
Billing and Payment Security in the Age of COVID-19

By Brenda Magri, Senior Director, Security Strategy, Fiserv Biller Solutions

Cybercrime is a crime of ever-present opportunity. For cybercriminals, the COVID-19 pandemic has proven to be a golden moment as bad actors have sought to exploit the crisis to their advantage. In response, utilities, like other companies that handle sensitive customer data, are compelled to heighten security to protect financial, billing and payment systems. An enhanced approach can include updates to the systems themselves, adjustments to processes and an emphasis on employee education.

Cyberattacks are Up

Across all business sectors, companies and consumers face the threat of new cyberattacks linked to the COVID-19 crisis. Employees – many of whom may be out of their routine while working from home – are possibly perceived as distracted and thus more vulnerable.

One of the most popular types of cyberattack is “phishing” with a fake email or “smishing” (phishing via text message). These involve bogus but legitimate-looking messages enticing the recipient to click on a link for more information. This often takes the form of an urgent warning requiring that a specific action be taken immediately to prevent loss of access to a financial account or another important service upon which the person targeted by the scam relies. Alternatively, the messages may appear to come from a health organization providing COVID-19 updates (for example, offering access to masks or testing kits) or – aligned to the rise in online shopping – could warn of an issue with a delivery by a freight carrier. In any of these cases, clicking on a link or an action button can expose that device to the risk of a cyberattack. And that could lead to data theft or the introduction of ransomware to a utility’s financial and data systems.

Employee education plays a key role in preventing such situations. Prior to the pandemic, a utility employee working in their usual office environment might notice a suspicious message and either delete it without opening or forward it to the IT department for investigation. Now, that same employee could be juggling multiple responsibilities in an unusual work situation. The criminals are counting on an employee’s guard being down and failing to detect the subtle signs that an incoming email is a phishing attempt.

Any unauthorized access to a utility’s billing and payment systems could be devastating, impacting the ability to bill customers and receive payments at a time when people are inside their own four walls more than usual, and thus need heat, light and power to be available.

Best Practices for Defense against Cyberattacks

Fortunately, utilities and other companies can take steps to defend themselves against this new wave of cyberattacks:

  • Tune data loss tools, including email spam filters, for enhanced sensitivity to COVID-19-related threats; keep watch for not only that term, but related words and language, and commonly misspelled words similar to the key terms.
  • Create a regular cadence of COVID-19 communications and convey that schedule to employees so they know, for example, to always expect the weekly summary of business updates on Fridays. Tell them what the official emails will look like, so any phishing emails will be more likely to raise red flags.
  • Educate employees on what to look for in order to detect phishing and smishing attempts. Warning signs include spelling and grammatical errors and frenzied-sounding communications urging the recipient to take a specific action without delay. Instruct employees to never click on links from unknown senders – ideally with an automated warning at the top of any external emails advising them to “think before you click.”
  • Help protect your customers by collecting only the data you need, rather than all the data you want. Providing them with a more personalized customer experience can require a robust data profile, but it also comes with the additional responsibility of protecting that data. In the quest to enhance customer interactions and raise satisfaction scores, be wary of collecting and storing more data than is reasonably needed.
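The first and third practices above (matching key terms together with their common misspellings, and marking external mail) can be sketched as follows. This is an added example, not code from the article or from Fiserv; the term list, the look-alike character map, the `utility.example` domain and the hold/banner/deliver policy are all assumptions for illustration.

```python
import re
import unicodedata

# Assumed watch list; the article names only COVID-19 and "related words".
KEY_TERMS = ["covid", "coronavirus", "quarantine", "vaccine", "pandemic"]
# Assumed look-alike substitutions used to dodge exact-match filters.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "@": "a", "$": "s"})

def edit_distance(a, b):
    """Levenshtein distance, computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(text):
    """Lower-case, strip accents and fold look-alike characters."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return text.lower().translate(LOOKALIKES)

def matched_terms(subject):
    """Return the key terms present exactly or as near-misspellings."""
    hits = set()
    for token in re.findall(r"[a-z]+", normalise(subject)):
        for term in KEY_TERMS:
            # One edit for short terms, two for long ones, to limit false hits.
            allowed = 1 if len(term) <= 8 else 2
            if (abs(len(token) - len(term)) <= allowed
                    and edit_distance(token, term) <= allowed):
                hits.add(term)
    return sorted(hits)

def triage(sender, subject, internal_domain="utility.example"):
    """Assumed policy: hold external mail that hits a key term, add the
    'think before you click' banner to other external mail, deliver the rest."""
    external = sender.rsplit("@", 1)[-1].lower() != internal_domain
    terms = matched_terms(subject)
    if external and terms:
        return "hold", terms
    return ("banner" if external else "deliver"), terms

# Constructed sample messages (sender, subject).
SAMPLES = [
    ("alerts@health-updates.example", "URGENT: C0VID-19 test kits available"),
    ("billing@pay-portal.example", "Coronovirus relief: verify your account"),
    ("tracking@freight.example", "Your delivery is delayed"),
    ("comms@utility.example", "Weekly business update"),
]

if __name__ == "__main__":
    for sender, subject in SAMPLES:
        print(triage(sender, subject), subject)
```

The sender address is taken at face value here; a production filter would rely on the mail gateway's authenticated-sender verdict rather than the visible From address.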

Protecting data and financial systems is not just a job for the Security and IT departments; every employee plays a critical role on the front lines of your defense. With thorough training and consistent, comprehensive communications, employees can create a significant barrier against cyberattacks. In today’s rapidly evolving COVID-19 world, that’s an important part of keeping billing and payment systems running.


Discussions

Matt Chester on May 11, 2020 9:40 pm GMT

The remote work environment has certainly created new challenges across the industry, but most of these best practices will be relevant regardless, I would imagine. That said, do you think that if the post-COVID world becomes one where remote working is more common, some of these lessons will have been gained at a speed they may not have otherwise? By having to deal with these all at once, do you see utilities learning some important lessons and being able to apply them in an evergreen way?

Brenda Magri on May 11, 2020 10:08 pm GMT

The concept of remote working has been gradually working its way into workforces at varying speeds. Some jobs are more conducive to remote working than others. The current emergency has accelerated the adoption of tools and technology for remote working. However, I don't believe we have been as adept at dealing with the human aspects of remote working. Often people do not work from home because their home environment is not conducive to remote work; this adds stress. I believe that utility organizations and other organizations will have to take a holistic approach to the remote work question after the emergency is over.

Dudley McFadden on May 13, 2020 2:42 pm GMT

Working at home I'm using e-mail readers on web browsers and my phone more often. That's in contrast to back in the office where I normally use the desktop Microsoft Outlook app. There, the email message is displayed on my professional desktop monitor more fully and clearly than the abridged preview format common on other devices—it's easier to spot those telltale phishing clues. On the web browser view I find myself sometimes quickly skimming through messages. Due to the layout and presentation I'm, well, lured into reading less carefully than I should. As Brenda warned: especially while juggling multiple responsibilities.
