More than perhaps any other type of cyber security attack, electronic fraud feels so personal. That is, as business people, we entrust certain individuals or groups with the responsibility for performing important or sensitive work, and when that trust is violated, it feels just terrible. Making matters worse, these individuals and groups to whom we offer our trust often go to such amazing lengths to step around the controls we put in place. In fact, perhaps the salient aspect of the typical fraudster – electronic or otherwise – is an intense level of resourcefulness. The fraud they commit typically involves an assortment of clever techniques designed to find weak spots in our infrastructure and operations. As a result, so-called “point solutions” cannot solve the entire problem; instead, a collaborative protection suite is required to counter the potentially devastating effects of Web and application fraud on modern business. As part of the technical research for my 2017 TAG Cyber Security Annual, recently released for free download on https://www.tag-cyber.com/, I reached out to one of the best in the anti-fraud business, Ricardo Villadiego, CEO of Easy Solutions, to get his insights into best practices in this important area of enterprise control.
EA: Ricardo, there is an old saying that robbers target banks because that is where the money is. Do you think this is a valid description of where fraudsters target their activity?
RV: I think it's a fair assessment, Ed, but it's more than that. Fraudsters are going where there's money to be made, certainly, but they are also looking for relatively easy money. So, financial organizations lacking the most rigorous and cutting edge fraud protection solutions are ideal targets. Take the SWIFT attacks earlier this year. Not two months after cybercriminals used the SWIFT system to steal $81 million from a New York bank, another attack has come to light. In this case, hackers infiltrated SWIFT's financial messaging system and sent a dozen fraudulent wire transfer orders to Wells Fargo Bank, asking that $12 million be transferred from Ecuador’s Banco del Austro bank to four different accounts located in Hong Kong, Dubai, and the United States. Had a solution been in place that utilized machine-based learning and advanced anomaly detection and prediction, these attacks could have been prevented. Financial organizations, of course, aren't the only verticals being targeted. Hackers, for example, are increasingly turning to the travel industry. There's real money to be made in targeting frequent traveler and loyalty programs. It's no wonder that enterprises of all stripes are investing in anti-fraud solutions.
EA: Has the business of detecting and preventing fraud become more difficult with the transition to mobile communications in business?
RV: It is definitely the most complex and sophisticated environment we have seen. But just as fraudsters are working to stay one step ahead of law enforcement, fraud prevention solution providers have been working twice as hard to stay ahead of fraudsters. As mobile financial transactions are proliferating, mobile commerce is increasingly coming under attack. A recent report from Forrester Research Inc. noted that it’s critical for today’s enterprises to seek out fraud prevention solutions that collect mobile sensor data and integrated scoring profiles. At Easy Solutions, we have several solutions that protect mobile devices and effectively stop even the most sophisticated mobile attack in its tracks.
EA: As you said earlier, everyone just assumes it must be financial services being hit the hardest, but can you elaborate on how other industries have been hit?
RV: Fraudsters are going where the money is. And that obviously means financial institutions are coming under attack, to be sure, but retailers are also coming under heavy fire. Take, for example, the number of attacks on big-brand retailers a few years back. This included Target, Home Depot, Neiman Marcus, and Staples, just to name a few. Currently, fraudsters are focusing their attention beyond direct financial targets. Personal data is where the money is, and it’s especially lucrative for cyber thieves when that data is sold on the Dark Web. Everything from Anthem’s medical data breach to the Office of Personnel Management, whose data breach last year involved the personal data of 21.5 million people, is fair game.
EA: Tell me about how fraud takedowns occur. Does this require a lot of analysis by fraud intelligence teams?
RV: We first start the process by proactively looking for fraudulent Websites that might be trying to imitate legitimate sites, often with some slight misspelling variant on a common business or domain name. We also focus on searching for evidence of Websites that are associated with phishing or malware, usually requiring, as you suggest in your question, quite a bit of in-depth analysis by our fraud intelligence team. From there, we work with third parties including ISPs and hosting companies, to actually deactivate these malicious sites. Our Detect Monitoring Service shuts down thousands of attacks daily with a 76 percent proactivity rate, meaning that an attack was stopped before our clients or their customers even knew it existed. And with an average take down time of 3.6 hours, we’re seven times faster than the industry average.
EA: What advice do you have for businesses that might have some of the tools required for fraud prevention and detection, but that might not possess a full suite of what is truly necessary?
RV: The concept that “one size doesn't fit all” holds especially true when looking at fraud prevention and detection. Just as no two enterprises are exactly alike, no two anti-fraud solutions are identical. The smart business will look for companies that offer defense-in-depth strategies with components that can be cherry-picked to suit their individual needs and that will work in harmony with one another. Total Fraud Protection from Easy Solutions is a prime example of this and offers organizations flexible and comprehensive multi-layered fraud protection across all devices, channels and clouds. Even with limited resources, businesses should invest in a solution that monitors brand usage and prevents malicious activity that can lead to account takeovers. They should also be looking for solutions that provide real-time transaction risk monitoring and assessment. Enterprises need to embrace a multi-layered approach to fraud prevention, but more than that, they need to embrace the idea that it’s not a matter of whether they will be breached, but rather when. It’s therefore vital that they educate their staff on phishing and spear-phishing, as well as the dangers of opening attachments and BYOD security. Beyond the prevention aspect, however, businesses need to have incident response mechanisms in place for when the inevitable happens, because it will.
EA: In addition to the usual phishing, ransomware or malware attacks, what other types of cyber attacks should enterprise security teams be on the lookout for?
RV: Financial-related fraud makes the headlines, but for any company today, a greater issue might reside in reputation-related threats such as brand impersonations, malvertising, email spoofing, cousin domain registration, and brand infringements. The issue here isn't so much the immediate effects, but rather the long-term damage, not just to reputation, but to the loss of public trust and the ensuing loss of customers. In our opinion, it's just as important for organizations to protect brand value as monetary value. Companies need to monitor for similarly named domains and become hyper vigilant about their social media presence, and this requires looking beyond just Facebook, Twitter and LinkedIn, toward also incorporating Instagram, Snapchat, Tumblr, blogs, and the like. Smart companies also need to protect their email channels from impersonation by employing systems such as DMARC, so that teams can remove those threats before they reach their customers.