By P.J. Rohall, Fraud SME, Featurespace
[Editor’s Note: All this month we will be taking a look back at CNP Expo 2019. Merchants and service providers who attended praised the comprehensive education and networking available to them across the three days of the event. For our readers who were not able to join us, we want to provide a taste of what you missed, and we hope to see you in San Francisco next year. This week, take a look at CNP Expo through one attendee’s eyes.]
One of the most perfidious types of fraud is social engineering, which is growing at an alarming rate. I was fortunate enough to attend the CNP Expo in San Francisco recently, where multiple keynote speakers provided some excellent insight on the epidemic.
Karisse Hendrick and Brett Johnson are always a can't-miss duo and this was no exception. They provided some educational thoughts on how merchants are particularly susceptible to social engineering through the call center. The following day, Supervisory Special Agent Elvis Chan of the FBI summed things up well when he said, "only amateurs attack machines; professionals attack people".
Technology has allowed fraudsters to widen the scope of their attacks. Victims now range from the easily fooled to the most tech-savvy among us, because at some level, anyone can be manipulated to disclose sensitive facts and details. It’s true that “to err is human,” but when we get tricked into giving someone sensitive information about ourselves or someone else, there’s no divine forgiveness. Instead, there’s the incredible likelihood of account takeover (ATO).
In the lifecycle of fraud, social engineering and ATO are often connected, but they’re really two separate tactics—among many others—that skilled fraudsters use to execute attacks across a variety of channels:
Phishing is when someone attempts to obtain sensitive information, such as usernames, passwords and credit card details, by disguising themselves as a trustworthy entity in an electronic communication.
These attacks rely on casting a wide net: mass emails are sent to as many accounts as possible, and while the messages are generally unsophisticated, the sheer scale usually guarantees a small percentage of success.
One recent study found that 83 percent of individuals were victims of phishing attacks in 2018, an increase of 9 percent over the previous year. The study also found that of these attacks, most fraudsters relied on malicious links, which are URLs designed to deploy harmful malware or trick someone into disclosing sensitive information.
Spear phishing is much more sophisticated. Here, the fraudster carefully studies the would-be victim and uses the information to craft compelling copy with unique details that would influence or appeal to the target. Branding, formatting and other visual cues are manipulated to appear legitimate and once fooled, the victim is exposed to the same threats as in a regular phishing attack.
Although much smaller in scale, the success rate of these attacks is much higher. An astounding 86 percent of spear phishing attacks are successful.
Business Email Compromise (BEC)
BEC attacks are spear-phishing attacks that target employees, typically those who access or influence a business' money movement, intending to get them to transfer funds or disclose sensitive information.
According to the FBI’s Internet Crime Complaint Center, BEC scams cost $12.5 billion from Oct. 2013 through May 2018.
Vishing, or voice phishing, uses scam phone calls, which are becoming a global epidemic; a First Orion study projects that they will account for 50 percent of all mobile calls (and from personal experience, that seems low).
The majority of vishing attacks are unsophisticated; however, targeted offensives on vulnerable segments of the population, such as the elderly, leverage ignorance and fear, with a high rate of success.
Call centers are top targets for fraudsters seeking valuable identity data to perform a downstream ATO. In these attacks, there are two victims: the call center and the individual whose information is stolen. Any business with a call center is vulnerable because they expose representatives with access to sensitive information to social engineering.
Fraudsters can call in and request account access or information, and since this is something good customers commonly do, representatives can be easily manipulated into thinking they are helping a genuine customer.
Representatives are trained to keep call times low and satisfaction high. They don't have the time or resources to appropriately handle social engineering attacks.
Breaching The Account
Through social engineering, the fraudster will get the sensitive information needed for the ATO.
In some attacks, the fraudster will gain the identity or log-in information for an account, but it's not always necessary. Consumers often reuse the same credentials across services, so fraudsters can use bots to test stolen username and password pairs against many accounts belonging to an individual, hoping for a match (a technique known as credential stuffing).
Banks' and merchants' call centers are attractive targets. Information obtained through social engineering can be pieced together to breach accounts in one continuous attack. With merchants, fraudsters can place digital orders, access gift cards and steal loyalty points. With banks, they can initiate high-value transfers and lean on fast payment methods.
A fraudster that doesn't want to spend time pairing stolen information with the right account can try for an authorized push payment, which relies solely on social engineering skills to manipulate genuine customers into transferring funds to an account which they control. Social engineers are skilled at influencing their targets with attacks that leverage human emotions, from playing to someone's romantic vulnerabilities to promising a once-in-a-lifetime investment opportunity. This is an especially large issue in areas that have faster payments, such as the U.K.
The Fraud Solution
Social engineering and ATO are complex and require a comprehensive solution. I think the former is a bit trickier, as it deals with human behaviors and vulnerability. After all, a social engineer's modus operandi is not to attack the device, but the person behind it. However, there are plenty of educational resources and cybersecurity trainings available to help combat this threat.
The latter is where top-notch fraud solution providers can have a big impact. Beating ATO is all about strong authentication across all channels. Call center, online, mobile. Every entry point that provides access to the account needs to be monitored. And even better than monitoring is risk-based authentication that passively captures behavioral data from the moment you see this individual.
This includes behavioral biometrics, device, mobile, geo location, identity data, call center data and supplemental third-party data. A platform that can draw on this breadth of data can leverage adaptive behavioral analytics to develop a clear picture of who is attempting to access the account. This ensures safeguards that protect the account, without adding friction to the customer journey.
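As an added illustration, not part of the original article or of any vendor's product, here is the defender's side of the two mechanisms described above: detecting credential stuffing (one source spraying reused credentials across many accounts) and a risk-based authentication decision that combines device, geolocation and that stuffing signal. The field names, score weights, thresholds and sample login events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass
class LoginEvent:
    ts: int         # seconds since epoch (constructed values)
    user: str
    src_ip: str
    device_id: str
    country: str
    success: bool

def stuffing_sources(events, window_s=300, min_users=5):
    """Source IPs that fail logins for >= min_users distinct usernames within
    window_s seconds: one bot spraying leaked credentials across accounts."""
    fails = defaultdict(list)
    for e in events:
        if not e.success:
            fails[e.src_ip].append((e.ts, e.user))
    flagged = set()
    for ip, attempts in fails.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window_s:
                lo += 1          # slide the window forward
            if len({u for _, u in attempts[lo:hi + 1]}) >= min_users:
                flagged.add(ip)
                break
    return flagged

def risk_decision(event, profile, flagged_ips):
    """Risk-based auth for one attempt: unknown device/country and a source seen
    stuffing raise the score. Weights and thresholds are illustrative assumptions."""
    score = 0
    score += 40 if event.device_id not in profile["devices"] else 0
    score += 30 if event.country not in profile["countries"] else 0
    score += 50 if event.src_ip in flagged_ips else 0
    return "block" if score >= 80 else "step_up" if score >= 40 else "allow"

# Constructed sample: a bot sprays five accounts, then hits alice's real
# password from the same IP; alice later logs in from her usual device.
SAMPLE = [LoginEvent(1000 + i, f"user{i}", "203.0.113.7", "dev-bot", "RO", False)
          for i in range(5)] + [
    LoginEvent(1010, "alice", "203.0.113.7", "dev-bot", "RO", True),
    LoginEvent(1020, "alice", "198.51.100.4", "dev-alice", "US", True)]
ALICE = {"devices": {"dev-alice"}, "countries": {"US"}}
def evaluate(events=SAMPLE, profile=ALICE):
    """Decision per login attempt on alice's account, keyed by timestamp."""
    flagged = stuffing_sources(events)
    return {e.ts: risk_decision(e, profile, flagged)
            for e in events if e.user == "alice"}
```

The correct-password attempt at 1010 is blocked even though the credential was valid, because the source had just been seen stuffing and the device and country were new; the genuine login at 1020 passes with no added friction.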
Many sessions at this year’s CNP Expo highlighted the pernicious effects of rampant social engineering and how it is fueling account takeovers for many high-risk institutions. Understanding the dynamics of these attacks is a great place to start and once you fully recognize your pain point, it's imperative to protect customers and accounts by implementing the most effective solution available.
2019 will bring more clever attacks, so stay informed, be vigilant and take it personally.