The email in your inbox may look like a legitimate email from your bank or credit union, complete with a logo and website address. In fact, it is the perfect forgery that is netting cybercriminals millions of dollars each year. Phishing schemes have become so sophisticated that even attentive users would be hard-pressed to detect them.
From the moment a user receives a malicious email in their inbox, the clock is ticking. Within the first hour, most users will click on links and provide their information, or open a malware-infected attachment. Once they do, their credentials are harvested to be leveraged or sold on the Dark Web, or their computer is infected with malicious software that can track the user’s every move.
It has gotten to the point where even the venerable lock icon in the browser is no guarantee of safety. Cybercriminals have started to install SSL certificates on their phishing sites in an attempt to lull both unsuspecting and security-minded users into providing their credentials. The State of Financial Phishing report also shows a 14% increase in purpose-registered phishing domains in the first half of 2019 compared to the same period in 2018, and the number of phishing domains certified by registrars has doubled. Attackers are also not restricted by borders: attacks can originate from anywhere and make use of advanced spoofing techniques to disguise their traffic as legitimate traffic.
Cybercriminals are also operating at greater scale. There has been a 56% year-over-year increase in digital threats targeting financial organizations and their customers. Researchers at Zerofox found 87,900 fraud scams, with 75% of those discovered on mobile apps and social media.
Working both sides of the coin
There are three main threats to highlight for financial organizations. These include social engineering attacks, attacks that take advantage of misconfigurations, and attacks that leverage consumer information from data breaches.
One of the major threats from data breaches is how the stolen data is used in subsequent attacks. Attacks targeting accounts happen daily. On average, NuData found that 65% of a company’s accounts are targeted at least once every month. The most common attack is credential stuffing, where cybercriminals use automation to try out thousands of usernames and passwords to discover the combinations that work before taking over an account. They also steal real identities or create synthetic identities to open fraudulent accounts intended for credit application fraud, loan fraud, and other types of account identity theft – running up big balances with no intent to repay them, and leaving the legitimate consumer holding the bag.
Attackers are also increasing their efforts to blend in with legitimate users. NuData found that spoofing behaviour went up by 550% in July compared to the previous month. This reflects a trend where bad actors know their device information is evaluated by common fraud-detection tools, and that these tools can recognize a returning device that was previously used for fraud. Bad actors therefore spoof the device information to bypass those legacy security tools, which can’t recognize the device and treat it as new or trusted.
Similarly, this summer most attacks came from the U.S., although that doesn’t mean the actual attackers were based there. In this case, bad actors use open proxies and infected consumer devices to appear to be in the U.S. and mimic a legitimate location.
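The credential-stuffing pattern described above (one source trying many different usernames in quick succession, almost all of them failing) is straightforward to surface from authentication logs. The following detector is an added example, not code from the article or from NuData; the log format and the sample entries are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
# Added example: flag credential-stuffing activity in an authentication log.
# Log format (constructed for this example): "<ISO timestamp> <source IP> <username> <OK|FAIL>"
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.7 cycles through five accounts in five seconds,
# while 198.51.100.9 is one user who mistypes once and then logs in.
SAMPLE_LOG = """\
2019-07-01T10:00:01 203.0.113.7 alice FAIL
2019-07-01T10:00:02 203.0.113.7 bob FAIL
2019-07-01T10:00:03 203.0.113.7 carol FAIL
2019-07-01T10:00:04 203.0.113.7 dave FAIL
2019-07-01T10:00:05 203.0.113.7 erin FAIL
2019-07-01T10:00:06 203.0.113.7 frank OK
2019-07-01T10:00:10 198.51.100.9 alice FAIL
2019-07-01T10:00:25 198.51.100.9 alice OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect_stuffing(log_text, window_s=60, min_users=5, max_success_ratio=0.2):
    """Return {source_ip: stats} for sources whose activity inside any sliding
    window looks automated: many distinct usernames and mostly failed logins.
    Thresholds are assumed starting points, not vendor recommendations."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, u, _ in window}
            successes = sum(1 for _, _, r in window if r == "OK")
            if len(users) >= min_users and successes / len(window) <= max_success_ratio:
                # Record the first window that trips the rule and move on
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(window), "successes": successes}
                break
    return flagged
```

A hit here is a signal for step-up authentication or rate limiting on the source, not proof on its own; shared NAT gateways can legitimately show many users behind one address.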
Locking the vault
The continued success of these attacks highlights a major flaw in user verification techniques, which can be worked around for fraud purposes. Educating end users is an option for many, but it is not enough on its own, nor should the onus be on customers.
To defend against attackers, organizations need to take a layered approach to user authentication and use verification techniques that don’t rely solely on the credentials of the user, which could have been stolen. Instead, it is important to have a broader view of a user by adding layers that can evaluate customers based on how they behave (passive biometrics) and on who they are (physical biometrics).
Passive biometrics, a frictionless layer that looks at subtle user patterns such as how a user types or holds the device, can provide high confidence on whether a user with the correct password is indeed the legitimate user or a fraudster. If there is high risk or suspicion of fraud, an institution should trigger further authentication of the user with techniques such as a physical biometric request, a fingerprint scan for example, to dispel any doubts.
With this approach, based on transparent intelligence and friction only when needed, companies can thwart bad actors with stolen credentials without adding undue friction on good users.
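The layered decision just described can be expressed as a small policy: a correct password alone only gets a login as far as a risk score, the score combines a passive-biometric signal (here, inter-keystroke timing against a stored profile) with the device and proxy signals discussed earlier, and only a medium score triggers a physical-biometric step-up. This is an added example, not the article's or any vendor's implementation; the timing profile, the weights and the thresholds are constructed assumptions.

```python
# Added example: layered login decision with passive biometrics and step-up.
# All profile data, weights and cut-offs below are constructed for illustration.
from statistics import mean

def cadence_deviation(baseline_ms, observed_ms):
    """Mean relative deviation between the stored inter-keystroke timing profile
    and the timings observed during this login (0.0 means identical cadence)."""
    return mean(abs(o - b) / b for b, o in zip(baseline_ms, observed_ms))

def risk_score(profile, attempt):
    score = 0.0
    dev = cadence_deviation(profile["cadence_ms"], attempt["cadence_ms"])
    if dev > 0.5:
        score += 0.5      # typing rhythm clearly not the account owner's
    elif dev > 0.25:
        score += 0.25     # noticeable drift: new keyboard, or someone else
    # A never-seen device fingerprint is treated as risk, not as "new and trusted",
    # which is exactly the gap that spoofed device information tries to exploit.
    if attempt["device_id"] not in profile["known_devices"]:
        score += 0.3
    if attempt["via_open_proxy"]:
        score += 0.3      # location mimicked through an open proxy
    return min(score, 1.0)

def decide(profile, attempt, password_ok):
    """Return 'allow', 'step_up_physical_biometric' or 'deny'."""
    if not password_ok:
        return "deny"
    r = risk_score(profile, attempt)
    if r < 0.3:
        return "allow"    # frictionless path for the legitimate user
    if r < 0.7:
        return "step_up_physical_biometric"   # e.g. request a fingerprint scan
    return "deny"

# Constructed account profile and three login attempts, all with a valid password.
PROFILE = {"cadence_ms": [120, 95, 140, 110, 130], "known_devices": {"dev-A"}}
ATTEMPTS = {
    "owner":       {"cadence_ms": [124, 92, 145, 108, 133], "device_id": "dev-A", "via_open_proxy": False},
    "new_laptop":  {"cadence_ms": [160, 125, 180, 145, 170], "device_id": "dev-B", "via_open_proxy": False},
    "stuffed":     {"cadence_ms": [200, 180, 260, 200, 240], "device_id": "dev-Z", "via_open_proxy": False},
}

def run_demo():
    return {name: decide(PROFILE, att, password_ok=True) for name, att in ATTEMPTS.items()}
```

The stolen-credential case ("stuffed") is refused outright even though the password was correct, while the owner on a new machine is asked for one extra factor rather than being locked out.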
While phishing continues to become harder to spot – with most consumers realizing they were phished only once it is too late – companies must work on improving their authentication frameworks so that user accounts are not accessible simply with a password and other credentials. User verification built on layers like passive and physical biometrics provides this security, protecting company assets while strengthening customer trust.