Phishing attacks have become more sophisticated and personal. We are all busy with life – work, family, commute, and dinner plans, along with keeping up on the latest news cycle. Virtually anyone could be inclined to quickly click on a link stating there is an issue with their recent order.
But there’s more to phishing attacks than just baiting businesses and consumers. During a recent #ExperianLive event, Mike Gross, Head of Global Identity and Fraud Product Innovation, discussed what businesses can do to protect themselves and their customers.
Q: You say that phishers would make good digital marketers. What do you mean by that?
Mike: Like a great marketer, a good phisher understands people and their tendencies; they know how to get people to take action on their message. Take my most recent “almost phishing” incident. During the holidays, I received an email from a top online retailer stating there was a “problem with my recent order.”
I knew that any delay would jeopardize my holiday gift delivery. I was just about to click the “Login” button and then stopped. Thankfully, I double-checked the sender and it wasn’t my favorite shopping site after all – just a really good fake email from a “phishy” sender. Like a digital marketer, phishers understand how to specifically target the things that people care about. This is why phishing attempts focused around the holidays, tax season, natural disasters, and hot news topics are often so successful.
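The "double-check the sender" habit Mike describes can be automated on the receiving side. The following Python is an added example and is not part of the interview or of any Experian product; the retailer domain, brand keyword and the two sample messages are all constructed for illustration. It parses the From: and Reply-To: headers, checks whether the sending domain (or a subdomain of it) belongs to the brand the display name claims, and flags the common mismatches a mail filter or a user would want surfaced.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical brand data (constructed for this example, not a real retailer).
EXPECTED_DOMAINS = {"example-retailer.com"}
BRAND_KEYWORDS = {"example retailer"}


def sender_domain(header_value):
    """Return the lowercase domain of the address in a From:/Reply-To: value, or None."""
    _name, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def is_expected_sender(header_value, expected_domains=EXPECTED_DOMAINS):
    """True if the address is on an expected domain or one of its subdomains.

    A suffix match on ".<domain>" is used so that lookalikes such as
    example-retailer.com.evil.net do not pass.
    """
    domain = sender_domain(header_value)
    if domain is None:
        return False
    return domain in expected_domains or any(
        domain.endswith("." + d) for d in expected_domains
    )


def check_message(raw_message, expected_domains=EXPECTED_DOMAINS, brands=BRAND_KEYWORDS):
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    from_value = msg.get("From", "")
    display_name, _addr = parseaddr(from_value)
    from_domain = sender_domain(from_value)
    claims_brand = any(b in display_name.lower() for b in brands)

    if not is_expected_sender(from_value, expected_domains):
        if claims_brand:
            findings.append(
                f"display name '{display_name}' claims the brand but sender domain is {from_domain}"
            )
        else:
            findings.append(f"sender domain {from_domain} is not an expected domain")

    # Replies routed somewhere other than the visible sender are a classic lure sign.
    reply_to = msg.get("Reply-To")
    if reply_to and sender_domain(reply_to) != from_domain:
        findings.append(
            f"Reply-To domain {sender_domain(reply_to)} differs from From domain {from_domain}"
        )
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: "Example Retailer Orders" <orders@example-retailer-support.net>
Reply-To: help@mailer-example.biz
To: customer@example.org
Subject: Problem with your recent order

There is a problem with your recent order. Login now to avoid delays.
"""

SAMPLE_LEGIT = """From: "Example Retailer" <orders@mail.example-retailer.com>
To: customer@example.org
Subject: Your order has shipped

Your order is on its way.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample) or "no findings")
```

The suffix check is the part worth copying: matching on the registered domain rather than on the brand name appearing anywhere in the address is what separates a real subdomain from a lookalike.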
Q: Are phishers counting on the relationship and roles people have in an organization?
Mike: Yes. That’s the whole nature behind one of the biggest phishing attacks over the past several years – business email compromises. As a phisher, I’m sending you an email that looks like I work with you, say a vendor with a message that reads, “I changed the account that you use to pay me; please update your payment to this new account.”
If there is urgency behind it, it is taken seriously – for example, to avoid being late on paying a vendor. Human nature is being helpful and reacting, especially in this fast-paced, hyper-connected world – and that’s why these scams continue to work.
Q: What other phishing trends are you seeing?
Mike: They’ve evolved over time. Take the simple phishing email; it’s not so simple anymore. Nowadays, attacks are personalized to both the business and specific person – and phishers are taking advantage of automation and targeting tools so they can get the most reward for their effort. “Smishing” is a variant of phishing focused on the phone channel, where attackers target victims with an SMS-based attack; you’ve probably seen them. You get a text and link from what you think is your friend saying something like “Check out this funny video!”
But it isn’t legitimate; it’s a fraudster that is spoofing your friend’s phone number. Then there is “vishing,” which is a voice-based attack. This is where a fraudster pretends to be someone they’re not (like a consumer’s financial institution) and tries to obtain personal information or take over an existing account.
Q: Wow! Phishing fraud is sophisticated. What has led to that?
Mike: We’ve seen a tremendous leap in technology used. There is a great example of that last year with a U.K. bank. Their customers expect that if there is an out-of-place transaction, the bank will call them. In this particular vishing scheme, vishers used compromised accountholder usernames and passwords to log into customer accounts and set up money transfers.
Knowing that this would alert accountholders to the attempted transfer using the SMS one-time passcode, phishers called legitimate customers, impersonated the bank, and stated that since the customer was a recent fraud attack victim, the bank needed confirmation that they were the accountholder. The vishers told customers they would receive a passcode. While the customer confirmed the code, the vishers submitted the fraudulent transfer.
Q: What trends and techniques are you seeing?
Mike: Two of the big trends we’re seeing are around Artificial Intelligence (AI), machine learning, and SMS to find victims. A big part of phishing is what we call “spear phishing.” This targets individuals with access to an organization’s financial accounts or internal systems.
Another term is “whaling,” which targets a specific high-profile individual. The phishers are no longer just sending out blanket lottery scam and Nigerian prince emails with misspellings to millions of people. It’s very focused – and phishers can easily do this using machine learning and AI.
Q: Do you notice any seasonality, or spikes in phishing based on a certain time of year?
Mike: The holidays are one because so many people go to their favorite shopping sites and buy items that are completely out of pattern based on what they usually do online. Another good example is tax season. We saw phishers impersonate top tax and financial management software providers, allowing consumers to “quickly and easily submit their tax forms online.”
What’s worse is that phishers use the knowledge you have about phishing against you. Things like “How do you protect yourself? Click on this link to learn more” or “Click this link to download software and protect your devices.” Also, fraudsters pay attention to the news, so whether it’s a natural disaster or the cathedral fire that happened in Paris last April, phishers see those as opportunities to prey on victims simply trying to donate to a worthy cause.
Q: What advice do you have for businesses and consumers to protect themselves against phishing attacks?
Mike: My advice for businesses is to focus on technology and training. Strong technology solutions must be in place at all businesses to block phishing emails that are coming from suspicious sites – and for the most part, large organizations do a great job of that. Smaller businesses can also take advantage of technology solutions from their internet providers. Businesses can implement web blocking software for less secure Internet sites and filter what types of content employees can have access to on business devices.
A lot of companies hire outside consultants to talk about the different types of phishing attacks with employees. These are helpful, but the key is to not allow training to become static because attackers evolve so quickly. Both businesses and consumers can use the email filtering option that is available through nearly every email provider. Don’t click on any attachments that even remotely look suspicious – especially if they’ve been texted to you from someone you either don’t know or the message appears out of character for someone you know.
Q: What activities is your group taking on that will help businesses and their customers fight phishing attacks?
Mike: There are several things we’re doing that impact businesses and consumers offline and digitally. We help businesses recognize their customers and authenticate them, whether that’s helping customers with a new bank account, enabling easy checkout at a favorite retailer app, or protecting account logins. 99% of people trying to access accounts are the legitimate account holders; it’s that 1%, though, that causes a lot of friction for good customers. So, we’re trying to make it easier for those consumers to quickly pass through all of the controls so authentication is easier. That translates into consumer loyalty for brands.
Q: And that’s what it’s really all about?
Mike: It is. We help businesses recognize their customers and also ensure that they are catching fraudsters on the back end. But we also strive to make that recognition or user experience as seamless as possible, with the right scrutiny for the risk level of that business.
Mike Gross leads product innovation strategy for Global Identity and Fraud at Experian. Check out the entire podcast and video on how to protect your business from phishing here.