It’s no secret that in the anti-fraud world, too many organizations are being victimized by advanced attacks that their antiquated security strategies are unequipped to tackle. In many ways, the cybersecurity market has failed to serve those it intends to protect with an increasing amount of specific, overlapping solutions, leaving organizations confused about how to best secure themselves from outside threats.
Here at Cyxtera, we know that there is an overwhelming amount of information to consider when looking for security solutions. Keeping this in mind, we have compiled a list of the five most common questions we receive, answered by our anti-fraud experts.
What are the biggest threats you see?
The largest threat that needs to be considered is phishing, due to its prevalence and multi-vector attack capabilities. An overwhelming 90% of attacks start with some kind of phishing campaign, and many organizations aren’t equipped to recognize such attacks. Further, phishing is not limited to just a few channels – it is nearly ubiquitous. Email campaigns are the most well-known, whether they are casting wide target nets or attacking specific individuals with meticulously crafted, seemingly-real emails. However, organizations must expand their anti-phishing focus, as attacks can be found anywhere fraudsters are able to make contact with users. This includes app stores hosting rogue apps, social media platforms with fake profiles, SMS communications, similar domains, and many more. These attacks pose the greatest threat to organizations unequipped to detect and take them down, as they are constantly evolving as cybercriminals attempt to circumvent security methods.
What are the primary attack vectors you are detecting?
Echoing the answer above, phishing is by far the largest attack vector with its highly varied methods that change frequently. Between 2017 and 2018, 90% of cybersecurity executives reported at least one type of phishing attack targeting their organization. These campaigns are created by fraudsters who have either identified vulnerabilities within a system or have gained access through weak or stolen credentials. Among the most common forms of attack on these vulnerabilities are similar domains, in which fraudsters create nearly-identical replicas of an official website with a similar URL, and emails targeting an organization’s customers. Another, more specialized, attack type is called Business Email Compromise (BEC). Fraudsters carrying out BEC campaigns create highly detailed emails in which they pretend to be a high-level executive or member of the finance department of an organization in order to gain access to sensitive information or make money transfers to their own accounts. BEC alone has caused exposed losses of more than $12 billion USD since 2013.
Third-party application stores, and occasionally official app stores, are the second most targeted vector that we are seeing. Fraudsters create fake applications, or “rogue apps”, that imitate the official apps of legitimate organizations in an attempt to lure users into giving up their sensitive credentials. Social media impersonation also comprises a large percentage of phishing attacks, in which fraudsters create fake, seemingly realistic accounts in order to trick users into giving up their personal information.
What controls should we be implementing based on today’s attacks?
A proactive strategy that controls visibility and allows for quick and easy mitigation is essential to defending against today’s attacks. Organizations must also have the ability to not only identify the victim, but also to track attackers’ moves and answer questions such as: Who is being targeted? Where did the attack originate from? What information was exposed? With visibility comes the power to take informed action to mitigate the effects of an attack.
Keeping this in mind, it is important to note that cybercriminals are highly aware that organizations are implementing security strategies to avoid falling victim to phishing and other attacks. Criminal attack strategies are constantly changing and evolving in order to bypass most types of security. A strong anti-fraud solution must be regularly fine-tuned to ensure that fraudsters are unable to exploit system gaps and slip attacks past them.
We don’t have a phishing problem, so why do we need phishing protection?
There are two types of financial institutions: those that have been phished, and those that have been phished but don’t know it. Unfortunately, most people only associate phishing with fake URLs or emails. However, phishing is, by definition, any attempt with malicious intent to harvest sensitive information – regardless of the delivery method. Attack vectors include all of those we’ve already mentioned in this post and many more: social media platforms, messaging applications, SMS, fake mobile applications, etc. The assumption that phishing is not an issue leaves organizations and their users susceptible to large financial and reputational consequences.
Knowing that all institutions are likely to be targeted for phishing, what can be done to reduce the number of attacks? The answer lies in real-life examples. Many larger banks have fortified their security to such an extent that cybercriminals are turning away from them and looking elsewhere for new targets. It costs very little for attackers to probe thousands of organizations for the weakest link that would be easiest to target; banks that employ a strong, adaptable solution will deter attacks, while those least protected will be victimized the most.
Why do we need cross-channel visibility if our business units operate independently?
Cross-channel visibility is about understanding how fraud propagates. Attacks do not manifest on a single channel, nor are they executed on a single vector. To focus only on specific platforms and channels leads to a failure to understand where and how an attack is attempting to infiltrate. Further, attackers will always look for the easiest point of entry into a vulnerable system and then move around laterally, wreaking more and more havoc. Without visibility into attacks across your organization, they may be too far along to be stopped by the time they are detected. The earlier you detect a breach, the better your chances of stopping it without losses or other negative consequences.
To learn more about common problems associated with phishing and how to protect against it, take a look at Digital Threat Protection.