Cybersecurity: A CEO’s Nightmare Holiday Call to Action

December 11, 2025

Jane, CEO of XYZPay.com, was carving the holiday roast, the house full of laughter and the January board deck done with better-than-budget numbers, a pristine cap table, and a top-tier banker waiting to launch a sale process—when her company cell phone rang. Her head of security, voice tight, said customer accounts were being compromised, $3M of payments were missing, whether PHI had been exfiltrated was still unknown, and the Security Incident Response Team was gathering. 60 seconds killed Jane’s holiday joy…

This nightmare plays out daily for CEOs across the HCIT/FinTech market. When attackers hit your firm, will they find you prepared, or will you be receiving that dreaded phone call?

Successful Defense Starts with Studying the Enemy’s Tactics

Some CEOs feel that security matters are too technical to understand and therefore feel incapable of proactively driving fraud prevention. In fact, “user-assisted” fraud (fraud in which the victim unwittingly hands the attacker what they need, such as a password) is a process that anyone can understand. A leader who understands that process can virtually eliminate fraud by all but the most determined or state-sponsored fraudsters.

The Process of Compromising an Account

  • Harvest credentials: Fraudsters create a fake website (e.g., XYZP@y.com), and send phishing emails or texts urging customers to take urgent action. When customers try to log in, credentials are stolen, and they are redirected to the real site.
  • Break into the system: Fraudsters log into the platform with the stolen credentials and change contact information so that MFA codes and alerts go to them instead of the customer.
  • Exploit the system: The perpetrators create admin users and tell more fraudsters how to break in. They change “pay to” bank account numbers and divert payments, and exfiltrate PHI records.

Breaking the Fraudster’s Process by Complicating Every Step

  • Reduce credential harvesting via External Attack Surface Management (EASM): Use an EASM firm to find fraudulent websites, shut them down quickly, and monitor the dark web for threats.
  • Reduce fraudulent system access via Multi-Factor Authentication (MFA): Use the MFA built into business email and other business platforms. Use a third-party MFA solution for XYZPay’s SaaS platform. Train users to be phish-resistant.
  • Prevent system exploitation by protecting sensitive actions: Limit access based on roles and require MFA and extra verification for changes to bank accounts, user accounts, and contact information.
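As an added illustration of the MFA step above (example code written for this article’s scenario, not XYZPay’s or any vendor’s software): a small audit that takes an exported account list from each business platform, reports MFA coverage per platform, and flags the gaps a CISO should close: accounts with no MFA, admins not on a phish-resistant method, and non-company email addresses used for verification. The account inventory, platform names, company domain and the ranking of MFA methods are all assumptions constructed for the example.

```python
"""MFA coverage audit (added example; not XYZPay code).

Assumptions (not from the article): each platform can export a list of
accounts with the strongest MFA method enrolled; the company email domain
is xyzpay.com; the method ranking below is a common ordering, with
FIDO2/passkeys treated as the only phish-resistant option.
"""
from dataclasses import dataclass

# Strength score per method: higher is better. SMS/email codes are phishable
# and SIM-swappable; FIDO2/passkeys are bound to the real site's origin.
MFA_STRENGTH = {"fido2": 4, "push_nm": 3, "totp": 2, "sms": 1, "none": 0}
PHISH_RESISTANT = {"fido2"}
COMPANY_DOMAIN = "xyzpay.com"  # assumption for the example


@dataclass(frozen=True)
class Account:
    platform: str
    email: str
    role: str   # "admin" or "user"
    mfa: str    # strongest enrolled method, a key of MFA_STRENGTH


def audit(accounts):
    """Return (platform, email, issue) tuples for every gap found."""
    findings = []
    for a in accounts:
        if a.mfa not in MFA_STRENGTH:
            findings.append((a.platform, a.email, f"unrecognised MFA method '{a.mfa}'"))
            continue
        if a.mfa == "none":
            findings.append((a.platform, a.email, "no MFA enrolled"))
        elif a.role == "admin" and a.mfa not in PHISH_RESISTANT:
            findings.append((a.platform, a.email, "admin without phish-resistant MFA"))
        if not a.email.lower().endswith("@" + COMPANY_DOMAIN):
            findings.append((a.platform, a.email, "non-company email used for verification"))
    return findings


def coverage(accounts):
    """Per platform: (share of accounts with any MFA, share with phish-resistant MFA)."""
    totals, any_mfa, strong = {}, {}, {}
    for a in accounts:
        totals[a.platform] = totals.get(a.platform, 0) + 1
        if a.mfa in MFA_STRENGTH and a.mfa != "none":
            any_mfa[a.platform] = any_mfa.get(a.platform, 0) + 1
        if a.mfa in PHISH_RESISTANT:
            strong[a.platform] = strong.get(a.platform, 0) + 1
    return {p: (any_mfa.get(p, 0) / n, strong.get(p, 0) / n) for p, n in totals.items()}


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("email", "jane@xyzpay.com", "admin", "fido2"),
    Account("email", "bob@xyzpay.com", "user", "push_nm"),
    Account("email", "carol@xyzpay.com", "user", "none"),
    Account("saas", "ops-admin@xyzpay.com", "admin", "sms"),
    Account("saas", "dan.contractor@example.net", "user", "totp"),
    Account("saas", "eve@xyzpay.com", "user", "none"),
    Account("saas", "frank@xyzpay.com", "user", "fido2"),
    Account("saas", "grace@xyzpay.com", "user", "totp"),
]

if __name__ == "__main__":
    for platform, (any_share, strong_share) in sorted(coverage(SAMPLE_ACCOUNTS).items()):
        print(f"{platform}: {any_share:.0%} with MFA, {strong_share:.0%} phish-resistant")
    for platform, email, issue in audit(SAMPLE_ACCOUNTS):
        print(f"  [{platform}] {email}: {issue}")
```

The point of the two numbers per platform is that "MFA everywhere" has two halves: every account must have something, and the accounts that can move money or create users should be on the strongest option the platform offers.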

If each of the above steps is 80% effective, the entire process becomes 99.2% effective at preventing fraud: a fraudster has to get past all three steps, and only 20% × 20% × 20% = 0.8% of attempts do, so 99.2% are stopped. Well-run businesses can achieve much higher than 80% effectiveness at each step.

Immediate Actions to Reduce Risk

Ask the following of your CISO:

  • Is our firm using External Attack Surface Management (EASM)? It takes days to implement, is highly effective, and can be done inexpensively.
  • How complete is the MFA coverage of our business? It needs to be everywhere.
    • Confirm MFA is required on business email and all other business software
    • Mandate use of company email addresses for MFA on all business platforms which use email as a verification method
    • For XYZPay’s proprietary SaaS or payment processing platform: a) if MFA is not in place, start a project with a 3rd party MFA solution provider, or b) if MFA is in place, confirm coverage of all accounts and enable the most phish-resistant verification options.
  • How are we tracking, alerting, and triggering verification for high-risk user actions?
    • Log user actions.
    • Use a Security Information and Event Management (SIEM) tool to report on those actions and alert upon unusual or known suspect behaviors.
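The logging and alerting items above, worked through as an added example (not XYZPay’s code or any particular SIEM product): a detector that reads a JSON-lines audit log and raises two kinds of alert, a high-risk action performed without step-up verification, and the takeover sequence described earlier in the article, a contact-information change followed within 24 hours by a payee bank account change or a new or elevated user on the same account. The log format, field names, action names, sample events and the 24-hour window are constructed assumptions.

```python
"""Audit-log alerting for high-risk user actions (added example; not XYZPay code).

Assumed log format (not from the article): one JSON object per line with
  ts                ISO 8601 timestamp
  actor             account performing the action
  action            e.g. login, change_contact_info, change_payee_bank_account
  target            object acted on
  step_up_verified  whether extra verification (MFA re-prompt etc.) succeeded
"""
import json
from datetime import datetime, timedelta

# Actions that should always require step-up verification (article's list:
# bank accounts, user accounts, contact information).
HIGH_RISK = {"change_contact_info", "change_payee_bank_account", "create_user", "change_user_role"}
# Actions that, shortly after a contact-info change, match the takeover pattern.
TAKEOVER_FOLLOWUPS = {"change_payee_bank_account", "create_user", "change_user_role"}
WINDOW = timedelta(hours=24)  # assumption for the example

# Constructed sample log: a benign, verified payee change by acct-101, then the
# article's sequence on acct-202 (contact change, new user, diverted payee).
SAMPLE_LOG = """
{"ts": "2025-12-20T09:00:00Z", "actor": "acct-101", "action": "login", "target": "acct-101", "step_up_verified": false}
{"ts": "2025-12-20T09:05:00Z", "actor": "acct-101", "action": "change_payee_bank_account", "target": "vendor-7", "step_up_verified": true}
{"ts": "2025-12-24T18:02:00Z", "actor": "acct-202", "action": "login", "target": "acct-202", "step_up_verified": false}
{"ts": "2025-12-24T18:03:30Z", "actor": "acct-202", "action": "change_contact_info", "target": "acct-202", "step_up_verified": false}
{"ts": "2025-12-24T18:10:00Z", "actor": "acct-202", "action": "create_user", "target": "acct-999", "step_up_verified": true}
{"ts": "2025-12-24T18:12:00Z", "actor": "acct-202", "action": "change_payee_bank_account", "target": "vendor-3", "step_up_verified": true}
""".strip()


def parse(text):
    """Parse JSON lines into events sorted by timestamp; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return (rule, actor, action, timestamp) alerts in event order."""
    alerts = []
    last_contact_change = {}  # actor -> time of most recent contact-info change
    for e in events:
        # Rule 1: a sensitive action that did not pass extra verification.
        if e["action"] in HIGH_RISK and not e["step_up_verified"]:
            alerts.append(("HIGH_RISK_WITHOUT_VERIFICATION", e["actor"], e["action"], e["ts"]))
        # Rule 2: contact-info change followed within WINDOW by a money- or
        # access-affecting change on the same account.
        if e["action"] == "change_contact_info":
            last_contact_change[e["actor"]] = e["ts"]
        elif e["action"] in TAKEOVER_FOLLOWUPS:
            t0 = last_contact_change.get(e["actor"])
            if t0 is not None and e["ts"] - t0 <= WINDOW:
                alerts.append(("TAKEOVER_PATTERN", e["actor"], e["action"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, actor, action, ts in detect(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {rule}: {actor} {action}")
```

Rule 2 is the one that turns the article's attacker playbook into a detection: the verified payee change on acct-101 is normal business, while the same action on acct-202 is suspicious only because of what preceded it, which is why the alert logic has to keep state across events rather than judge each line alone.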

Conclusion

No fraud prevention solution is perfect, but these actions are simple, cost-effective, and can reduce your fraud risk by two orders of magnitude. Become the hard target, let the fraudsters work on someone else, and enjoy your holiday in peace!