It’s a sad but simple truth: The move to remote work has increased the opportunity for fraud. Employees are more likely to make significant, serious requests over email, and those emails are often sent from personal devices, which makes them much easier to mimic in a phishing attempt.
In fact, 23% of people in one large study said they connected a personal device to the company’s network, according to the September 2021 Digital Identity Tracker, a PYMNTS and Jumio collaboration.
“This is one of the big, underestimated risks, really,” Philipp Pointner, chief of digital identity at Jumio, told PYMNTS in a recent interview. “Our personal devices are not secured at the same level as company devices.”
If an individual’s personal phone or computer has been compromised, he explained, fraudsters could gain access to the person’s email account and use it to socially engineer their way deeper into the organization or obtain escalated access privileges, and then steal or change data or cause financial loss.
“That’s a real attack vector, and certainly something that has been accelerated through the work-from-home motion that everybody went through,” Pointner said.
Implementing Good Processes
Another security risk comes from phishing. The Tracker points out that 80% of people have observed a rising number of phishing attempts since the pandemic, and 85% said the attempts have grown more sophisticated.
With people working remotely and unable to stop by someone’s office, it has become more common for people to make more serious requests via email, Pointner said. That’s why these types of attacks are more successful in getting people to pay out money or grant access to users.
“It can hit anybody at any time,” Pointner noted. “So, these basic principles of thinking before you act and making sure there are good processes in place for authorizing the more sensitive data leaving the company, or even money leaving the company, are more important than ever.”
Companies should define the format that must be used for requests, explain the circumstances under which data can be shared with people outside the company, and then constantly raise awareness among the entire staff that these attacks are coming and anyone can be a target.
“I think that alone is making it more difficult to successfully socially-engineer your way into a company,” Pointner said.
Managing Privileged Credentials
Another effective policy for managing privileged credentials is “least privilege.” It applies when someone in a company sometimes does routine tasks that only require low-level access, and at other times has the admin rights to do riskier things and make big changes to the system. In these cases, whenever they do routine tasks, they should log in as an operator, not as an administrator.
“This is where a good [identity management] platform and digital identity can be of extreme use to a company, because you can dynamically manage these things and easily have these step-up authentications for higher privileges,” Pointner explained.
Governments in the U.S. and around the globe are dealing with fraudsters by more frequently updating their identification documents. Companies like Jumio that verify the authenticity of government-issued documents must track all the changes and new versions that come out.
Keeping Fraudsters at Bay
“We’ve created a new way of dealing with this,” Pointner said. He explained that through unsupervised machine learning, the company’s models could detect these unknown document types quickly, cluster them together to see where the similarities are, and then support them in the system within a couple of days.
“That is really a big change where technology helps solve a logistics problem, and so we are now very rapid in our adaptation to new documents that come out,” he said.
Overall, Pointner said, there’s still an increased fraud rate driven by the pandemic crisis and economic pressures. So, it’s more important than ever that companies understand who the user is.
“This notion of who you are on the internet is becoming ever-increasingly important,” he concluded. “We see it in the demand for our services. But we also see that the threat level is rising, and that companies need to turn to really sophisticated solutions to keep the fraudsters at bay.”