Outsmarting the new generation of online fraudsters [Q&A]
Millions of dollars are lost to online scams each year and the fraudsters are getting ever more sophisticated in the targeting of their attacks.
Much of today's fraud is executed using information about the consumer's habits and personal details, usually captured in phishing attacks or data breaches. The fact that we're conducting more of our transactions online as a result of the pandemic has created even more opportunity for fraudsters.
So, what can we do about it? We spoke to Miles Hutchinson, CISO of Jumio, to find out how enterprise security professionals can outsmart this new generation of fraudsters.
BN: Have we become more vulnerable to online fraud in recent years?
MH: Yes -- fraudsters have more opportunity than ever before due to the digital nature of our world today. During the pandemic, consumers shifted to using primarily online banking, for example, which widened the digital attack surface and created more opportunities for fraudsters to steal credentials and launch account takeover (ATO) attacks.
Also, fraud has become more personalized. Fraudsters study victims' businesses, personal details, shopping habits and more to determine the most efficient way to defraud them. US consumers lost $770 million to social media scams in 2021 alone (18x what it was in 2017), and this figure only accounts for about one-fourth of all fraud losses that year. Each year, fraudsters become increasingly calculated with their approaches and more of them are breaking through security barriers.
BN: Why is the traditional approach to cyber risk no longer adequate?
MH: Traditionally, organizations will layer in countless risk signals from multiple vendors to deter fraudsters and protect their business ecosystems. This means having several solutions in place to verify user identity, examine their identification and supporting documentation, authenticate them after each visit, screen to ensure they are not on any watchlists, manage investigations, monitor transactions and report suspicious activity. Rather than increasing efficiency, leveraging multiple disparate solutions for identity verification creates silos and can actually increase the risk of fraudsters getting through the system.
Focusing on compliance checklist models is a solid way to confirm what security measures are in place, but unfortunately, it's not efficient at determining if the overall security strategy will effectively counter the contemporary threats we live with today. By using multiple solutions for verification, organizations risk non-compliance with regulations related to Know Your Customer (KYC), anti-money laundering (AML), data privacy and the Markets in Financial Instruments Directive (MiFID). These regulations require enterprises to identify and report unlawful activity such as terrorist financing or money laundering to regulatory agencies. In addition, businesses that do not comply with regulatory compliance standards can lose customers' trust, fall victim to fraud and/or be charged with costly fines.
To address these pain points, leveraging one consolidated identity verification system is crucial. A consolidated, holistic identity verification approach equips enterprises with the necessary controls and assurances to accurately identify end-users and helps to achieve high catch rates and low false positives. On top of that, when enterprise teams collaborate to maintain a strong security posture the same way that we collaborate on developing a new product or feature, it can be a game-changer.
BN: What is a 'holistic' approach to security and how can it make a difference?
MH: A holistic approach means that the organization has one single application programming interface (API) layer that checks all risk and fraud detection capabilities to address identity proofing, compliance verifications and AML use cases. This approach consolidates all the identity verification processes into one comprehensive platform to confirm user identity and maintain compliance standards more efficiently. Additionally, it delivers a more seamless user experience that verifies consumer or employee data, while providing enhanced authentication using a document such as a government-issued ID.
BN: Why is intelligence about the latest scams a key factor?
MH: Intelligence is always valuable. It's like taking the red pill in The Matrix, giving you insights into factors that were hiding in plain sight before. Once you know the latest scam patterns, you can't unsee them. To prevent fraud, it is critical to first understand how these scams work. A scam is only as good as its subterfuge; once you can see past that, you can take significant steps to disrupt and prevent their success.
It is important to recognize that the dark web already contains an abundance of personal data, such as usernames, passwords, email addresses and birth dates. As a result, cybercriminals have easier access to stolen usernames and passwords, as well as security questions and answers. Since criminals can simply log in with this information and pose as the user, traditional authentication methods like security questions or passwords do not provide real proof of identity. Enterprises must have these sorts of factors in mind when configuring their fraud prevention strategy.
BN: Do consumers need to take greater responsibility for their own online security?
MH: While companies collecting personally identifiable information (PII) are definitely responsible for holding it in a secure manner, consumers also need to be wary of their online security and how their private data is shared among organizations. To be cautious, assume that everyone needs to be responsible for their own data and have a baseline understanding of how to be safe online. In many cases, it's similar to driving a car -- the manufacturer is responsible for making sure the car is safe to drive, yet the driver also needs to be aware of how to drive it safely. I'm not suggesting people need a license to operate online, but having a basic knowledge of what's considered safe online security vs. what's not is a great starting point.
For instance, consumers should be aware that hashed passwords can be easily deciphered, giving cybercriminals the perfect opportunity to leverage bots and credential stuffing to try these login credentials across countless websites (including banking portals, social media accounts and health care sites) in search of an opening. Plus, simply resetting passwords is no longer an efficient method to keep user accounts safe. Many organizations are adopting more secure alternatives such as biometric authentication to get ahead of common security vulnerabilities.