Social media scraping and automated fraud attacks have rendered old-school single-layer defenses ineffective. In this month’s Digital Fraud Tracker, Georgetown cybersecurity Prof. Chuck Brooks tells PYMNTS how a mix of drills, training and siloed access is the best way to send phishermen home empty-handed.
Fraudsters can scam individuals and businesses out of their stored funds, personal data and login credentials in countless ways, but bad actors often find that old-fashioned, tried-and-true methods work best. The FBI found that phishing was the most common cybercrime method in 2020, more than doubling in frequency from 114,702 incidents in 2019 to 241,324 occurrences last year.
Merchants and other businesses risk being overwhelmed by the sheer volume of attacks if they are not adequately prepared to defend against them, according to Chuck Brooks, adjunct professor of cybersecurity risk management at Georgetown University. Some attacks will inevitably get through, but with well-positioned defenses, this threat can be reduced to a manageable level.
“Everyone’s going to fall for something at some point,” Brooks said in a recent interview with PYMNTS. “But if you limit it to being just an aberration [rather than a commonplace occurrence], then you’re okay.”
No single defensive measure stops phishing on its own, Brooks said, but employee training combined with automated defenses can bring the risk down to a manageable level.
How Fraudsters Have Improved Their Tactics
Some individuals and businesses are more vulnerable to attacks than others. Bad actors traditionally have targeted small to mid-sized businesses (SMBs) due to their perceived lack of security, but recently cybercriminals have been branching out to attack healthcare companies and universities.
“Everyone gets phished, but small businesses are low-hanging fruit because they just don’t have the security resources and their people are not well-trained,” said Brooks. “Universities and healthcare industries [are also a common target] for the same reason, because they haven’t put a lot of money into security because they’re busy fighting diseases and educating people with those resources and those technologies.”
Phishing also has become increasingly automated, with bad actors using tooling, including artificial intelligence (AI), to select targets and launch thousands of attempts at once. They often combine this with social engineering, mining potential victims’ social media profiles to tailor each lure to its target.
“Hackers now can build up dossiers of who they’re going after, because they can see your posts, they can see what your interests are, or what [you’re] doing on Instagram or WhatsApp or Facebook,” Brooks explained. “They can even look at you and find contacts, your fields of interest and if you’re looking for a job. Then they’ll send out a thousand phishes and get two or three hooks, and that’s it.”
This same combination of automated systems and human expertise can also be turned against phishers. Neither is sufficient on its own, but together they provide a formidable defense.
Deploying a Multilayered Defense System
Training employees to identify potential phishing emails is the first step in prevention, but many of the obvious clues, such as misspelled words and poor grammar, are often absent now. Fraudsters have grown more sophisticated, and employees need to keep up with the new paradigm.
“It used to be that you just won a lottery or need help from someone in a faraway land with five misspellings,” Brooks explained. “Now there are graphics that are just taken from a bank’s webpage and emulated perfectly. So, the first thing you have to look at is, do you bank at that place? You also want to look at that email address, because for most of them, they’re not going to spoof it.”
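The sender-address check Brooks describes can be automated in a mail gateway or a triage script. The following Python is an added example written for this page, not code from PYMNTS or from Brooks: it parses two constructed messages (one mimicking a bank, one genuine) and reports the usual tells, a brand name in the display name on an untrusted domain, a lookalike domain built with digit-for-letter substitutions, a Return-Path on a different domain from the visible From, a failing DMARC verdict, and a link whose visible URL disagrees with its target. The trusted-domain list, the "first-examp1e-bank.com" lookalike and the Authentication-Results values are all assumptions for the illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organization actually banks with; an assumption for this example.
TRUSTED = {"firstexamplebank.com", "www.firstexamplebank.com"}
BRAND_WORDS = ("first example bank", "firstexamplebank")

# Digit-for-letter substitutions commonly used to build lookalike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

# Constructed sample messages (not real mail); headers and values are made up.
PHISH_RAW = """From: "First Example Bank" <alerts@first-examp1e-bank.com>
Return-Path: <bounce@mail-blast.example.net>
Subject: Action required: verify your account
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-blast.example.net; dkim=none; dmarc=fail header.from=first-examp1e-bank.com
Content-Type: text/html

<html><body><img src="https://www.firstexamplebank.com/logo.png">
<a href="http://first-examp1e-bank.com/login">Log in at https://www.firstexamplebank.com</a>
</body></html>
"""

LEGIT_RAW = """From: "First Example Bank" <alerts@firstexamplebank.com>
Return-Path: <alerts@firstexamplebank.com>
Subject: Your monthly statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=firstexamplebank.com; dkim=pass header.d=firstexamplebank.com; dmarc=pass header.from=firstexamplebank.com
Content-Type: text/html

<html><body><a href="https://www.firstexamplebank.com/statements">View at https://www.firstexamplebank.com</a></body></html>
"""

A_TAG = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT = re.compile(r"https?://[^\s<]+")


def normalize_domain(domain):
    """Lower-case, drop a leading 'www.', fold confusable digits and hyphens."""
    d = domain.lower()
    if d.startswith("www."):
        d = d[4:]
    return d.translate(CONFUSABLES).replace("-", "")


def address_domain(addr):
    """Domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """spf/dkim/dmarc verdicts from the Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))


def link_mismatches(html):
    """(href host, shown host) pairs where the visible URL text names a different host."""
    found = []
    for href, text in A_TAG.findall(html):
        shown = URL_IN_TEXT.search(text)
        if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
            found.append((urlparse(href).hostname, urlparse(shown.group()).hostname))
    return found


def phish_indicators(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = address_domain(addr)
    findings = []

    # 1. Display name claims a trusted brand, but the address is not on a trusted domain.
    if any(w in name.lower() for w in BRAND_WORDS) and from_dom not in TRUSTED:
        findings.append(f"display name claims brand but From domain is {from_dom}")

    # 2. Lookalike: after folding confusables the domain collides with a trusted one.
    if from_dom not in TRUSTED and normalize_domain(from_dom) in {normalize_domain(t) for t in TRUSTED}:
        findings.append(f"lookalike domain {from_dom}")

    # 3. Envelope sender (Return-Path) on a different domain than the visible From.
    rp_dom = address_domain(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")

    # 4. DMARC did not pass for the From domain.
    if auth_results(msg).get("dmarc") != "pass":
        findings.append("dmarc not pass")

    # 5. Link text shows one host while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    for href_host, shown_host in link_mismatches(body.get_content() if body else ""):
        findings.append(f"link shows {shown_host} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("legit", LEGIT_RAW)):
        print(label, phish_indicators(raw) or "no indicators")
```

None of these checks is conclusive alone: a legitimate newsletter sent through a third-party provider will also show a Return-Path on another domain, and a lookalike check only catches substitutions you anticipated. Several indicators firing together is the signal worth quarantining or escalating on.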
Human error is inevitable, however, and some employees will fall for a phishing message. The backup at that point is technical controls that limit each account to the access its job requires and add a second authentication step, so that a single compromised account exposes as little as possible.
“The best way is administrative privileges for your company,” Brooks said. “You can limit employee access or require two [authentication] steps before they go there. A lot of companies will also outlaw certain sites that workers can’t go visit, so it makes it more difficult to get phished.”
Phishers have become more sophisticated and adopted more diverse tactics, so merchants and other organizations need to be equally flexible and multilayered in their phishing prevention strategies. Failing to do so could result in catastrophic data breaches that ultimately could cost millions of dollars.