How to Combat Shifting Fraud Tactics
Now that some companies are returning to their offices—and the rest of us have settled into our work-from-home cadences—we have some time to reflect on our response to the last few months of upheaval. We have the opportunity to shore up our contingency plans for future use, particularly around business security in a work-from-home setting.
Bad actors know a crisis when they see one and can quickly adapt their tactics to leverage current events. These past months are a testament to that. While many of us remain at home, we must also remain vigilant about potential security threats, just as we do when we are in the office. As a security systems engineer, I offer these observations and takeaways from this experience.
Bad actors are changing their tactics
This may come as a surprise, but there has not been a significant increase in fraud attempts in the last few months. Our own internal tracking shows fraud counts matching the 2019 trends quite closely. There was a 50 percent spike in April 2020 (compared to April 2019) as personnel acclimated to remote forms of work, but May 2020 is shaping up to have fewer fraud instances than May 2019, by 60 percent so far.
Instead, what we are seeing is a shift in content. Bad actors know that users (those of us in the workforce) are hungry for updates about current events, and they use that as a leveraging point to trick their victims into engaging with them. They view chaos as an opportunity to confuse users into interacting with fraudulent content, such as clickbait articles.
So while we do not see an increase in attacks, we do see a change in overall tactics. The best way to protect against this type of threat is to be mindful of what you are clicking on. Hover over hyperlinks before clicking them to review the actual URLs, and make sure you only click on what you trust.
Security flaws are exposed
From a technology standpoint, the business world is facing vulnerabilities that it never considered when it developed its enterprise strategies and architecture.
Most enterprise IT architectures in operation today use the "eggshell" or "castle and moat" defense, where big "(fire)walls" keep things out. In those models, all users inside the walls are trusted. But now current events have rendered the walls ineffective, exposing internal systems to a world in which they were not built to operate. This leaves users vulnerable in a target-rich environment, because there are many vectors, phishing campaigns among them, by which a bad actor can gain a foothold on a laptop or home network.
Phishing campaigns can be challenging to detect. According to the AFP's 2020 Payments Fraud and Control Report, BEC (Business Email Compromise) remained the highest source of security risks at 61 percent, with external sources (such as check washing) following closely at 58 percent.
One type of BEC attack, for example, sends a hyperlink to users via email. Clicking the link routes the user to a web server containing a simple "Hello" message and nothing more: no malicious code or script, nothing that may seem out of the ordinary. What the user does not realize is that by clicking on the link, they have provided a bad actor with the source IP of their machine, compromising its security.
While at home, users' computers lie outside the castle walls they are accustomed to having in the office. Bad actors rely on users not being aware of that.
Physical security also has its faults
Physical security methods, while touted as a failsafe by some, do nothing to add to the safety of your business.
For example, if your Controller took home a folder of unsigned checks for the weekend, and left them in the car while they stopped by the gym (a prime spot for car theft), your company information is physically at risk.
When all is said and done, don't let electronic fraud scare you away from embracing automated solutions for your back office. By teaching your employees to identify potential risks and alert your security team, your company becomes safer without sacrificing important operational efficiency initiatives.
When considering the best method for protecting your company against security threats, don't miss the forest for the trees. Protecting against one scenario may leave you open on another avenue, which in turn limits the flexibility your company demands.
The best and most surefire way to protect against email threats is to show your team how to identify them. Teach them to exercise suspicion towards unsolicited email communication and react accordingly:
Do not click on a hyperlink unless you trust it.
Do not open email attachments unless you trust the sender and are expecting the file (even a trusted sender's account may be compromised).
Do not provide your user credentials to anyone over email or phone.
Lock your computer every time you step away.
Bad actors know the methods companies take to protect themselves, and they shift their attacks to circumvent those defenses. Continually working with your employees to identify new threats is the most surefire way to protect against fraud. Make your entire team fraud experts, and you will ensure that your security team can dedicate more of its time to the most significant threats.