Fraudsters’ use of social engineering and phishing continues to triumph over many modern-day fraud-fighting techniques. In this month’s Digital Fraud Tracker, PYMNTS talked with Enrique Alvarez, special agent for the FBI’s cyber branch, about how combining multifactor authentication and AI can help save merchants and businesses from fraudsters impersonating legitimate customers and employees.
Digital fraud has been endemic for years, but 2020 saw cybercrime reach new heights as digital engagement soared amid social distancing and stay-at-home orders. The Federal Trade Commission’s Consumer Sentinel Network received more than 2 million fraud reports for total losses of approximately $3 billion on top of more than 1 million reports of identity fraud. These numbers likely understate the true value of fraud losses as these incidents are traditionally underreported.
Most of the losses merchants and companies suffered amid the pandemic came not from fraudsters scamming customers, however, but from fraudsters targeting businesses’ employees, according to Enrique Alvarez, special agent for the FBI’s cyber branch. High volumes of staff working from home offered fraudsters a unique opportunity to stage social engineering attacks and account takeovers that gave them unfettered access to companies’ internal systems.
“As the workforce transitioned to being at home, fraudsters took advantage of the fact that folks were accessing [businesses’] internal networks using machines that may not have been issued by the company,” Alvarez said. “They’re using home laptops or desktops that may not have been protected to the level that their own internal IT folks were happy with.”
In a recent interview with PYMNTS, Alvarez offered insights into the various techniques that fraudsters leveraged to target merchants and other businesses over the past year and how security systems that utilize artificial intelligence (AI) and multifactor authentication (MFA) can be deployed to keep them at bay.
How The Pandemic Has Supercharged Common Fraud Threats
Fraudsters typically stick to the classics when it comes to fraud methods, generally preferring social engineering and phishing techniques over technologically advanced solutions like botnets, Alvarez said. They pick their targets carefully, however, and do their homework beforehand.
“These guys are using very simple techniques like phishing or spear-phishing, and our case data shows that these techniques are used over and over again because they work,” Alvarez explained. “If you’re a cybercriminal, you’re first going to do your reconnaissance by looking on LinkedIn and social media, like a bank’s Twitter feed, and find out information that may assist you in targeting that particular enterprise.”
Employees working from home offered fraudsters a once-in-a-lifetime opportunity to infiltrate corporate systems as they could remotely impersonate employees through their home networks and access internal databases. The vast majority of these attacks were waged using stolen credentials, which fraudsters gathered through a number of methods, including phishing.
“In our collection of cyber fraud investigations that we have within the cyber division of the FBI, [we found that] 99 percent of attacks leveraged compromised username [and] password combinations,” said Alvarez. “This is stuff that they’re finding on the dark web, or [gained from] brute-forcing simple passwords because humans just can’t remember more sophisticated passwords.”
Businesses are working on several countermeasures to prevent these attacks as permanent work-from-home operations become more widespread. AI-based systems have their uses, Alvarez said, but the best security systems rely on more secure user authentication.
How Merchants Can Fight Back
The primary benefit of AI-based systems, according to Alvarez, is that they can detect minute patterns and inconsistencies fraudsters may cause that human analysts might not catch. These analyses are typically only performed while a fraudster is already in the system or has just left it, though, meaning that a reliance on these systems can risk the loss of precious data, even if the fraudster is caught.
“You can definitely leverage these sophisticated tools to understand how your enterprise works on a regular day, and then [see when] that weird anomaly starts happening, like sending data to an abnormal IP,” said Alvarez. “But that’s a bad day because that means the intruders have been in the enterprise for a while. It’s a truism in our cyber-intrusion cases that most of the self-reporting we get from the victims is when they see data leaving.”
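The baseline-then-anomaly approach Alvarez describes (learn what a regular day looks like, then flag a host sending data to a destination it has never talked to) can be sketched in a few dozen lines. The following is an added example, not code from the article or from the FBI; the flow records are constructed for illustration, and the record layout (timestamp, host, destination IP, bytes out) is an assumption rather than any vendor's log format. It goes slightly beyond the quote by scoring both an unseen destination and an unusual outbound volume, since exfiltration usually shows up as both at once.

```python
"""Baseline-and-deviation detection over outbound flow records.

Added example, not part of the PYMNTS article. Flow records and the
(timestamp, host, dst_ip, bytes_out) layout are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "regular day" flows: each host talks to a small set of internal destinations.
BASELINE_FLOWS = [
    ("2021-03-01T09:00", "ws-finance-01", "10.0.5.20", 12_000),
    ("2021-03-01T09:05", "ws-finance-01", "10.0.5.21", 8_500),
    ("2021-03-01T10:00", "ws-finance-01", "10.0.5.20", 15_000),
    ("2021-03-01T11:00", "ws-finance-01", "10.0.5.22", 9_000),
    ("2021-03-01T09:10", "ws-hr-03", "10.0.5.20", 5_000),
    ("2021-03-01T10:10", "ws-hr-03", "10.0.5.30", 6_500),
    ("2021-03-01T12:10", "ws-hr-03", "10.0.5.20", 7_000),
]

# Constructed "bad day" flows: one large transfer to a never-before-seen external address.
# 198.51.100.77 is from the TEST-NET-2 documentation range, used here as a placeholder.
NEW_FLOWS = [
    ("2021-03-02T09:00", "ws-finance-01", "10.0.5.20", 13_000),
    ("2021-03-02T02:15", "ws-finance-01", "198.51.100.77", 850_000_000),
    ("2021-03-02T09:10", "ws-hr-03", "10.0.5.30", 6_000),
]


def build_baseline(flows):
    """Per host: the set of known destinations plus mean/std of bytes sent per flow."""
    dests = defaultdict(set)
    sizes = defaultdict(list)
    for _ts, host, dst, nbytes in flows:
        dests[host].add(dst)
        sizes[host].append(nbytes)
    return {
        host: {"dests": dests[host], "mean": mean(sizes[host]), "std": pstdev(sizes[host])}
        for host in dests
    }


def score_flows(flows, baseline, z_threshold=3.0):
    """Return an alert record for every flow that deviates from its host's baseline."""
    alerts = []
    for ts, host, dst, nbytes in flows:
        profile = baseline.get(host)
        reasons = []
        if profile is None:
            reasons.append("unknown host")
        else:
            if dst not in profile["dests"]:
                reasons.append("new destination")
            std = profile["std"] or 1.0  # a constant baseline would otherwise divide by zero
            z = (nbytes - profile["mean"]) / std
            if z > z_threshold:
                reasons.append(f"volume z={z:.1f}")
        if reasons:
            alerts.append({"ts": ts, "host": host, "dst": dst, "bytes": nbytes, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in score_flows(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(alert)
```

Run against the constructed data, only the 850 MB transfer from ws-finance-01 to 198.51.100.77 is flagged, with both reasons attached. As Alvarez notes, an alert at this point means the intruder has already been inside long enough to stage the data, which is why the detection belongs behind, not instead of, stronger authentication.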
The best way to prevent fraud is by keeping fraudsters from ever entering the system in the first place through ironclad customer and employee authentication. Passwords are an extraordinarily weak method of verification, and businesses should instead lean on MFA methods, like SMS codes and biometrics, he said.
“I’m shocked that, 50 years later, we’re still dealing with passwords as a component for authentication,” he said. “There are literally billions of username/password combinations sitting on the dark web, and [fraudsters] have tools that allow you to query by domain, by bank name, by victim name or what have you. You just cannot rely on username and password — you have to employ MFA.”
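To make concrete why a leaked username/password pair stops being sufficient once MFA is in place, here is an added example (not code from the article, the FBI, or any vendor) of a login check that requires a time-based one-time password as the second factor. TOTP is used as the illustrative MFA method because it can be shown fully offline; the user record, the PBKDF2 password hash, the "alice" account and the secret (the RFC 6238 test vector secret, not a production value) are all constructed assumptions. The example also rejects a code that has already been accepted once, a caveat that matters when the attacker has phished a fresh code.

```python
"""Password + TOTP login check (RFC 4226 HOTP / RFC 6238 TOTP, SHA-1, 6 digits).

Added example, not part of the PYMNTS article. The user record, salt and
password are constructed; the TOTP secret is the RFC 6238 test secret.
"""
import hashlib
import hmac
import struct

STEP = 30          # seconds per TOTP counter value
DIGITS = 6
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(timestamp) // step)


def match_totp(secret: bytes, candidate: str, timestamp: int, window: int = 1):
    """Return the counter that produced `candidate` within +/- `window` steps, else None."""
    base = int(timestamp) // STEP
    for delta in range(-window, window + 1):
        counter = base + delta
        if hmac.compare_digest(hotp(secret, counter), candidate):
            return counter
    return None


def _hash_password(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


# Constructed user store. A real deployment generates a random per-user TOTP secret.
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": _hash_password(b"correct horse", b"constructed-salt"),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret, placeholder only
        "last_counter": -1,                      # highest TOTP counter already accepted
    }
}


def authenticate(username: str, password: str, otp, now: int) -> str:
    """Return 'ok', 'denied', 'mfa_required', 'mfa_failed' or 'mfa_replayed'."""
    user = USERS.get(username)
    if user is None:
        return "denied"
    if not hmac.compare_digest(_hash_password(password.encode(), user["salt"]), user["pw_hash"]):
        return "denied"
    # A stolen password alone gets this far and no further.
    if otp is None:
        return "mfa_required"
    counter = match_totp(user["totp_secret"], otp, now)
    if counter is None:
        return "mfa_failed"
    if counter <= user["last_counter"]:
        return "mfa_replayed"       # each code is accepted at most once
    user["last_counter"] = counter
    return "ok"


if __name__ == "__main__":
    t = 59                                   # RFC 6238 test time; code is "287082"
    print(authenticate("alice", "correct horse", None, t))       # mfa_required
    print(authenticate("alice", "correct horse", "287082", t))   # ok
    print(authenticate("alice", "correct horse", "287082", t))   # mfa_replayed
```

The password check and the OTP comparison both use `hmac.compare_digest` so that timing differences do not leak which factor failed, and the one-step window tolerates ordinary clock drift between the server and the user's device without accepting codes from minutes ago.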
The best security systems rely on multileveled defenses that employ a wide range of countermeasures, MFA and AI among them. The staggeringly diverse array of fraud threats therefore requires an equally diverse set of protections if businesses intend to protect their internal systems from irreversible damage moving forward.