To combat fraud — especially phishing — united we stand?
The advent of mobile and app-based channels to lure victims to send money to fraudsters has been on the rise, with email and text-based communications the weapons of choice.
As noted in the latest Digital Fraud Tracker, phishing attacks are up 76 percent this year compared to last year. Verizon has estimated that 30 percent of phishing messages are opened by their intended targets.
And the bad guys are nothing if not persistent, as the telecom’s research found that 15 percent of those who fall victim to phishing scams will be targeted again within the short span of a year.
In an interview with Karen Webster, Yinglian Xie, CEO and co-founder of DataVisor, said phishing attacks are on the rise, due in part to the lure of significant profit to be made illicitly.
Bad actors, she said, are perennially on the hunt for sensitive information such as Social Security numbers and birth dates — not to mention bank account numbers — that can, in combination, be leveraged to drain funds.
Xie said that fraudsters are swooping in to co-opt processes tied to large transactions (and wire fraud), such as mortgage payments or loan disbursements, where funds representing “huge payouts” are diverted to bank accounts, never to be seen again.
With a nod to the fact that many victims are repeat targets, Xie said that once fraudsters find vulnerabilities, they attack again and again — using different scams. If a payment request from a vendor works, then so might an IRS scam, or one that alerts would-be victims to a passport or visa issue.
All of this comes against a backdrop where, as Webster said, the bad guys (and gals) have gotten increasingly adept at fashioning sophisticated attacks, using legitimate channels to make phishing attempts appear to be official requests for information or money. Consider, for example, the DocuSign links that appear in email inboxes, requesting clicks on links that wreak havoc.
And, said Xie, the fraudsters have been careful to calibrate their email and text communications to be serious and official in language (such as in correspondence purported to be from a bank, complete with official signature fields) or more colloquial (such as a text masquerading as being from a co-worker) in order to snare victims.
One tried-and-true method of detecting what’s real and what isn’t is to hover a cursor over an email address that looks official to see if the communication may be linked to a Hotmail or other (decidedly less official) address.
And, in an effort to overlay another sanity check, said Xie, it can pay dividends to pick up the phone and make sure a request to pay out funds to an account is legitimate — or whether the IRS, to give another example, wants the recipient to pay back taxes amid a slew of emails and phone calls that, at first blush, seem above-board.
“I would say being more conservative definitely is the right approach,” Xie advised.
But against the rising phishing tide, she noted, it’s difficult for individual recipients of these communications to see a message and immediately discern whether a scam is in play — especially if the fraudsters use different message formats to lull individuals into a false sense of security.
Before the Inbox
Conservatism may be a good guiding principle, but stopping the fraudsters before they even get their communications to the end user would also be an effective endeavor.
To prevent legitimate users from becoming easy prey, said Xie, unsupervised machine learning can aid firms in uncovering broad patterns of attacks, analyzing messages across emails and texts — the “server side approach,” as she defined it. Such analysis can find red flags amid IP addresses, phone number prefixes and email domains.
A collaborative approach can be the most effective in stopping fraudsters in their tracks, said Xie — and that entails information shared across telecom providers, FIs and corporate customers. She pointed out that telecom firms, especially, are in a strong position to analyze the communications coming across their networks, and can be proactive with warning texts to short-circuit fraud attempts.
Along with the collaborative approach between companies, Xie said, a proactive approach in the fight against phishing must also include educational efforts aimed at the general population.
Financial institutions, too, should bolster their detection and prevention efforts with technology to stop fraudulent accounts from ever being opened in the first place (fraudsters, after all, need a place to stash their money or put the final puzzle pieces in place when establishing synthetic identities).
“The challenge for the banks is that they're dealing with these stolen credentials,” Xie said. “They're dealing with identities while at the same time they want to offer convenience for users” who want services rendered digitally, and they want to broaden their consumer bases.
“The analytical approach and the more preventive approach, together, can be useful toward detecting these attacks early.”