

She said our ability to notice something off or odd about an AI can trigger a response known as entering the ‘uncanny valley’.

“Let’s call deep fakes, new species augmented by AI. And what’s incredible is at a very sort of primal level, in our primitive part of our brain, there is a reaction, which is called the uncanny valley. And what it is, it’s a revulsion reflex.”

But this still is not ample protection if the gangsters are investing more and more in convincing AI.

Paul O’Brien said that at the end of the day, there are a few simple things business owners and their employees can do to protect themselves.

“We’re trying to give people an understanding of the main types of fraud that we see, and, more importantly, what they can do about it. If you think you may have been a victim, or if you’re worried about something, please call us. You know, we’ve a team there that’s there 24/7, 365 days of the year. It’s freephone 1800 946 764, so please do come and talk to us. There’s a huge amount going on in the background in terms of what we do, in terms of our technology, and we’re putting huge investment into protecting our customers from this happening in the first place.”

But the first line of defence will always be with the person. “We will always say to people, really simply, if anybody in your business or a supplier asks you to make a payment or to update bank account details, always talk to them first to make sure that the request is genuine. Just that really, really simple phone call. That’s one thing.

“The second thing is, go back to the other type of fraud that we explained, where somebody is trying to get codes for your banking app. Never, ever, ever give those codes to anybody, particularly on the phone, no matter who they say they are, no matter why they say they need them.

“There is literally no circumstance where Bank of Ireland will ask you for a code from the app. If somebody asks you for a code, they’re a fraudster, hang up. So keep those two things in mind. If somebody asks you to make a payment or update banking details, talk to them first. And never, ever give anybody a code from your app. You’ll actually go an awful long way to protecting yourself.”

Fundamentally, it boils down to three actions: Stop, Think and Check.


John Kennedy
Award-winning ThinkBusiness.ie editor John Kennedy is one of Ireland's most experienced business and technology journalists.