
See something, say something: How vigilance is the best defence against cyberattacks

With reports of cybercrime in Canada at an all-time high, it has never been more important to stay vigilant to prevent malicious, financially motivated attacks.

At The 2024 SUMMIT, Mark Kozicki, Vice President, Payment Products at Payments Canada, met with Larry Zelvin, Executive Vice President and Head of the Financial Crimes Unit at BMO, to discuss the growing threat of cybercrime and fraud in the payment industry and the role each of us plays in keeping payments in Canada safe and secure.


Larry Zelvin
Executive Vice President and Head of the Financial Crimes Unit
BMO

What kinds of cybersecurity risks is the payment industry facing right now?
The potential risks to payments are rather unique, not only to the economic security of a nation but also the national security. A large-scale cyberattack on Canada’s payment systems infrastructure could pose a huge threat to our national and economic security. Payments uphold our entire economy, so the consequences of a successful attack would be dire. If you want to change the policy of a nation, one of the best ways is to go after its economic vitality. And what better way than in payment systems? You don't have to build an Army. You don't have to build a Navy or an Air Force. You just need to be connected to the internet and have people who are really good at hacking. The similarities between cyber and fraud are also extraordinary, especially in a financial institution, because the cyber attacks we see are all financially motivated. If you're going to target an energy company with a cyber attack, you're probably looking to shut down the power grid. But at a bank, a cyber attack is pretty much looking to steal money or disrupt its flow.

How do we mitigate these risks while staying ahead of the bad actors trying to destroy what we have in place?
The people working in the payment system industry every day may make the difference between success and failure. They are probably the greatest source of information and intelligence for their security teams in the effort to prevent cyberattacks.

One of my favorite stories about fraud detection happened during a cyber attack on the Bank of Bangladesh, where the attackers attempted to steal one billion dollars. Somebody at the New York Fed looked at a Swift order and said, “This doesn't make sense. This is misspelled. I don't think this is right.” It wasn't AI and it wasn't a cybersecurity control; it was an individual who detected the fraudulent request. Then there’s the case of SolarWinds — one of the biggest cyber attacks in history — which was discovered the same way. A 24-year-old woman who had just begun her career in cyber security was looking at a screen and said, "This doesn't look right. I need to look into it."

It might be an obvious saying, but if you see something, say something. If you report something you think is suspicious but ends up being nothing, your security team will more than likely be grateful anyway. Personally, I'll take a thousand false alarms if it means getting even just one real threat on our radar.

What is the biggest learning from an international perspective as it relates to fraud and cyber security?
I worry about resilience not only from a national perspective but from an international perspective. You're only as strong as your weakest link, and when you’re interconnected, those weak links can be especially dangerous. I think it’s important that every jurisdiction be practicing strong cyber security hygiene at the same level to ensure a united front. Collaboration and cooperation on a global scale is key.

What are some things we, as individuals, can do to stay more vigilant?
Slow down on your computer. Stop clicking on things and opening attachments that you don’t know or aren’t sure of. A lot of the cyber breaches we see are not because something was being done maliciously by an employee, but rather because they went too fast. Watch out for messages that have a sense of urgency or appeal to your emotions; for example, messages that mention a family member or friend who is in trouble or ill. If it doesn't feel right, say something. Like the employees at SolarWinds and the New York Fed, you too could make the difference between whether or not Canada can respond to and recover from a cyber attack in the way we want to. It takes all of us, not one of us; let's complement one another and be a team.

Lastly, educate yourselves and your loved ones so that we’re all equipped with these fraud prevention tools. Elderly people and children are the most victimized when it comes to payment fraud and scams, so check up on them every once in a while. Sit down with your children and the older folks in your life and educate them on these risks, too. An ounce of prevention is better than two pounds of cure.

