Phishing, Fraud and Social Media Attacks Highlight Cybersecurity Roundup
Updated: Jan 12
By Roy Urrico
Finopotamus aims to highlight white papers, surveys and reports that provide a glimpse as to what is taking place and/or impacting credit unions and other organizations in the financial services industry.
The Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Payments Forum and the Identity Theft Resource Center (ITRC) highlight a roundup of items focused on cybersecurity.
CISA Releases Phishing Infographic
CISA published a Phishing Infographic to help protect both organizations and individuals from successful phishing operations. This infographic provides a visual summary of how threat actors execute successful phishing operations. Details include metrics that compare the likelihood of certain types of “bait” and how commonly each bait type succeeds in tricking the targeted individual. The material also provides detailed actions organizations and individuals can take to prevent successful phishing operations – from blocking phishing attempts to teaching individuals how to report successful phishing operations.
“Phishing is a form of social engineering in which a cyber threat actor poses as a trustworthy colleague, acquaintance, or organization to lure a victim into providing sensitive information or network access,” the infographic explains. Threat actors solicit sensitive information or lure victims into downloading and executing malware. Bait typically consists of an email with a subject line that entices the user to open the email, e.g., the subject line contains an alert, an action, or a request for information.
CISA also identified the most successful subject lines: financial security alerts and updates; organization-wide announcements and updates; and user-specific alerts, such as training updates. A single bite can lead to successful exploitation. Plus, threat actors set multiple hooks to increase their chance of success and then wait for a victim to take the bait.
· Eight of 10 organizations had at least one individual who fell victim to a phishing attempt according to its assessment teams.
· One of 10 phishing emails sent by CISA assessors had a user execute a malicious attachment or interact with a malicious link.
· Seventy percent of all attached files or links containing malware were not blocked by network border protection services.
· Eighty-four percent of employees took the bait within the first 10 minutes of receiving a malicious email, by either replying with sensitive information or interacting with a spoofed link or attachment.
“The threat actor reels in the catch of the day when an email is not blocked by network border or endpoint protections and reaches a victim who replies with valuable information or executes a spoofed link or attachment. The threat actor can then feast on sensitive information, credentials, or the ability to compromise the endpoint via malware disguised as links and attachments.”
CISA recommends organizations implement strong network border protections; configure email servers to utilize protocols designed to verify the legitimacy of email communications; educate employees to recognize common indicators of phishing; and report malicious communications, allowing incident responders to analyze the threat.
U.S. Payments Forum Finds Fraud a Trending Topic
The Redwood City, Calif.-based U.S. Payments Forum, in its latest quarterly market snapshot, found that fraud will likely always be a cause for concern in the payments ecosystem.
“Stakeholders across the board agreed that while the implementation of EMV has thwarted many fraud instances in the card-present environment, fraudsters have set their sights on the CNP (card not present) space instead. CNP fraud is growing six times faster than card-present fraud, according to one global payment network.” Forum members also expressed concern regarding a rise in bot activity and enumeration fraud attacks (which allow cybercriminals to verify whether a user exists in a database), with one issuing bank seeing a 50% year over year (YoY) increase in these brute-force attacks.
The U.S. Payments Forum report also said friendly fraud, or first-party fraud, is increasing in the payments space, particularly with consumers disputing charges and taking advantage of lenient return policies during times of economic uncertainty. Accertify, an American Express company, also shared that first-party fraud has been increasing as more transactions are conducted digitally, including in newer industries like sports betting and food and grocery delivery. Some consumers choose to fraudulently dispute these sports betting charges when they do not turn a profit.
“Synthetic ID fraud, a more malicious tactic, is gaining traction as well,” noted the Payments Forum. These types of attacks are typically orchestrated by cybercrime groups that create banking accounts, rewards accounts and more. They then use these accounts to facilitate chargebacks or move funds via peer-to-peer transactions, gift cards and, in some cases, cryptocurrency.
The consensus among payments stakeholders is that the industry must take a layered approach to fraud mitigation, beginning with strong authentication techniques, data analytics tools and consistent monitoring.
ITRC 2023 Predictions Show Shift to Social Media Attacks and More Scams
The El Cajon, Calif.-based Identity Theft Resource Center (ITRC), a national nonprofit organization established to support victims of identity crime, released its 2023 predictions for identity crimes and compromises.
Said Eva Velasquez, president and CEO of the ITRC, “In 2022, consumers doubled down on instant payment and transfer apps. The velocity of social media account takeovers increased by more than 1,000 percent in a year due to people falling for phishing attacks and identity-based scams. ITRC research shows 27% of individuals and 87% of businesses lost revenue from a social media account takeover. We saw identity fraud-related crimes climb, particularly in attacks where cybercriminals impersonate someone to open accounts using stolen personal information to bypass security features. We saw more than 90 supply chain attacks impact over 1,600 organizations.”
Added Velasquez, “These trends point towards shifts in tactics moving forward. We expect to see identity crimes affect generations differently, depending on how people interact with the digital world, as well as a rise in scams targeting specific ethnic groups. We see romance scams shifting toward platonic relationship scams. We think identity criminals could look to exploit the technology gap between people who adopt new passwordless logins and those who do not. We will also watch to see how much information is included in data breach notices in 2023. A lack of information on compromises leaves people and businesses vulnerable to identity crimes.”
There are eight trends in the ITRC’s 2023 predictions for the next calendar year:
1. Identity criminals will increasingly rely on impersonation using personally identifiable information (PII) gathered through compromises, phishing and social engineering to open new accounts, take over non-financial accounts such as social media, and impersonate government representatives.
2. Romance scams will continue to morph into relationship scams.
3. Scams targeting specific ethnic groups or immigrants with limited English proficiency will increase.
4. Identity criminals will move to exploit the technology gap between people who adopt Passkey, a password replacement, and other passwordless tech, and those who cannot or will not make the shift.
5. Identity crimes and fraud will continue to affect generations differently. Payment and contact methods vary depending on age and how each individual interacts with the digital world.
6. The increased popularity of payment apps among scammers will prompt action by Congress or the Consumer Financial Protection Bureau (CFPB) to crack down on the misuse of these apps.
7. Despite continued evidence that data breaches are giving scammers the information they need to craft more effective phishing pitches and account takeover fraud, Congress will fail to pass a comprehensive privacy and data security law in 2023.
8. The number of data breach notices that reveal less information about a compromise will continue to grow, putting more people and businesses at risk.